Edit tour

Windows Analysis Report
http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip

Overview

General Information

Sample URL:	http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip
Analysis ID:	846744
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected ZipBomb

Downloads suspicious files via Chrome

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Creates a DirectInput object (often for capturing keystrokes)

PE file does not import any functions

Drops PE files

Tries to load missing DLLs

Found evasive API chain checking for process token information

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1092 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 4792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1668,i,6246966439295609251,3032567147448731362,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

unarchiver.exe (PID: 5952 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\vcredist_x86_2010.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 5976 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq" "C:\Users\user\Downloads\vcredist_x86_2010.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5536 cmdline: cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vcredist_x86_2010.exe (PID: 5424 cmdline: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe MD5: B88228D5FEF4B6DC019D69D4471F23EC)

Setup.exe (PID: 5876 cmdline: c:\e2ac7bbaf115a22162e746\Setup.exe MD5: 006F8A615020A4A17F5E63801485DF46)

chrome.exe (PID: 5448 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

msiexec.exe (PID: 5292 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,		8_2_01004F6B
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_010045EB GetFileAttributesA,LoadLibraryA,GetProcAddress,DecryptFileA,GetLastError,		8_2_010045EB

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1049\eula.rtf	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468-MSI_vc_red.msi.txt

Jump to behavior

Source:	Binary string: sfxcab.pdb source: vcredist_x86_2010.exe, vcredist_x86_2010.exe, 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, vcredist_x86_2010.exe, 00000008.00000000.258236228.0000000001002000.00000020.00000001.01000000.00000006.sdmp, vcredist_x86_2010.exe.4.dr
Source:	Binary string: sqmapi.pdb source: Setup.exe, 00000009.00000002.425644285.000000006B181000.00000020.00000001.01000000.0000000A.sdmp, sqmapi.dll.8.dr
Source:	Binary string: SetupEngine.pdb source: Setup.exe, 00000009.00000002.425686518.000000006B1B1000.00000020.00000001.01000000.00000009.sdmp, SetupEngine.dll.8.dr
Source:	Binary string: patchhooks.pdbX source: vc_red.msi.8.dr
Source:	Binary string: patchhooks.pdb source: vc_red.msi.8.dr
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000009.00000000.262259461.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Setup.exe.8.dr
Source:	Binary string: SetupUi.pdb source: Setup.exe, Setup.exe, 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, SetupUi.dll.8.dr
Source:	Binary string: SetupResources.pdb source: SetupResources.dll8.8.dr, SetupResources.dll3.8.dr, SetupResources.dll1.8.dr, SetupResources.dll7.8.dr, SetupResources.dll2.8.dr, SetupResources.dll4.8.dr, SetupResources.dll6.8.dr, SetupResources.dll5.8.dr, SetupResources.dll0.8.dr, SetupResources.dll.8.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_010046B9 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA,

8_2_010046B9

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Apr 2023 09:38:59 GMTServer: ApacheLast-Modified: Wed, 21 Sep 2022 07:10:49 GMTAccept-Ranges: bytesContent-Length: 5051101Cache-Control: max-age=0, no-cache, no-store, must-revalidatePragma: no-cacheExpires: Wed, 11 Jan 1984 05:00:00 GMTKeep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 14 00 00 00 08 00 88 50 22 49 e7 87 7f aa 2d 12 4d 00 58 69 4d 00 15 00 00 00 76 63 72 65 64 69 73 74 5f 78 38 36 5f 32 30 31 30 2e 65 78 65 ec 5c 6b 7c 54 47 15 bf fb cc 26 d9 b0 0b 24 6d 0a a1 2c 34 68 2a 14 d1 95 96 b0 84 26 c0 86 54 09 6c 58 d8 25 25 0f b0 24 5d 56 0a 31 b9 17 a8 92 36 b8 d9 34 37 b7 5b eb a3 8a 5a 2a 08 28 5a 1f a8 3c d2 96 47 42 30 09 14 29 85 4a a9 d4 8a 15 f5 c6 45 9b 0a 25 01 52 ae ff 33 f7 6e 36 09 d4 d7 cf 0f 7e 30 bf cc 9d 99 33 67 ce cc 9c 39 73 e6 cc 6b 0b 1f 7c 9a 33 70 1c 67 84 53 14 8e 6b e6 d4 bf 5c ee 9f ff 9d 87 1b 36 f6 c5 61 dc ee c4 5f 8e 6b d6 cd fb e5 b8 45 81 95 35 8e aa ea 35 0f 57 2f 7f c4 f1 d0 f2 d5 ab d7 f0 8e 4f 57 38 aa 85 d5 8e 95 ab 1d 73 16 78 1d 8f ac 59 51 31 39 25 25 29 33 46 e3 ae aa bc ed b3 ee 1c 11 73 0f 17 0e 1f b1 83 85 c7 8e 78 83 c5 67 8f 78 9e f9 79 23 ea 99 9f 8b 74 f2 e7 30 7f e1 ca 87 02 94 ef 83 ea e8 71 73 dc 3c 9d 81 db 12 fc cc dc 78 bd 6d 29 c9 ba 84 24 ae 01 91 51 2a 4c 79 08 1f 07 5c 0b 8b ea 58 58 cf 71 26 7c c8 19 63 99 11 a6 48 e0 73 85 14 aa 63 11 07 c1 ed ec 5f 0d c5 ff 36 6d e2 b8 2d ac 50 1d b7 fb f6 01 09 0b 0b b9 25 03 e2 8e f1 1c 97 f1 0f 78 dd fb a1 41 7d c2 ca b4 e8 3f 18 7f 32 5f b1 9e 87 7f 67 bd d6 ae 06 b5 93 87 90 58 36 79 c5 72 7e 39 d1 1f a9 53 db 4e 34 9b 06 e3 e5 22 65 72 75 4d 35 58 a4 b6 e1 3c 70 db e7 71 dc 93 43 f0 fe 35 b1 f9 ff df ff d0 df aa cd 1c e7 83 9b 0e 37 1e ce 0e 77 ed 59 8e 7b 0b ee 18 dc 6e b8 ed 70 4d 70 1b 36 ab 79 86 93 dc e3 ef ca 56 8e 93 e1 8e c3 bd 08 b7 1d 2e eb 3b 1c 57 0d 7f 05 dc 22 38 33 e2 1f 81 7f 1b 85 e1 3c 88 07 e1 ea e0 be 06 b7 0b ee 38 dc 0c c2 a1 30 06 cb 59 b8 27 11 2f f9 36 c7 fd 60 33 68 c3 b5 c3 9d 85 fb 23 d5 0f 2e e9 39 c8 36 dc 64 b8 99 70 f3 e0 ca e0 56 c3 d5 c3 7d 19 6e 3b dc cf e0 0e c3 9d 80 3b 0f d7 0b 67 fe 36 f2 c2 7d 1c 6e 1e dc 8b 28 2f 00 bf 0a ae 09 6e 3b c1 e0 da e1 ce c0 bd 0d f7 57 b8 3e b8 54 e0 66 c1 cd 84 9b 07 b7 0c 6e 2d 5c 23 dc 73 70 3f 80 fb 2b 1c fd f5 6d e3 b8 0b db d4 f0 7c f8 33 e1 26 c1 dd 09 37 02 ce 0c d7 8b 36 af d0 70 2c cf 22 cf b7 38 ee 22 dc 79 b8 b3 70 27 e0 32 00 6f 86 ff 63 b8 ed 70 df 84 7b 1a ae 01 ee 73 70 93 90 3e 03 ee 93 70 25 d4 4f 70 2d 80 cf 87 7b 10 6e 05 dc 6a b8 5c 38 fa fb 0e ca 6b 84 7b 0c ae 19 2e f6 f7 e4 a7 a1 f7 6e fe eb d7 9d 7a b8 bb 68 9c 7f 18 2e 19 65 6c 1e b6 d3 fe c6 a9 e1 cf 98 38 fb 83 3f f8 69 da 84 9a f2 09 53 ee 15 ca 09 77 6e 05 3f 7b 95 50 c3 57 54 17 09 6b aa 85 47 16 56 d4 ac 11 aa 1f aa d0 d2 e6 63 1a d0 d2 bd fc 72 be 82 9b bd 6a 4d 4d 0c 42 38 0b aa 2a 56 c7 a2 25 0f 21 b0 bc 6a e5 e4 15 ab 56 51 5a 49 c9 e4 92 fb a7 83 0e b7 8a 5b c3 7d 9a 5b 0e bf

Source: Setup.exe, 00000009.00000002.424733940.0000000001513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Setup.exe, 00000009.00000003.264926044.0000000003390000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000009.00000003.266016756.0000000003350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: eula.rtf8.8.dr	String found in binary or memory: http://schemas.microsoft

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Tools/Prerequisiti/vcredist_x86_2010.zip HTTP/1.1Host: download.arxivar.itConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unarchiver.exe, 00000003.00000002.424561920.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\vcredist_x86_2010.zip (copy)

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,

8_2_01003972

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\inprogressinstallinfo.ipi

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01008906	8_2_01008906
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_0100911E	8_2_0100911E
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01009558	8_2_01009558
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01008286	8_2_01008286
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_0100859D	8_2_0100859D
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01008CC5	8_2_01008CC5
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_6B14CBE6	9_2_6B14CBE6

Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: String function: 6B14E8E8 appears 149 times
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: String function: 6B16265B appears 183 times

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,	8_2_01003972
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_0100358B NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	8_2_0100358B
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_010034F4 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	8_2_010034F4

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_01002B13: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle,

8_2_01002B13

Source: SetupResources.dll0.8.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SetupResources.dll5.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.8.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll7.8.dr	Static PE information: No import functions for PE file found

Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1668,i,6246966439295609251,3032567147448731362,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\vcredist_x86_2010.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq" "C:\Users\user\Downloads\vcredist_x86_2010.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Process created: C:\e2ac7bbaf115a22162e746\Setup.exe c:\e2ac7bbaf115a22162e746\Setup.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1668,i,6246966439295609251,3032567147448731362,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\vcredist_x86_2010.zip	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq" "C:\Users\user\Downloads\vcredist_x86_2010.zip	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Process created: C:\e2ac7bbaf115a22162e746\Setup.exe c:\e2ac7bbaf115a22162e746\Setup.exe	Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: classification engine

Classification label: mal52.evad.win@39/88@4/7

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Code function: 9_2_6B13DBFF __EH_prolog3,CoCreateInstance,SysFreeString,__CxxThrowException@8,SysFreeString,

9_2_6B13DBFF

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,

8_2_01004F6B

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Code function: 9_2_6B15681A __EH_prolog3,GetLastError,GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree,

9_2_6B15681A

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Code function: 9_2_6B13EFE2 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,CloseHandle,

9_2_6B13EFE2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Code function: 9_2_6B157A10 LoadResource,LockResource,SizeofResource,

9_2_6B157A10

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source:	Binary string: sfxcab.pdb source: vcredist_x86_2010.exe, vcredist_x86_2010.exe, 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, vcredist_x86_2010.exe, 00000008.00000000.258236228.0000000001002000.00000020.00000001.01000000.00000006.sdmp, vcredist_x86_2010.exe.4.dr
Source:	Binary string: sqmapi.pdb source: Setup.exe, 00000009.00000002.425644285.000000006B181000.00000020.00000001.01000000.0000000A.sdmp, sqmapi.dll.8.dr
Source:	Binary string: SetupEngine.pdb source: Setup.exe, 00000009.00000002.425686518.000000006B1B1000.00000020.00000001.01000000.00000009.sdmp, SetupEngine.dll.8.dr
Source:	Binary string: patchhooks.pdbX source: vc_red.msi.8.dr
Source:	Binary string: patchhooks.pdb source: vc_red.msi.8.dr
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000009.00000000.262259461.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Setup.exe.8.dr
Source:	Binary string: SetupUi.pdb source: Setup.exe, Setup.exe, 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, SetupUi.dll.8.dr
Source:	Binary string: SetupResources.pdb source: SetupResources.dll8.8.dr, SetupResources.dll3.8.dr, SetupResources.dll1.8.dr, SetupResources.dll7.8.dr, SetupResources.dll2.8.dr, SetupResources.dll4.8.dr, SetupResources.dll6.8.dr, SetupResources.dll5.8.dr, SetupResources.dll0.8.dr, SetupResources.dll.8.dr

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_010065F3 push ecx; ret	8_2_01006603
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_00D73DF5 push ecx; ret	9_2_00D73E08
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_6B15AA75 push ecx; ret	9_2_6B15AA88
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_6B162709 push ecx; ret	9_2_6B16271C

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

8_2_010029C2

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\SetupEngine.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: C:\e2ac7bbaf115a22162e746\1049\SetupResources.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	File created: c:\e2ac7bbaf115a22162e746\1049\eula.rtf	Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468-MSI_vc_red.msi.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected ZipBomb

Source: Yara match

File source: C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp, type: DROPPED

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5512	Thread sleep count: 137 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5512	Thread sleep time: -68500s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Dropped PE file which has not been started: C:\e2ac7bbaf115a22162e746\1049\SetupResources.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_8-2908

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

8_2_010046B9

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	API call chain: ExitProcess graph end node			graph_8-2533
Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	API call chain: ExitProcess graph end node			graph_8-2869

Source: C:\e2ac7bbaf115a22162e746\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\e2ac7bbaf115a22162e746\Setup.exe

Code function: 9_2_00D745BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_00D745BE

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

8_2_010029C2

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_01005899 InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateEventA,CreateThread,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess,

8_2_01005899

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Code function: 8_2_010062FF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_010062FF
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_00D745BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00D745BE
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_00D72BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00D72BA5
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_6B15B38A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_6B15B38A
Source: C:\e2ac7bbaf115a22162e746\Setup.exe	Code function: 9_2_6B1587C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_6B1587C1

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq" "C:\Users\user\Downloads\vcredist_x86_2010.zip	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

8_2_01004F6B

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Code function: 8_2_01003D02 AllocateAndInitializeSid,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLengthSid,GetTokenInformation,GetLengthSid,

8_2_01003D02

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

8_2_01004F6B

Source: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

8_2_01003972

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	11 Process Injection	13 Masquerading	1 Input Capture	1 System Time Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	16 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe	0%	Virustotal	Browse
C:\e2ac7bbaf115a22162e746\1028\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1028\SetupResources.dll	0%	Virustotal	Browse
C:\e2ac7bbaf115a22162e746\1031\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1031\SetupResources.dll	0%	Virustotal	Browse
C:\e2ac7bbaf115a22162e746\1033\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1033\SetupResources.dll	0%	Virustotal	Browse
C:\e2ac7bbaf115a22162e746\1036\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1040\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1041\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1042\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\1049\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\2052\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\3082\SetupResources.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\Setup.exe	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\SetupEngine.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\SetupUi.dll	0%	ReversingLabs
C:\e2ac7bbaf115a22162e746\sqmapi.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://go.microsoft.	0%	URL Reputation	safe
http://go.microsoft.	0%	URL Reputation	safe
http://schemas.microsoft	0%	URL Reputation	safe
http://schemas.microsoft	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.217.168.45	true	false	high
www.google.com	142.250.203.100	true	false	high
download.arxivar.it	95.110.165.164	true	false	high
clients.l.google.com	142.250.203.110	true	false	high
windowsupdatebg.s.llnwi.net	95.140.230.192	true	false	unknown
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	Setup.exe, 00000009.00000003.264926044.0000000003390000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000009.00000003.266016756.0000000003350000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.microsoft	eula.rtf8.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.45	accounts.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
95.110.165.164	download.arxivar.it	Italy	31034	ARUBA-ASNIT	false
142.250.203.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	846744
Start date and time:	2023-04-14 11:38:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.win@39/88@4/7
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 69.1% (good quality ratio 66.2%) Quality average: 80.3% Quality standard deviation: 27%
HCA Information:	Successful, ratio: 90% Number of executed functions: 131 Number of non-executed functions: 135

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.0.174.123, 23.0.174.121, 23.0.174.130, 23.0.174.115, 23.0.174.122, 23.0.174.128, 23.0.174.107, 23.0.174.129, 23.0.174.112, 8.253.95.121, 8.238.189.126, 67.26.137.254, 67.26.81.254, 8.248.113.254, 142.250.203.99, 34.104.35.123
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, edgedl.me.gvt1.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net
Execution Graph export aborted for target unarchiver.exe, PID 5952 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

53aa1b.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:s:s
MD5:	21438EF4B9AD4FC266B6129A2F60DE29
SHA1:	5EB8E2242EEB4F5432BEEEC8B873F1AB0A6B71FD
SHA-256:	13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354
SHA-512:	37436CED85E5CD638973E716D6713257D692F9DD2E1975D5511AE3856A7B3B9F0D9E497315A058B516AB31D652EA9950938C77C1AD435EA8D4B49D73427D1237
Malicious:	false
Reputation:	low
Preview:	0..

C:\Config.Msi\53aa18.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	4195
Entropy (8bit):	5.276452201925073
Encrypted:	false
SSDEEP:	96:K/KOK7u5NVhltLngqA6tRe4nXtvRqd2nX/KuKDvRqd2KuKGWnninzVoiVlZ:KipSNrlBngqreXJGJGPF
MD5:	19648368E84FE527704BACFD95D7C80A
SHA1:	BA4BC15E6282437347FC2BE0CEA6265CEA14F9D5
SHA-256:	574EA3BBEA3537EAB38E8F0D686137A72E6013E3CEBED7753F1D1C8A646FD9D2
SHA-512:	3F77BE8C77163E9D57EFC062EC6648B8182F0C3A818352A103B9419BA35B23AF479D1950321032D9C6C43D1F75D4E05AF391FC4576BF69E933D79B60B5706C63
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.\.V.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RemoveODBC..Removing ODBC components....InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]G...c:\Config.Msi\53aa19.rbf....c:\Config.Msi\53aa19.rbf..l.c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86.@ ....@Pm...@.......@.....@.................@..@.G...c:\Config.Msi\53aa1a.rbf....c:\Config.Msi\53aa1a.rbf..l.c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86.@ ....@P....@.......@.....@.................@..@..

C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5073240
Entropy (8bit):	7.998813387067771
Encrypted:	true
SSDEEP:	98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
MD5:	B88228D5FEF4B6DC019D69D4471F23EC
SHA1:	372D9C1670343D3FB252209BA210D4DC4D67D358
SHA-256:	8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
SHA-512:	CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HFI5FB1.tmp.html

Download File

Process:	C:\e2ac7bbaf115a22162e746\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Reputation:	low
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\HFI88B8.tmp.html

Download File

Process:	C:\e2ac7bbaf115a22162e746\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	5200
Entropy (8bit):	3.6462195043117687
Encrypted:	false
SSDEEP:	48:35QV1+K03KGQ085QkK45QO+5QrJQhPq5QPL45Qn+5QU8K03KGQpTAh85QvOLbZf3:yfKkSHLRaAbejJA0YAyjVje
MD5:	B76DB2CA82AD206BEAF490F5F7D0C153
SHA1:	6CEA3ED2637FF0224D86B98EA4662D03E3188397
SHA-256:	F52667672F050844A7BB43587550656FAA580B886C2EF583805E0D07B52D61F0
SHA-512:	8FA9C96989E4F1857DD315B70B059BAC07F5DF2FA14290B19367FCFF3EDC058EA07AC3CF9DAF0B52A8F5206D4C361016712A10F6482103FFF17776F74B831145
Malicious:	false
Reputation:	low
Preview:	....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.4./.2.0.2.3.,. .1.1.:.3.9.:.2.2.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a. .r.e.p.a.i.r.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.4./.2.0.2.3.,. .1.1.:.3.9.:.2.2.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.4./.2.0.2.3.,. .1.1.:.3.9.:.2.2.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.v.c._.r.e.

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468-MSI_vc_red.msi.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
Category:	dropped
Size (bytes):	199612
Entropy (8bit):	3.7716063283173753
Encrypted:	false
SSDEEP:	1536:caXGyGOlWRf5L2/ELUZu7JPl0p8mewa3g9mwT8oCpwZJroiKYSRZ8506IaL8ISWG:cDjCq
MD5:	59F8BECF3F82F4C75520D5EDB40997C6
SHA1:	B9C8BD2D142076EE020C7E091761C2F027725B75
SHA-256:	01B750492A4848DCA66969D9A87224BCFA47B52BE0A0804EA46F9124EB5902CB
SHA-512:	EB528F80DE280A696104C43168576605D30C981B9D5B1DA1D3860C32A40938A6C0F93901FE1F52B88AB72368345C4E6324359778C06748C794E9B94E0089BD55
Malicious:	false
Reputation:	low
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .4./.1.4./.2.0.2.3. . .1.1.:.3.9.:.2.3. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.e.2.a.c.7.b.b.a.f.1.1.5.a.2.2.1.6.2.e.7.4.6.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.4.:.D.4.). .[.1.1.:.3.9.:.2.3.:.8.0.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.4.:.D.4.). .[.1.1.:.3.9.:.2.3.:.8.0.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.F.4.:.D.4.). .[.1.1.:.3.9.:.2.3.:.8.0.3.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .c.:.\.e.2.a.c.7.b.b.a.f.1.1.5.a.2.2.1.6.2.e.7.4.6.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . ........ .A.c.t.i.o.n.:. ..... . . . . . . . . . . ........ .C.o.m.m.a.n.d.L.i.n.e.:. ...............M.S.I. .(.c.). .(.F.4.:.D.4.). .[.1.1.:.3.9.:.2.3.:.8.0.3.

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468.html

Download File

Process:	C:\e2ac7bbaf115a22162e746\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (357), with CRLF line terminators
Category:	dropped
Size (bytes):	74422
Entropy (8bit):	3.685188542402743
Encrypted:	false
SSDEEP:	768:fdsOTLyUFJFEWUxFzvTJwaXLu0Q563zo6I6Rkz0Sfy9F0S+rajMm:fdsWyUr+WUxpvTvQ5Ir
MD5:	45EE1B1F6D17223E1DFC5FA11C237190
SHA1:	7E2CC2CDCAD125BC62B32E45BD5529D6CF4D86C7
SHA-256:	2B3FCDE32EED2B617C3C13D4C77394981FFEC8D03008F81C5798CBF33134FAFD
SHA-512:	120315D5C344E17D11B69CDE4D47D555A4A1CBA0B9AB8CC916D15CC3BE05B78C064A70A01C165DFC313DA27FFA8ECE974EE713050639BEFA564F8AA4558ECAC0
Malicious:	false
Reputation:	low
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\Setup_20230414_113905902.html

Download File

Process:	C:\e2ac7bbaf115a22162e746\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (323), with CRLF line terminators
Category:	dropped
Size (bytes):	29168
Entropy (8bit):	3.71120841192511
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjPhAAXA+/CKl:fdsOT01KcBUFJFEWUxFzvHzJw+/CK8S
MD5:	FBF44244C25B151FB3542C86530FCD41
SHA1:	0D9DF7DA29107D31E1CF3115A9CBF2701581162C
SHA-256:	D379BB1BBA28B3310015D798ECF17D40E929FF60F8C29041740B001FE6868F21
SHA-512:	592A7E5EE4569C9EDC5DBDBE436D4E7A1B1094271077EB181C85EA7F3598840D4964622008312B869F4DC1BEFFFBBC351F514EFA4D6023DB6677CB5480F12A55
Malicious:	false
Reputation:	low
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1496
Entropy (8bit):	5.155571040070919
Encrypted:	false
SSDEEP:	24:f/IiJZiJjWIZiJZiJUwniJfl7kiJZiJFTgGiJbTiJhGiJoyiJagiJZiJxzoiJZiw:f/IGZGbZGZGpnGd7kGZGpgGGbTGhGGhE
MD5:	5631DCFF4B1E2301258E60E44B6A0D93
SHA1:	F1F7F57B8ABBBE8814093D869FAA7BE1CE5DE765
SHA-256:	5175808CC2AC9BDBB6199AD2A681709E950C5EE4DC4CD9E8C044B78DCCFD2481
SHA-512:	8E371A6D5DB317E57290078C8D30DC3BF46421C158696BA6D92BEBB7930AEE061B606B90ECA5D4763F3441029FC2DD853FDDFC66860F5396DFEC33B2284902E0
Malicious:	false
Reputation:	low
Preview:	04/14/2023 11:39 AM: Unpack: C:\Users\user\Downloads\vcredist_x86_2010.zip..04/14/2023 11:39 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq..04/14/2023 11:39 AM: Received from standard out: ..04/14/2023 11:39 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/14/2023 11:39 AM: Received from standard out: ..04/14/2023 11:39 AM: Received from standard out: Scanning the drive for archives:..04/14/2023 11:39 AM: Received from standard out: 1 file, 5051101 bytes (4933 KiB)..04/14/2023 11:39 AM: Received from standard out: ..04/14/2023 11:39 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\vcredist_x86_2010.zip..04/14/2023 11:39 AM: Received from standard out: --..04/14/2023 11:39 AM: Received from standard out: Path = C:\Users\user\Downloads\vcredist_x86_2010.zip..04/14/2023 11:39 AM: Received from standard out: Type = zip..04/14/2023 11:39 AM: Received from standard out: Physical Size = 5051101

C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	414756
Entropy (8bit):	7.999358336189364
Encrypted:	true
SSDEEP:	12288:mMBEny0rDhN4jRBGDz6nP1hHN3dJ8Pd7ufKcE9:m7/MfG/6dtJdA+KcE9
MD5:	976DFD77A913FA55C49F64F1D5ADD9A6
SHA1:	C36B5E1136B077FA768AD709D0C2961A2088B978
SHA-256:	F5D91FBDA9A48E5CB65E264CB083F2D418AC869BED5C9344257ABB81FF8C8078
SHA-512:	32FC738470D10FBA14067BF5816CAA64D82D24464A806A3CC024F60A356E9C3FA39648405A6BE917F1858E6495169E3420F0EFA5D320E0D48C689A40B0B68E14
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp, Author: Joe Security
Reputation:	low
Preview:	PK.........P"I...-.M.XiM.....vcredist_x86_2010.exe.\k\|TG....&..$m..,4h.....&..T.lX.%%..$]V.1....6..47.[.Z.(Z..<.GB0..).J.....E..%.R..3.n6.....~0...3g..9s..k..\|.3p.g.S..k..\.....6..a..._.k....E..5...5.W/.........OW8......s.x...YQ19%%)3F......s........x..g.x..y#..t..0........qs.<.......x.m)..$...QLy...\...XX.q&\|..c...H.s...c....._...6m.-.P.........%.......x...A}...?..2_....g.......X6y.r~9...S.N4...."eruM5X...<p..q.C..5...........7...w.Y.{....n..pMp.6.y......V.........;.W...."83.......<.........8...0..Y.'./.6..`3h....#....9.6.d..p....V...}.n;......;...g.6..}.n..(/.....n;.........W.>.T.f......n-\#.sp?..+...m.....\|.3.&...7....6..p,.".8.".y..p'.2.o..c..p.{....sp..>..p%.Op-..{.n..j.\8....k.{........n...z..h.....el.......8..?.i....S....wn.?{.P.WT..k..G.V........c....r....jMM.B8..V.%.!..j....VQZI........[.}.[...+@..*...zn>.^.....Ax....R.>..$.$Q..T..z.C.55..\|.b.#...U.+..QW~Mu..z.Z@...{z,q......OF.[.g...ZY.V..WU..Q.r....5...S.BA...\|x

C:\Users\user\Downloads\vcredist_x86_2010.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	5051101
Entropy (8bit):	7.999842058771493
Encrypted:	true
SSDEEP:	98304:2iTPA+uPfYHlruGsJ5FvhmJOJvZPZ7OX/qFxnrUmGGTgmu5zPpxQYjgMRHgVqLhE:v0+2fGlrkJFmUBZZ7uiFl4mGjRGMR+qu
MD5:	85795C16356998C3C01A84B5188A0077
SHA1:	85602F6D565637B9ED2B7F666E1E3700614965B8
SHA-256:	038039C76EC0BCDDF58D77301720245C7DC32550715E39E4AFCB8EA450BCBB0B
SHA-512:	6CF163C409BCAA78C4B431FD1AE9D018DE48E42979E7C4328A0BF1116D1BFE83813B8F7912E82E9BBB11F557F81EAA03501194C9102D7E2E3572F2F48F932101
Malicious:	true
Reputation:	low
Preview:	PK.........P"I...-.M.XiM.....vcredist_x86_2010.exe.\k\|TG....&..$m..,4h.....&..T.lX.%%..$]V.1....6..47.[.Z.(Z..<.GB0..).J.....E..%.R..3.n6.....~0...3g..9s..k..\|.3p.g.S..k..\.....6..a..._.k....E..5...5.W/.........OW8......s.x...YQ19%%)3F......s........x..g.x..y#..t..0........qs.<.......x.m)..$...QLy...\...XX.q&\|..c...H.s...c....._...6m.-.P.........%.......x...A}...?..2_....g.......X6y.r~9...S.N4...."eruM5X...<p..q.C..5...........7...w.Y.{....n..pMp.6.y......V.........;.W...."83.......<.........8...0..Y.'./.6..`3h....#....9.6.d..p....V...}.n;......;...g.6..}.n..(/.....n;.........W.>.T.f......n-\#.sp?..+...m.....\|.3.&...7....6..p,.".8.".y..p'.2.o..c..p.{....sp..>..p%.Op-..{.n..j.\8....k.{........n...z..h.....el.......8..?.i....S....wn.?{.P.WT..k..G.V........c....r....jMM.B8..V.%.!..j....VQZI........[.}.[...+@..*...zn>.^.....Ax....R.>..$.$Q..T..z.C.55..\|.b.#...U.+..QW~Mu..z.Z@...{z,q......OF.[.g...ZY.V..WU..Q.r....5...S.BA...\|x

C:\Users\user\Downloads\vcredist_x86_2010.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	5051101
Entropy (8bit):	7.999842058771493
Encrypted:	true
SSDEEP:	98304:2iTPA+uPfYHlruGsJ5FvhmJOJvZPZ7OX/qFxnrUmGGTgmu5zPpxQYjgMRHgVqLhE:v0+2fGlrkJFmUBZZ7uiFl4mGjRGMR+qu
MD5:	85795C16356998C3C01A84B5188A0077
SHA1:	85602F6D565637B9ED2B7F666E1E3700614965B8
SHA-256:	038039C76EC0BCDDF58D77301720245C7DC32550715E39E4AFCB8EA450BCBB0B
SHA-512:	6CF163C409BCAA78C4B431FD1AE9D018DE48E42979E7C4328A0BF1116D1BFE83813B8F7912E82E9BBB11F557F81EAA03501194C9102D7E2E3572F2F48F932101
Malicious:	false
Reputation:	low
Preview:	PK.........P"I...-.M.XiM.....vcredist_x86_2010.exe.\k\|TG....&..$m..,4h.....&..T.lX.%%..$]V.1....6..47.[.Z.(Z..<.GB0..).J.....E..%.R..3.n6.....~0...3g..9s..k..\|.3p.g.S..k..\.....6..a..._.k....E..5...5.W/.........OW8......s.x...YQ19%%)3F......s........x..g.x..y#..t..0........qs.<.......x.m)..$...QLy...\...XX.q&\|..c...H.s...c....._...6m.-.P.........%.......x...A}...?..2_....g.......X6y.r~9...S.N4...."eruM5X...<p..q.C..5...........7...w.Y.{....n..pMp.6.y......V.........;.W...."83.......<.........8...0..Y.'./.6..`3h....#....9.6.d..p....V...}.n;......;...g.6..}.n..(/.....n;.........W.>.T.f......n-\#.sp?..+...m.....\|.3.&...7....6..p,.".8.".y..p'.2.o..c..p.{....sp..>..p%.Op-..{.n..j.\8....k.{........n...z..h.....el.......8..?.i....S....wn.?{.P.WT..k..G.V........c....r....jMM.B8..V.%.!..j....VQZI........[.}.[...+@..*...zn>.^.....Ax....R.>..$.$Q..T..z.C.55..\|.b.#...U.+..QW~Mu..z.Z@...{z,q......OF.[.g...ZY.V..WU..Q.r....5...S.BA...\|x

C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\CacheSize.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:s:s
MD5:	21438EF4B9AD4FC266B6129A2F60DE29
SHA1:	5EB8E2242EEB4F5432BEEEC8B873F1AB0A6B71FD
SHA-256:	13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354
SHA-512:	37436CED85E5CD638973E716D6713257D692F9DD2E1975D5511AE3856A7B3B9F0D9E497315A058B516AB31D652EA9950938C77C1AD435EA8D4B49D73427D1237
Malicious:	false
Reputation:	low
Preview:	0..

C:\Windows\Installer\MSIAAE2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	875
Entropy (8bit):	5.476495989853316
Encrypted:	false
SSDEEP:	24:PBVPUt1bFjkPUt1wkUyHVFPJXkXZIMEVlt1U5:P/Pa1xIPa1wtybPZe3EVlt1e
MD5:	62F5F1032E3105280EE2A6957FDE4232
SHA1:	541FE62D9E5EEB38D050A6218915C70FF5828E0C
SHA-256:	F46CF3929646A04A9B6412B44EBB42DD4CEFCE4BBBBFEF3ECD54BC6C41D2126B
SHA-512:	FC6E2CEDF2AD2190BBC47DD7C580AAC0F13118A3BD419C5562E622F6DA47B4E5C849AB8C5CABB825AA495C96AD6C3B7866B64B7C9B7EE5E28E8937D30DB55589
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.\.V.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RemoveODBC..Removing ODBC components..T....@....T....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}..10.0.30319........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}..c:\e2ac7bbaf115a22162e746\...@.....@.....@....

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6013287597368349
Encrypted:	false
SSDEEP:	48:t8PhuuRc06WXJanT5nAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:Qhu1RnTZAIK9/nVCAhWn5eJZoB
MD5:	7E56A6300A71F702A4726B956F50056B
SHA1:	D3BFBBF8186AC797D4A38F929B1FE9CF5FD7E5CE
SHA-256:	E1A821B8616FD0D21450BD56E8657164CE53F33974BFB80EDF4FC7AE3974EF0E
SHA-512:	3A7AE3B57DC981B13F707455730212A4084CF14ED7DA123DCF45F87743199F4B1AE0CD738144D89451E5C375060B77C2E02E0979D36A8F1C30F113D608FA3388
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	192827
Entropy (8bit):	5.392017125723381
Encrypted:	false
SSDEEP:	3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFo:i0LVlAPm
MD5:	B41A3D9602FE07FED10266534B1F974C
SHA1:	87F02D2C7030F81A143899075A13076A77A9427E
SHA-256:	41F734650E0478D1D6A8797C1A226F55DD08EE656933450ECF70D48DFC6AEFD5
SHA-512:	70E3BDD92146B86A3A694C8F41BC452B43657036468243E4196958B1085EA9D383901206CC10506EB3FA98946116B02B3A27EF871EF91685D219549BB76E8F04
Malicious:	false
Reputation:	low
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

C:\Windows\Temp\~DF0DAC30E2917274D7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2793997578462577
Encrypted:	false
SSDEEP:	48:JzmuXM+8FXJpT5uAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:RmPRTUAIK9/nVCAhWn5eJZoB
MD5:	FA26C9EBBCB4885664F331155481DB9F
SHA1:	68A7CCA75339F68AE0D04AB1A0A10B8DD5568BDE
SHA-256:	500BD4FFF7622B8149B29B485766240AB1A1C83AAAACA3DA375CCF8C9E0DB296
SHA-512:	584C8373B9C8D3CE20B9F76E89B96A4A5E3DD73292E0E9DE806CACB531E1F695173324C6FB3A32B8B59F211C5C3CA8EEE32523F6674B843045244667F626CFE5
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF141E45E6E145673A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2793997578462577
Encrypted:	false
SSDEEP:	48:JzmuXM+8FXJpT5uAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:RmPRTUAIK9/nVCAhWn5eJZoB
MD5:	FA26C9EBBCB4885664F331155481DB9F
SHA1:	68A7CCA75339F68AE0D04AB1A0A10B8DD5568BDE
SHA-256:	500BD4FFF7622B8149B29B485766240AB1A1C83AAAACA3DA375CCF8C9E0DB296
SHA-512:	584C8373B9C8D3CE20B9F76E89B96A4A5E3DD73292E0E9DE806CACB531E1F695173324C6FB3A32B8B59F211C5C3CA8EEE32523F6674B843045244667F626CFE5
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF30A36F5A7EF87F94.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.14867103132748344
Encrypted:	false
SSDEEP:	48:PBj5Zfz7WeUJ4SbedCaSyedCVEFAn/KhA:PBFZue9Wna/nVCA/KhA
MD5:	044A903BF2CF71013632142ACD9237E5
SHA1:	0E132E202A8C9C2B7F8A8E2F18A67F117BF9579D
SHA-256:	AAF27EF3E3D60AD8741AACC46264F355DF2CAFB85CFC6A635AD8E0AB542E7DD5
SHA-512:	028FAEB80958D0490AAA72570EE2632721BF8328EC55245FEDD914FF531DC12876184E50653B52B048F7442B1F2E3FE41EAB9B217A828758E34863E3A81E5082
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF32C112041162C036.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3FAD030D82DC6304.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6013287597368349
Encrypted:	false
SSDEEP:	48:t8PhuuRc06WXJanT5nAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:Qhu1RnTZAIK9/nVCAhWn5eJZoB
MD5:	7E56A6300A71F702A4726B956F50056B
SHA1:	D3BFBBF8186AC797D4A38F929B1FE9CF5FD7E5CE
SHA-256:	E1A821B8616FD0D21450BD56E8657164CE53F33974BFB80EDF4FC7AE3974EF0E
SHA-512:	3A7AE3B57DC981B13F707455730212A4084CF14ED7DA123DCF45F87743199F4B1AE0CD738144D89451E5C375060B77C2E02E0979D36A8F1C30F113D608FA3388
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF668F5E8C546A1001.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF72622D02220F8B41.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF924E29EB1FF1DBA2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBEEE1E8683A8CAD0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2793997578462577
Encrypted:	false
SSDEEP:	48:JzmuXM+8FXJpT5uAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:RmPRTUAIK9/nVCAhWn5eJZoB
MD5:	FA26C9EBBCB4885664F331155481DB9F
SHA1:	68A7CCA75339F68AE0D04AB1A0A10B8DD5568BDE
SHA-256:	500BD4FFF7622B8149B29B485766240AB1A1C83AAAACA3DA375CCF8C9E0DB296
SHA-512:	584C8373B9C8D3CE20B9F76E89B96A4A5E3DD73292E0E9DE806CACB531E1F695173324C6FB3A32B8B59F211C5C3CA8EEE32523F6674B843045244667F626CFE5
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD5E268768AC254B2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFED40C4E43762C968.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6013287597368349
Encrypted:	false
SSDEEP:	48:t8PhuuRc06WXJanT5nAIK9SyedCVEFAnhSbedCOWeUJydZfQBj:Qhu1RnTZAIK9/nVCAhWn5eJZoB
MD5:	7E56A6300A71F702A4726B956F50056B
SHA1:	D3BFBBF8186AC797D4A38F929B1FE9CF5FD7E5CE
SHA-256:	E1A821B8616FD0D21450BD56E8657164CE53F33974BFB80EDF4FC7AE3974EF0E
SHA-512:	3A7AE3B57DC981B13F707455730212A4084CF14ED7DA123DCF45F87743199F4B1AE0CD738144D89451E5C375060B77C2E02E0979D36A8F1C30F113D608FA3388
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\$shtdwn$.req

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	data
Category:	dropped
Size (bytes):	788
Entropy (8bit):	0.09823380614560741
Encrypted:	false
SSDEEP:	3:lbll/:lB
MD5:	DF7119A5D3CAEDA80BF0FB6F8E53DE8F
SHA1:	76458E1D2E0FA4519FACB71A5F23F8799713BE2B
SHA-256:	3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
SHA-512:	85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
Malicious:	false
Reputation:	low
Preview:	Sdwn................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1028\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
Category:	dropped
Size (bytes):	30672
Entropy (8bit):	4.2936704552740705
Encrypted:	false
SSDEEP:	384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
MD5:	7FC06A77D9AAFCA9FB19FAFA0F919100
SHA1:	E565740E7D582CD73F8D3B12DE2F4579FF18BB41
SHA-256:	A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
SHA-512:	466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .x.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .I.A.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P\Omi.\|q}.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. ..SI.ce\|vWY.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c.

C:\e2ac7bbaf115a22162e746\1028\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	5.9724110685335825
Encrypted:	false
SSDEEP:	192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:	7C136B92983CEC25F85336056E45F3E8
SHA1:	0BB527E7004601E920E2AAC467518126E5352618
SHA-256:	F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:	06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1028\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	188446
Entropy (8bit):	4.98936861773382
Encrypted:	false
SSDEEP:	3072:vjB8N7T+SN6FY5PmQlivKawlrIMUkYfkv8CshgJNgRJAoJvIrOJBElrhzxQXK6uG:o7SSN6FYtmQlivKawlrIMUkYfkv8Cs4U
MD5:	129D8E8824B0D545ADC29E571A6E2C02
SHA1:	5A1DDFCD2AE21D96C818D315CB5E263F525A39CD
SHA-256:	83B8268E2874699227F9B1AD3F72A06CBF474EFA3983F5C5EE9BFE415DB98476
SHA-512:	1048F646D5866DC8736DB0A023A65A7E208A5F56774FA8EC5D59E4272A54A9A6E94B01B84293A7EC9F889BAD7865522E783AF30BF61BB9249687DCEAC62066D8
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ???????????????????????????\'a1\'ec???};}{\f14\fbidi \froman\fcharset136\fprq2{\\panose 02020500000000000000}PMingLiU{\\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\fa

C:\e2ac7bbaf115a22162e746\1031\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
Category:	dropped
Size (bytes):	41622
Entropy (8bit):	3.577523249714746
Encrypted:	false
SSDEEP:	384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
MD5:	B83C3803712E61811C438F6E98790369
SHA1:	61A0BC59388786CED045ACD82621BEE8578CAE5A
SHA-256:	2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
SHA-512:	E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .x.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.a.l.l.i.e.r.t. .w.e.r.d.e.n..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .I.A.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.

C:\e2ac7bbaf115a22162e746\1031\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.135663555520085
Encrypted:	false
SSDEEP:	384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
MD5:	7C9AE49B3A400C728A55DD1CACC8FFB2
SHA1:	DD3A370F541010AD650F4F6AA42E0CFC68A00E66
SHA-256:	402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
SHA-512:	D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......D....@.......................................... ..`+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1031\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	163866
Entropy (8bit):	5.029712171633306
Encrypted:	false
SSDEEP:	3072:oiJ+vgRJA8J/snalBEm0OgKXIJR10GZybh2C:aQ
MD5:	117DABB5A055B09B6DB6BCBA8F911073
SHA1:	E8F5D907939400824CC5DADB681852C35CA7BB79
SHA-256:	DAEA9CD8151A2C24A87C3254DEC1DE0463234E44922C8E0AA4E01AB58EC89664
SHA-512:	E995D03998BE9F07F9E9B8566E429D3795ADBDEEEFB2048D6B8877CE15A0ABFCE4FAAEE8DC773250495C15CC35FD0040D81593B51067533836D5F3CF8612D3C4
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ???????????????????????????\'a1\'ec???};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fpr

C:\e2ac7bbaf115a22162e746\1033\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
Category:	dropped
Size (bytes):	39246
Entropy (8bit):	3.5443876937052083
Encrypted:	false
SSDEEP:	192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
MD5:	D642E322D1E8B739510CA540F8E779F9
SHA1:	36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
SHA-256:	5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
SHA-512:	E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .

C:\e2ac7bbaf115a22162e746\1033\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17240
Entropy (8bit):	5.151474565875158
Encrypted:	false
SSDEEP:	192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
MD5:	9547D24AC04B4D0D1DBF84F74F54FAF7
SHA1:	71AF6001C931C3DE7C98DDC337D89AB133FE48BB
SHA-256:	36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
SHA-512:	8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P......<f....@.......................................... ...%...........,..X............................................................................................text...G...........................@..@.rsrc....%... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1033\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	7080
Entropy (8bit):	4.934776172726828
Encrypted:	false
SSDEEP:	192:9fcddvfbS9u6zZ+kodpj4eQ1lhcgi5X90vJqpsSih2:y/fbSZ/odpjmlhcgi5NSkRA2
MD5:	19D028345AADCC05697EEC6D8C5B5874
SHA1:	70BD3D4D51373FB82F0257F28D5F3609BFC82520
SHA-256:	F4FF4EACE31B75176A0806E1693041D546D2599AEC0C77D295BAD09CAC7D9FE7
SHA-512:	9B3DFFEC7C1595197AF69E59094588541558BEF56982475DDDD2C9E3D75FC8B970B384452713632AE20435EC0CAEC6CC4CD8CEC9CD4B4809335FDC9F2CC7B842
Malicious:	false
Reputation:	low
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\f1\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\tx360\f2\'b7\tab\f0 updates,\f1\par..\f2\'b7\tab\f0 supplements,\f1\par..\f2\'b7\tab\f0 Internet-based services, and \f1\par..\f2\'b7\tab\f0 support services\f1\par.

C:\e2ac7bbaf115a22162e746\1036\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
Category:	dropped
Size (bytes):	41492
Entropy (8bit):	3.5522209001567364
Encrypted:	false
SSDEEP:	192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
MD5:	E382ABC19294F779D2833287242E7BC6
SHA1:	1CEAE32D6B24A3832F9244F5791382865B668A72
SHA-256:	43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
SHA-512:	06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .x.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.l.l... .s.u.r. .c.e.t.t.e. .p.l.a.t.e.f.o.r.m.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .I.A.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.

C:\e2ac7bbaf115a22162e746\1036\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.112489568342605
Encrypted:	false
SSDEEP:	384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
MD5:	93F57216FE49E7E2A75844EDFCCC2E09
SHA1:	DCCD52787F147E9581D303A444C8EE134AFC61A8
SHA-256:	2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
SHA-512:	EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P......B\|....@.......................................... ...+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1036\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	162915
Entropy (8bit):	5.023428742885146
Encrypted:	false
SSDEEP:	3072:Xn6ipERiA7JzI3ilBEBr97dQnKG5zpZ27KN4:KiZ
MD5:	BBBBB0BDA00FDA985BB39FEE5FD04FF8
SHA1:	3053CF30FAD92F133AD3EA7EEFB8C729D323EA00
SHA-256:	3CB591E6801E91FE58E79449F7C99B88C3BA0ACE5D922B4AA0C8F2CDD81854BD
SHA-512:	32CC1B0F033B13D7614F8BD80DE4D3F9D4668632010BCB563E90773FB2F4971D19206C46B0C2B0E55308CA14F4DEAF5EB415DAE5F2C0C4331B5DF0AE44B2F61E
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff38\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ????????????????????????????\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma{\\falt ?? ??};}{\f39\fbidi \fswiss\f

C:\e2ac7bbaf115a22162e746\1040\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
Category:	dropped
Size (bytes):	40338
Entropy (8bit):	3.5295538496820984
Encrypted:	false
SSDEEP:	384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
MD5:	0AF948FE4142E34092F9DD47A4B8C275
SHA1:	B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
SHA-256:	C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
SHA-512:	D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .r.i.c.h.i.e.d.e. .u.n.a. .p.i.a.t.t.a.f.o.r.m.a. .x.6.4... .I.m.p.o.s.s.i.b.i.l.e. .e.s.e.g.u.i.r.e. .l.'.i.n.s.t.a.l.l.a.z.i.o.n.e. .s.u. .q.u.e.s.t.a. .p.i.a.t.t.a.f.o.r.m.a..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .r.i.c.h.i.e.d.e. .u.n.a. .p.i.a.t.t.a.f.o.r.m.a. .I.A.6.4... .I.m.p.o.s.s.i.b.i.l.

C:\e2ac7bbaf115a22162e746\1040\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.142702232041524
Encrypted:	false
SSDEEP:	384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
MD5:	E4860FC5D4C114D5C0781714F3BF041A
SHA1:	864CE88E8AB1DB9AFF6935F9231521B6B72D5974
SHA-256:	6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
SHA-512:	39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......^.....@.......................................... ...)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1040\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	189369
Entropy (8bit):	4.993456059906976
Encrypted:	false
SSDEEP:	3072:8K91dpBgRJA8J/snalBEm0OgKXIJR10GZybh2C:8aK
MD5:	F1602100F6C135AB5D8026E9248BAF02
SHA1:	DEBE92E8761F5320352DCFFE844FB25A10E9EA14
SHA-256:	284A8BBA438DA22A1B4F497B0B4ED1D9886184859527B87FF7350C83F198AB2D
SHA-512:	2A0FBEF3114B54EDB400D913D317A5097801834BEE0FB536B0FF645DD1CA40A1451945AD563119A5BA80F26B51CDA8B23E93BE71D7C82723AFEDE3CBF1DA00C6
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ?????????????????????????????\'a1\'ec?};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma{\\falt ?? ??};}{\f39\fbidi \fsw

C:\e2ac7bbaf115a22162e746\1041\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
Category:	dropped
Size (bytes):	34318
Entropy (8bit):	4.3825885013202255
Encrypted:	false
SSDEEP:	192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
MD5:	7FCFBC308B0C42DCBD8365BA62BADA05
SHA1:	18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
SHA-256:	01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
SHA-512:	CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S0n0.0.0.0.0.0.0 ..0.0.0.0.0o0 .x.6.4. ..0.0.0.0.0.0.0n0.0.0.[a.h0W0f0D0~0Y0.0S0.0o0S0n0.0.0.0.0.0.0.0.0k0o0.0.0.0.0.0.0g0M0~0[0.0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S0n0.0.0.0.0.0.0 ..0.0.0.0.0o0 .I.A.6.4. ..0.0.0.0.0.0.0n0.0.0.[a.h0W0f0D0~0Y0.0S0.0o0S0n0.0.0.0.0.0.0.0.0k0o0.0.0.0.0.0.0g0M0~0[0.0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.

C:\e2ac7bbaf115a22162e746\1041\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15704
Entropy (8bit):	5.929554826924656
Encrypted:	false
SSDEEP:	192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
MD5:	278FD7595B580A016705D00BE363612F
SHA1:	89A299A9ABECB624C3606267371B7C07B74B3B26
SHA-256:	B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
SHA-512:	838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!........."...............................................@............@.......................................... ..h............&..X............................................................................................text...G...........................@..@.rsrc.... ... ... ..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1041\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	181054
Entropy (8bit):	4.962328655200384
Encrypted:	false
SSDEEP:	3072:7vykJ9MRJAwJjAXetBE1rRbe+KusGWqcJ2V:fJ
MD5:	89D66A0B94450729015D021BC8F859E9
SHA1:	C9AD4C7DCDAFEAD282DAA1C214E7A0EAB567FFD5
SHA-256:	6A1884515CC4378D732F681934658252A4B45D76CE7F53CF8650BE794CC8D390
SHA-512:	336A5B1CBF2F52DF5B151A564C8452826D253F9FC565C865D7BA37B91229996D9AE59603350BD5CD99352ED63D265D8578095560CB7DE67DA7E1AA2135FBF0FB
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff38\deff0\stshfdbch13\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ??????????????????????????????\'a8\'ac};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\f

C:\e2ac7bbaf115a22162e746\1042\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
Category:	dropped
Size (bytes):	32962
Entropy (8bit):	4.366055142656104
Encrypted:	false
SSDEEP:	192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
MD5:	71DFD70AE141F1D5C1366CB661B354B2
SHA1:	C4B22590E6F6DD5D39E5158B831AE217CE17A776
SHA-256:	CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
SHA-512:	5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .x.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .I.A.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. ..... ........... .M.i.c.r.o.s.o.f.

C:\e2ac7bbaf115a22162e746\1042\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15192
Entropy (8bit):	5.9622226182057325
Encrypted:	false
SSDEEP:	192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
MD5:	FCFD69EC15A6897A940B0435439BF5FC
SHA1:	6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
SHA-256:	90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
SHA-512:	4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1042\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	351492
Entropy (8bit):	4.844773730829239
Encrypted:	false
SSDEEP:	768:bNK7z5n/OLs3+lAB4HeqyOOZjYCrv1MT2hhO0kN9okLgd80UKdF8K8Zb4ajD/y9m:bI79kaIDUhOhQAUiK/9/MjZr
MD5:	8203E9FC25A5720AFB8C43E8BE10C3B0
SHA1:	FC7D9B452B6D5475FD1EF61B78E8BC6E32F08974
SHA-256:	0EBD62213F41DFFA0BCD939BDC6ABC25096E95112C217FDF27CE661A19AD0866
SHA-512:	F95DCB9C25436AE322C240A0D0ABD9F4904A5AF313CAC5CB8C90C1A5460DAD8E983347AD7540C672046E4210945B053B75313BB6D10B44B2A0BF0024B400E81E
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch12\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}Batang{\\falt \'b9\'d9\'c5\'c1};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\*\falt ??????????????????????????????\'a1\'a7};}{\f20\fbidi \froman\fcharset129\f

C:\e2ac7bbaf115a22162e746\1049\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
Category:	dropped
Size (bytes):	40428
Entropy (8bit):	4.232828720335164
Encrypted:	false
SSDEEP:	384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
MD5:	0EEB554D0B9F9FCDB22401E2532E9CD0
SHA1:	08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
SHA-256:	BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
SHA-512:	2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .x.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .I.A.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C.

C:\e2ac7bbaf115a22162e746\1049\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.548909804205606
Encrypted:	false
SSDEEP:	192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
MD5:	7EF74AF6AB5760950A1D233C582099F1
SHA1:	BF79FF66346907446F4F95E1E785A03CA108EB5D
SHA-256:	658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
SHA-512:	BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......O.....@.......................................... ..............0..X............................................................................................text...G...........................@..@.rsrc....0... .....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\1049\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	213363
Entropy (8bit):	4.934134633374225
Encrypted:	false
SSDEEP:	6144:D/fSz7yMsMyN1FyRtXSWS3SoSalsySMDS7SmSJ8SUSPsBa5IqDSySipSAS6ASGS+:pG
MD5:	5B95EFBC01DC97EE9A6C6F64A49AA62D
SHA1:	A99C984A0D5E316FE60D588A3519F2D5C805C1DE
SHA-256:	0CFACFF2B63121AD1D71376E4A3799B93B7E6D278209FE4806CCA0F74830CFC1
SHA-512:	A0B19864E68945A74BCE24C8D5EB0050ABB66C6FF6A53D0482FFA70E93EEE2957608BB9BDE535718D56CD5D7509B4DD7A1786C99BC2120344293234B7A6C2A3B
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ???????????????????????????????};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fprq2{\\p

C:\e2ac7bbaf115a22162e746\2052\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
Category:	dropped
Size (bytes):	31138
Entropy (8bit):	4.240036868712424
Encrypted:	false
SSDEEP:	192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
MD5:	52B1DC12CE4153AA759FB3BBE04D01FC
SHA1:	BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
SHA-256:	D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
SHA-512:	418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .x.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .I.A.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.d\O.\|.~.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e..0"./.>..... . . . . . .<.

C:\e2ac7bbaf115a22162e746\2052\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	6.010838262457833
Encrypted:	false
SSDEEP:	192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
MD5:	407CDB7E1C2C862B486CDE45F863AE6E
SHA1:	308AEEBEB1E1663ACA26CE880191F936D0E4E683
SHA-256:	9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
SHA-512:	7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@.......y....@.......................................... ............... ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\2052\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	225202
Entropy (8bit):	4.985888615397263
Encrypted:	false
SSDEEP:	3072:0pvaMOA6EOEGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Kho:6v+Ez0
MD5:	6E5BDDF58163B11C79577B35A87A4424
SHA1:	8AAA1008360F7B255A6A88AD02D3A00DEB8B0AE6
SHA-256:	D4A26E3756437CA8BA132AE3A73AA7A829478A847D6B9AB69A8090515CE9A60A
SHA-512:	21DD9D754C0A3A383F20259E87AA4769D6ECB36753039DCE8B644E16E0ABC3C94B4B850648E0369474C914655140E7F3CC3E808ED27E70892A863F61F8588C6E
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch31505\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ??????????????????????????\'a1\'a7????};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma{\\falt ?? ??};}{\f39\fbidi

C:\e2ac7bbaf115a22162e746\3082\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
Category:	dropped
Size (bytes):	40912
Entropy (8bit):	3.5296334743141515
Encrypted:	false
SSDEEP:	384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
MD5:	5397A12D466D55D566B4209E0E4F92D3
SHA1:	FCFFD8961FB487995543FC173521FDF5DF6E243B
SHA-256:	F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
SHA-512:	7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.s.t.e. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .r.e.q.u.i.e.r.e. .u.n.a. .p.l.a.t.a.f.o.r.m.a. .x.6.4... .N.o. .s.e. .p.u.e.d.e. .i.n.s.t.a.l.a.r. .e.n. .e.s.t.a. .p.l.a.t.a.f.o.r.m.a..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.s.t.e. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .r.e.q.u.i.e.r.e. .u.n.a. .p.l.a.t.a.f.o.r.m.a. .I.A.6.4... .N.o. .s.e. .p.u.e.d.e. .i.n.s.t.a.l.a.r. .e.n. .e.s.t.a. .p.l.a.t.

C:\e2ac7bbaf115a22162e746\3082\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.182140892959793
Encrypted:	false
SSDEEP:	192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
MD5:	B057315A8C04DF29B7E4FD2B257B75F4
SHA1:	D674D066DF8D1041599FCBDB3BA113600C67AE93
SHA-256:	51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
SHA-512:	F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P............@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\3082\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	152458
Entropy (8bit):	5.013297113523102
Encrypted:	false
SSDEEP:	3072:4zkouwFDNSMUYugRJA8J/snalBEm0OgKXIJR10GZybh2U:4zDNIYt
MD5:	A920D4F55EAE5FEBAB1082AB2BCC2439
SHA1:	CBD631427871B620E9C95417788BFCDD1CD0A2A5
SHA-256:	2FFF2122C4D176E074365775227D4208AF48F2F921BE7623EDC315CD345ACF0B
SHA-512:	28135FBD9D940F0DEEC7A059AB2998B034575CC5D6DD31B1BE501B60689860478B0A0AB5183C69B2ACBBB9C1A074BBAA215960B3FACC6A9A3B0170E27E7B2B47
Malicious:	false
Reputation:	low
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New{\\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol{\\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings{\\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\\panose 02010600030101010101}SimSun{\\falt ????????????????????????????\'a8\'ac??};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math{\\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma{\\falt ?? ??};}{\f39\fbidi \fsw

C:\e2ac7bbaf115a22162e746\DHtmlHeader.html

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Reputation:	low
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\e2ac7bbaf115a22162e746\DisplayIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	88533
Entropy (8bit):	7.210526848639953
Encrypted:	false
SSDEEP:	1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
MD5:	F9657D290048E169FFABBBB9C7412BE0
SHA1:	E45531D559C38825FBDE6F25A82A638184130754
SHA-256:	B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
SHA-512:	8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
Malicious:	false
Reputation:	low
Preview:	..............(...............h...............h...f... .............. .............. ..........^...00......h....#..00..........n)..00...........8........ .h....T.. .... .....&Y..00.... ..%...i........ ._...v...(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l.............................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\Graphics\Print.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.923507556620034
Encrypted:	false
SSDEEP:	24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
MD5:	7E55DDC6D611176E697D01C90A1212CF
SHA1:	E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
SHA-256:	FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
SHA-512:	283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
Malicious:	false
Reputation:	low
Preview:	............ .h.......(....... ..... .....@.........................................................................................t?.fR.\|bN.y_K.v\H.rXD.oUA.kQ=.hN:.eK7.cI5.cI5.cI5i.........th<..z............................................cI5.cI5...................................................qXE.cI5.cI5.......~.............................................}eS.kR>.cI5......................................................q`.w^L.cI5..............................z..~n..sb..jX.{bP.t[H..~m..kY.nT@.......................................................{..wf.zaM.......vO.......................q..r`.}cQ.w]J..lZ.......t.x^J...........}Z..................................z`M........{aM...............0..............................jY.{aO...........................................................x^K.x^Kk.....................................................n\.y_L...........................r...............................y_L.x^K&.........................s.............

C:\e2ac7bbaf115a22162e746\Graphics\Rotate1.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5118974066097444
Encrypted:	false
SSDEEP:	6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:	26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:	D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:	37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:	08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .......................................................................................................................................................................................t.r........................................p.nn.l\|.z..........................................g.e.......................................................................................P.N..........................................P.OG.FP.O..........................................?.>...................................................................................................+...........................................3.2%.$+...........................................!. ............{.{.............................................................................................~.~..................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate2.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5178766234336925
Encrypted:	false
SSDEEP:	12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:	8419CAA81F2377E09B7F2F6218E505AE
SHA1:	2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:	DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:	74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................\|.\|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate3.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5189797450574103
Encrypted:	false
SSDEEP:	12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
MD5:	924FD539523541D42DAD43290E6C0DB5
SHA1:	19A161531A2C9DBC443B0F41B97CBDE7375B8983
SHA-256:	02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
SHA-512:	86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate4.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5119705312617957
Encrypted:	false
SSDEEP:	6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
MD5:	BB55B5086A9DA3097FB216C065D15709
SHA1:	1206C708BD08231961F17DA3D604A8956ADDCCFE
SHA-256:	8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
SHA-512:	DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .............................................................................................................................................................................................................y.y...\|.\|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate5.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5083713071878764
Encrypted:	false
SSDEEP:	6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
MD5:	3B4861F93B465D724C60670B64FCCFCF
SHA1:	C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
SHA-256:	7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
SHA-512:	2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate6.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5043420982993396
Encrypted:	false
SSDEEP:	12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
MD5:	70006BF18A39D258012875AEFB92A3D1
SHA1:	B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
SHA-256:	19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
SHA-512:	97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate7.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.4948009720290445
Encrypted:	false
SSDEEP:	6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
MD5:	FB4DFEBE83F554FAF1A5CEC033A804D9
SHA1:	6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
SHA-256:	4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
SHA-512:	3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Rotate8.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.513882730304912
Encrypted:	false
SSDEEP:	12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
MD5:	D1C53003264DCE4EFFAF462C807E2D96
SHA1:	92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
SHA-256:	5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
SHA-512:	C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........

C:\e2ac7bbaf115a22162e746\Graphics\Save.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.824239610266714
Encrypted:	false
SSDEEP:	24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
MD5:	7D62E82D960A938C98DA02B1D5201BD5
SHA1:	194E96B0440BF8631887E5E9D3CC485F8E90FBF5
SHA-256:	AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
SHA-512:	AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
Malicious:	false
Reputation:	low
Preview:	............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{\|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................

C:\e2ac7bbaf115a22162e746\Graphics\Setup.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	36710
Entropy (8bit):	5.3785085024370805
Encrypted:	false
SSDEEP:	384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:	3D25D679E0FF0B8C94273DCD8B07049D
SHA1:	A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:	288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:	3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:	false
Reputation:	low
Preview:	..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\Graphics\SysReqMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.038533294442847
Encrypted:	false
SSDEEP:	24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
MD5:	661CBD315E9B23BA1CA19EDAB978F478
SHA1:	605685C25D486C89F872296583E1DC2F20465A2B
SHA-256:	8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
SHA-512:	802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
Malicious:	false
Reputation:	low
Preview:	............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.\|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................

C:\e2ac7bbaf115a22162e746\Graphics\SysReqNotMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.854644771288791
Encrypted:	false
SSDEEP:	24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
MD5:	EE2C05CC9D14C29F586D40EB90C610A9
SHA1:	E571D82E81BD61B8FE4C9ECD08869A07918AC00B
SHA-256:	3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
SHA-512:	0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
Malicious:	false
Reputation:	low
Preview:	............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......\|\|..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................\|\|..ef..jk..................$%d....................W....................................*,n.............................HI......................WY

C:\e2ac7bbaf115a22162e746\Graphics\stop.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	6.016582854640062
Encrypted:	false
SSDEEP:	96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
MD5:	5DFA8D3ABCF4962D9EC41CFC7C0F75E3
SHA1:	4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
SHA-256:	B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
SHA-512:	69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
Malicious:	false
Reputation:	low
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy

C:\e2ac7bbaf115a22162e746\Graphics\warn.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	4.3821301214809045
Encrypted:	false
SSDEEP:	192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
MD5:	B2B1D79591FCA103959806A4BF27D036
SHA1:	481FD13A0B58299C41B3E705CB085C533038CAF5
SHA-256:	FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
SHA-512:	5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
Malicious:	false
Reputation:	low
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........

C:\e2ac7bbaf115a22162e746\ParameterInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
Category:	dropped
Size (bytes):	8968
Entropy (8bit):	3.5907064103424333
Encrypted:	false
SSDEEP:	192:gCwdBdVv3CL021BqG2ahBCw2G2X2BCEj2G2KQ6G2nCw+KFl:kRPGiGPKGPGYCrKFl
MD5:	66590F13F4C9BA563A9180BDF25A5B80
SHA1:	D6D9146FAEEC7824B8A09DD6978E5921CC151906
SHA-256:	BF787B8C697CE418F9D4C07260F56D1145CA70DB1CC4B1321D37840837621E8F
SHA-512:	ABA67C66C2F3D9B3C9D71D64511895F15F696BE8BE0EEDD2D6908E1203C4B0CF318B366F9F3CD9C3B3B8C0770462F83E6EEA73E304C43F88D0CBEDF69E7C92B3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. . .x.8.6. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".1.0...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".U.s.e.r.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .

C:\e2ac7bbaf115a22162e746\Setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78152
Entropy (8bit):	6.011592088917562
Encrypted:	false
SSDEEP:	1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
MD5:	006F8A615020A4A17F5E63801485DF46
SHA1:	78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
SHA-256:	D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
SHA-512:	C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.\|.......B.....h.~.....Y.\|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\SetupEngine.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	807256
Entropy (8bit):	6.357664904941565
Encrypted:	false
SSDEEP:	24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
MD5:	84C1DAF5F30FF99895ECAB3A55354BCF
SHA1:	7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
SHA-256:	7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
SHA-512:	E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\SetupUi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295248
Entropy (8bit):	6.262127887617593
Encrypted:	false
SSDEEP:	3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
MD5:	EB881E3DDDC84B20BD92ABCEC444455F
SHA1:	E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
SHA-256:	11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
SHA-512:	5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\SetupUi.xsd

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
Category:	dropped
Size (bytes):	30120
Entropy (8bit):	4.990211039591874
Encrypted:	false
SSDEEP:	768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
MD5:	2FADD9E618EFF8175F2A6E8B95C0CACC
SHA1:	9AB1710A217D15B192188B19467932D947B0A4F8
SHA-256:	222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
SHA-512:	A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..

C:\e2ac7bbaf115a22162e746\SplashScreen.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
Category:	dropped
Size (bytes):	41078
Entropy (8bit):	0.3169962482036715
Encrypted:	false
SSDEEP:	24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
MD5:	43B254D97B4FB6F9974AD3F935762C55
SHA1:	F94D150C94064893DAED0E5BBD348998CA9D4E62
SHA-256:	91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
SHA-512:	46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
Malicious:	false
Reputation:	low
Preview:	BMv.......6...(...................@.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................

C:\e2ac7bbaf115a22162e746\Strings.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	14246
Entropy (8bit):	3.70170676934679
Encrypted:	false
SSDEEP:	384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
MD5:	332ADF643747297B9BFA9527EAEFE084
SHA1:	670F933D778ECA39938A515A39106551185205E9
SHA-256:	E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
SHA-512:	BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.

C:\e2ac7bbaf115a22162e746\UiInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	36342
Entropy (8bit):	3.0937266645670003
Encrypted:	false
SSDEEP:	768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
MD5:	812F8D2E53F076366FA3A214BB4CF558
SHA1:	35AE734CFB99BB139906B5F4E8EFBF950762F6F0
SHA-256:	0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
SHA-512:	1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .

C:\e2ac7bbaf115a22162e746\header.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
Category:	dropped
Size (bytes):	7308
Entropy (8bit):	3.7864255453272464
Encrypted:	false
SSDEEP:	48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
MD5:	3AD1A8C3B96993BCDF45244BE2C00EEF
SHA1:	308F98E199F74A43D325115A8E7072D5F2C6202D
SHA-256:	133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
SHA-512:	133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
Malicious:	false
Reputation:	low
Preview:	BM........6...(...1...1...........V.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\sqmapi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144416
Entropy (8bit):	6.7404750879679485
Encrypted:	false
SSDEEP:	3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
MD5:	3F0363B40376047EFF6A9B97D633B750
SHA1:	4EAF6650ECA5CE931EE771181B04263C536A948B
SHA-256:	BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
SHA-512:	537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................

C:\e2ac7bbaf115a22162e746\vc_red.cab

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Microsoft Cabinet archive data, 4186145 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 354 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	4192089
Entropy (8bit):	7.999755784501758
Encrypted:	true
SSDEEP:	98304:YHgT57PlfosWFk9TRxWCP/kbNfS2g92D7epPC1txsBDDfifN7wVH:YHmPxFik99xlnANfcM3YDIN7YH
MD5:	6C59FECF51931FB4540E571AE0310098
SHA1:	DB5B0E9F7D20D2B1CCD61320ECCA7A60E118619B
SHA-256:	08E4D5BAD48C0203FDF02FDC28794F820DFB1D4480BDCAC562E7BC6E15FFAAD3
SHA-512:	D9CC7C6EF54105C981AACAAFDE890019AF766B53417E765FA7636C3B8A4400CE6F987CCEF1A54B4521412A8E45C011476C065CEBC892688AEED1B027E3E761BA
Malicious:	false
Reputation:	low
Preview:	MSCF....!.?.....D...........................!.?.8...........Y...b...H.........r<.I .F_CENTRAL_atl100_x86.HAB.H.....r<.I .F_CENTRAL_mfc100_x86.P....\D...r<.I .F_CENTRAL_mfc100chs_x86.P.....D...r<.I .F_CENTRAL_mfc100cht_x86.P...0wE...r<.I .F_CENTRAL_mfc100deu_x86.P....rF...r<.I .F_CENTRAL_mfc100enu_x86.P....IG...r<.I .F_CENTRAL_mfc100esn_x86.P... CH...r<.I .F_CENTRAL_mfc100fra_x86.P...p>I...r<.I .F_CENTRAL_mfc100ita_x86.P....1J...r<.I .F_CENTRAL_mfc100jpn_x86.P.....J...r<.I .F_CENTRAL_mfc100kor_x86.P...`.K...r<.I .F_CENTRAL_mfc100rus_x86.P.B..sL...r<.I .F_CENTRAL_mfc100u_x86.P9........r<.I .F_CENTRAL_mfcm100_x86.P;..PV....r<.I .F_CENTRAL_mfcm100u_x86.Pm........r<.I .F_CENTRAL_msvcp100_x86.P.........r<.I .F_CENTRAL_msvcr100_x86.P...@.....r<.I .F_CENTRAL_vcomp100_x86.P3........r<.. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8...W..:..[..... '.."S`$..n...W..de`e. .(.$.gV...2..X@A..ra*NR<cq\|...{.`.p.M.. .).JM....q..........Q.......?.........2..nL......U.f#[v..#--

C:\e2ac7bbaf115a22162e746\vc_red.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
Category:	dropped
Size (bytes):	155136
Entropy (8bit):	6.337010677866242
Encrypted:	false
SSDEEP:	3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
MD5:	CD2B99BB86BA6A499110C72B78B9324E
SHA1:	7A288418B36E681093B33DC169E4D27C2EE33EDD
SHA-256:	41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
SHA-512:	17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
Malicious:	false
Reputation:	low
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\e2ac7bbaf115a22162e746\watermark.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
Category:	dropped
Size (bytes):	309032
Entropy (8bit):	6.583379857106919
Encrypted:	false
SSDEEP:	3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
MD5:	1A5CAAFACFC8C7766E404D019249CF67
SHA1:	35D4878DB63059A0F25899F4BE00B41F430389BF
SHA-256:	2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
SHA-512:	202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
Malicious:	false
Reputation:	low
Preview:	BM(.......6...(.......t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2023 11:38:57.761363029 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.761457920 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.761604071 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.790082932 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.790170908 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.790267944 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.791440964 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.791481018 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.792144060 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.792233944 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.792320967 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.792798996 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.792829990 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.793529987 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.793567896 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.936955929 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.954025030 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.954071045 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.955322027 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.955491066 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.957166910 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:57.957232952 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:57.965034008 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.965049982 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.985956907 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.986035109 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.986382008 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.986465931 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.988488913 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.988595963 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:57.988806963 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:57.988894939 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.255654097 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.255743027 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.255770922 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.255891085 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.256037951 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.256181002 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.256230116 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:58.256547928 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.257042885 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:58.257101059 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.291764975 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.292045116 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:58.292090893 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.292130947 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.292217016 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:58.296371937 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.296428919 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.296510935 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.296598911 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.308732986 CEST	49686	443	192.168.2.3	142.250.203.110
Apr 14, 2023 11:38:58.308779955 CEST	443	49686	142.250.203.110	192.168.2.3
Apr 14, 2023 11:38:58.336242914 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.336361885 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.336390018 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.337022066 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.337120056 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.340509892 CEST	49685	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:58.340538979 CEST	443	49685	172.217.168.45	192.168.2.3
Apr 14, 2023 11:38:58.342040062 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:38:59.885627031 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:38:59.886168957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:38:59.908993006 CEST	80	49688	95.110.165.164	192.168.2.3
Apr 14, 2023 11:38:59.909082890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:38:59.909224033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:38:59.909275055 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.018615007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.041843891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042313099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042366982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042414904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042454958 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.042500019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042553902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042568922 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.042617083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042665005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042680979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.042723894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042774916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042788982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.042831898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.042882919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066071033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066137075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066169024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066212893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066289902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066329956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066370964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066394091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066450119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066463947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066509008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066560030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066576004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066618919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066672087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066685915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.066731930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.066781998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090002060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090070963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090101957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090147018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090224981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090280056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090297937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090325117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090339899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090385914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090430021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090481997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090497017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090540886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090584040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090604067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090647936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090698004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090713024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090755939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090799093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090821028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090866089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090914965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.090934038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.090976954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.091026068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114084959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114186049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114234924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114281893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114329100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114355087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114382029 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114425898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114480019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114494085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114538908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114593029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114605904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114648104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114692926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114717960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114759922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114808083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114830017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114871025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114923954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.114938021 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.114981890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115025997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115044117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.115086079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115133047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115161896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.115197897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115242004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115262032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.115304947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115353107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.115370035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115449905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115495920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115516901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.115561008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115612030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.115626097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139075041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139148951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139240026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139259100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139302969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139333010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139379025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139451027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139482021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139528036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139573097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139594078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139636993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139683008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139702082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139744997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139797926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139812946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139858007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139899969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.139921904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.139966011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140010118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140028954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140072107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140114069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140131950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140176058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140222073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140239954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140284061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140327930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140347004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140388012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140434027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140453100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140495062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140539885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140587091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140604019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140646935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140680075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140698910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140718937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140738964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140762091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140770912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140784979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140799999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140821934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140842915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.140852928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.140897989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.152748108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.175762892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.175829887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.175909042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.175960064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.175996065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176048994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176063061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176107883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176151991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176171064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176214933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176265955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176279068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176322937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176368952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176386118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176429987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176481009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176495075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176537037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176587105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176599979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176642895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176687956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176707029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176753044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176801920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176815987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176858902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176904917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.176923037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.176971912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177012920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177032948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177078009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177129030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177143097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177187920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177237988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177252054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177294970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177345037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177359104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177402020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177447081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177464962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177510023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177561045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177575111 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177618980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177665949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177683115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177728891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177778006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177791119 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177833080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177877903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.177896976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177942038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.177993059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.178006887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.178051949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.178100109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201337099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201404095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201452971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201545000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201570034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201621056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201634884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201678991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201730013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201744080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201786041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201828957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201848030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201889992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201941967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.201956034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.201997995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202049017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202063084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202104092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202148914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202167988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202213049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202263117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202276945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202318907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202363968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202385902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202430964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202476025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202495098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202538967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202583075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202599049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202641964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202687025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202704906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202748060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202799082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202812910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202855110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202898026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.202915907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.202965021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203011036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203033924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203078032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203125000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203145981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203188896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203243017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203257084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203299046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203349113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203361988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203430891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203480005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203500032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203543901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203588963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203609943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203654051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203702927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203716993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203762054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203807116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203826904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203871012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203916073 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.203933954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.203979969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.204024076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.204041004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.204087973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.204149008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.215907097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.227389097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227471113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227519035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227564096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.227595091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227648020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227662086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.227706909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227754116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.227771997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227818012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.227865934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239283085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239348888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239420891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239480019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239507914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239540100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239579916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239624977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239676952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239691019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239736080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239787102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239799976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239842892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239893913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.239911079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.239953041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240005016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240017891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240060091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240108013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240120888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240164042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240214109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240227938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240271091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240322113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240334988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240377903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240422964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240439892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240483999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240533113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240546942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240590096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240634918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240652084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240696907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240741014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240757942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240799904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240847111 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240863085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240906000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.240955114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.240978956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241022110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241066933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.241084099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241127968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241178036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241190910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.241234064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241276979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.241292953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241337061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241385937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241400957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.241442919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241487026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.241503954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241548061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.241592884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.251621962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251689911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251734972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251780987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251820087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.251844883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.251882076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251931906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.251979113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.251996040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.252043962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.252088070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.264638901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.264712095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.264803886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.264851093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.264878988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.264903069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.264950037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.264997959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265043974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265062094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265105009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265149117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265167952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265213966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265255928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265278101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265324116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265374899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265388012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265434027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265479088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265501976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265543938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265593052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265609980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265656948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265707016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265722036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265763998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265809059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265830040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265872955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265916109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.265934944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.265980005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266036034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266057968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266103983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266145945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266169071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266216040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266261101 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266279936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266325951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266367912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266387939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266431093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266472101 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266491890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266535997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266577959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266596079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266640902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266683102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266704082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266747952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266791105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266808987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266854048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266896009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.266916990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.266963005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267005920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267026901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267071009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267113924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267132998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267178059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267220020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267241955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267283916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267324924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267345905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267391920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267473936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267488003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267532110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267580986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267596006 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267636061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267678976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267702103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267748117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267791986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267813921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267859936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267904043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.267923117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.267970085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268012047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.268030882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268074989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268121004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.268137932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268183947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268225908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.268248081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268294096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268337965 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.268359900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268403053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268445969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.268464088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268511057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.268554926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.291738033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.340883970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.479744911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503119946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503223896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503271103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503325939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503345966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503381014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503465891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503515005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503566027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503580093 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503626108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503679037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503693104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503737926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503786087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503803015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503850937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503904104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.503921986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.503963947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504014969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504029989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504087925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504134893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504158020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504203081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504257917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504271984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504314899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504367113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504380941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504421949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504467964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504515886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504535913 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504578114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504600048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504641056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504688025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504708052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504756927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504811049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504826069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504867077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504920006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.504935980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.504980087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505028009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505043983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505090952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505143881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505157948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505198956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505249977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505264997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505306005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505357981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505372047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505414009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505467892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505481958 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505522966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505573988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505588055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505630016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505677938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505695105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505742073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505793095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505806923 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505848885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505901098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.505914927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.505955935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506007910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506021976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506062984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506114960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506129980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506170988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506217957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506261110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506283998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506331921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506349087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506396055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506447077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506460905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506503105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506548882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506567955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506613016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506659985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506679058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506721973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506776094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506791115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506831884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506886005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506900072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.506941080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.506992102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507005930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507050037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507102966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507116079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507158995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507210016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507225037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507266045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507313013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507329941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507375956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507425070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507460117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507507086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507560015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507574081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507616043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507668018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507683992 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507725000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507777929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507792950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507834911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507888079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507901907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.507944107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.507994890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508008957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508050919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508102894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508116961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508158922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508209944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508223057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508266926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508318901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508354902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508397102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508445978 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508461952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508507967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508555889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508572102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508616924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508665085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.508682966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.508975983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.531836987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.531904936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.531958103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532006025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532052994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532085896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532085896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532129049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532164097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532211065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532258987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532304049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532349110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532393932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532416105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532459974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532504082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532530069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532569885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532617092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532636881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532682896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532728910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532747984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532790899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532835960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532856941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.532901049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532943010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.532995939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533042908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533091068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533111095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533154011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533199072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533219099 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533262014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533308029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533329964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533371925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533425093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533440113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533483028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533566952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533582926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533627033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533680916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533694983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533737898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533790112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533803940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533848047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533895016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.533911943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.533957958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534008026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534022093 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534066916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534120083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534133911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534177065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534229994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534245014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534287930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534337997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534353018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534396887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534449100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534465075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534507990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534554958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534575939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534621000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534667015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534688950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534732103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534780979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534801960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534848928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534894943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.534914970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.534959078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535008907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535022974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535067081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535115957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535130024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535173893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535223007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535237074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535280943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535322905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535343885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535387993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535443068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535480976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535526037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535578012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535592079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535643101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535692930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535707951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535751104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535794020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535814047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535857916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535906076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.535921097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.535964012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536012888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536026955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536070108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536118984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536134005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536175966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536226034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536241055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536283016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536333084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536346912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536390066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536442041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536456108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536499977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536541939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536561966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536606073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536654949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536669016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536710978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536760092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536783934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536828041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536878109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536891937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.536935091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.536987066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537000895 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537044048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537094116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537107944 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537151098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537199974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537214041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537256956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537306070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537319899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537362099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537412882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537426949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537468910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537519932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537533998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537575960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537626028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537638903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537681103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537730932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537744999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537786961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537831068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537849903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.537892103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537940979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.537957907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.538000107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.538048983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.538065910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.560985088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561053991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561077118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561130047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561153889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561209917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561225891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561269999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561288118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561332941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561384916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561399937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561425924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561453104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561480045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561527014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561546087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561579943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561605930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561652899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561671972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561703920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561733007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561784029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561800003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561841965 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561865091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561917067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.561933994 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561966896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.561994076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562084913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562099934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562149048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562164068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562210083 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562227964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562283039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562297106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562340021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562361956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562417030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562431097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562474012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562493086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562546968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562561989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562601089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562621117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562668085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562688112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562736034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562751055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562793016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562813997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562861919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562885046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562922955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.562943935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.562995911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563010931 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563045979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563072920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563121080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563149929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563195944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563210964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563245058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563285112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563330889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563349009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563416958 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563441038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563492060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563509941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563565016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563580036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563612938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563641071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563688040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563704967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563755989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563771009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563810110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563832045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563883066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.563898087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563931942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.563960075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564012051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564026117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564063072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564089060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564140081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564153910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564196110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564215899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564261913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564282894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564330101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564344883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564380884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564404964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564456940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564471960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564506054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564532995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564584970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564600945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564636946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564661980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564713955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564728022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564764977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564794064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564841032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564861059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564893007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564929962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.564977884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.564995050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565047979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565063000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565099955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565124989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565176964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565191984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565227985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565253973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565305948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565319061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565355062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565381050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565443039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565459013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565494061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565519094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565572977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565588951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565623999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565649986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565704107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565718889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565752983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565778971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565824986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565846920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565886974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.565907001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565953970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.565973997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566005945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566035032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566086054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566101074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566135883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566164017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566216946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566231012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566267014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566294909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566346884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566361904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566397905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566423893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566474915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566489935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566525936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566550970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566602945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566617012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566652060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566679001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566730976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566745043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566780090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566807032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566859007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566871881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566909075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.566931963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566982985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.566998005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567038059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567059994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567111969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567126036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567162991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567187071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567240000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567254066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567289114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567316055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567368031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567382097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567415953 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567460060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567512989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567528009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567569017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567585945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567639112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567652941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567693949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567717075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567770004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567784071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567817926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567843914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567898035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.567910910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567946911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.567970991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568023920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568039894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568073988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568101883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568154097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568169117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568203926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568229914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568281889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568295956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568331003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568356037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568408966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.568423986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.568459034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.580152988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591471910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591521978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591550112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591595888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591614962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591651917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591677904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591734886 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591756105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591809988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591824055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.591876984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591928959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.591975927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592022896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592041969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592087984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592108965 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592150927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592169046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592214108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592267036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592281103 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592328072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592377901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592391014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592432976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592483044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592497110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592539072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592586040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592602015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592648983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592695951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592713118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592756987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592809916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592823029 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592864037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592911005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.592941046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.592986107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593048096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593065023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593147993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593193054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593214035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593214035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593261957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593313932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593327045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593370914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593420982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593434095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593477011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593523026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593539953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593585968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593638897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593652010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593694925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593739033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593771935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593806982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593863010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593878984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593894005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.593935013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.593982935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594012976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594058990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594104052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594125986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594167948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594217062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594234943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594279051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594331026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594345093 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594388962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594436884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594454050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594499111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594549894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594563007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594605923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594656944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594670057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594712973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594769001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594784975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594836950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594890118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.594903946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.594958067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.595010042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603082895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603140116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603193045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603212118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603266001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603317022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603341103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603387117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603458881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603472948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603518009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603562117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603583097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603626966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603678942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603693008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603735924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603780985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603799105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603842974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603885889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603904963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.603945971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.603998899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.604013920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.604055882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.604101896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.604120016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.604163885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.604212046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.604239941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.617957115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618038893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618052959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618099928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618148088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618161917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618206024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618248940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618271112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618311882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618362904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618376970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618418932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618470907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618484020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618527889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618578911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618592024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618637085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618686914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618700981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618745089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618798018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618812084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618856907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618905067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.618921995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.618971109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619019032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619034052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619076967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619131088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619144917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619189024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619240046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619254112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619298935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619350910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619364023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619426966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619481087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619496107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619539022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619585991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619604111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619647980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619697094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619710922 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619755030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619806051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619832993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619879961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619930983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.619946957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.619990110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620039940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620053053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620096922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620146990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620161057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620207071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620259047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620271921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620316982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620369911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620384932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620429039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620482922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620497942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620543957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620598078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620610952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620655060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620706081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620719910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620763063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620809078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620825052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620872021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620918036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.620934963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.620985985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621037960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621052980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.621095896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621143103 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.621160984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621236086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621279001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621299028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.621344090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.621388912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627302885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627356052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627410889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627455950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627481937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627518892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627533913 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627568960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627607107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627621889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627655983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627696991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627707958 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627742052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627784967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627795935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627830982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627867937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627883911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.627918005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627959967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.627970934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.628005028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.628038883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.628052950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.628087044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.628129005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.628139973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.628175974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.628217936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.645704985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.645807028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.645854950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.645900965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.645946980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.645997047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646039009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646039009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646071911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646111012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646161079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646209002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646225929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646270990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646322966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646337032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646380901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646425962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646445036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646492004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646537066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646557093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646600962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646646023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646663904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646708012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646758080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646771908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646812916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646857977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646874905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646918058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.646961927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.646981001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647028923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647075891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647094011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647139072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647183895 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647202969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647245884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647294998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647310972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647353888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647419930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647439003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647484064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647530079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647547007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647592068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647643089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647656918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647699118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647747040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647759914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647802114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647851944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647865057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.647906065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647954941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.647969961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648013115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648061991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648076057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648118019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648168087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648180962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648222923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648272038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648287058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648329973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648375034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648391962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648437977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648489952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648503065 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648545027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648593903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648607016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648649931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648694038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648711920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648756981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648802042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648819923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648865938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648914099 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.648931026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.648977041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.649019957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.649039984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.649084091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.649132967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.649147987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.649190903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.649235964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.652272940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652338982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652415037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.652678013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652729034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652785063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652800083 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.652848005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652892113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.652913094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.652957916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653002024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653021097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653064966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653106928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653125048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653167009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653212070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653229952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653274059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653322935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653337002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653378963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653424978 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653443098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653486967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653532028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.653551102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653597116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.653641939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672225952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672285080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672329903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672354937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672405958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672456026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672473907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672518969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672568083 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672590017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672633886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672679901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672697067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672743082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672789097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672805071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672851086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672900915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.672914028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.672956944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673002005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673019886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673063993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673114061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673126936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673171997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673216105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673237085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673280001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673324108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673341036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673386097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673430920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673449039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673494101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673537970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673554897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673600912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673645020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673662901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673708916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673758984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673772097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673815966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673866987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673880100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673927069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.673970938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.673991919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674036980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674079895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674102068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674145937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674196959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674211025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674254894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674299955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674315929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674366951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674417973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674436092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674480915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674540997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674560070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674603939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674653053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674666882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674710035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674757957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674778938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674823046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674866915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674885988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.674930096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674981117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.674994946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675038099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675081968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675098896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675143957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675188065 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675205946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675251961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675297976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675316095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675360918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675424099 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675453901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675499916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675550938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675564051 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675606012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675657988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675673008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675714016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.675760984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.675779104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677320957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677406073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677433014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677476883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677530050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677544117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677587032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677634001 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677651882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677695036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677740097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677758932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677802086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677848101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677866936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677907944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.677954912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.677972078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678016901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678070068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678083897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.678126097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678169966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.678190947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678236008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.678282022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.678298950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.699451923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.699657917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.699836016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.699884892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.699929953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.699954987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700001955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700047970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700066090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700110912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700153112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700171947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700215101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700259924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700278044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700324059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700370073 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700387001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700432062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700478077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700496912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700540066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700592995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700606108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700648069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700697899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700711012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700752020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700803041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700817108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700858116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700908899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.700922012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.700963020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701009989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701033115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701076031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701124907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701138020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701180935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701224089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701245070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701291084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701342106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701354980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701395988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701441050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701461077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701507092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701550961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701571941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701617956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701662064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701683044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701730013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701775074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.701791048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701837063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.701884985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.704284906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.727385044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727511883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727556944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727596045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.727633953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727686882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727700949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.727747917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727798939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727813005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.727857113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727902889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.727922916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.727972984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728025913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728039980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728084087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728135109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728147984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728192091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728243113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728256941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728301048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728353024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728365898 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728409052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728458881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728472948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728516102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728568077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728581905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728625059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728674889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728688002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728730917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728781939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728796005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728837967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728883982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.728900909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728945971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.728997946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729011059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729054928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729105949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729119062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729161978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729213953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729228020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729270935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729320049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729334116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729377031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729424000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729443073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729489088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729540110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729552984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729595900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729643106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729659081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729705095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729758024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729770899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729814053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729863882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729876995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729919910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.729968071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.729984999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730034113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730083942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730097055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730139971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730185032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730201960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730247021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730298996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730313063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730356932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730401993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730420113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730463982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730510950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730528116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730576038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730622053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730638981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730684996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730734110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730746984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730791092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730845928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730860949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.730902910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730956078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.730973959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731017113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731067896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731081009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731122971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731168985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731185913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731231928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731281042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731295109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731338024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731383085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731417894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731462955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731514931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731529951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731574059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731620073 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731636047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731679916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731729984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731743097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731786013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731834888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731848001 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731890917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731940031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.731955051 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.731997967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.732043982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755130053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755220890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755275011 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755311012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755359888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755422115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755455017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755475998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755518913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755563974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755609035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755654097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755712032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755759001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755804062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755850077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755894899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.755924940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755949020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.755979061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756028891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756072044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756093979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.756136894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756181002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756225109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756270885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756314039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756357908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756402016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756444931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756488085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756531954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756573915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756617069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756648064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.756683111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756728888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756776094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756819963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756860971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.756884098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756932974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.756947994 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.756993055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757036924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757055998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757102013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757147074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757164955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757209063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757261038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757275105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757318020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757365942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757381916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757427931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757477999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757493019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757534981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757586956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757601023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757644892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757688999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757709026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757752895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757805109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757817984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757860899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757911921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.757925034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.757968903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758014917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758033037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758079052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758131027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758143902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758187056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758239985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758253098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758296967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758344889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758359909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758399963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758452892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758466959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758511066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758562088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758574963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758619070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758670092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758682966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758725882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758778095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758790970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758833885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758882999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758896112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.758940935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.758994102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759006977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759049892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759095907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759113073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759159088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759207964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759222031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759264946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759311914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759329081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759373903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759419918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759459019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759505987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759552956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759569883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759614944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759664059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759676933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.759721994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.759768963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.762867928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783051014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783121109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783154011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783200979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783246994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783299923 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783299923 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783334017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783390045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783432007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783484936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783531904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783551931 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783596039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783643007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783660889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783706903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783757925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783772945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783814907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783868074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783880949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783922911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.783971071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.783987045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784034014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784085035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784097910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784141064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784190893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784204960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784248114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784298897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784313917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784357071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784408092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784420967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784463882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784516096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784528971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784570932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784616947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784635067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784682989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784734011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784748077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784796000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784847975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784862041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784904003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.784950972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.784966946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785012960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785063982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785077095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785120964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785171986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785186052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785228014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785279989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785294056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785335064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785384893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785399914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785440922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785492897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785506964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785548925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785641909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785655975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785697937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785743952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785762072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785804987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785856009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785870075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.785909891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785954952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.785974979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786017895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786066055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786082029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786128044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786176920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786190033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786232948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786278009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786295891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786336899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786381960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786401033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786447048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786495924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786513090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786556005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786601067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786622047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786668062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786715031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786731005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786777020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786822081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786839962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786885977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786938906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.786953926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.786998034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787048101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787061930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787105083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787149906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787167072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787213087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787259102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787276983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787319899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787369013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787383080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787446976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787497044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787511110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787554026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787600040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787616968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787662029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787710905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787724018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787765026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.787811041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.787827969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811006069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811073065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811144114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811187029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811233044 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811233044 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811285973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811340094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811352968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811453104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811501026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811525106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811568975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811619997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811647892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811692953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811738968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811757088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811801910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811849117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811866045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811911106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.811956882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.811975002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812021971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812067032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812083960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812128067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812176943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812191010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812236071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812287092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812299967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812345028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812393904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812407017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812453032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812504053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812558889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812603951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812654972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812669039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812712908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812753916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812773943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812815905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812865973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812879086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.812922955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812964916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.812987089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813030958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813080072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813092947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813136101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813179016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813199043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813241959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813288927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813303947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813344955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813394070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813407898 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813450098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813499928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813513041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813555002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813604116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813657999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813702106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813745022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813775063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813810110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813862085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813874960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813916922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.813963890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.813982010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814028025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814078093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814091921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814135075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814182997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814198017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814240932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814291000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814305067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814348936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814399004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814412117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814455986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814505100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814517975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814560890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814610004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814623117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814666033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814718008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814764977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814814091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814863920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814877033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814920902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.814966917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.814984083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815030098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815080881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815094948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815138102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815185070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815201998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815247059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815304995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815320969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815360069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815413952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815433979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815475941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815524101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815536022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815576077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815623045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815634966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815675974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815720081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815732002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.815805912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815855026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.815867901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.824174881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.838954926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839055061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839088917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839134932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839179039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839252949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839278936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839318991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839364052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839413881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839446068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839490891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839541912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839555979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839597940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839649916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839663982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839706898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839752913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839771032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839814901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839865923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839879036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839924097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.839971066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.839989901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840039015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840089083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840102911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840145111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840195894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840212107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840270996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840323925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840379953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840421915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840471029 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840488911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840537071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840584993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840605974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840650082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840703011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840717077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840759993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840811968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840826035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840868950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840919971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.840934038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.840976954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841025114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841042995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841088057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841140985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841155052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841198921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841252089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841265917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841310024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841356039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841412067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841468096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841514111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841533899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841574907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841629028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841643095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841686010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841737986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841757059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841806889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841857910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841871977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.841914892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841965914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.841980934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842022896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842067957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842098951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842140913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842184067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842202902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842245102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842295885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842322111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842365026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842415094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842427969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842508078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842556000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842573881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842618942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842669964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842683077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842725992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842777014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842791080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842833996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842885971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842899084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.842941999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.842988968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843007088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843050957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843101025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843113899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843157053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843206882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843220949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843269110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843318939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843342066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843389034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843453884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843472958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843516111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843564034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843620062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843663931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843709946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843727112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843771935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843822956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843836069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843879938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843926907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.843945026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.843991995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.844039917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.847140074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867088079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867149115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867194891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867227077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867274046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867321014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867342949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867412090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867470980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867497921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867544889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867597103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867609978 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867651939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867716074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867729902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867774010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867824078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867839098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867882013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867928982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.867947102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.867994070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868043900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868058920 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868099928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868150949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868165016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868208885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868261099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868274927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868318081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868367910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868381977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868423939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868474007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868486881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868530989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868582010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868596077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868638992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868689060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868702888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868745089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868791103 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868808985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868854046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868900061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.868916988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.868963003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869009018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869026899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869071007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869122028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869134903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869178057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869226933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869240046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869282961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869332075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869345903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869389057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869438887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869452000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869496107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869544983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869558096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869601965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869652987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869666100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869709015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869751930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869770050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869815111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869864941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869878054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.869921923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869971037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.869986057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870029926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870079041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870091915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870136023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870181084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870207071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870245934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870297909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870311975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870354891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870402098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870420933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870480061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870528936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870547056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870590925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870640993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870654106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870697975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870748043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870760918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870801926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870845079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870865107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.870906115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870958090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.870981932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871026039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871077061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871090889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871133089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871180058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871207952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871252060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871300936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871315002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871357918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871413946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871436119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871480942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871532917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871546984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871589899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871639013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871653080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871695995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871746063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871758938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871802092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871851921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871865034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.871910095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.871956110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895025969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895088911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895137072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895159960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895211935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895262957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895277023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895322084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895370960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895387888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895456076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895503998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895524025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895569086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895618916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895664930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895710945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895757914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895776033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895818949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895870924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895884037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895929098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.895976067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.895993948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896043062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896090031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896106005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896152020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896195889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896213055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896259069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896306038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896322966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896368980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896420956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896435022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896477938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896524906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896542072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896588087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896635056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896651983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896697998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896747112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896760941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896804094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896851063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896868944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896915913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.896961927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.896977901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897027969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897073030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897090912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897136927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897181988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897200108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897245884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897290945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897309065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897353888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897407055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897419930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897464037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897516966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897530079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897572041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897619009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897650003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897696018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897742033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897758961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897804976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897856951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897870064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.897911072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897955894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.897978067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898020983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898072958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898086071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898127079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898174047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898190975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898236990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898288965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898302078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898345947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898396015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898410082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898452997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898500919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898519039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898566008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898617029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898629904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898672104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898718119 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898734093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898778915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898829937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898843050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898886919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898935080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.898948908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.898993969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899050951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899065971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899110079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899159908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899174929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899216890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899267912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899281979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899323940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899368048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899386883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899461031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899513960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899528027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899569988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899616003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899635077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899678946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899729013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899744034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899785042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899836063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899848938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.899890900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899943113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.899960041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923197985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923255920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923300028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923336029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923388958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923420906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923466921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923510075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923542023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923588991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923636913 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923655033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923702002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923744917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923763037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923804998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923856974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923871040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.923914909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923964977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.923980951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924024105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924071074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924088001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924134016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924180984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924197912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924243927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924293995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924308062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924351931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924395084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924415112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924458027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924509048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924523115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924567938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924613953 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924632072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924675941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924721956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924738884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924797058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924850941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924864054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.924906969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924954891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.924972057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925014973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925064087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925077915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925121069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925172091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925185919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925225973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925272942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925303936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925348043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925394058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925410032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925455093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925503969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925515890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925559044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925609112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925622940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925663948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925710917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925726891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925771952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925821066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925834894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925878048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925925016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.925941944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.925990105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926042080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926055908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926099062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926147938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926162004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926203966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926250935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926266909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926312923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926358938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926376104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926423073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926474094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926486969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926529884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926582098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926594973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926639080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926682949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926702023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926747084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926799059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926812887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926856995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926903009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.926920891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.926965952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927011967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927033901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927095890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927143097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927164078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927207947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927253962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927269936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927315950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927369118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927381039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927450895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927501917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927515984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927558899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927607059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927624941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927670002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927720070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927733898 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927786112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927839994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927854061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.927897930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927948952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.927964926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.928008080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.928052902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.951157093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951214075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951257944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951302052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951344967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951389074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951464891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951507092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951550007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951594114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951627016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.951663971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.951689959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951738119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951781988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951827049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951869965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951915026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.951960087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.951978922 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.951999903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952055931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952102900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952148914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952194929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952238083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952280998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952322960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952367067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952410936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952455997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952497959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952541113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952584028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952621937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.952641964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.952666998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952709913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952752113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952795029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952837944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952882051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952925920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.952967882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953015089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953061104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953104019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953140020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.953167915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953212023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953253984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953296900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953336000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.953361988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953406096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953449011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953493118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953533888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953577042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953620911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953663111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953682899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.953726053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953778982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953792095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.953835011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953879118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.953896999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953941107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.953988075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954005003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954056025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954108000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954122066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954168081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954219103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954231024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954274893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954327106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954340935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954385996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954433918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954447985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954493999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954545975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954559088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954602957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954654932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954672098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954718113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954760075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954777956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954827070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954879045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954893112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954936028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.954981089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.954998016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955058098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955104113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955147982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955169916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955220938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955235004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955284119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955297947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955331087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955362082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955425978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955478907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955492973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955534935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955581903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955600023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955645084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955692053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.955709934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955754995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.955801010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.978857040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.978919029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.978966951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.978992939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979042053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979104996 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979124069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979188919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979240894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979262114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979310036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979356050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979373932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979441881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979486942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979506016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979552031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979598999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979618073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979661942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979710102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979727030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979772091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979819059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979839087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979883909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979935884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.979948997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.979995012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980041981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980060101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980106115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980155945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980170012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980212927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980257988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980277061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980323076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980372906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980386972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980428934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980473042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980490923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980536938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980587006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980601072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980644941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980732918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980747938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980791092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980842113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980855942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.980896950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980947018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.980962992 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981005907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981054068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981067896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981108904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981158972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981172085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981216908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981265068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981277943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981321096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981369972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981384993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981430054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981473923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981492043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981535912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981586933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981600046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981643915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981689930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981708050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981753111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981802940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981816053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981858969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981905937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.981921911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.981967926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982012987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982033968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982079983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982129097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982142925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982182980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982234001 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982263088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982306957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982357025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982371092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982414961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982465029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982477903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982518911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982568979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982583046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982624054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982672930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982686043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982729912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982775927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982793093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982836962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982886076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982899904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.982943058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.982991934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983010054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983052015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983103037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983118057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983160019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983211040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983223915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983266115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983309031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983328104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983371019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983422041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983453035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983496904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983550072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983565092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983608961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983659029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983671904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983716011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983761072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983779907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:00.983824015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:00.983870029 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.006892920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.006942987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.006987095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007011890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007061005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007112980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007127047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007172108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007220984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007237911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007282019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007328987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007344961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007407904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007461071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007481098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007528067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007575035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007594109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007638931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007685900 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007703066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007750034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007797003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007813931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007859945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007910967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.007924080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.007967949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008022070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008034945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008079052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008127928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008141994 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008186102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008234024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008250952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008296013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008346081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008359909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008404970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008455038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008469105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008511066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008557081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008574963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008620024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008666039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008682966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008728981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008780003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008793116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008836985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008888006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008900881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.008943081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.008991003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009006977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009051085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009094954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009114027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009157896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009207964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009222031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009263992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009314060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009330034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009378910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009426117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009443998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009490013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009536982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009553909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009598017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009646893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009659052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009702921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009752035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009766102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009809971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009852886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009871960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009917021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.009962082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.009979963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010026932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010072947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010090113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010135889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010181904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010199070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010242939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010293007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010307074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010350943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010401011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010415077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010458946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010508060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010520935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010565996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010615110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010628939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010673046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010721922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010735035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010780096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010824919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010840893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010883093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010931969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.010945082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.010988951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011039019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011053085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011096001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011146069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011159897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011204004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011255026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011267900 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011312008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011359930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011373043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011435986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011486053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011498928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011543989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011594057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011620998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011666059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011715889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011729956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.011775017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.011821985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.034920931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.034989119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035063028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035088062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035146952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035188913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035217047 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035250902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035290956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035310030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035350084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035389900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035454988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035497904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035542011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035572052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035597086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035619020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035660982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035701990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035742998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035782099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035816908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035842896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035886049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035929918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.035948038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.035976887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036005974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036048889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036088943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036107063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036148071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036225080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036245108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036284924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036607027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036649942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036689997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036729097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036747932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036788940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036834955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036847115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036887884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036926031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.036942959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.036983013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037029982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037041903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037081957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037127972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037139893 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037179947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037228107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037240028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037292957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037341118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037358999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037404060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037450075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037471056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037514925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037559986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037578106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037621975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037672997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037687063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037730932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037776947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037794113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037837982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037883043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.037899017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037941933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.037992001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038007975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038049936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038094997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038111925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038156986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038207054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038219929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038263083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038307905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038325071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038367033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038420916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038436890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038481951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038532972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038547039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038588047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038635015 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038651943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038697958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038744926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038763046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038805962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038852930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038868904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038914919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.038960934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.038978100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039022923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039068937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039086103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039130926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039182901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039196014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039237976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039284945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039303064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039346933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039392948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039429903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039474964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039521933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039544106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039594889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039644003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039660931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039706945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039752960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039771080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039815903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039861917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039880991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039926052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.039972067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.039989948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.040035963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.040085077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.040098906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.040143013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.040189981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063162088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063224077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063256025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063302040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063333035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063365936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063416004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063468933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063522100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063535929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063580036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063628912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063642979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063685894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063736916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063750982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063805103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063853025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.063872099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063915968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063965082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.063981056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064026117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064078093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064090967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064132929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064186096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064198971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064240932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064294100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064306974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064347982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064395905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064413071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064456940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064507961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064522982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064563036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064616919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064630985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064671993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064724922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064738989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064779997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064836979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064851046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.064892054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064944983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.064959049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065000057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065052032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065064907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065108061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065157890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065171957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065215111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065263987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065278053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065320969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065370083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065383911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065427065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065475941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065489054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065532923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065583944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065597057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065640926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065692902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065706968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065747976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065799952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065814018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065855980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065907955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.065921068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.065963030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066013098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066025972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066067934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066112995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066133022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066179037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066225052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066241980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066286087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066337109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066350937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066391945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066438913 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066457033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066500902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066551924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066565990 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066606998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066653967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066670895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066716909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066762924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066782951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066833973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066884041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.066898108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.066941023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067029953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067043066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067085981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067137003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067150116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067192078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067243099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067256927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067297935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067349911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067363977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067425013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067468882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067497015 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067543030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067593098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067606926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067653894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067703009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067715883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067759991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067811012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067825079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067867994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067915916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.067929983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.067972898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.068021059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.068037987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.068080902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.068131924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.068145037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.068181038 CEST	80	49688	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.068258047 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.069926977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091233015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091289997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091317892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091367006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091418982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091461897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091514111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091566086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091581106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091624975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091675043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091689110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091731071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091782093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091794968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091836929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091887951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091901064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.091943979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.091994047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092012882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092057943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092104912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092123032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092169046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092216969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092235088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092281103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092327118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092344999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092391014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092442989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092457056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092500925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092552900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092566967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092609882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092662096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092675924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092720985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092767000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092786074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092830896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092883110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092895985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.092941046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.092992067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093008995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093050957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093100071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093113899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093156099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093204975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093216896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093261957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093313932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093327999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093372107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093420982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093436003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093480110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093525887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093544960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093590975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093641043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093655109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093698025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093743086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093761921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093806982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093859911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093873024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093916893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.093966007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.093993902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094042063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094089031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094106913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094152927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094204903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094218016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094261885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094306946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094325066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094368935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094420910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094434023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094475031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094523907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094537020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094578981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094630957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094645023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094690084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094741106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094754934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094798088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094846010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094865084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094908953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.094954967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.094971895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095019102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095067024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095079899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095124006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095174074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095187902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095231056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095278025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095293999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095340014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095386028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095422029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095468998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095520020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095534086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095577002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095628023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095643044 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095685959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095738888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095752001 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095793962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095843077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095855951 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.095896959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095946074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.095959902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.096002102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096046925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.096065044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096112013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096162081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096174955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.096219063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096267939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.096283913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096329927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.096379042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.119385958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119477987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119525909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119550943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.119616032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119662046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119682074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.119729042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119779110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119793892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.119846106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119889975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119909048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.119952917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.119995117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120021105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120063066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120116949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120131969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120177031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120228052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120240927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120285988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120337963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120352030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120395899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120450020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120464087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120507002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120558023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120572090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120615959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120668888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120682001 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120726109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120780945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120794058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120836973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120886087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120901108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.120944977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.120999098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121016026 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121057987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121103048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121150970 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121185064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121237040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121251106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121293068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121342897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121356010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121411085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121454000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121474981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121517897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121566057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121579885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121623039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121665001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121686935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121728897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121779919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121793985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121838093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121880054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121898890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.121942043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.121992111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122008085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122051954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122093916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122121096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122169971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122212887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122232914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122277021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122327089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122339964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122392893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122443914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122457027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122499943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122550011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122564077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122606039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122656107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122669935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122710943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122761011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122773886 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122816086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122865915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122881889 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.122931004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122972965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.122994900 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123039007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123081923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123102903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123147011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123212099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123224974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123266935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123315096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123327971 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123372078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123431921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123457909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123503923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123549938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123568058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123611927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123665094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123680115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123720884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123774052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123788118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123831987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123882055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123894930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.123938084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.123989105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124005079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.124051094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124104023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124118090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.124172926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124224901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124241114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.124283075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124336004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124350071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.124392033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124444962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124459028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.124500036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124552011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.124564886 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.147536039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147587061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147620916 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.147659063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147711992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147726059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.147782087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147835016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147847891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.147891998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147942066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.147954941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.147999048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148049116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148067951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148114920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148159027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148180008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148221970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148273945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148302078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148348093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148400068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148412943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148457050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148509026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148521900 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148566961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148618937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148632050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148684025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148732901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148746014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148791075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148843050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148857117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.148900986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148952007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.148964882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149008989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149061918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149075985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149122000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149174929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149188995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149233103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149286985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149300098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149344921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149396896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149410963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149452925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149504900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149518013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149560928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149612904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149626017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149668932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149719954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149734974 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149776936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149830103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149843931 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149885893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149938107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.149951935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.149993896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150047064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150062084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150105000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150158882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150172949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150216103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150266886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150280952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150324106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150376081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150389910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150433064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150482893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150496006 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150541067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150583029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150602102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150645971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150696993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150711060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150754929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150804043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150816917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150861025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150909901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.150923014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.150965929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151029110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151042938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151087046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151132107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151153088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151196957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151251078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151267052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151330948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151382923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151413918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151458979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151510000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151524067 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151566982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151618958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151633024 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151675940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151729107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151742935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151787043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151839972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151853085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.151896954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151947975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.151961088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152003050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152050972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152070999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152116060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152167082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152179956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152223110 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152273893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152287960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152332067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152384043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152398109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152441025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152493000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152506113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152549982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152601957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152652979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.152698994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.152749062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.175729036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.175780058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.175817013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.175848007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.175879955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.175916910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.175934076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.175971031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176019907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176032066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176068068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176106930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176124096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176162004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176199913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176217079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176250935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176290035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176306009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176342964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176383018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176430941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176469088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176507950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176525116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176562071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176600933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176616907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176651955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176690102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176704884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176739931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176779032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176795006 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176832914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176870108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176886082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.176923037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176961899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.176980019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177016973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177052975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177067995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177104950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177144051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177160025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177196980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177233934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177249908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177287102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177326918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177342892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177381039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177417040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177433014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177469015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177512884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177525043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177561998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177599907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177614927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177650928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177687883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177704096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177740097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177778959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177795887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177833080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177869081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177884102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.177921057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177958965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.177973986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178009033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178056955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178083897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178128004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178180933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178195000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178237915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178287983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178314924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178358078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178412914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178430080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178477049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178527117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178540945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178586006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178637981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178652048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178694963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178742886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178755045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178798914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178850889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178864956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.178909063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178957939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.178971052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179016113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179064989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179083109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179126024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179177046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179191113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179231882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179280996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179295063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179337978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179389000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179425955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179477930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179522038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179541111 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179583073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179632902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179646015 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179688931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179733038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179752111 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179794073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179842949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179857016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179899931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.179948092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.179964066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180012941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180063963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180078030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.180120945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180170059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180183887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.180227041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180279970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180293083 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.180336952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180381060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.180459023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.203459978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203540087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203562975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.203623056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203675985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203689098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.203732014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203783035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203797102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.203840017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203892946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203907013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.203948021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.203999996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204018116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204061985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204116106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204130888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204173088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204226017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204240084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204282999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204334974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204349041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204390049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204442024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204456091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204495907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204547882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204561949 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204602957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204655886 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204668999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204710960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204763889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204777956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204824924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204869986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204890966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.204935074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.204988003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205004930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205048084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205101013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205115080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205156088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205208063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205220938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205261946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205312014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205326080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205367088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205420971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205435038 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205476999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205528975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205547094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205600977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205656052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205668926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205712080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205764055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205779076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205822945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205868959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205889940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.205931902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205982924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.205997944 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206042051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206091881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206105947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206146955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206197023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206211090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206252098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206294060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206312895 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206355095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206406116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206420898 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206463099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206513882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206527948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206568956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206619024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206631899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206672907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206724882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206737995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206782103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206830978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206844091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206887960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206937075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.206950903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.206994057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207047939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207062960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207104921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207155943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207170010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207211971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207263947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207277060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207319975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207370043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207382917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207452059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207499027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207516909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207561016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207609892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207623959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207665920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207715034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207727909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207771063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207820892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207834005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207878113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207926035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.207951069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.207989931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208031893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208050013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.208089113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208137035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208148956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.208187103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208235025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208246946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.208285093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208326101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208344936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.208383083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208430052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208442926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.208481073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.208528996 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.212555885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.231636047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.231729984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.231774092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.231812954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.231853008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.231906891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.231920004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.231965065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232019901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232033968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232076883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232129097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232144117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232187986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232239962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232254028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232300043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232352018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232366085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232409000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232460976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232475042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232520103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232567072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232589960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232636929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232687950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232701063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232744932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232798100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232812881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232856035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232907057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.232938051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.232991934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233040094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233059883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233103037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233154058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233167887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233208895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233258009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233270884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233313084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233364105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233377934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233419895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233470917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233484983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233526945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233573914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233591080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233635902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233686924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233700991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233741999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233793020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233808041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233849049 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233895063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.233912945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.233958006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234020948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234040022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234085083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234136105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234150887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234194994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234241009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234260082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234306097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234354019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234371901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234417915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234463930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234482050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234527111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234574080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234591007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234636068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234688997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234703064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234745979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234797001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234810114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234858036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234900951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.234920979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.234962940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235013008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235028982 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235074997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235126972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235140085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235184908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235234976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235248089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235292912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235342979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235358000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235423088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235476971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235490084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235534906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235586882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235600948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235642910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235693932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235707998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235753059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235805988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235820055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235862970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235915899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.235941887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.235987902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236041069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236053944 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236098051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236149073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236161947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236206055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236255884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236270905 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236315012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236366034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236380100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236422062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236474037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236486912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236529112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236581087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236593962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236637115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236689091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236701965 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236747026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236798048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236812115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236856937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236876011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236922026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.236939907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.236983061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.237032890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260176897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260250092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260282040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260318041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260350943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260387897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260409117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260423899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260462046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260472059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260504007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260536909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260551929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260582924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260613918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260684967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260716915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260749102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260765076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260796070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260828018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260842085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260873079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260905027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260921955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.260953903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.260987043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261002064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261033058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261069059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261084080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261116028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261147976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261162043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261193991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261228085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261244059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261276007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261308908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261324883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261357069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261389017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261403084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261435986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261467934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261482000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261512995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261547089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261564016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261595964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261627913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261641979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261672974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261707067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261722088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261754990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261787891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261802912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261836052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261868954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261884928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261915922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261949062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.261962891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.261993885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262027979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262043953 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262074947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262109041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262123108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262154102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262187958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262204885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262237072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262269974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262284994 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262316942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262350082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262362957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262394905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262428045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262443066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262475014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262509108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262522936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262554884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262588024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262603045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262634993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262669086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262682915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262715101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262748957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262763977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262795925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262829065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262842894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262875080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262907982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262924910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.262955904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.262991905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263009071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263041019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263092995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263103962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263138056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263169050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263184071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263216019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263248920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263264894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263298035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263329983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263344049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263375998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263421059 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263442039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263474941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263509035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263535976 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263556957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263591051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263605118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263634920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263668060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263683081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263714075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263747931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263772964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263797045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263829947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263843060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263874054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263907909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263922930 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.263955116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.263988018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.264003992 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.264034033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.264067888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.264082909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.264115095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.264164925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287168026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287218094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287250042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287287951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287300110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287338972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287349939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287379026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287436962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287468910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287488937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287514925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287555933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287587881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287616968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287635088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287635088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287664890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287677050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287709951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287739992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287755966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287786961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287817001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287836075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287862062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287893057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287924051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287945032 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.287969112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.287998915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288022995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288049936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288069963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288100004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288130999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288151979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288177967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288209915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288224936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288254023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288285971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288316011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288332939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288358927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288391113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288408041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288440943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288451910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288481951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288512945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288531065 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288558960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288592100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288624048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288638115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288667917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288700104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288732052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288743973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288757086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288789034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288820028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288836956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288865089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288898945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288913965 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.288943052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.288975000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289009094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289025068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289055109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289086103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289102077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289134979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289144993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289172888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289202929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289222002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289263964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289314032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289328098 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289366007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289408922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289449930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289468050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289506912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289550066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289566040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289599895 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289621115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289663076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289702892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289720058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289757967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289802074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289819956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289859056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289899111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289946079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.289958000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.289995909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290038109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290055990 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290093899 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290134907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290150881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290184975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290216923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290260077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290301085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290335894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290360928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290400982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290442944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290461063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290498972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290540934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290560007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290594101 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290613890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290653944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290693998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290713072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290751934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290791988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290808916 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290848970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290887117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290904999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.290944099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.290983915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291026115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291043043 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.291081905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291124105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.291142941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291182995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291222095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291239977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.291279078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291318893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.291336060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.291369915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.314466000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314531088 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314574957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314621925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.314656019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314702034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314747095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314768076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.314811945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314873934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314893961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.314938068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.314980984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315004110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315043926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315068007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315112114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315155029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315165997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315206051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315249920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315269947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315313101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315356970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315421104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315444946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315490961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315510035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315553904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315597057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315614939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315659046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315711975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315726042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315771103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315814972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315857887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315876007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.315920115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315963984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.315983057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316015959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316042900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316091061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316140890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316154003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316198111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316242933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316262960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316306114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316349030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316401005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316414118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316458941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316503048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316521883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316555977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316581011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316629887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316673040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316692114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316736937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316787004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316801071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316845894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316888094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316940069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.316953897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.316998005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317053080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317065954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317105055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317128897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317173004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317215919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317235947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317280054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317332983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317346096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317390919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317444086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317466974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317512035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317555904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317606926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317620993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317665100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317708015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317725897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317770004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317811966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317831039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317871094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.317893028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317938089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.317981958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318005085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318048000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318094015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318113089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318156004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318201065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318253994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318267107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318310976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318363905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318377018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318413973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318438053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318480968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318531036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318545103 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318588018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318639040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318653107 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318696022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318737984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318789959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318803072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318846941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318896055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.318909883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318947077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.318970919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319014072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319070101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319083929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319128036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319171906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319192886 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319236040 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319286108 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319310904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319353104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319410086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319453955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319494009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319511890 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319531918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319571972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319612026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.319639921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.319670916 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.320290089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.342742920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.342802048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.342847109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.342899084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.342927933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.342978001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343008995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343050957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343096018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343142033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343163013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343216896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343235016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343281031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343326092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343379021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343413115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343461037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343507051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343525887 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343564987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343588114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343632936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343677998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343698978 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343743086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343795061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343811035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.343856096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343900919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343952894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.343966007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344011068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344064951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344078064 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344121933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344172955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344187021 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344232082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344270945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344300032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344345093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344388008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344407082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344454050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344506979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344520092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344568014 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344618082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344639063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344676018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344701052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344747066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344791889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344810009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344856024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344901085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.344922066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.344964981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345009089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345065117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345077991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345122099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345168114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345185041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345221996 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345247030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345302105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345352888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345406055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345419884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345463037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345515013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345529079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345570087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345614910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345633030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345669985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345694065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345748901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345793009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345845938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345860004 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345899105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.345921993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.345973969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346024990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346071959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346117020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346134901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346158028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346203089 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346247911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346268892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346312046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346358061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346381903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346422911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346466064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346509933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346528053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346570969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346615076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346633911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346668005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346693993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346740961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346785069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346808910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.346858025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346904039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346947908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.346966028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347007990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347055912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347074986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347117901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347170115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347183943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347218990 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347244024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347286940 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347338915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347393990 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347461939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347508907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347529888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347573042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347625971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347680092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347692966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347738028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347790003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347803116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347837925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.347862959 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347907066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347949982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.347970009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.348016024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.348068953 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.348083019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.348126888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.348176003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371320963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371454000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371501923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371545076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371570110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371601105 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371640921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371685982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371743917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371793985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371810913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371856928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371908903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.371922016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371954918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.371983051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372030973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372082949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372097015 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372139931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372191906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372205019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372247934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372298002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372311115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372355938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372400045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372452021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372466087 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372509003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372558117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372586966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372637987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372653008 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372695923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372747898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372761011 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372805119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372855902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372869968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.372914076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.372960091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373013020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373028040 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373070955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373121023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373135090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373166084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373194933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373239994 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373294115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373307943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373349905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373399973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373413086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373456955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373501062 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373552084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373564959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373608112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373651981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373671055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373703003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373732090 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373779058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373831034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373843908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373888016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373933077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.373953104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.373996019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374047041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374062061 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374105930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374156952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374171019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374214888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374258995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374310017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374322891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374365091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374412060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374428034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374474049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374491930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374536037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374586105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374598980 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374641895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374689102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374706984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374761105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374805927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374855995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374876022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374902964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.374937057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.374982119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375037909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375052929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375089884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375117064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375169992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375190020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375232935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375283957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375298023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375339031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375390053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375422955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375468016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375513077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375564098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375577927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375622988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375673056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375686884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375719070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375749111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375793934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375844002 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.375860929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375920057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.375962019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376000881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376025915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376072884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376092911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376136065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376187086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376200914 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376243114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376293898 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376307011 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376348972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376393080 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376445055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376458883 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376502991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376554012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376568079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376600027 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.376629114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376674891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.376725912 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.399755955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.399815083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.399858952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.399902105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.399933100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.399962902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.399996996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400060892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400113106 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400126934 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400171995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400219917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400237083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400283098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400327921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400387049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400404930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400450945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400471926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400516033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400564909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400593996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400641918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400686979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400742054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400758028 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400795937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400825024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400871038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400914907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.400962114 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.400991917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401040077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401092052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401106119 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401149035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401196003 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401222944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401274920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401289940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401331902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401395082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401408911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401451111 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401496887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401545048 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401573896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401619911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401649952 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401683092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401726007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401772022 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401804924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401849031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401909113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.401941061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.401992083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402009010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402053118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402112007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402131081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402177095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402220011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402267933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402292967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402335882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402355909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402400970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402457952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402481079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402519941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402570009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402584076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402635098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402689934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402746916 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402791977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402837992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402884960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.402913094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.402955055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403006077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403026104 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403064013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403095961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403139114 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403182030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403225899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403258085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403306961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403321981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403364897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403435946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403489113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403534889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403598070 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403613091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403656006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403700113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403748989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403774023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403825045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403837919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.403883934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403949022 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.403961897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404005051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404056072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404069901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404125929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404175997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404190063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404232979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404279947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404306889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404351950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404395103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404443979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404459000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404505014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404531956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404577017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404618025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404678106 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404695988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404745102 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404759884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404803038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404860973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404901981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.404939890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.404987097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405009031 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.405052900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405097961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405141115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.405174971 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405220985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405272007 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405291080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.405333042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.405356884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405404091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405448914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405497074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.405527115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405580044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.405594110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.428555965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428608894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428654909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428677082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.428723097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.428746939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428792000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428838015 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428880930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428901911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.428946972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.428999901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429019928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429060936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429090977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429122925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429157019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429177999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429204941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429238081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429271936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429287910 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429316998 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429332972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429367065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429398060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429411888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429441929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429476023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429508924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429523945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429553986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429585934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429601908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429630041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429661036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429707050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429749966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429769993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429814100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429864883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429878950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.429922104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429968119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.429989100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430032969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430079937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430124998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430145025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430187941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430241108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430253983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430286884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430314064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430358887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430411100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430423975 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430469036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430521965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430535078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430579901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430624008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430676937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430690050 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430736065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430783987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430800915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430844069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430864096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.430906057 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430948019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.430968046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431011915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431063890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431077957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431122065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431164980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431185007 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431229115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431272030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431314945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431333065 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431360960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431394100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431463003 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431504965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431549072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431569099 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431619883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431664944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431684017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431720972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431746006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431788921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431838036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431853056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.431896925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431947947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.431962013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432007074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432061911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432110071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432130098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432173967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432224989 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432238102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432269096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432301044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432347059 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432393074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432410955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432456017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432501078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432523012 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432564020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432610035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432662010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432674885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432715893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432761908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432780981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432815075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432842016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432887077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432933092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.432950974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.432996988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433051109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433064938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.433109045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433152914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433201075 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.433218002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433264017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433310986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.433329105 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433373928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.433391094 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433437109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433489084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433502913 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.433543921 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433589935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.433609009 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.434585094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.456789970 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.456851006 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.456873894 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.456927061 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.456979990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.456994057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457053900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457099915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457123995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457170010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457217932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457233906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457282066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457334042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457346916 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457391977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457479000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457525969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457545996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457592010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457644939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457659006 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457690954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457720995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457766056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457818985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457833052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457874060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457926035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.457940102 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.457983017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458029032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458076000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458097935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458142996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458194017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458208084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458240986 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458270073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458314896 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458359957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458378077 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458420992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458463907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458508968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458528042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458570957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458622932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458636045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458668947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458698034 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458741903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458789110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458806038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458849907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458895922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.458914042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.458956957 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459001064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459048986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459069014 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459095955 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459132910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459178925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459230900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459244013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459301949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459348917 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459367037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459441900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459492922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459506989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459548950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459592104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459635973 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459656000 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459700108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459750891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459764957 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459796906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459829092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459872961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459923983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.459938049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.459980965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460030079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460046053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460089922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460141897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460155010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460197926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460242033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460288048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460330963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460354090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460354090 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460402012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460450888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460465908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460524082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460566998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460586071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460628033 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460671902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460715055 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460733891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460777998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460830927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460846901 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.460891008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460942030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.460956097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461004972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461020947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461065054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461117029 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461131096 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461172104 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461224079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461236954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461277008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461323977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461371899 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461399078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461446047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461498976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461512089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461554050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461599112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461637020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461654902 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461684942 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461728096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461779118 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461807966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461852074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461893082 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.461913109 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.461956978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462007046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462022066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.462065935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462110996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462160110 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.462177038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462219954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462271929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.462287903 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.462318897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.485543966 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485613108 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485658884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485728979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485773087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485801935 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.485855103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485874891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.485909939 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.485939980 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.485986948 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486044884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486068010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486119032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486171961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486185074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486229897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486272097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486316919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486335993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486380100 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486423969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486443996 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486469030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486505985 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486552000 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486603975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486618042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486660004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486706018 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486725092 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486767054 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486812115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486857891 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486877918 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486917019 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.486939907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.486984968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487029076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487051010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487095118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487147093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487159967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487204075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487247944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487297058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487309933 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487353086 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487417936 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487437963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487479925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487504005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487551928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487596035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487638950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487672091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487714052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487763882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487777948 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487809896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487838030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487883091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487931967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.487946033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.487989902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488038063 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488054991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488097906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488146067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488159895 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488204002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488249063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488295078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488312960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488358021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488411903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488425016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488461018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488486052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488533974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488585949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488599062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488641024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488692999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488707066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488749027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488795042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488841057 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.488858938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488905907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488957882 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.488970995 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489006996 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489033937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489090919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489144087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489156961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489202023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489248037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489265919 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489310026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489353895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489406109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489418983 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489460945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489511013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489525080 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489556074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489584923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489629030 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489679098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489691973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489733934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489784002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489797115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489840984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489883900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489936113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.489949942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.489991903 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490041018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490057945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490111113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490149975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490168095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490195036 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490222931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490263939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490313053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490325928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490364075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490401983 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490422010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490462065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490500927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490520954 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490561008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490602016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490639925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490658045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490696907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490736008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490755081 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490786076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.490809917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490850925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490897894 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.490910053 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.507020950 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.513892889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.513948917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.513993979 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514041901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514086962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514132977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514179945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514226913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514250994 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514293909 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514319897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514380932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514426947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514472008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514518023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514548063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514594078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514648914 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514662981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514699936 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514727116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514772892 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514820099 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514843941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.514900923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514945984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.514998913 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515016079 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515053988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515078068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515124083 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515167952 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515188932 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515244961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515290976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515345097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515357018 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515415907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515439987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515486002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515580893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515594959 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515640020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515685081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515729904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515769005 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515788078 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515813112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515858889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515916109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.515930891 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.515980005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516026020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516073942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516093969 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516140938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516190052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516204119 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516237020 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516263962 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516309023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516360044 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516395092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516455889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516510963 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516530991 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516577005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516618967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516666889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516680956 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516725063 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516774893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516788960 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516822100 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.516849041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516892910 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516947031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.516959906 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517004013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517051935 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517071962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517117977 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517168999 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517182112 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517225981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517271996 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517323017 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517335892 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517379045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517429113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517442942 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517479897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517513037 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517580986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517641068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517654896 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517698050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517740965 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517764091 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517822027 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517878056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517931938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.517951012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.517997026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518049002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518062115 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518104076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518156052 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518168926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518202066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518229008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518275023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518328905 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518342972 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518385887 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518435955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518449068 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518492937 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518537998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518591881 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518605947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518662930 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518716097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518743992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518790960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518841982 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518855095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518887997 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.518929005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.518974066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519026995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519042969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.519085884 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519130945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519182920 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519196987 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.519256115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519309044 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.519331932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519377947 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.519421101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519488096 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519542933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519558907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.519603968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.519654989 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.530100107 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.530184984 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.530293941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.542598963 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542678118 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542737961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542785883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542809010 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.542857885 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542901993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.542921066 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.542967081 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543010950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543031931 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543075085 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543119907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543138981 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543170929 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543205976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543266058 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543319941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543333054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543378115 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543438911 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543484926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543531895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543577909 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543623924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543646097 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543689013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543737888 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543802023 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543802977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.543848038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543906927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543951035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.543994904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544015884 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544059992 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544114113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544127941 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544162035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544192076 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544239044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544291019 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544305086 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544348001 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544399023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544411898 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544454098 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544500113 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544559002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544599056 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544619083 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544646978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544692993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544744968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544759035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544801950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544861078 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544915915 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.544944048 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.544987917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545032024 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545057058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545099020 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545142889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545160055 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545188904 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545226097 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545269012 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545320988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545335054 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545377016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545429945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545443058 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545483112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545533895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545547962 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545589924 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545634031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545685053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545698881 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545739889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545792103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545804977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545840025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.545866013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545911074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.545970917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546011925 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546050072 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546099901 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546153069 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546166897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546210051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546256065 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546283960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546329021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546381950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546396017 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546437025 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546489954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546504021 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546535969 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546565056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546611071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546662092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546674967 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546715975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546761036 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546793938 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546840906 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546890974 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.546905041 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.546947002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547009945 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547025919 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547092915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547141075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547183990 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547208071 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547241926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547271013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547312975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547374964 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547389030 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547466993 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547514915 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547557116 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547583103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547627926 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547672987 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547693968 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547738075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547791958 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547806025 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547842979 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.547878981 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547924042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.547980070 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.548001051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.548051119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.548096895 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.548154116 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.548202991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.548202991 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.548260927 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.553267002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.553319931 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.553368092 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.553428888 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.553471088 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.571455002 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571521044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571594954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571610928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.571661949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571707010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571759939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571773052 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.571819067 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571872950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571887016 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.571918964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.571949005 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.571994066 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572079897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572093964 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572137117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572189093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572202921 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572247028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572293043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572344065 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572357893 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572401047 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572452068 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572464943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572515011 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572527885 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572571039 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572613955 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572659016 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572676897 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572722912 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572776079 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572789907 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572822094 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.572850943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572896004 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572948933 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.572962999 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573008060 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573059082 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573076010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573121071 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573173046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573187113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573229074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573276997 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573328972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573342085 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573385954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573436975 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573450089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573482037 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573509932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573555946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573606968 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573621035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573663950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573717117 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573730946 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573775053 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573824883 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573837042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.573880911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573925972 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573977947 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.573991060 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574033976 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574089050 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574103117 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574146032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574198008 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574210882 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574243069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574271917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574316978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574368954 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574384928 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574434042 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574477911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574496984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574539900 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574580908 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574631929 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574645042 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574688911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574731112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574748993 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574779034 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574809074 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574863911 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574924946 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.574939966 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.574981928 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575027943 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575051069 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575094938 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575139046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575156927 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575198889 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575244904 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575295925 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575309992 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575352907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575421095 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575453043 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575506926 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575547934 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575592041 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575642109 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575655937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575700045 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575747967 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575762033 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575804949 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575848103 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575896978 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.575911045 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.575953960 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576003075 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576019049 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576049089 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576081038 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576124907 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576189995 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576204062 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576246023 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576291084 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576311111 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576353073 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576395035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576437950 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576457977 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576500893 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576550961 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576564074 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576606035 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576648951 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576668978 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576703072 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576730013 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576776028 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576819897 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576839924 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.576880932 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576930046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.576944113 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600059032 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600121021 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600164890 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600208998 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600234985 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600271940 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600306988 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600359917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600374937 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600419044 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600469112 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600493908 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600531101 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600568056 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600584984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600620031 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600656986 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600693941 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600708961 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600744009 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600780010 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600799084 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600828886 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.600860119 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600910902 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600950956 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.600969076 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601005077 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601052046 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601063013 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601100922 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601136923 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601151943 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601187944 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601226091 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601262093 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601289988 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601334095 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601378918 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601398945 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601438046 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601459026 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601504087 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601553917 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.601567984 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.601604939 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:01.602051973 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:01.910172939 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.910268068 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:01.910413980 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.911067963 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.911114931 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:01.977983952 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:01.978763103 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.978831053 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:01.980431080 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:01.980537891 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.982713938 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:01.982830048 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:02.052251101 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:02.052335024 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:02.161629915 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:11.951205015 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:11.951354980 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:11.951487064 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:13.594922066 CEST	49690	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:39:13.594976902 CEST	443	49690	142.250.203.100	192.168.2.3
Apr 14, 2023 11:39:16.587573051 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:16.587666035 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:17.614881039 CEST	49689	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:17.644324064 CEST	80	49689	95.110.165.164	192.168.2.3
Apr 14, 2023 11:39:43.302795887 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:39:43.302869081 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:39:44.927774906 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:39:44.951009989 CEST	80	49688	95.110.165.164	192.168.2.3
Apr 14, 2023 11:40:01.154599905 CEST	80	49688	95.110.165.164	192.168.2.3
Apr 14, 2023 11:40:01.154875040 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:40:01.864032984 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:40:01.864046097 CEST	49688	80	192.168.2.3	95.110.165.164
Apr 14, 2023 11:40:01.864229918 CEST	443	49683	172.217.168.45	192.168.2.3
Apr 14, 2023 11:40:01.864351988 CEST	49683	443	192.168.2.3	172.217.168.45
Apr 14, 2023 11:40:01.864518881 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:01.864592075 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.864686966 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:01.865186930 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:01.865221024 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.887294054 CEST	80	49688	95.110.165.164	192.168.2.3
Apr 14, 2023 11:40:01.922513008 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.923058987 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:01.923134089 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.924236059 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.924806118 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:01.925019026 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:01.976145029 CEST	49727	443	192.168.2.3	142.250.203.100
Apr 14, 2023 11:40:11.935424089 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:11.935586929 CEST	443	49727	142.250.203.100	192.168.2.3
Apr 14, 2023 11:40:11.935774088 CEST	49727	443	192.168.2.3	142.250.203.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2023 11:38:57.457381010 CEST	63722	53	192.168.2.3	8.8.8.8
Apr 14, 2023 11:38:57.477649927 CEST	53	63722	8.8.8.8	192.168.2.3
Apr 14, 2023 11:38:57.596780062 CEST	65522	53	192.168.2.3	8.8.8.8
Apr 14, 2023 11:38:57.611728907 CEST	53	65522	8.8.8.8	192.168.2.3
Apr 14, 2023 11:38:59.744746923 CEST	59014	53	192.168.2.3	8.8.8.8
Apr 14, 2023 11:38:59.784548998 CEST	53	59014	8.8.8.8	192.168.2.3
Apr 14, 2023 11:39:01.832350969 CEST	61787	53	192.168.2.3	8.8.8.8
Apr 14, 2023 11:39:01.852451086 CEST	53	61787	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 14, 2023 11:38:57.457381010 CEST	192.168.2.3	8.8.8.8	0xa071	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:57.596780062 CEST	192.168.2.3	8.8.8.8	0x9c6f	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:59.744746923 CEST	192.168.2.3	8.8.8.8	0x9178	Standard query (0)	download.arxivar.it	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:39:01.832350969 CEST	192.168.2.3	8.8.8.8	0x57b1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 14, 2023 11:38:50.700685978 CEST	8.8.8.8	192.168.2.3	0xba54	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:50.700685978 CEST	8.8.8.8	192.168.2.3	0xba54	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.128	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:50.815138102 CEST	8.8.8.8	192.168.2.3	0x8a6e	No error (0)	windowsupdatebg.s.llnwi.net		178.79.225.128	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:50.815138102 CEST	8.8.8.8	192.168.2.3	0x8a6e	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:57.477649927 CEST	8.8.8.8	192.168.2.3	0xa071	No error (0)	accounts.google.com		172.217.168.45	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:57.611728907 CEST	8.8.8.8	192.168.2.3	0x9c6f	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 14, 2023 11:38:57.611728907 CEST	8.8.8.8	192.168.2.3	0x9c6f	No error (0)	clients.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:38:59.784548998 CEST	8.8.8.8	192.168.2.3	0x9178	No error (0)	download.arxivar.it		95.110.165.164	A (IP address)	IN (0x0001)	false
Apr 14, 2023 11:39:01.852451086 CEST	8.8.8.8	192.168.2.3	0x57b1	No error (0)	www.google.com		142.250.203.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

accounts.google.com

clients2.google.com

download.arxivar.it

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49685	172.217.168.45	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49686	142.250.203.110	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49689	95.110.165.164	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2023 11:39:00.018615007 CEST	613	OUT	GET /Tools/Prerequisiti/vcredist_x86_2010.zip HTTP/1.1 Host: download.arxivar.it Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Apr 14, 2023 11:39:00.042313099 CEST	615	IN	HTTP/1.1 200 OK Date: Fri, 14 Apr 2023 09:38:59 GMT Server: Apache Last-Modified: Wed, 21 Sep 2022 07:10:49 GMT Accept-Ranges: bytes Content-Length: 5051101 Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: Wed, 11 Jan 1984 05:00:00 GMT Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: application/zip Data Raw: 50 4b 03 04 14 00 00 00 08 00 88 50 22 49 e7 87 7f aa 2d 12 4d 00 58 69 4d 00 15 00 00 00 76 63 72 65 64 69 73 74 5f 78 38 36 5f 32 30 31 30 2e 65 78 65 ec 5c 6b 7c 54 47 15 bf fb cc 26 d9 b0 0b 24 6d 0a a1 2c 34 68 2a 14 d1 95 96 b0 84 26 c0 86 54 09 6c 58 d8 25 25 0f b0 24 5d 56 0a 31 b9 17 a8 92 36 b8 d9 34 37 b7 5b eb a3 8a 5a 2a 08 28 5a 1f a8 3c d2 96 47 42 30 09 14 29 85 4a a9 d4 8a 15 f5 c6 45 9b 0a 25 01 52 ae ff 33 f7 6e 36 09 d4 d7 cf 0f 7e 30 bf cc 9d 99 33 67 ce cc 9c 39 73 e6 cc 6b 0b 1f 7c 9a 33 70 1c 67 84 53 14 8e 6b e6 d4 bf 5c ee 9f ff 9d 87 1b 36 f6 c5 61 dc ee c4 5f 8e 6b d6 cd fb e5 b8 45 81 95 35 8e aa ea 35 0f 57 2f 7f c4 f1 d0 f2 d5 ab d7 f0 8e 4f 57 38 aa 85 d5 8e 95 ab 1d 73 16 78 1d 8f ac 59 51 31 39 25 25 29 33 46 e3 ae aa bc ed b3 ee 1c 11 73 0f 17 0e 1f b1 83 85 c7 8e 78 83 c5 67 8f 78 9e f9 79 23 ea 99 9f 8b 74 f2 e7 30 7f e1 ca 87 02 94 ef 83 ea e8 71 73 dc 3c 9d 81 db 12 fc cc dc 78 bd 6d 29 c9 ba 84 24 ae 01 91 51 2a 4c 79 08 1f 07 5c 0b 8b ea 58 58 cf 71 26 7c c8 19 63 99 11 a6 48 e0 73 85 14 aa 63 11 07 c1 ed ec 5f 0d c5 ff 36 6d e2 b8 2d ac 50 1d b7 fb f6 01 09 0b 0b b9 25 03 e2 8e f1 1c 97 f1 0f 78 dd fb a1 41 7d c2 ca b4 e8 3f 18 7f 32 5f b1 9e 87 7f 67 bd d6 ae 06 b5 93 87 90 58 36 79 c5 72 7e 39 d1 1f a9 53 db 4e 34 9b 06 e3 e5 22 65 72 75 4d 35 58 a4 b6 e1 3c 70 db e7 71 dc 93 43 f0 fe 35 b1 f9 ff df ff d0 df aa cd 1c e7 83 9b 0e 37 1e ce 0e 77 ed 59 8e 7b 0b ee 18 dc 6e b8 ed 70 4d 70 1b 36 ab 79 86 93 dc e3 ef ca 56 8e 93 e1 8e c3 bd 08 b7 1d 2e eb 3b 1c 57 0d 7f 05 dc 22 38 33 e2 1f 81 7f 1b 85 e1 3c 88 07 e1 ea e0 be 06 b7 0b ee 38 dc 0c c2 a1 30 06 cb 59 b8 27 11 2f f9 36 c7 fd 60 33 68 c3 b5 c3 9d 85 fb 23 d5 0f 2e e9 39 c8 36 dc 64 b8 99 70 f3 e0 ca e0 56 c3 d5 c3 7d 19 6e 3b dc cf e0 0e c3 9d 80 3b 0f d7 0b 67 fe 36 f2 c2 7d 1c 6e 1e dc 8b 28 2f 00 bf 0a ae 09 6e 3b c1 e0 da e1 ce c0 bd 0d f7 57 b8 3e b8 54 e0 66 c1 cd 84 9b 07 b7 0c 6e 2d 5c 23 dc 73 70 3f 80 fb 2b 1c fd f5 6d e3 b8 0b db d4 f0 7c f8 33 e1 26 c1 dd 09 37 02 ce 0c d7 8b 36 af d0 70 2c cf 22 cf b7 38 ee 22 dc 79 b8 b3 70 27 e0 32 00 6f 86 ff 63 b8 ed 70 df 84 7b 1a ae 01 ee 73 70 93 90 3e 03 ee 93 70 25 d4 4f 70 2d 80 cf 87 7b 10 6e 05 dc 6a b8 5c 38 fa fb 0e ca 6b 84 7b 0c ae 19 2e f6 f7 e4 a7 a1 f7 6e fe eb d7 9d 7a b8 bb 68 9c 7f 18 2e 19 65 6c 1e b6 d3 fe c6 a9 e1 cf 98 38 fb 83 3f f8 69 da 84 9a f2 09 53 ee 15 ca 09 77 6e 05 3f 7b 95 50 c3 57 54 17 09 6b aa 85 47 16 56 d4 ac 11 aa 1f aa d0 d2 e6 63 1a d0 d2 bd fc 72 be 82 9b bd 6a 4d 4d 0c 42 38 0b aa 2a 56 c7 a2 25 0f 21 b0 bc 6a e5 e4 15 ab 56 51 5a 49 c9 e4 92 fb a7 83 0e b7 8a 5b c3 7d 9a 5b 0e bf 84 2b 40 98 e7 2a b9 95 dc 7a 6e 3e c2 5e 2e c0 09 80 cc 41 78 1d b7 1a f9 52 92 3e f2 91 8f a4 24 a5 24 51 7f f0 54 Data Ascii: PKP"I-MXiMvcredist_x86_2010.exe\k\|TG&$m,4h&TlX%%$]V1647[Z(Z<GB0)JE%R3n6~03g9sk\|3pgSk\6a_kE55W/OW8sxYQ19%%)3Fsxgxy#t0qs<xm)$QLy\XXq&\|cHsc_6m-P%xA}?2_gX6yr~9SN4"eruM5X<pqC57wY{npMp6yV.;W"83<80Y'/6`3h#.96dpV}n;;g6}n(/n;W>Tfn-\#sp?+m\|3&76p,"8"yp'2ocp{sp>p%Op-{nj\8k{.nzh.el8?iSwn?{PWTkGVcrjMMB8V%!jVQZI[}[+@*zn>^.AxR>$$QT
Apr 14, 2023 11:39:00.042366982 CEST	616	IN	Data Raw: 82 a7 7a cd 43 15 35 35 8b d6 7c a6 62 b5 23 7f f9 ca 55 15 2b a0 14 51 57 7e 4d 75 85 a7 7a e5 5a 40 1e ae c8 ba 7b 7a 2c 71 d1 1a 87 96 ea e8 4f 46 8e 5b e6 89 67 a1 a2 1c 5a 59 0e 56 18 97 57 55 b5 ea 51 cf 72 fe a1 c0 a2 35 f9 c0 cb 53 f9 42 Data Ascii: zC55\|b#U+QW~MuzZ@{z,qOF[gZYVWUQr5SBA\|xr^Gj<5U5k8`5~+>KroyY_]]4o@WY(?z%cXYw5)'ZH> {=g5cky+Z{~yr\|
Apr 14, 2023 11:39:00.042414904 CEST	617	IN	Data Raw: e0 6e d4 34 52 7b 79 47 e5 0e 1a 55 ee ee 0e 77 f7 fd d3 4b 38 cf f6 c6 d2 6e c8 02 e3 4b 41 01 3f bc 80 2f 09 c9 06 de e8 54 a2 de a0 a1 3c 3a df 79 c5 e7 0b 1a f0 1f 40 fb eb 22 ee cb 9e c6 d2 5e 48 35 e5 38 1b ba ae f0 bf f2 45 dc 17 3d c1 f4 Data Ascii: n4R{yGUwK8nKA?/T<:y@"^H58E=5U9Tf2wIAIJ[HH[J'J]HK;}N)YP>*]%pub$XWz5bJR:h4</VFx/7~k6Zp:!!4
Apr 14, 2023 11:39:00.042500019 CEST	619	IN	Data Raw: ce a1 f3 37 13 8e 2d 4c 96 8b 67 70 87 03 51 2d b2 3e 82 44 92 4c d6 ab 8c 96 f2 3a c5 bb 59 df db d5 b9 a1 7c 60 71 ca 1e aa 39 70 fa 8b e3 ef 57 8b 12 ee f3 dc 2c 57 fc e4 18 79 df c0 bc be 58 11 56 52 86 91 8b ac a6 4f dd 88 0f 8f d7 98 f2 c5 Data Ascii: 7-LgpQ->DL:Y\|`q9pW,WyXVROTC"8[@9W_0e7RWc`Yxe"#EVd=O;<Eqr<7%j*86%lZp)m4AN5Z!sTl.Rn%
Apr 14, 2023 11:39:00.042553902 CEST	620	IN	Data Raw: fb 34 53 a2 7d d0 da 3e 88 61 66 8f 2b ae d8 96 a0 40 43 22 0d f9 a1 3b 4b 07 69 3d 0b 6d 1c 08 73 b7 7a 40 32 db 6d af c6 52 c3 2e 15 da 69 85 2f b5 42 a0 0a 50 75 ec 4f f4 6f 66 80 c0 dd 26 42 d6 99 28 69 2b 7d ca b1 78 2f 63 94 6f 2a de a1 b6 Data Ascii: 4S}>af+@C";Ki=msz@2mR.i/BPuOof&B(i+}x/co*m5t6}(Sak2_,v{pWzzUUn[I1Z?'3R6~6OC[9Mkh;NJPL'LNr63E3@bI+Rc0-0']#>%
Apr 14, 2023 11:39:00.042617083 CEST	621	IN	Data Raw: b8 98 5f 18 30 4e a0 f3 a5 b4 16 a6 a4 8b 8b 85 5c 6c 4c 6c 95 51 67 9c eb d1 59 5c cf bb 8a 89 a2 0b 03 7d 99 0c f3 bc 5a 77 1f 89 3c db 61 10 4e 42 11 83 af b2 97 44 dd d0 6e 8e 9d b9 5a 86 1c bd d8 fd b4 20 77 9e 93 97 00 51 aa 4d f5 a3 2d f2 Data Ascii: _0N\lLlQgY\}Zw<aNBDnZ wQM-<P3Xe[x;X$!%JW[~Ncu3K.j6k*3m!fKbW7u-R);^z+%\|B;W`^#-hP?Bu
Apr 14, 2023 11:39:00.042665005 CEST	623	IN	Data Raw: 8e 4c d2 6e 8b d1 ea 33 a8 0f 70 3a 36 4e 54 f9 e3 54 1b ee b3 ca 1e 10 a1 0b 2a 88 1f a2 1b 03 fe a0 5e 43 62 67 88 10 44 2a 4c 05 21 4d 85 4e 57 f6 6c b9 19 9a e9 d5 72 c6 2a 60 51 0b b1 46 58 73 c5 30 35 2f 7b 0c 2d 42 84 31 d9 63 68 11 c4 a7 Data Ascii: Ln3p:6NTT^CbgDL!MNWlr`QFXs05/{-B1chl4d$]ugLmB&B;vWCuVQ~1FbYHuPV55ZbKbHi)abJ[@ Q7EuKYg`NWzO(SFW`i
Apr 14, 2023 11:39:00.042723894 CEST	624	IN	Data Raw: 92 38 2c a2 1e 9b 2b ff e8 04 1b 93 49 81 c7 48 a8 b3 c9 6a a3 93 ce 09 f4 4e 3a 07 0f 17 8f 21 49 47 b3 d3 9d 48 0a e7 50 9a 90 14 df a9 ad 9b 30 1a 90 c7 d1 62 94 b4 8d ae b0 d2 99 20 c6 45 5e 36 f1 01 47 83 4c ca 99 68 bc 49 43 45 c1 45 d7 fe Data Ascii: 8,+IHjN:!IGHP0b E^6GLhICEES!C%cL@q411z@yTLT[e{ye:~xCwG`n}>Og}lL?~44Cr4OXO[6D(-N;)1
Apr 14, 2023 11:39:00.042774916 CEST	625	IN	Data Raw: 5e ca 9b 82 95 d2 d8 58 df ef e8 7f c7 b6 81 53 8f f4 6e 7e dd 45 37 27 73 72 5f c2 13 ca 42 f6 76 07 17 57 1c 54 6e 9f 93 a6 a4 f5 64 e9 75 43 5b 69 fe 7e e6 93 85 85 f5 1c bb d3 7e d9 e9 ee 76 b6 b3 c5 63 99 60 6a 26 4a db 88 6e cf c9 6d 99 f0 Data Ascii: ^XSn~E7'sr_BvWTnduC[i~~vc`j&Jnm4+B0!:AcnvnnB[o2)%YoiuK7<<M(`=s=EV1RhC1eZimfsC@6To,U?XksV0EOTg'0NAv<&h.,
Apr 14, 2023 11:39:00.042831898 CEST	627	IN	Data Raw: 7e 3d 9e fd 7e 35 fb 7a 30 89 2c 35 b4 be e1 2d f4 3a 89 50 e4 20 09 2c 00 bf 4e 60 ac f4 07 4d e2 58 b1 e1 38 62 31 49 24 32 4c a6 7a 53 18 99 29 20 c3 b2 87 5b 90 8f 08 f2 a3 a4 fb 5d d7 f9 54 d8 2d 43 5a c0 1f b9 95 00 52 8d b1 01 d6 f0 33 aa Data Ascii: ~=~5z0,5-:P ,N`MX8b1I$2LzS) []T-CZR3QV~?hFa7#(B3KL\\|YC1v=Ee~;v*}=_Y(SP[:Sh{Z\wcO<GC;OByYm:LH?
Apr 14, 2023 11:39:00.066071033 CEST	628	IN	Data Raw: 12 71 30 6c 45 e8 29 75 89 f3 14 63 09 ba ad df 4c 5f e2 c5 5e 6a a4 81 49 89 4f de 77 9d 71 c3 1a c4 0b 59 df 0d 55 09 49 e6 d0 b4 64 7e 92 76 51 3c 54 6b e1 24 b3 c4 89 73 33 6d 61 da 18 ac 54 1a 7e 0c 78 f4 1e ad d9 5f 36 32 6d f5 31 c6 90 77 Data Ascii: q0lE)ucL_^jIOwqYUId~vQ<Tk$s3maT~x_62m1wH.DCoebrTt.rb9\|*%KTJrhOhh>_O&h$p6`zdZEC;Dd:,UNUbowu:m}OrO+'[$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49688	95.110.165.164	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2023 11:39:44.927774906 CEST	5887	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49685	172.217.168.45	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-14 09:38:58 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg
2023-04-14 09:38:58 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-04-14 09:38:58 UTC	2	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 14 Apr 2023 09:38:58 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-b_6tDXqclGe6wO0eQblWTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-14 09:38:58 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-04-14 09:38:58 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49686	142.250.203.110	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-14 09:38:58 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-14 09:38:58 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-4glVaUVrcmhys8SFaeTRtg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 14 Apr 2023 09:38:58 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5947 X-Daystart: 9538 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-14 09:38:58 UTC	1	IN	Data Raw: 32 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 39 34 37 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 39 35 33 38 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 Data Ascii: 2c8<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5947" elapsed_seconds="9538"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-04-14 09:38:58 UTC	2	IN	Data Raw: 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 3f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-04-14 09:38:58 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 1092, Parent PID: 4532

General

Target ID:	0
Start time:	11:38:55
Start date:	14/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4792, Parent PID: 1092

General

Target ID:	1
Start time:	11:38:56
Start date:	14/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1668,i,6246966439295609251,3032567147448731362,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5448, Parent PID: 4532

General

Target ID:	2
Start time:	11:38:58
Start date:	14/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: unarchiver.exePID: 5952, Parent PID: 1092

General

Target ID:	3
Start time:	11:39:01
Start date:	14/04/2023
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\vcredist_x86_2010.zip
Imagebase:	0x690000
File size:	12800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 5976, Parent PID: 5952

General

Target ID:	4
Start time:	11:39:02
Start date:	14/04/2023
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq" "C:\Users\user\Downloads\vcredist_x86_2010.zip
Imagebase:	0x1140000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5984, Parent PID: 5976

General

Target ID:	5
Start time:	11:39:02
Start date:	14/04/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5536, Parent PID: 5952

General

Target ID:	6
Start time:	11:39:03
Start date:	14/04/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5584, Parent PID: 5536

General

Target ID:	7
Start time:	11:39:03
Start date:	14/04/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: vcredist_x86_2010.exePID: 5424, Parent PID: 5536

General

Target ID:	8
Start time:	11:39:03
Start date:	14/04/2023
Path:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe
Imagebase:	0x1000000
File size:	5073240 bytes
MD5 hash:	B88228D5FEF4B6DC019D69D4471F23EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Setup.exePID: 5876, Parent PID: 5424

General

Target ID:	9
Start time:	11:39:05
Start date:	14/04/2023
Path:	C:\e2ac7bbaf115a22162e746\Setup.exe
Wow64 process (32bit):	true
Commandline:	c:\e2ac7bbaf115a22162e746\Setup.exe
Imagebase:	0xd70000
File size:	78152 bytes
MD5 hash:	006F8A615020A4A17F5E63801485DF46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 5292, Parent PID: 580

General

Target ID:	17
Start time:	11:39:23
Start date:	14/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff709c80000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 5952, Parent PID: 1092COMMON

Executed Functions

Function 02960870 Relevance: 1.0, Instructions: 968COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424956983.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2960000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404858a06b6849479d3092c8c2178826e96f15c4aab06ded2e7b350e37e759cb
Instruction ID: 9c0ffbb5a431ed52fba75a879088acc7644e9c4a1e09b5bb3bbcd1da23dbb3e8
Opcode Fuzzy Hash: 404858a06b6849479d3092c8c2178826e96f15c4aab06ded2e7b350e37e759cb
Instruction Fuzzy Hash: 8E11BF6250E3C04FE703C7A45CA58A5BFF0CD97220B0A8ADFC4D58B6E3D159191AD793

Uniqueness

Uniqueness Score: -1.00%

Function 029502C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96510ff9e47221a79b4158a9604ce7c3041b084d9f45649ed06de0b136728528
Instruction ID: 9709fed88b15802bc263ec29b9cb5181ed4d682e5b07f36dbc80c05855a405ab
Opcode Fuzzy Hash: 96510ff9e47221a79b4158a9604ce7c3041b084d9f45649ed06de0b136728528
Instruction Fuzzy Hash: B8B13934701120DFCB18EB64E959B5E7BB6FF89344F108929E90ADB368EB349D41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 029507A8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee61655cc620c551e3c701d088c4af60cb136df481953804a9b4c10a8cf9a4c1
Instruction ID: ef48ea9778716d245392c181d6bbd024d63ce391a71a7e5dd340c8b1677fcda4
Opcode Fuzzy Hash: ee61655cc620c551e3c701d088c4af60cb136df481953804a9b4c10a8cf9a4c1
Instruction Fuzzy Hash: 44A16F30B002158FDB18EB78D95576E77E7AFC8308F248828D906A7395EF798C42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02950799 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86401104fdcc830902b70cf695009f1fe53365659b92ac9f69155f2f36fa7d1e
Instruction ID: 9b5898e911e0c5b5d311e4747c761d594c3b3efc08e55561a4a1ddae06df7507
Opcode Fuzzy Hash: 86401104fdcc830902b70cf695009f1fe53365659b92ac9f69155f2f36fa7d1e
Instruction Fuzzy Hash: 52818F30B002158FDB14EB78D95576E77E6EF88348F248828D906EB395EB79CD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02950C99 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688fbac83ffd66d36c46b68fe3d70c0964332190f12734822e726b107810d8fc
Instruction ID: 28539ec66b06c146ca6dad16cef8edd9f582c62815b7241da947a3e6303cd862
Opcode Fuzzy Hash: 688fbac83ffd66d36c46b68fe3d70c0964332190f12734822e726b107810d8fc
Instruction Fuzzy Hash: B021F330B007148BCB15EB3988516AE7BD6AFC9348F04483CD446DB345DF79AD0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 02950CA8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6aa4011e1dafd726687828c976f998629aa05a4619b50be0081974c5a7c6a1
Instruction ID: 4fa34ca94f733de44982c4e84313b5fd232f22e2d27c039bac1c169617a2fe93
Opcode Fuzzy Hash: 4c6aa4011e1dafd726687828c976f998629aa05a4619b50be0081974c5a7c6a1
Instruction Fuzzy Hash: 2921F130B007148BCB20EB3984916AEBBD6AFC9208B04883CD446DB385DF79AD068795

Uniqueness

Uniqueness Score: -1.00%

Function 02950B8F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc9388f69e881310e13db1cb7c4150dbf16d355ed02a2cb9c5adb9f6e6a0813
Instruction ID: 3dbe4e593d3ac5fbe36c1108a0ac7e5aba99e4cafba7a47ea9ceb8ec4eb13b09
Opcode Fuzzy Hash: 1fc9388f69e881310e13db1cb7c4150dbf16d355ed02a2cb9c5adb9f6e6a0813
Instruction Fuzzy Hash: F211DD36A10214AFCB02DFB4D85199E7BF6BF89214B254879E209EB335EB359C05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02950BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d6324f4469e0335cb0f50fa977d8da7215bbd13419f44d25ee672800c2ab26
Instruction ID: d3c1642e4638b0d0ba56d549b8dc1646ee766f9f1d69c8936920b3d04949a157
Opcode Fuzzy Hash: a7d6324f4469e0335cb0f50fa977d8da7215bbd13419f44d25ee672800c2ab26
Instruction Fuzzy Hash: EB119E36A10118AFCB05EBB4D855D9E7BE6AB89214B214979E205E7324EF35AC05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 029607F8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424956983.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2960000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ada42c34188529db61098f0d89f915df4136e7a20e729ca68aab8f56b5ac2bc
Instruction ID: 8f22bbda1240e7d7ab8b1fe284c294c7ae1b4ddba55306e688510db573accb42
Opcode Fuzzy Hash: 7ada42c34188529db61098f0d89f915df4136e7a20e729ca68aab8f56b5ac2bc
Instruction Fuzzy Hash: A701B1B24096406FD300CB55AC41857FBFCDF95520F08C86BEC488B602E225A9188BB2

Uniqueness

Uniqueness Score: -1.00%

Function 029605CF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424956983.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2960000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02107f7a05546a63f42eb7fa6c8dd3b77f567a4ffe1dd8ad1e58fbf9aca656a9
Instruction ID: d6ee32c0c0113b7504507d87de49c6eeae4add22a2592086aecd7f5ff428bf8a
Opcode Fuzzy Hash: 02107f7a05546a63f42eb7fa6c8dd3b77f567a4ffe1dd8ad1e58fbf9aca656a9
Instruction Fuzzy Hash: 9A01D6B65093805FD7118B169C40862FFB8EF86670709C4AFEC898B612D225A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0296081E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424956983.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2960000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021d93f9123fbfe8dc9102558f4efb207f5b10eaecc2306d93bdb8d25a2f71dd
Instruction ID: c1931b742cd306d9ea15746db279677ccc3349972dd1e14c47c61d7631a1ba1d
Opcode Fuzzy Hash: 021d93f9123fbfe8dc9102558f4efb207f5b10eaecc2306d93bdb8d25a2f71dd
Instruction Fuzzy Hash: 10F082B29056046BD300DF45EC458A6F7ECDF94521F14C52EEC488B701E676B9194AF2

Uniqueness

Uniqueness Score: -1.00%

Function 029605F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424956983.0000000002960000.00000040.00000020.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2960000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7219f67d63ff8dcf8c12b400f151baaca6daf86cb0917b22a41a6f9cd54de9d7
Instruction ID: 24a83a640cdbb0c4070c8a8e6893e3650e08a84767f98dd9d231bc5a467c7706
Opcode Fuzzy Hash: 7219f67d63ff8dcf8c12b400f151baaca6daf86cb0917b22a41a6f9cd54de9d7
Instruction Fuzzy Hash: 73E092766046404B9650CF0AEC41462F7E8EB84630B18C47FDC0E8BB01E63AB509CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02950C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b28d329464904fcc8f75533a4bd45e7b6ed68f57abb76dace9dbcab855b2c6
Instruction ID: b7819afdc37cf323838b72ea1106262de9b73bdf881f26d722464f76d5f51025
Opcode Fuzzy Hash: a9b28d329464904fcc8f75533a4bd45e7b6ed68f57abb76dace9dbcab855b2c6
Instruction Fuzzy Hash: FAE0DF71F043586FCB14ABB8884169E7FE5DF41120F1048BE900CD7341EA3A8C068790

Uniqueness

Uniqueness Score: -1.00%

Function 02950C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9fe86e5dfab78913b63622736738709564d7952c323526803022a28b74c2e3
Instruction ID: 06a4f179b496d172fae1087f10e0b161bc8cdcb97bd302dd9434cba77cd7882d
Opcode Fuzzy Hash: dc9fe86e5dfab78913b63622736738709564d7952c323526803022a28b74c2e3
Instruction Fuzzy Hash: EFD01231F003185B8B54EAB9584559E7BEADB84564F20447D9008D7340EE399C018794

Uniqueness

Uniqueness Score: -1.00%

Function 02950DD1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2432f7740aace9ef2910192244b922a04400611cf34869ad5754bd7aba8b28f
Instruction ID: 3d3465c15656c4e56b2facdd9bbbd96b2f58c29ef59ca3118e4b1e3a1c4b255d
Opcode Fuzzy Hash: e2432f7740aace9ef2910192244b922a04400611cf34869ad5754bd7aba8b28f
Instruction Fuzzy Hash: 49D05E742102108FCB059B34D859B617BEA6BC8308F55855494085B360D778EC40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02950DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.424928184.0000000002950000.00000040.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2950000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b981b17ac51c28db1fc1163d13c0f2a9d3c7f9842ae938a17d71b1e8d5f6eeae
Instruction ID: 67201117845d9cb77cb7348dfd888a0723c715d525cb4134038e134ac7f00fac
Opcode Fuzzy Hash: b981b17ac51c28db1fc1163d13c0f2a9d3c7f9842ae938a17d71b1e8d5f6eeae
Instruction Fuzzy Hash: E5C012303102148BC708E774D56AA2577DA67C4308F58C56884084B361EB34EC40C780

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vcredist_x86_2010.exePID: 5424, Parent PID: 5536COMMON

Execution Graph

Execution Coverage:	29%
Dynamic/Decrypted Code Coverage:	75.7%
Signature Coverage:	43.2%
Total number of Nodes:	699
Total number of Limit Nodes:	21

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01005899 Relevance: 91.4, APIs: 42, Strings: 10, Instructions: 429
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E01005899() {
				long _v8;
				void* _v12;
				long _v16;
				long _v20;
				struct _PROCESS_INFORMATION _v36;
				signed short _v54;
				char _v60;
				char _v72;
				struct _STARTUPINFOA _v140;
				void* _t41;
				signed int _t45;
				struct HWND__* _t47;
				intOrPtr _t49;
				long _t52;
				void* _t57;
				void* _t60;
				unsigned int _t63;
				signed int _t65;
				signed int _t66;
				long _t74;
				CHAR* _t75;
				void* _t76;
				unsigned int _t77;
				void* _t81;
				short _t82;
				signed int _t85;
				void* _t86;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				long _t98;
				signed int _t99;
				long _t107;
				long _t110;
				void* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t118;
				void* _t120;
				char _t129;
				signed int _t130;
				signed int _t131;
				signed int _t133;
				int _t136;
				signed int _t138;
				void* _t140;
				void* _t143;
				CHAR* _t145;
				void* _t147;
				void* _t152;
				void* _t153;
				void* _t160;
				void* _t162;
				intOrPtr _t166;

				 *0x100d044 =  *0x100d044 | 0xffffffff;
				_t144 = 0x80000000;
				_v8 = 0;
				 *0x100cd00 = 0;
				 *0x100c8c8 = 0x80000000;
				InitializeCriticalSectionAndSpinCount(0x100d060, 0xffffffff);
				 *0x100c060 = 1;
				__imp__#17(_t143, _t153, _t120);
				 *0x100d078 = GetProcessHeap();
				E01002FB2();
				_t41 = CreateEventA(0, 1, 0, 0);
				 *0x100cf24 = _t41;
				if(_t41 != 0) {
					E0100400D();
					__eflags =  *0x100c054; // 0x0
					if(__eflags != 0) {
						L10:
						 *0x100cf2c = CreateEventA(0, 0, 0, 0);
						_t45 = CreateThread(0, 0, E01003941, 0, 0,  &_v20); // executed
						__eflags = _t45;
						if(_t45 != 0) {
							WaitForSingleObject( *0x100cf2c, 0xffffffff);
							_t47 =  *0x100ce04; // 0x702e8
							__eflags = _t47;
							if(_t47 != 0) {
								__eflags =  *0x100c4b4; // 0x0
								if(__eflags == 0) {
									SendDlgItemMessageA(_t47, 0x68, 0xc, 0,  *0x100c4b0);
									_t49 =  *0x100c014; // 0x4cada8
									_t52 = _t49 + 0xffff >> 0x10 << 0x10;
									__eflags = _t52;
									SendDlgItemMessageA( *0x100ce04, 0x6a, 0x401, 0, _t52); // executed
									SendDlgItemMessageA( *0x100ce04, 0x6a, 0x404, 1, 0);
								} else {
									Sleep(0x1f4);
									ShowWindow( *0x100ce04, 0);
									SetParent( *0x100ce04,  *0x100cf28);
								}
								__eflags =  *0x100c054; // 0x0
								if(__eflags != 0) {
									L21:
									E01004F6B(_t122, _t140, _t144);
									__eflags =  *0x100c054; // 0x0
									_t145 = 0x100d1a0;
									if(__eflags != 0) {
										L28:
										E01002BC4("c:\e2ac7bbaf115a22162e746", "_sfx_manifest_", _t145);
										_t57 = CreateFileA(_t145, 0x80000000, 1, 0, 3, 0x8000000, 0);
										__eflags = _t57 - 0xffffffff;
										_v12 = _t57;
										if(_t57 == 0xffffffff) {
											goto L6;
										}
										 *0x100c050 = GetFileSize(_t57, 0);
										_t60 = E01003BE7(_t58 + 1);
										__eflags = _t60;
										_pop(_t122);
										 *0x100c04c = _t60;
										if(_t60 != 0) {
											_t122 =  &_v16;
											_t97 = ReadFile(_v12, _t60,  *0x100c050,  &_v16, 0);
											__eflags = _t97;
											if(_t97 != 0) {
												_t98 =  *0x100c050; // 0x0
												__eflags = _v16 - _t98;
												if(_v16 == _t98) {
													_t122 =  *0x100c04c; // 0x790f08
													 *0x100c048 = 1;
													 *((char*)(_t122 + _t98)) = 0;
												}
											}
										}
										CloseHandle(_v12);
										__eflags =  *0x100c048; // 0x1
										if(__eflags == 0) {
											goto L6;
										} else {
											DeleteFileA(_t145);
											L35:
											__eflags =  *0x100c048; // 0x1
											if(__eflags == 0) {
												L38:
												__eflags =  *0x100d07c; // 0x78d720
												if(__eflags == 0) {
													L59:
													__eflags =  *0x101d3e0;
													if( *0x101d3e0 == 0) {
														ShowWindow( *0x100ce04, 0);
														LoadStringA( *0x100c05c, 0x20000002, _t145, 0x104);
														MessageBoxA( *0x100ce04, _t145, _t145, 0x10030);
													}
													L61:
													_t63 =  *0x100c8c8; // 0xc0000013
													__eflags = _t63;
													if(_t63 < 0) {
														goto L68;
													}
													__eflags = 0x40000000 & _t63;
													if(__eflags != 0) {
														L66:
														_push(0x20000007);
														goto L67;
													}
													_t65 = E01003972(_t63 >> 0x00000001 & 0x00000001, _t140, _t145, __eflags, _t63 & 0x00000001, _t63 >> 0x00000001 & 0x00000001, _t63 >> 0x00000004 & 0x00000001, 0x100c8d0,  *0x100c8cc);
													__eflags = _t65;
													_t66 =  *0x100c8c8; // 0xc0000013
													if(_t65 == 0) {
														_t66 = _t66 | 0x40000000;
														__eflags = _t66;
														 *0x100c8c8 = _t66;
													}
													__eflags = 0x40000000 & _t66;
													if((0x40000000 & _t66) == 0) {
														goto L68;
													} else {
														goto L66;
													}
												}
												__eflags =  *0x100c4ac; // 0x0
												if(__eflags != 0) {
													goto L59;
												}
												__eflags =  *0x100c4b4; // 0x0
												if(__eflags == 0) {
													SendDlgItemMessageA( *0x100ce04, 0x68, 0xc, 0,  *0x100ce0c); // executed
												}
												SetEnvironmentVariableA("_SFX_CAB_EXE_PATH", "c:\e2ac7bbaf115a22162e746");
												SetEnvironmentVariableA("_SFX_CAB_EXE_PACKAGE", "C:\Users\hardz\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe");
												SetEnvironmentVariableA("_SFX_CAB_EXE_PARAMETERS",  *0x100c4a8); // executed
												E010037BF(_t122);
												_t74 =  *0x100ce0c; // 0x10022bb
												__eflags =  *_t74;
												if( *_t74 != 0) {
													_t75 =  *0x100d07c; // 0x78d720
													__eflags = 0x100d3e0;
													do {
														_t129 =  *_t75;
														_t75[0x100d3e0] = _t129;
														_t75 =  &(_t75[1]);
														__eflags = _t129;
													} while (_t129 != 0);
													_t76 =  *0x100c4a8; // 0x753804
													_t140 = _t76;
													do {
														_t130 =  *_t76;
														_t76 = _t76 + 1;
														__eflags = _t130;
													} while (_t130 != 0);
													_t77 = _t76 - _t140;
													_t147 = 0x100d3df;
													__eflags = 0x100d3e0;
													do {
														_t131 =  *(_t147 + 1);
														_t147 = _t147 + 1;
														__eflags = _t131;
													} while (_t131 != 0);
													_t133 = _t77 >> 2;
													_t160 = _t140;
													_t136 = memcpy(_t147, _t160, _t133 << 2) & 0x00000003;
													__eflags = _t136;
													memcpy(_t160 + _t133 + _t133, _t160, _t136);
													_t162 = _t162 + 0x18;
													goto L53;
												} else {
													_t94 = ExpandEnvironmentStringsA( *0x100d07c, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0x10000); // executed
													__eflags = _t94;
													_v8 = _t94;
													if(_t94 == 0) {
														goto L1;
													}
													__eflags = _t94 - 0x10000;
													if(_t94 < 0x10000) {
														L53:
														_t138 = 0x11;
														_t152 =  &_v140;
														_t81 = memset(_t152, 0, _t138 << 2);
														_t145 = _t152 + _t138;
														_t82 = _t81 + 1;
														_v140.dwFlags = _t82;
														_v140.wShowWindow = _t82;
														_v140.cb = 0x44;
														_t85 = CreateProcessA(0, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0, 0, 0, 0x20, 0,  *0x101d3e4,  &_v140,  &_v36); // executed
														__eflags = _t85;
														if(_t85 == 0) {
															goto L1;
														}
														__eflags =  *0x100c4b4; // 0x0
														if(__eflags == 0) {
															ShowWindow( *0x100ce04, 0);
														}
														_t86 = _v36.hProcess;
														 *0x100d04c = _t86;
														WaitForSingleObject(_t86, 0xffffffff);
														GetExitCodeProcess(_v36,  &_v8);
														CloseHandle(_v36.hThread);
														E01002821(0);
														__eflags = _v8 - 0xcabf00d1;
														if(_v8 != 0xcabf00d1) {
															E01002D78();
														} else {
															_v8 = 0;
														}
														goto L61;
													}
													goto L1;
												}
											}
											__eflags =  *0x100c000; // 0x1
											if(__eflags == 0) {
												goto L38;
											}
											_t96 = E010046B9(_t122, _t140, _t145,  *0x100c04c); // executed
											__eflags = _t96;
											if(_t96 == 0) {
												goto L6;
											}
											goto L38;
										}
									}
									__eflags =  *0x100c4b4; // 0x0
									if(__eflags == 0) {
										LoadStringA( *0x100c05c, 0x20000004, 0x100d1a0, 0x104);
										LoadStringA( *0x100c05c, 0x20000006, "To Directory:", 0x104);
										SendDlgItemMessageA( *0x100ce04, 0x65, 0xc, 0, 0x100d1a0); // executed
										SendDlgItemMessageA( *0x100ce04, 0x66, 0xc, 0, "To Directory:"); // executed
										SendDlgItemMessageA( *0x100ce04, 0x69, 0xc, 0, "c:\e2ac7bbaf115a22162e746"); // executed
										SendDlgItemMessageA( *0x100ce04, 0x6a, 0x402, 0, 0); // executed
										_t107 = (_v54 & 0x0000ffff) << 0x10;
										__eflags = _t107;
										SendDlgItemMessageA( *0x100ce04, 0x6a, 0x401, 0, _t107); // executed
										ShowWindow( *0x100ce04, 5); // executed
									}
									_t99 = E010076CB(__eflags, _v12, "C:\Users\hardz\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe", L"", 0, 0x10055a3, 0, 0); // executed
									_t162 = _t162 + 0x1c;
									__eflags = _t99;
									if(_t99 == 0) {
										goto L6;
									} else {
										__eflags =  *0x101d3e0;
										if( *0x101d3e0 != 0) {
											L27:
											__eflags =  *0x100c054; // 0x0
											if(__eflags == 0) {
												goto L35;
											}
											goto L28;
										}
										__eflags =  *0x100ce04; // 0x702e8
										if(__eflags == 0) {
											goto L13;
										}
										goto L27;
									}
								} else {
									_push(0);
									_push(0);
									_t110 = E01003C0F("C:\Users\hardz\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe"); // executed
									_t144 = _t110;
									_t112 = E010066A7(E01003BE7, E01002C2E, E01003C0F, E01003C58, E01003C87, E01002C4B, E01002C7C, 0,  &_v72);
									_t122 =  &_v60;
									_v12 = _t112;
									_t113 = E0100673E(_t112, _t110,  &_v60); // executed
									_t162 = _t162 + 0x3c;
									__eflags = _t113;
									if(_t113 == 0) {
										L6:
										_push(0x20000001);
										goto L67;
									}
									__eflags =  *0x100c4b4; // 0x0
									if(__eflags == 0) {
										ShowWindow( *0x100ce04, 0); // executed
									}
									goto L21;
								}
							}
							L13:
							_push(0x4c7);
							goto L67;
						} else {
							_push(8);
							L67:
							E01003892();
							L68:
							_t166 =  *0x100c060; // 0x1
							if(_t166 != 0) {
								DeleteCriticalSection(0x100d060);
								 *0x100c060 = 0;
							}
							ExitProcess(_v8);
						}
					}
					_t117 = E010027CB();
					__eflags = _t117;
					if(_t117 != 0) {
						_t118 =  *0x100c018; // 0xa400
						__eflags = (_t118 & 0xffff0000) - 0xcab00000;
						if((_t118 & 0xffff0000) != 0xcab00000) {
							__eflags =  *0x100c018 & 0x80000000;
							if(( *0x100c018 & 0x80000000) == 0) {
								 *0x100c4ac = 1;
							}
							 *0x100c01b =  *0x100c01b & 0x0000007f;
							__eflags =  *0x100c01b;
							goto L10;
						}
						goto L6;
					} else {
						_push(0x47e);
						goto L67;
					}
				}
				L1:
				_push(0xffffffff);
				goto L67;
			}

0x010058a4
0x010058b2
0x010058bc
0x010058bf
0x010058c5
0x010058cb
0x010058d4
0x010058da
0x010058e6
0x010058eb
0x010058fa
0x010058fe
0x01005903
0x0100590c
0x01005911
0x01005917
0x01005960
0x01005966
0x01005978
0x0100597e
0x01005980
0x01005991
0x01005997
0x0100599c
0x0100599e
0x010059aa
0x010059b6
0x010059f0
0x010059f2
0x010059ff
0x010059ff
0x01005a11
0x01005a23
0x010059b8
0x010059bd
0x010059ca
0x010059dc
0x010059dc
0x01005a25
0x01005a2b
0x01005a96
0x01005a96
0x01005a9b
0x01005aa1
0x01005aa6
0x01005b98
0x01005ba3
0x01005bb9
0x01005bbf
0x01005bc2
0x01005bc5
0x00000000
0x00000000
0x01005bd3
0x01005bda
0x01005bdf
0x01005be1
0x01005be2
0x01005be7
0x01005bea
0x01005bf8
0x01005bfe
0x01005c00
0x01005c02
0x01005c07
0x01005c0a
0x01005c0c
0x01005c12
0x01005c1c
0x01005c1c
0x01005c0a
0x01005c00
0x01005c22
0x01005c28
0x01005c2e
0x00000000
0x01005c34
0x01005c35
0x01005c3b
0x01005c3b
0x01005c41
0x01005c5e
0x01005c5e
0x01005c64
0x01005dd6
0x01005dd6
0x01005ddc
0x01005de5
0x01005dfc
0x01005e0f
0x01005e0f
0x01005e15
0x01005e15
0x01005e1a
0x01005e1c
0x00000000
0x00000000
0x01005e23
0x01005e25
0x01005e60
0x01005e60
0x00000000
0x01005e60
0x01005e47
0x01005e4c
0x01005e4e
0x01005e53
0x01005e55
0x01005e55
0x01005e57
0x01005e57
0x01005e5c
0x01005e5e
0x00000000
0x00000000
0x00000000
0x00000000
0x01005e5e
0x01005c6a
0x01005c70
0x00000000
0x00000000
0x01005c76
0x01005c7c
0x01005c8f
0x01005c8f
0x01005ca1
0x01005cad
0x01005cba
0x01005cbc
0x01005cc1
0x01005cc6
0x01005cc8
0x01005cf5
0x01005d01
0x01005d03
0x01005d03
0x01005d05
0x01005d08
0x01005d09
0x01005d09
0x01005d0d
0x01005d12
0x01005d14
0x01005d14
0x01005d16
0x01005d17
0x01005d17
0x01005d1b
0x01005d1d
0x01005d1d
0x01005d1e
0x01005d1e
0x01005d21
0x01005d22
0x01005d22
0x01005d28
0x01005d2b
0x01005d31
0x01005d31
0x01005d34
0x01005d34
0x00000000
0x01005cca
0x01005cdb
0x01005ce1
0x01005ce3
0x01005ce6
0x00000000
0x00000000
0x01005cec
0x01005cee
0x01005d36
0x01005d38
0x01005d3b
0x01005d41
0x01005d41
0x01005d43
0x01005d44
0x01005d47
0x01005d5c
0x01005d72
0x01005d78
0x01005d7a
0x00000000
0x00000000
0x01005d80
0x01005d86
0x01005d8f
0x01005d8f
0x01005d95
0x01005d9b
0x01005da0
0x01005dad
0x01005db6
0x01005dbc
0x01005dc1
0x01005dc8
0x01005dcf
0x01005dca
0x01005dca
0x01005dca
0x00000000
0x01005dc8
0x00000000
0x01005cf0
0x01005cc8
0x01005c43
0x01005c49
0x00000000
0x00000000
0x01005c51
0x01005c56
0x01005c58
0x00000000
0x00000000
0x00000000
0x01005c58
0x01005c2e
0x01005aac
0x01005ab2
0x01005ac9
0x01005ae4
0x01005af6
0x01005b08
0x01005b1a
0x01005b2b
0x01005b31
0x01005b31
0x01005b43
0x01005b4d
0x01005b4d
0x01005b68
0x01005b6d
0x01005b70
0x01005b72
0x00000000
0x01005b78
0x01005b78
0x01005b7e
0x01005b8c
0x01005b8c
0x01005b92
0x00000000
0x00000000
0x00000000
0x01005b92
0x01005b80
0x01005b86
0x00000000
0x00000000
0x00000000
0x01005b86
0x01005a2d
0x01005a2d
0x01005a2e
0x01005a34
0x01005a39
0x01005a63
0x01005a68
0x01005a6e
0x01005a71
0x01005a76
0x01005a79
0x01005a7b
0x0100593d
0x0100593d
0x00000000
0x0100593d
0x01005a81
0x01005a87
0x01005a90
0x01005a90
0x00000000
0x01005a87
0x01005a2b
0x010059a0
0x010059a0
0x00000000
0x01005982
0x01005982
0x01005e65
0x01005e65
0x01005e6a
0x01005e6a
0x01005e70
0x01005e77
0x01005e7d
0x01005e7d
0x01005e86
0x01005e86
0x01005980
0x01005919
0x0100591e
0x01005920
0x0100592c
0x01005936
0x0100593b
0x01005947
0x0100594d
0x0100594f
0x0100594f
0x01005959
0x01005959
0x00000000
0x01005959
0x00000000
0x01005922
0x01005922
0x00000000
0x01005922
0x01005920
0x01005905
0x01005905
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0100D060,000000FF), ref: 010058CB
#17.COMCTL32 ref: 010058DA
GetProcessHeap.KERNEL32 ref: 010058E0
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 010058FA
DeleteCriticalSection.KERNEL32(0100D060,20000001), ref: 01005E77
ExitProcess.KERNEL32 ref: 01005E86

Strings

_sfx_manifest_, xrefs: 01005B99
c:\e2ac7bbaf115a22162e746\Setup.exe , xrefs: 01005CD0, 01005CFA, 01005D6C
Extracting File:, xrefs: 01005AA1, 01005ABD, 01005AEA, 01005B98, 01005BB8, 01005C34, 01005DF0, 01005E07, 01005E08
_SFX_CAB_EXE_PACKAGE, xrefs: 01005CA8
_SFX_CAB_EXE_PARAMETERS, xrefs: 01005CB5
_SFX_CAB_EXE_PATH, xrefs: 01005C9C
To Directory:, xrefs: 01005AD4, 01005AF8
D, xrefs: 01005D5C
C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe, xrefs: 01005A2F, 01005B60, 01005CA3
c:\e2ac7bbaf115a22162e746, xrefs: 01005B0A, 01005B9E, 01005C97

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CriticalProcessSection$CountCreateDeleteEventExitHeapInitializeSpin
String ID: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe$D$Extracting File:$To Directory:$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$_sfx_manifest_$c:\e2ac7bbaf115a22162e746$c:\e2ac7bbaf115a22162e746\Setup.exe
API String ID: 2862019026-4212358123
Opcode ID: c3a792d8c2075a35dd7e64b05d9c3b2f4654ac4543c79ca2ca3d8c026a3f3d64
Instruction ID: c7a1a7c6920ba9a6fd8a3830312b28b74cc00901af42d7916e2ca50266dc036a
Opcode Fuzzy Hash: c3a792d8c2075a35dd7e64b05d9c3b2f4654ac4543c79ca2ca3d8c026a3f3d64
Instruction Fuzzy Hash: 06E18070540245BFFB339BA49E89F6A3BA9F705754F1042AAF2C1A50D9DBBA4C40CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01004F6B Relevance: 77.6, APIs: 35, Strings: 9, Instructions: 646
timestringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01004F6B(void* __ecx, struct HWND__* __edx, struct HWND__* __edi) {
				intOrPtr _v8;
				struct _SECURITY_DESCRIPTOR _v28;
				char _v60;
				char _v272;
				struct HWND__* _v276;
				struct _FILETIME _v284;
				struct _FILETIME _v292;
				struct _ACL _v316;
				char _v1340;
				char _v1342;
				char _v1344;
				char _v1345;
				char _v1346;
				int _v1352;
				char _v1353;
				int _v1360;
				int _v1364;
				int _v1368;
				signed int _v1372;
				signed int _v1376;
				char* _v1380;
				int* _v1384;
				int _v1388;
				int _v1392;
				long* _v1396;
				long _v1400;
				long _v1404;
				void* _v1408;
				long _v1412;
				int _v1416;
				struct _SECURITY_DESCRIPTOR* _v1420;
				int _v1424;
				struct _FILETIME _v1432;
				long _v1436;
				struct _SYSTEMTIME _v1452;
				long* _v1460;
				char* _v1464;
				intOrPtr _v1476;
				void* __ebx;
				void* __esi;
				intOrPtr _t174;
				void* _t179;
				struct HWND__* _t181;
				char _t183;
				struct HWND__* _t186;
				intOrPtr _t187;
				int _t188;
				signed int _t189;
				signed int _t190;
				intOrPtr _t191;
				struct HWND__* _t192;
				void* _t193;
				void* _t200;
				long _t201;
				struct HWND__* _t205;
				void* _t206;
				struct HWND__* _t210;
				struct HWND__* _t212;
				struct HWND__* _t237;
				struct HWND__* _t238;
				struct HWND__* _t242;
				void* _t244;
				struct HWND__* _t253;
				int _t255;
				struct HWND__* _t257;
				struct HWND__* _t258;
				int _t260;
				struct HWND__* _t267;
				struct HWND__* _t268;
				struct HWND__* _t270;
				struct HWND__* _t276;
				signed int _t278;
				signed int _t279;
				struct HWND__* _t281;
				struct HWND__* _t283;
				struct HWND__* _t285;
				struct HWND__* _t287;
				struct HWND__* _t289;
				struct HWND__* _t292;
				signed char _t295;
				long _t296;
				char _t299;
				int _t300;
				struct HWND__* _t302;
				int _t309;
				struct HWND__* _t312;
				signed int _t324;
				struct HWND__* _t326;
				void* _t328;
				char* _t333;
				long* _t334;
				void* _t335;
				struct HWND__* _t339;
				signed int _t342;
				void* _t343;
				void* _t344;
				void* _t345;
				void* _t347;

				_t326 = __edi;
				_t323 = __edx;
				_t174 =  *0x100c028; // 0x9dd8
				_t347 =  *0x100d080; // 0x63
				_v8 = _t174;
				_v1344 = 0x5c3a63;
				_v1345 = 0x63;
				_v1346 = 0x63;
				_v1364 = 0;
				_v1360 = 0;
				_v1392 = 0;
				_v1388 = 0;
				_v1352 = 0;
				_v1368 = 0;
				_v1424 = 0xc;
				_v1420 =  &_v28;
				_v1416 = 0;
				_v1384 = 0;
				if(_t347 == 0) {
					L3:
					_t179 = E01003D02( &_v1408,  &_v1372,  &_v1380); // executed
					if(_t179 != 0) {
						_push(_t333);
						_push(_t326);
						_t181 = InitializeSecurityDescriptor( &_v28, 1);
						__eflags = _t181;
						if(_t181 != 0) {
							_t283 = InitializeAcl( &_v316, 0x100, 2);
							__eflags = _t283;
							if(_t283 != 0) {
								_t333 = AddAccessAllowedAce;
								_t326 = 0x10000000;
								_t285 = AddAccessAllowedAce( &_v316, 2, 0x10000000, _v1408);
								__eflags = _t285;
								if(_t285 != 0) {
									_t287 = AddAccessAllowedAce( &_v316, 2, 0x10000000, _v1372);
									__eflags = _t287;
									if(_t287 != 0) {
										_t289 = AddAccessAllowedAce( &_v316, 2, 0x10000000, _v1380);
										__eflags = _t289;
										if(_t289 != 0) {
											_t292 = SetSecurityDescriptorDacl( &_v28, 1,  &_v316, 0);
											__eflags = _t292;
											if(_t292 != 0) {
												_v1384 =  &_v1424;
											}
										}
									}
								}
							}
						}
						__eflags =  *0x101d3e0;
						if( *0x101d3e0 != 0) {
							L15:
							GetSystemDirectoryA("c:\e2ac7bbaf115a22162e746\Setup.exe ", 0xffff);
							_t295 =  *0x100d3e0; // 0x63
							_v1376 = _v1376 & 0x00000000;
							_v1372 = _v1372 & 0x00000000;
							_t296 = _t295 | 0x00000020; // executed
							__eflags = _t296;
							_t183 = E010029C2(_t326); // executed
							_t299 = 0x61;
							_v1353 = _t183;
							_v1344 = 0x61;
							do {
								__eflags = _t299 - _v1353;
								if(_t299 != _v1353) {
									_t39 =  &_v1344; // 0x5c3a63
									_v1342 = 0;
									_t186 = QueryDosDeviceA(_t39,  &_v1340, 0x400); // executed
									__eflags = _t186;
									_v1342 = 0x5c;
									if(_t186 == 0) {
										L34:
										_t74 =  &_v1344; // 0x5c3a63
										_t299 =  *_t74;
									} else {
										_strlwr( &_v1340);
										_v1464 = "harddisk";
										_t267 = strstr( &_v1340, ??);
										__eflags = _t267;
										if(_t267 != 0) {
											L20:
											_t45 =  &_v1344; // 0x5c3a63, executed
											_t268 = E01002B13(_t326,  *_t45); // executed
											_t326 = _t268;
											__eflags = _t326;
											if(_t326 == 0) {
												goto L34;
											} else {
												_t270 = E010028D9(_t326,  &_v1344); // executed
												__eflags = _t270;
												if(_t270 == 0) {
													goto L34;
												} else {
													_t276 = GetDiskFreeSpaceA( &_v1344,  &_v1400,  &_v1412,  &_v1404,  &_v1436); // executed
													__eflags = _t276;
													if(_t276 == 0) {
														goto L34;
													} else {
														_t278 = _v1400 * _v1412;
														_t323 = _t278 * _v1404 >> 0x20;
														_t279 = _t278 * _v1404;
														_t299 = _v1344;
														__eflags = _t299 - _t296;
														_v1368 = 1;
														_t342 = _t278 * _v1404 >> 0x20;
														if(_t299 != _t296) {
															__eflags = _t326 - 2;
															if(_t326 != 2) {
																L30:
																__eflags = _t342 - _v1360;
																if(__eflags >= 0) {
																	if(__eflags > 0) {
																		L33:
																		_v1364 = _t279;
																		_v1360 = _t342;
																		_v1345 = _t299;
																	} else {
																		__eflags = _t279 - _v1364;
																		if(_t279 > _v1364) {
																			goto L33;
																		}
																	}
																}
															} else {
																__eflags = _t342 - _v1388;
																if(__eflags < 0) {
																	goto L30;
																} else {
																	if(__eflags > 0) {
																		L29:
																		_v1392 = _t279;
																		_v1388 = _t342;
																		_v1346 = _t299;
																	} else {
																		__eflags = _t279 - _v1392;
																		if(_t279 <= _v1392) {
																			goto L30;
																		} else {
																			goto L29;
																		}
																	}
																}
															}
														} else {
															_v1376 = _t279;
															_v1372 = _t342;
														}
													}
												}
											}
										} else {
											_t281 = strstr( &_v1340, "ramdisk");
											__eflags = _t281;
											if(_t281 == 0) {
												goto L34;
											} else {
												goto L20;
											}
										}
									}
								}
								_t299 = _t299 + 1;
								__eflags = _t299 - 0x7a;
								_v1344 = _t299;
							} while (_t299 <= 0x7a);
							_t333 = 0;
							__eflags = _v1368;
							if(_v1368 != 0) {
								_t187 =  *0x100c01c; // 0xcab00eee
								__eflags = _t187 - 0xcab00eee;
								if(_t187 == 0xcab00eee) {
									L42:
									_t188 = _v1372;
									__eflags = _v1360 - _t188;
									if(__eflags > 0) {
										goto L46;
									} else {
										if(__eflags < 0) {
											L45:
											_t300 = _v1376;
											_v1360 = _t188;
										} else {
											__eflags = _v1364 - _v1376;
											if(_v1364 >= _v1376) {
												goto L46;
											} else {
												goto L45;
											}
										}
									}
								} else {
									__eflags = _v1360;
									if(__eflags > 0) {
										L46:
										_t85 =  &_v1345; // 0x63
										_t296 =  *_t85;
										_t300 = _v1364;
									} else {
										if(__eflags < 0) {
											goto L42;
										} else {
											__eflags = _v1364 - _t187;
											if(_v1364 >= _t187) {
												goto L46;
											} else {
												goto L42;
											}
										}
									}
								}
								_t189 =  *0x100c014; // 0x4cada8
								_t324 = 3;
								_t323 = _t189 * _t324 >> 0x20;
								_t190 = _t189 * _t324;
								__eflags = _v1360 - _t323;
								if(__eflags < 0) {
									L51:
									__eflags = _v1388 - _t323;
									if(__eflags < 0) {
										L92:
										_push(0x20000009);
										goto L93;
									} else {
										if(__eflags > 0) {
											L54:
											_t95 =  &_v1346; // 0x63
											_v1344 =  *_t95;
											goto L55;
										} else {
											__eflags = _v1392 - _t190;
											if(_v1392 < _t190) {
												goto L92;
											} else {
												goto L54;
											}
										}
									}
								} else {
									if(__eflags > 0) {
										L50:
										_v1344 = _t296;
										L55:
										_t242 = CryptAcquireContextA( &_v1396, _t333, _t333, 1, 0xf0000000); // executed
										__eflags = _t242;
										if(_t242 == 0) {
											L69:
											_t333 = 0x100d080;
											_t123 =  &_v1344; // 0x5c3a63
											_t244 = E01002BC4(_t123, "temp\\ext", 0x100d080);
											GetSystemTime( &_v1452);
											SystemTimeToFileTime( &_v1452,  &_v1432);
											E01002CAE(_t323, _t244, _v1432.dwLowDateTime *  *0x100c014 & 0x0000ffff, _t244);
											_t326 = 1;
											_t253 = E010045EB(1, 0x100d080, _v1384, 1);
											__eflags = _t253;
											if(_t253 != 0) {
												_v1352 = 1;
												goto L72;
											} else {
												goto L70;
											}
										} else {
											_t326 = sprintf;
											_v1372 = _t333;
											_v1368 = _t333;
											_t296 = 0x100d080;
											do {
												_t257 = CryptGenRandom(_v1396, 0x10,  &_v60);
												__eflags = _t257;
												if(_t257 != 0) {
													_t102 =  &_v1344; // 0x5c3a63
													_t260 = sprintf(_t296, "%s", _t102);
													_t345 = _t345 + 0xc;
													_t333 = 0;
													__eflags = 0;
													_v1360 = 9;
													if(0 != 0) {
														_t105 = _t260 + 0x100d080; // 0x655c3a63
														_v1380 = _t105;
														do {
															sprintf(_v1380, "%02x",  *(_t343 + _t333 - 0x38) & 0x000000ff);
															_v1380 =  &(_v1380[2]);
															_t345 = _t345 + 0xc;
															_t333 =  &(_t333[1]);
															__eflags = _t333 - _v1360;
														} while (_t333 < _v1360);
													}
												}
												__eflags =  *0x100d080;
												if( *0x100d080 == 0) {
													_v1372 = 1;
												} else {
													_t333 = 1;
													_t258 = E010045EB(_t326, _t296, _v1384, 1); // executed
													__eflags = _t258;
													if(_t258 != 0) {
														_v1352 = 1;
													}
												}
												_v1368 = _v1368 + 1;
												__eflags = _v1352;
												if(_v1352 == 0) {
													__eflags = _v1372;
													if(_v1372 == 0) {
														goto L67;
													}
												}
												break;
												L67:
												__eflags = _v1368 - 0x2710;
											} while (_v1368 < 0x2710);
											_t253 = CryptReleaseContext(_v1396, 0);
											__eflags = _v1352;
											if(_v1352 != 0) {
												goto L72;
											} else {
												goto L69;
											}
										}
									} else {
										__eflags = _t300 - _t190;
										if(_t300 < _t190) {
											goto L51;
										} else {
											goto L50;
										}
									}
								}
							} else {
								_push(0x20000008);
								goto L93;
							}
						} else {
							__eflags =  *0x100c4ac; // 0x0
							if(__eflags == 0) {
								goto L15;
							} else {
								_t253 = GetCurrentDirectoryA(0x104, "c:\e2ac7bbaf115a22162e746");
								L72:
								_t296 = 0;
								__eflags =  *0x101d3e0;
								if( *0x101d3e0 != 0) {
									L89:
									__eflags = _v1352 - _t296;
									if(_v1352 != _t296) {
										goto L86;
									} else {
										_t253 = E010045EB(_t326, "c:\e2ac7bbaf115a22162e746", _v1384, 1);
										__eflags = _t253;
										if(_t253 != 0) {
											goto L86;
										} else {
											goto L70;
										}
									}
								} else {
									__eflags =  *0x100c4ac - _t296; // 0x0
									if(__eflags == 0) {
										goto L89;
									} else {
										_t326 = 0x100d080;
										while(1) {
											_t255 = DialogBoxParamA( *0x100c05c, 0x6b,  *0x100ce04, E01003E7A, _t296);
											__eflags = _t255 - 0xffffffff;
											if(_t255 == 0xffffffff) {
												goto L4;
											}
											__eflags = _t255 - _t296;
											if(_t255 == _t296) {
												L88:
												_push(0x4c7);
												goto L93;
											} else {
												__eflags =  *_t255;
												if( *_t255 == 0) {
													goto L88;
												} else {
													_t309 = _t255;
													_t130 = _t309 + 1; // 0x1
													_t333 = _t130;
													do {
														_t323 =  *_t309;
														_t309 = _t309 + 1;
														__eflags = _t323;
													} while (_t323 != 0);
													__eflags = _t309 - _t333 + 1 - 0x104;
													if(_t309 - _t333 + 1 >= 0x104) {
														L70:
														_push(0x52);
														goto L93;
													} else {
														_t323 = _t326 - _t255;
														__eflags = _t323;
														do {
															_t312 =  *_t255;
															 *((char*)(_t323 + _t255)) = _t312;
															_t255 = _t255 + 1;
															__eflags = _t312;
														} while (_t312 != 0);
														_t253 = E010045EB(_t326, _t326, _t296, _t296);
														__eflags = _t253;
														if(_t253 != 0) {
															_v1352 = 1;
														}
														__eflags = _v1352 - _t296;
														if(_v1352 == _t296) {
															continue;
														} else {
															L86:
															_pop(_t333);
															goto L87;
														}
													}
												}
											}
											goto L136;
										}
										goto L4;
									}
								}
							}
						}
					} else {
						L4:
						_push(0xffffffff);
						L93:
						E01003892();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t343);
						_t344 = _t345;
						_t191 =  *0x100c028; // 0x9dd8
						_push(_t296);
						_v1476 = _t191;
						_t192 = _v1464;
						_push(_t333);
						_t334 = _v1460;
						_push(_t326);
						if(_t192 == 0) {
							L134:
							_t193 = 0;
							__eflags = 0;
						} else {
							if(_t192 == 2) {
								__eflags =  *0x100c4ac; // 0x0
								if(__eflags != 0) {
									L113:
									__eflags =  *0x100c048; // 0x1
									if(__eflags != 0) {
										L119:
										__eflags =  *0x100c4b4; // 0x0
										if(__eflags != 0) {
											L122:
											E01002BC4("c:\e2ac7bbaf115a22162e746", _t334[1],  &_v272);
											_v276 = 1;
											 *0x100c3a0 = 0;
											E0100447F(0x100c004,  &_v272);
											while(1) {
												_t200 = CreateFileA( &_v272, 0x40000000, 3, 0, 2, 0x80, 0); // executed
												_t328 = _t200;
												__eflags = _t328 - 0xffffffff;
												if(_t328 != 0xffffffff) {
													break;
												}
												_t201 = GetLastError();
												__eflags = _t201 - 5;
												if(_t201 != 5) {
													L128:
													__eflags = _v276;
													if(_v276 == 0) {
														goto L132;
													} else {
														_v276 = 0;
														E01004590( &_v272, 0, 0); // executed
														continue;
													}
												} else {
													_t205 = E010044AD( &_v272, 0x100c3a0);
													__eflags = _t205;
													if(_t205 == 0) {
														goto L128;
													} else {
														_t206 = 0;
														__eflags = 0;
														do {
															_t166 = _t206 + 0x100c3a0; // 0x0
															_t302 =  *_t166;
															 *((char*)(_t344 + _t206 - 0x108)) = _t302;
															_t206 = _t206 + 1;
															__eflags = _t302;
														} while (_t302 != 0);
														continue;
													}
												}
												goto L135;
											}
											SetFilePointer(_t328,  *_t334, 0, 0); // executed
											SetEndOfFile(_t328); // executed
											SetFilePointer(_t328, 0, 0, 0); // executed
											 *0x100c4a4 = _t328;
											_t193 = _t328;
										} else {
											_t210 =  *0x100ce04; // 0x702e8
											__eflags = _t210;
											if(_t210 == 0) {
												goto L100;
											} else {
												SendDlgItemMessageA(_t210, 0x68, 0xc, 0, _t334[1]); // executed
												goto L122;
											}
										}
									} else {
										__eflags =  *0x100c000; // 0x1
										if(__eflags == 0) {
											goto L119;
										} else {
											__imp___stricmp(_t334[1], "_sfx_manifest_");
											__eflags = _t192;
											if(_t192 != 0) {
												goto L119;
											} else {
												 *0x100c050 =  *_t334;
												_t212 = E01003BE7( *_t334 + 1);
												__eflags = _t212;
												 *0x100c04c = _t212;
												if(_t212 != 0) {
													 *0x100d048 = _t212;
													 *0x100c048 = 1;
													_t212->i = 0;
													_t193 = 0xdadafeed;
												} else {
													_push(8);
													goto L133;
												}
											}
										}
									}
								} else {
									__eflags =  *0x100ce08; // 0x0
									if(__eflags != 0) {
										goto L113;
									} else {
										_t192 = strstr(_t334[1], "cdtag.1");
										__eflags = _t192;
										if(_t192 != 0) {
											goto L134;
										} else {
											goto L113;
										}
									}
								}
							} else {
								if(_t192 != 3) {
									goto L134;
								} else {
									if(_t334[5] != 0xdadafeed) {
										DosDateTimeToFileTime(0, 0,  &_v292);
										LocalFileTimeToFileTime( &_v292,  &_v284);
										SetFileTime(_t334[5],  &_v284,  &_v284,  &_v284); // executed
										FindCloseChangeNotification(_t334[5]);
										__eflags =  *0x100c4b4; // 0x0
										 *0x100c4a4 = 0;
										if(__eflags != 0) {
											L102:
											__eflags =  *0x100c3a0; // 0x0
											if(__eflags == 0) {
												L104:
												__eflags =  *_t334;
												if( *_t334 != 0) {
													 *0x100ce0c = E01003E3A(_t334[1]);
													_t339 = E01002BC4(0x100d080, _t334[1],  &_v272);
													while(1) {
														__eflags = _t339 -  &_v272;
														if(_t339 <=  &_v272) {
															break;
														}
														__eflags = _t339->i - 0x5c;
														if(_t339->i != 0x5c) {
															_t339 = _t339 - 1;
															__eflags = _t339;
															continue;
														}
														break;
													}
													 *0x100d07c = E01003E3A( &_v272);
													 *_t339 = 0;
													 *0x101d3e4 = E01003E3A( &_v272);
												}
												goto L97;
											} else {
												E01002BC4(0x100d080, _t334[1],  &_v272);
												_t237 = MoveFileExA(0x100c3a0,  &_v272, 1);
												__eflags = _t237;
												if(_t237 == 0) {
													L132:
													_push(0xffffffff);
													goto L133;
												} else {
													goto L104;
												}
											}
										} else {
											_t238 =  *0x100ce04; // 0x702e8
											__eflags = _t238;
											if(_t238 != 0) {
												SendDlgItemMessageA(_t238, 0x6a, 0x405, 0, 0);
												goto L102;
											} else {
												L100:
												_push(0x4c7);
												L133:
												E01003892();
												goto L134;
											}
										}
									} else {
										L97:
										_t193 = 1;
									}
								}
							}
						}
						L135:
						_pop(_t335);
						return E010062FF(_t193, 0, _v28.Dacl, _t323, _t335);
					}
				} else {
					_t253 = E010045EB(__edi, "c:\e2ac7bbaf115a22162e746", 0, 0);
					if(_t253 != 0) {
						L87:
						return E010062FF(_t253, _t296, _v8, _t323, _t333);
					} else {
						 *0x100d080 = _t253;
						goto L3;
					}
				}
				L136:
			}

0x01004f6b
0x01004f6b
0x01004f76
0x01004f7e
0x01004f84
0x01004f8a
0x01004f94
0x01004f9b
0x01004fa2
0x01004fa8
0x01004fae
0x01004fb4
0x01004fba
0x01004fc0
0x01004fc6
0x01004fd0
0x01004fd6
0x01004fdc
0x01004fe2
0x01004ffd
0x01005012
0x01005019
0x01005022
0x01005023
0x0100502a
0x01005030
0x01005032
0x01005046
0x0100504c
0x0100504e
0x01005056
0x0100505c
0x0100506b
0x0100506d
0x0100506f
0x01005081
0x01005083
0x01005085
0x01005097
0x01005099
0x0100509b
0x010050ab
0x010050b1
0x010050b3
0x010050bb
0x010050bb
0x010050b3
0x0100509b
0x01005085
0x0100506f
0x0100504e
0x010050c1
0x010050c7
0x010050e6
0x010050f0
0x010050f6
0x010050fc
0x01005103
0x0100510a
0x0100510a
0x0100510d
0x01005112
0x01005114
0x0100511a
0x01005120
0x01005120
0x01005126
0x01005138
0x0100513f
0x01005146
0x0100514c
0x0100514e
0x01005155
0x0100527e
0x0100527e
0x0100527e
0x0100515b
0x01005162
0x01005174
0x0100517c
0x0100517e
0x01005182
0x0100519c
0x0100519c
0x010051a2
0x010051a7
0x010051a9
0x010051ab
0x00000000
0x010051b1
0x010051b8
0x010051bd
0x010051bf
0x00000000
0x010051c5
0x010051e8
0x010051ee
0x010051f0
0x00000000
0x010051f6
0x010051fc
0x01005203
0x01005203
0x01005209
0x0100520f
0x01005211
0x0100521b
0x0100521d
0x0100522d
0x01005230
0x01005258
0x01005258
0x0100525e
0x01005260
0x0100526a
0x0100526a
0x01005270
0x01005276
0x01005262
0x01005262
0x01005268
0x00000000
0x00000000
0x01005268
0x01005260
0x01005232
0x01005232
0x01005238
0x00000000
0x0100523a
0x0100523a
0x01005244
0x01005244
0x0100524a
0x01005250
0x0100523c
0x0100523c
0x01005242
0x00000000
0x00000000
0x00000000
0x00000000
0x01005242
0x0100523a
0x01005238
0x0100521f
0x0100521f
0x01005225
0x01005225
0x0100521d
0x010051f0
0x010051bf
0x01005184
0x01005190
0x01005192
0x01005196
0x00000000
0x00000000
0x00000000
0x00000000
0x01005196
0x01005182
0x01005155
0x01005284
0x01005286
0x01005289
0x01005289
0x01005295
0x01005297
0x0100529d
0x010052a9
0x010052ae
0x010052b3
0x010052c9
0x010052c9
0x010052cf
0x010052d5
0x00000000
0x010052d7
0x010052d7
0x010052e7
0x010052e7
0x010052ed
0x010052d9
0x010052df
0x010052e5
0x00000000
0x00000000
0x00000000
0x00000000
0x010052e5
0x010052d7
0x010052b5
0x010052b7
0x010052bd
0x010052f5
0x010052f5
0x010052f5
0x010052fb
0x010052bf
0x010052bf
0x00000000
0x010052c1
0x010052c1
0x010052c7
0x00000000
0x00000000
0x00000000
0x00000000
0x010052c7
0x010052bf
0x010052bd
0x01005301
0x01005308
0x01005309
0x01005309
0x0100530b
0x01005311
0x01005321
0x01005321
0x01005327
0x01005593
0x01005593
0x00000000
0x0100532d
0x0100532d
0x0100533b
0x0100533b
0x01005341
0x00000000
0x0100532f
0x0100532f
0x01005335
0x00000000
0x00000000
0x00000000
0x00000000
0x01005335
0x0100532d
0x01005313
0x01005313
0x01005319
0x01005319
0x01005347
0x01005357
0x0100535d
0x0100535f
0x0100545a
0x0100545a
0x01005465
0x0100546c
0x0100547a
0x0100548e
0x010054a8
0x010054af
0x010054b8
0x010054bd
0x010054bf
0x010054c8
0x00000000
0x00000000
0x00000000
0x00000000
0x01005365
0x01005365
0x0100536b
0x01005371
0x01005377
0x0100537c
0x01005388
0x0100538e
0x01005390
0x01005392
0x0100539f
0x010053a6
0x010053ab
0x010053af
0x010053b2
0x010053b8
0x010053ba
0x010053c0
0x010053c6
0x010053d7
0x010053d9
0x010053e0
0x010053e3
0x010053e4
0x010053e4
0x010053c6
0x010053b8
0x010053ec
0x010053f3
0x01005411
0x010053f5
0x010053f7
0x01005400
0x01005405
0x01005407
0x01005409
0x01005409
0x01005407
0x0100541b
0x01005421
0x01005428
0x0100542a
0x01005431
0x00000000
0x00000000
0x01005431
0x00000000
0x01005433
0x01005433
0x01005433
0x0100544b
0x01005451
0x01005458
0x00000000
0x00000000
0x00000000
0x00000000
0x01005458
0x01005315
0x01005315
0x01005317
0x00000000
0x00000000
0x00000000
0x00000000
0x01005317
0x01005313
0x0100529f
0x0100529f
0x00000000
0x0100529f
0x010050c9
0x010050c9
0x010050cf
0x00000000
0x010050d1
0x010050db
0x010054ce
0x010054ce
0x010054d0
0x010054d6
0x01005570
0x01005570
0x01005576
0x00000000
0x01005578
0x01005585
0x0100558a
0x0100558c
0x00000000
0x0100558e
0x00000000
0x0100558e
0x0100558c
0x010054dc
0x010054dc
0x010054e2
0x00000000
0x010054e8
0x010054e8
0x010054ed
0x01005501
0x01005507
0x0100550a
0x00000000
0x00000000
0x01005510
0x01005512
0x01005569
0x01005569
0x00000000
0x01005514
0x01005514
0x01005517
0x00000000
0x01005519
0x01005519
0x0100551b
0x0100551b
0x0100551e
0x0100551e
0x01005520
0x01005521
0x01005521
0x01005528
0x0100552e
0x010054c1
0x010054c1
0x00000000
0x01005530
0x01005532
0x01005532
0x01005534
0x01005534
0x01005536
0x01005539
0x0100553a
0x0100553a
0x01005541
0x01005546
0x01005548
0x0100554a
0x0100554a
0x01005554
0x0100555a
0x00000000
0x0100555c
0x0100555c
0x0100555d
0x00000000
0x0100555d
0x0100555a
0x0100552e
0x01005517
0x00000000
0x01005512
0x00000000
0x010054ed
0x010054e2
0x010054d6
0x010050cf
0x0100501b
0x0100501b
0x0100501b
0x01005598
0x01005598
0x0100559d
0x0100559e
0x0100559f
0x010055a0
0x010055a1
0x010055a2
0x010055a5
0x010055a6
0x010055ae
0x010055b3
0x010055b4
0x010055b7
0x010055ba
0x010055bb
0x010055c2
0x010055c3
0x01005885
0x01005885
0x01005885
0x010055c9
0x010055cc
0x01005702
0x01005708
0x0100572a
0x0100572a
0x01005730
0x01005789
0x01005789
0x0100578f
0x010057ad
0x010057bc
0x010057cd
0x010057d7
0x010057dd
0x01005836
0x0100584d
0x01005853
0x01005855
0x01005858
0x00000000
0x00000000
0x010057e4
0x010057ea
0x010057ed
0x0100581a
0x0100581a
0x01005820
0x00000000
0x01005822
0x0100582b
0x01005831
0x00000000
0x01005831
0x010057ef
0x010057fb
0x01005800
0x01005802
0x00000000
0x01005804
0x01005804
0x01005804
0x01005806
0x01005806
0x01005806
0x0100580c
0x01005813
0x01005814
0x01005814
0x00000000
0x01005818
0x01005802
0x00000000
0x010057ed
0x01005865
0x01005868
0x01005872
0x01005874
0x0100587a
0x01005791
0x01005791
0x01005796
0x01005798
0x00000000
0x0100579e
0x010057a7
0x00000000
0x010057a7
0x01005798
0x01005732
0x01005732
0x01005738
0x00000000
0x0100573a
0x01005742
0x01005748
0x0100574c
0x00000000
0x0100574e
0x01005750
0x01005758
0x0100575d
0x01005760
0x01005765
0x0100576e
0x01005773
0x0100577d
0x0100577f
0x01005767
0x01005767
0x00000000
0x01005767
0x01005765
0x0100574c
0x01005738
0x0100570a
0x0100570a
0x01005710
0x00000000
0x01005712
0x0100571a
0x01005720
0x01005724
0x00000000
0x00000000
0x00000000
0x00000000
0x01005724
0x01005710
0x010055d2
0x010055d5
0x00000000
0x010055db
0x010055e2
0x01005601
0x01005615
0x01005627
0x01005630
0x01005636
0x0100563c
0x01005642
0x01005667
0x01005667
0x01005672
0x010056a0
0x010056a0
0x010056a2
0x010056b0
0x010056c5
0x010056cf
0x010056d5
0x010056d7
0x00000000
0x00000000
0x010056c9
0x010056cc
0x010056ce
0x010056ce
0x00000000
0x010056ce
0x00000000
0x010056cc
0x010056e5
0x010056f1
0x010056f8
0x010056f8
0x00000000
0x01005674
0x0100567f
0x01005692
0x01005698
0x0100569a
0x0100587e
0x0100587e
0x00000000
0x00000000
0x00000000
0x00000000
0x0100569a
0x01005644
0x01005644
0x01005649
0x0100564b
0x01005661
0x00000000
0x0100564d
0x0100564d
0x0100564d
0x01005880
0x01005880
0x00000000
0x01005880
0x0100564b
0x010055e4
0x010055e4
0x010055e6
0x010055e6
0x010055e2
0x010055d5
0x010055cc
0x01005887
0x0100588b
0x01005893
0x01005893
0x01004fe4
0x01004feb
0x01004ff2
0x0100555e
0x01005568
0x01004ff8
0x01004ff8
0x00000000
0x01004ff8
0x01004ff2
0x00000000

APIs

Part of subcall function 010045EB: GetFileAttributesA.KERNELBASE(?), ref: 0100465E
Part of subcall function 010045EB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004672
Part of subcall function 010045EB: GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004682
Part of subcall function 010045EB: DecryptFileA.ADVAPI32(?,00000000), ref: 01004695
Part of subcall function 010045EB: GetLastError.KERNEL32 ref: 0100469B

InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?), ref: 0100502A
InitializeAcl.ADVAPI32(?,00000100,00000002,?,?,?,?,?), ref: 01005046
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 0100506B
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01005081
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01005097
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?,?,?), ref: 010050AB
GetCurrentDirectoryA.KERNEL32(00000104,c:\e2ac7bbaf115a22162e746,?,?,?,?,?), ref: 010050DB
GetSystemDirectoryA.KERNEL32 ref: 010050F0
QueryDosDeviceA.KERNEL32(c:\,?,00000400), ref: 01005146
_strlwr.MSVCRT ref: 01005162
strstr.MSVCRT ref: 0100517C
strstr.MSVCRT ref: 01005190
GetDiskFreeSpaceA.KERNELBASE(005C3A63,?,?,?,?,?,?,?), ref: 010051E8
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,?,?), ref: 01005357
CryptGenRandom.ADVAPI32(?,00000010,?,?,?,?,?,?), ref: 01005388
sprintf.MSVCRT ref: 0100539F
sprintf.MSVCRT ref: 010053D7
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?), ref: 0100544B
GetSystemTime.KERNEL32(?,?,?,?,?,?), ref: 0100547A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?), ref: 0100548E
DialogBoxParamA.USER32 ref: 01005501
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01005601
LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,cc:\), ref: 01005615
SetFileTime.KERNELBASE(DADAFEED,?,?,?,?,00000000,cc:\), ref: 01005627
FindCloseChangeNotification.KERNELBASE(DADAFEED,?,00000000,cc:\), ref: 01005630
SendDlgItemMessageA.USER32(000702E8,0000006A,00000405,00000000,00000000), ref: 01005661
MoveFileExA.KERNEL32 ref: 01005692
strstr.MSVCRT ref: 0100571A
_stricmp.MSVCRT(?,_sfx_manifest_,?,00000000,cc:\), ref: 01005742
SendDlgItemMessageA.USER32(000702E8,00000068,0000000C,00000000,?), ref: 010057A7
GetLastError.KERNEL32(?,00000000,cc:\), ref: 010057E4

Part of subcall function 01004590: CreateDirectoryA.KERNELBASE(?,?), ref: 010045B8

CreateFileA.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,00000000,cc:\), ref: 0100584D
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000,?,00000000,cc:\), ref: 01005865
SetEndOfFile.KERNELBASE(00000000,?,00000000,cc:\), ref: 01005868
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,cc:\), ref: 01005872

Strings

c:\e2ac7bbaf115a22162e746\Setup.exe , xrefs: 010050EB, 010050F6
ccc:\, xrefs: 0100533B
_sfx_manifest_, xrefs: 0100573A
%02x, xrefs: 010053CC
ramdisk, xrefs: 0100518A
temp\ext, xrefs: 01005460
harddisk, xrefs: 01005174
c:\e2ac7bbaf115a22162e746, xrefs: 01004F7E, 01004FE6, 01004FF8, 010050D1, 01005377, 0100539E, 010053EC, 010053FF, 0100545A, 0100545F, 010054B7, 010054E8, 01005540, 01005580, 0100566D, 0100567E, 010056BF, 010057B7
cdtag.1, xrefs: 01005712

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$Time$AccessAllowedCryptDirectorySystemstrstr$ContextCreateDescriptorErrorInitializeItemLastMessagePointerSecuritySendsprintf$AcquireAddressAttributesChangeCloseCurrentDaclDateDecryptDeviceDialogDiskFindFreeLibraryLoadLocalMoveNotificationParamProcQueryRandomReleaseSpace_stricmp_strlwr
String ID: %02x$_sfx_manifest_$c:\e2ac7bbaf115a22162e746$c:\e2ac7bbaf115a22162e746\Setup.exe $ccc:\$cdtag.1$harddisk$ramdisk$temp\ext
API String ID: 3434955678-4188335748
Opcode ID: fc543d989388e90af9c16f5f6d5131e38cd47ae6136f058cfd03532917dbfc3f
Instruction ID: cb34d6e19b9d76d7dc8cc1b05be71e2c05cbe8c8c636e12e1b2dadafe6b93270
Opcode Fuzzy Hash: fc543d989388e90af9c16f5f6d5131e38cd47ae6136f058cfd03532917dbfc3f
Instruction Fuzzy Hash: 6232A1719006589FFB73DB689C48BEA7BB9AB05346F0041E6E6C9E21C1DB758AC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010046B9 Relevance: 68.9, APIs: 30, Strings: 9, Instructions: 611
filestringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E010046B9(CHAR* __ecx, signed int __edx, void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v268;
				char _v528;
				char _v788;
				void* _v1788;
				struct _WIN32_FIND_DATAA _v2108;
				int _v2112;
				intOrPtr _v2116;
				signed int _v2120;
				intOrPtr _v2124;
				void* __ebx;
				void* __esi;
				intOrPtr _t143;
				void* _t145;
				signed int _t147;
				signed int _t153;
				signed int _t158;
				signed int _t160;
				signed int _t173;
				long _t174;
				signed int _t177;
				CHAR* _t180;
				signed int _t185;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr _t194;
				signed int _t195;
				signed int _t200;
				void* _t203;
				char* _t205;
				int _t207;
				intOrPtr* _t208;
				int _t210;
				int _t214;
				void* _t220;
				signed int _t221;
				signed int _t225;
				char* _t234;
				char* _t239;
				intOrPtr _t244;
				int _t255;
				CHAR* _t258;
				intOrPtr _t273;
				char* _t283;
				int _t292;
				CHAR* _t299;
				char _t314;
				CHAR* _t325;
				long _t327;
				signed int _t332;
				intOrPtr* _t334;
				signed int _t340;
				char _t346;
				char _t347;
				signed int _t352;
				signed int _t371;

				_t321 = __edx;
				_t307 = __ecx;
				_t143 =  *0x100c028; // 0x9dd8
				_v8 = _t143;
				_t144 = _a4;
				_t329 = "deltas";
				_v2124 = _a4;
				_v2120 = 1;
				_t145 = E010061D3(__ecx, _t144, "deltas");
				while(1) {
					_t324 = _t145;
					if(_t145 != 0) {
						_v2112 = 0;
						_t147 = E010060BE(_t324, 0,  &_v1788, 0x3e8);
						__eflags = _t147;
						if(_t147 != 0) {
							E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v268);
							_t153 = E010060BE(_t324, 1,  &_v1788, 0x3e8);
							__eflags = _t153;
							if(_t153 != 0) {
								E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v788);
								_t158 = E010060BE(_t324, 2,  &_v1788, 0x3e8);
								__eflags = _t158;
								if(_t158 == 0) {
									_v528 = 0;
								} else {
									E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v528);
								}
								_t160 = strstr( &_v268, "\\..\\");
								__eflags = _t160;
								_pop(_t307);
								if(_t160 == 0) {
									E01004590( &_v268, 0, 0);
									E0100447F(0x100c004,  &_v268);
									SetFileAttributesA( &_v268, 0x80);
									E0100360C(0, _t307, _t324, _v2124);
									_t307 =  &_v528;
									asm("sbb eax, eax");
									_t173 =  *0x100c040( &_v788,  ~_v528 &  &_v528,  &_v268, 0);
									__eflags = _t173;
									_v2112 = _t173;
									if(_t173 == 0) {
										_t174 = GetLastError();
										__eflags = _t174 - 5;
										if(_t174 == 5) {
											_t177 = E0100453F( &_v528,  &_v268, 0x100ce20, 0x100c3a0);
											__eflags = _t177;
											if(_t177 != 0) {
												__eflags =  *0x100c3a0; // 0x0
												_t307 = 0x100c3a0;
												if(__eflags == 0) {
													_t307 =  &_v268;
												}
												__eflags =  *0x100ce20; // 0x0
												if(__eflags == 0) {
													_t321 =  &_v528;
													asm("sbb eax, eax");
													_t180 =  ~_v528 &  &_v528;
													__eflags = _t180;
												} else {
													_t180 = 0x100ce20;
												}
												_v2112 =  *0x100c040( &_v788, _t180, _t307, 0);
												_t185 = E0100373C( &_v528,  &_v268, 0x100ce20, 0x100c3a0);
												__eflags = _t185;
												if(_t185 == 0) {
													_v2112 = 0;
												}
											}
										}
									}
								}
							}
						}
					} else {
						break;
					}
					_t38 =  &_v2120;
					 *_t38 = _v2120 & _v2112;
					__eflags =  *_t38;
					_t145 = E0100608F(0, _t324, _t324, _t329);
				}
				_t191 = E010061D3(_t307, _v2124, "copy");
				_v2116 = _t191;
				_t325 = 0x100ce20;
				if(_t191 == 0) {
					L39:
					_t192 = E010061D3(_t307, _v2124, "verify");
					_v2116 = _t192;
					if(_t192 == 0) {
						L63:
						E0100370B();
						_t326 = "delete";
						_t194 = E010061D3(_t307, _v2124, "delete");
						while(1) {
							_v2116 = _t194;
							if(_t194 == 0) {
								break;
							}
							_t307 =  &_v1788;
							_t195 = E010060BE(_t194, 1,  &_v1788, 0x3e8);
							__eflags = _t195;
							if(_t195 == 0) {
								L78:
								_t194 = E0100608F(0, _t326, _v2116, _t326);
								continue;
							}
							E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v268);
							_t200 = strstr( &_v268, "\\..\\");
							__eflags = _t200;
							_pop(_t307);
							if(_t200 != 0) {
								goto L78;
							}
							_t203 = FindFirstFileA( &_v268,  &_v2108);
							__eflags = _t203 - 0xffffffff;
							_v2112 = _t203;
							if(_t203 == 0xffffffff) {
								goto L78;
							}
							_t205 = strrchr( &_v268, 0x5c);
							_pop(_t307);
							_t332 =  &(_t205[1]);
							__eflags = _t332;
							do {
								__eflags = _v2108.dwFileAttributes & 0x00000010;
								if((_v2108.dwFileAttributes & 0x00000010) != 0) {
									goto L76;
								}
								__eflags =  *0x100c4b4; // 0x0
								if(__eflags == 0) {
									SendDlgItemMessageA( *0x100ce04, 0x68, 0xc, 0,  &(_v2108.cFileName));
								}
								_t208 =  &(_v2108.cFileName);
								_t321 = _t332 - _t208;
								__eflags = _t321;
								do {
									_t307 =  *_t208;
									 *(_t321 + _t208) = _t307;
									_t208 = _t208 + 1;
									__eflags = _t307;
								} while (_t307 != 0);
								_t210 = DeleteFileA( &_v268);
								__eflags = _t210;
								if(_t210 == 0) {
									Sleep(0x1f4);
									SetFileAttributesA( &_v268, 0x80);
									_t214 = DeleteFileA( &_v268);
									__eflags = _t214;
									if(_t214 == 0) {
										E0100447F(0x100c004,  &_v268);
									}
								}
								L76:
								_t207 = FindNextFileA(_v2112,  &_v2108);
								__eflags = _t207;
							} while (_t207 != 0);
							FindClose(_v2112);
							goto L78;
						}
						_t330 = "options";
						_t220 = E010061F9(_t307, _t321, _t326, _v2124, "options", "command");
						_t327 = L"";
						if(_t220 == 0) {
							L87:
							_t221 = E010061F9(_t307, _t321, _t327, _v2124, _t330, "run");
							__eflags = _t221;
							if(_t221 != 0) {
								_t225 = E010060BE(_t221, 1,  &_v1788, 0x3e8);
								__eflags = _t225;
								if(_t225 != 0) {
									 *0x100ce0c = E01003E3A( &_v1788);
									E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v268);
									 *0x100d07c = E01003E3A( &_v268);
									_t234 = strrchr( &_v268, 0x5c);
									__eflags = _t234;
									if(_t234 != 0) {
										 *_t234 = 0;
									}
									 *0x101d3e4 = E01003E3A( &_v268);
								}
							}
							L92:
							_t371 =  *0x100c4b4; // 0x0
							if(_t371 == 0) {
								SendDlgItemMessageA( *0x100ce04, 0x68, 0xc, 0, _t327); // executed
							}
							return E010062FF(_v2120, 0, _v8, _t321, _t330);
						}
						_t307 =  &_v1788;
						if(E0100618D(_t220,  &_v1788, 0x3e8) == 0) {
							goto L87;
						}
						_t239 = strchr( &_v1788, 0x3d);
						 *0x100d07c = _t239;
						if(_t239 == 0) {
							goto L92;
						}
						while(1) {
							_t239 =  &(_t239[1]);
							 *0x100d07c = _t239;
							_t314 =  *_t239;
							if(_t314 == 0) {
								break;
							}
							__eflags = _t314 - 0x20;
							if(_t314 > 0x20) {
								break;
							}
						}
						 *0x100ce0c = _t327;
						 *0x100d07c = E01003E3A(_t239);
						 *0x101d3e4 = 0x100d080;
						goto L92;
					}
					while(1) {
						_v2112 = 0;
						if(E010060BE(_v2116, 0,  &_v1788, 0x3e8) == 0) {
							goto L62;
						}
						_t352 =  *0x100c4b4; // 0x0
						if(_t352 == 0) {
							SendDlgItemMessageA( *0x100ce04, 0x68, 0xc, 0,  &_v1788);
						}
						E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v528);
						if(E010060BE(_v2116, 1,  &_v268, 0x104) != 0) {
							_strlwr( &_v268);
							_pop(_t307);
							E0100360C(0, _t307, _t325, _v2124);
							_t255 =  *0x100c044( &_v528, 0x1470000, 0, 0, 0, 0, 0, 0x104,  &_v788);
							_v2112 = _t255;
							if(_t255 != 0) {
								L53:
								_strlwr( &_v788);
								_t325 =  &_v788;
								_t334 =  &_v268;
								while(1) {
									_t307 =  *_t334;
									_t258 = _t307;
									if(_t307 !=  *_t325) {
										break;
									}
									if(_t258 == 0) {
										L58:
										_t258 = 0;
										L60:
										if(_t258 != 0) {
											_v2112 = 0;
										}
										goto L62;
									}
									_t307 =  *((intOrPtr*)(_t334 + 1));
									_t258 = _t307;
									if(_t307 != _t325[1]) {
										break;
									}
									_t334 = _t334 + 2;
									_t325 =  &(_t325[2]);
									if(_t258 != 0) {
										continue;
									}
									goto L58;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L60;
							}
							if(GetLastError() == 5 && E010044AD( &_v528, _t325) != 0 && MoveFileA( &_v528, _t325) != 0) {
								_v2112 =  *0x100c044(_t325, 0x1470000, 0, 0, 0, 0, 0, 0x104,  &_v788);
								if(MoveFileA(_t325,  &_v528) == 0) {
									_v2112 = 0;
								}
							}
							if(_v2112 == 0) {
								goto L62;
							} else {
								goto L53;
							}
						}
						L62:
						_v2120 = _v2120 & _v2112;
						_t244 = E0100608F(0, _t325, _v2116, "verify");
						_v2116 = _t244;
						if(_t244 != 0) {
							_t325 = 0x100ce20;
							continue;
						}
						goto L63;
					}
				}
				do {
					_v2112 = 0;
					if(E010060BE(_v2116, 0,  &_v1788, 0x3e8) != 0) {
						_t340 =  *0x100c4b4; // 0x0
						if(_t340 == 0) {
							SendDlgItemMessageA( *0x100ce04, 0x68, 0xc, 0,  &_v1788);
						}
						E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v268);
						if(E010060BE(_v2116, 1,  &_v1788, 0x3e8) != 0) {
							E01002BC4("c:\e2ac7bbaf115a22162e746",  &_v1788,  &_v528);
							_t283 = strstr( &_v268, "\\..\\");
							_pop(_t307);
							if(_t283 == 0) {
								E01004590( &_v268, 0, 0);
								E0100447F(0x100c004,  &_v268);
								SetFileAttributesA( &_v268, 0x80);
								_t292 = CopyFileA( &_v528,  &_v268, 0);
								_v2112 = _t292;
								if(_t292 == 0 && GetLastError() == 5 && E0100453F( &_v528,  &_v268, _t325, 0x100c3a0) != 0) {
									_t346 =  *0x100c3a0; // 0x0
									_t307 = 0x100c3a0;
									if(_t346 == 0) {
										_t307 =  &_v268;
									}
									_t347 =  *0x100ce20; // 0x0
									_t299 = _t325;
									if(_t347 == 0) {
										_t299 =  &_v528;
									}
									_v2112 = CopyFileA(_t299, _t307, 0);
									if(E0100373C( &_v528,  &_v268, _t325, 0x100c3a0) == 0) {
										_v2112 = 0;
									}
								}
								SetFileAttributesA( &_v268, 0x80);
							}
						}
					}
					_v2120 = _v2120 & _v2112;
					_t273 = E0100608F(0, _t325, _v2116, "copy");
					_v2116 = _t273;
				} while (_t273 != 0);
				goto L39;
			}

0x010046b9
0x010046b9
0x010046c4
0x010046cc
0x010046cf
0x010046d2
0x010046d9
0x010046df
0x010046e9
0x010048fc
0x010048fc
0x01004900
0x01004703
0x01004709
0x0100470e
0x01004710
0x01004749
0x0100475d
0x01004762
0x01004764
0x0100477d
0x01004791
0x01004796
0x01004798
0x010047b4
0x0100479a
0x010047ad
0x010047ad
0x010047c6
0x010047cc
0x010047cf
0x010047d0
0x010047df
0x010047f0
0x01004801
0x0100480d
0x01004822
0x01004828
0x01004834
0x0100483a
0x0100483c
0x01004842
0x01004848
0x0100484e
0x01004851
0x0100486f
0x01004874
0x01004876
0x01004878
0x0100487e
0x01004883
0x01004885
0x01004885
0x0100488b
0x01004891
0x010048a2
0x010048a8
0x010048aa
0x010048aa
0x01004893
0x01004893
0x01004893
0x010048c1
0x010048da
0x010048df
0x010048e1
0x010048e3
0x010048e3
0x010048e1
0x01004876
0x01004851
0x01004842
0x010047d0
0x01004764
0x00000000
0x00000000
0x00000000
0x010048ef
0x010048ef
0x010048ef
0x010048f7
0x010048f7
0x01004911
0x01004918
0x0100491e
0x01004923
0x01004ae3
0x01004aee
0x01004af5
0x01004afb
0x01004cac
0x01004cac
0x01004cb1
0x01004cbd
0x01004e14
0x01004e16
0x01004e1c
0x00000000
0x00000000
0x01004ccc
0x01004cd6
0x01004cdb
0x01004cdd
0x01004e08
0x01004e0f
0x00000000
0x01004e0f
0x01004cf6
0x01004d07
0x01004d0d
0x01004d10
0x01004d11
0x00000000
0x00000000
0x01004d25
0x01004d2b
0x01004d2e
0x01004d34
0x00000000
0x00000000
0x01004d43
0x01004d4c
0x01004d4d
0x01004d4d
0x01004d4e
0x01004d4e
0x01004d55
0x00000000
0x00000000
0x01004d5b
0x01004d61
0x01004d75
0x01004d75
0x01004d7b
0x01004d85
0x01004d85
0x01004d87
0x01004d87
0x01004d89
0x01004d8c
0x01004d8d
0x01004d8d
0x01004d98
0x01004d9e
0x01004da0
0x01004da7
0x01004db9
0x01004dc6
0x01004dcc
0x01004dce
0x01004ddc
0x01004ddc
0x01004dce
0x01004de1
0x01004dee
0x01004df4
0x01004df4
0x01004e02
0x00000000
0x01004e02
0x01004e27
0x01004e33
0x01004e3a
0x01004e3f
0x01004ea8
0x01004eb4
0x01004eb9
0x01004ebb
0x01004ecc
0x01004ed1
0x01004ed3
0x01004ee1
0x01004ef9
0x01004f0a
0x01004f18
0x01004f1e
0x01004f22
0x01004f24
0x01004f24
0x01004f32
0x01004f32
0x01004ed3
0x01004f37
0x01004f37
0x01004f3d
0x01004f4b
0x01004f4b
0x01004f63
0x01004f63
0x01004e46
0x01004e55
0x00000000
0x00000000
0x01004e60
0x01004e6a
0x01004e6f
0x00000000
0x00000000
0x01004e7c
0x01004e7c
0x01004e7d
0x01004e82
0x01004e86
0x00000000
0x00000000
0x01004e77
0x01004e7a
0x00000000
0x00000000
0x01004e7a
0x01004e89
0x01004e94
0x01004e99
0x00000000
0x01004e99
0x01004b08
0x01004b20
0x01004b2d
0x00000000
0x00000000
0x01004b33
0x01004b39
0x01004b4d
0x01004b4d
0x01004b66
0x01004b82
0x01004b8f
0x01004b95
0x01004b9c
0x01004bba
0x01004bc2
0x01004bc8
0x01004c37
0x01004c3e
0x01004c45
0x01004c4b
0x01004c51
0x01004c51
0x01004c53
0x01004c57
0x00000000
0x00000000
0x01004c5b
0x01004c6f
0x01004c6f
0x01004c78
0x01004c7a
0x01004c7c
0x01004c7c
0x00000000
0x01004c7a
0x01004c5d
0x01004c60
0x01004c65
0x00000000
0x00000000
0x01004c68
0x01004c6a
0x01004c6d
0x00000000
0x00000000
0x00000000
0x01004c6d
0x01004c73
0x01004c75
0x00000000
0x01004c75
0x01004bd3
0x01004c11
0x01004c27
0x01004c29
0x01004c29
0x01004c27
0x01004c35
0x00000000
0x00000000
0x00000000
0x00000000
0x01004c35
0x01004c82
0x01004c88
0x01004c99
0x01004ca0
0x01004ca6
0x01004b03
0x00000000
0x01004b03
0x00000000
0x01004ca6
0x01004b08
0x0100492f
0x01004942
0x0100494f
0x01004955
0x0100495b
0x0100496f
0x0100496f
0x01004988
0x010049a8
0x010049c1
0x010049d2
0x010049db
0x010049dc
0x010049eb
0x010049fc
0x01004a0d
0x01004a22
0x01004a26
0x01004a2c
0x01004a56
0x01004a5c
0x01004a61
0x01004a63
0x01004a63
0x01004a69
0x01004a6f
0x01004a71
0x01004a73
0x01004a73
0x01004a83
0x01004a9f
0x01004aa1
0x01004aa1
0x01004a9f
0x01004ab3
0x01004ab3
0x010049dc
0x010049a8
0x01004abf
0x01004ad0
0x01004ad7
0x01004ad7
0x00000000

APIs

SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,00000000), ref: 01004730
strstr.MSVCRT ref: 010047C6
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004801
GetLastError.KERNEL32 ref: 01004848
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 0100496F
strstr.MSVCRT ref: 010049D2
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004A0D
CopyFileA.KERNEL32(?,?,00000000), ref: 01004A22
GetLastError.KERNEL32 ref: 01004A2E
CopyFileA.KERNEL32(0100CE20,0100C3A0,00000000), ref: 01004A7C
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004AB3
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 01004B4D
_strlwr.MSVCRT ref: 01004B8F
GetLastError.KERNEL32 ref: 01004BCA
MoveFileA.KERNEL32 ref: 01004BEE
MoveFileA.KERNEL32 ref: 01004C1F
_strlwr.MSVCRT ref: 01004C3E
strstr.MSVCRT ref: 01004D07
FindFirstFileA.KERNEL32(?,?), ref: 01004D25
strrchr.MSVCRT ref: 01004D43
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?), ref: 01004D75
DeleteFileA.KERNEL32(?), ref: 01004D98
Sleep.KERNEL32(000001F4), ref: 01004DA7
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004DB9
DeleteFileA.KERNEL32(?), ref: 01004DC6
FindNextFileA.KERNEL32(?,00000010), ref: 01004DEE
FindClose.KERNEL32(?), ref: 01004E02
strchr.MSVCRT ref: 01004E60
strrchr.MSVCRT ref: 01004F18
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,010022BB,?), ref: 01004F4B

Strings

verify, xrefs: 01004AE3, 01004C8E
options, xrefs: 01004E27, 01004E2C, 01004EAD
\..\, xrefs: 010047C0, 010049CC, 01004D01
delete, xrefs: 01004CB1, 01004CB6, 01004E08
deltas, xrefs: 010046D2, 010046D7, 010048F5
command, xrefs: 01004E22
c:\e2ac7bbaf115a22162e746, xrefs: 01004744, 01004778, 010047A8, 01004983, 010049BC, 01004B61, 01004CF1, 01004E99, 01004EF4
run, xrefs: 01004EA8
copy, xrefs: 01004906, 01004AC5

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$ItemMessageSend$Attributes$ErrorFindLaststrstr$CopyDeleteMove_strlwrstrrchr$CloseFirstNextSleepstrchr
String ID: \..\$c:\e2ac7bbaf115a22162e746$command$copy$delete$deltas$options$run$verify
API String ID: 3851170777-1144146836
Opcode ID: 89faf3db3762656d20157f678ec9eb14baf6df118e99a81af9509fb5c0dc1727
Instruction ID: 1687914c5463bdb562aec54404296a2838319fe0694d4148413fc6cab1dc7c20
Opcode Fuzzy Hash: 89faf3db3762656d20157f678ec9eb14baf6df118e99a81af9509fb5c0dc1727
Instruction Fuzzy Hash: 06224E71940219AEFB63DBA4DC48FEA77BDAB14740F0045E6E2C9E2081DB759AC4CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010029C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E010029C2(void* __edi) {
				intOrPtr _v8;
				char _v528;
				char _v1040;
				char _v3088;
				char _v3089;
				_Unknown_base(*)()* _v3096;
				char _v3100;
				char _v3104;
				_Unknown_base(*)()* _v3108;
				_Unknown_base(*)()* _v3112;
				char _v3116;
				char _v3120;
				void* __ebx;
				void* __esi;
				intOrPtr _t26;
				intOrPtr _t31;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t38;
				void* _t40;
				void* _t50;
				intOrPtr* _t51;
				void* _t53;
				void* _t56;
				struct HINSTANCE__* _t57;
				void* _t59;
				void* _t62;

				_t26 =  *0x100c028; // 0x9dd8
				_v8 = _t26;
				_v3089 = 0;
				_v3104 = 0x100;
				_v3116 = 0x400;
				if(GetSystemDirectoryA( &_v528, 0x208) == 0) {
					L17:
					return E010062FF(_v3089, _t50, _v8, _t53, _t59);
				} else {
					_t56 =  &_v528 - 1;
					do {
						_t31 =  *((intOrPtr*)(_t56 + 1));
						_t56 = _t56 + 1;
					} while (_t31 != 0);
					_push(_t59);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsb"); // executed
					_t33 = LoadLibraryA( &_v528); // executed
					_t57 = _t33;
					if(_t57 == 0) {
						L16:
						_pop(_t59);
						goto L17;
					}
					_t34 = GetProcAddress(_t57, "OpenCluster");
					_v3108 = _t34;
					if(_t34 == 0) {
						L15:
						FreeLibrary(_t57); // executed
						goto L16;
					}
					_t36 = GetProcAddress(_t57, "CloseCluster");
					_v3112 = _t36;
					if(_t36 == 0) {
						goto L15;
					}
					_push(_t50);
					_t51 = GetProcAddress(_t57, "GetNodeClusterState");
					if(_t51 != 0) {
						_t38 = GetProcAddress(_t57, "GetClusterQuorumResource");
						_v3096 = _t38;
						if(_t38 != 0) {
							_t40 =  *_t51(0,  &_v3100); // executed
							if(_t40 == 0 && _v3100 == 0x13) {
								_t62 = _v3108(_t40);
								if(_t62 != 0) {
									_push( &_v3120);
									_push( &_v3116);
									_push( &_v3088);
									_push( &_v3104);
									_push( &_v1040);
									_push(_t62);
									if(_v3096() == 0) {
										_v3089 = _v3088;
									}
									_v3112(_t62);
								}
							}
						}
					}
					_pop(_t50);
					goto L15;
				}
			}

0x010029cd
0x010029d2
0x010029e1
0x010029e8
0x010029f2
0x01002a04
0x01002afe
0x01002b0d
0x01002a0a
0x01002a11
0x01002a12
0x01002a12
0x01002a15
0x01002a16
0x01002a1a
0x01002a20
0x01002a21
0x01002a22
0x01002a2a
0x01002a2b
0x01002a31
0x01002a35
0x01002afc
0x01002afc
0x00000000
0x01002afd
0x01002a47
0x01002a4b
0x01002a51
0x01002af5
0x01002af6
0x00000000
0x01002af6
0x01002a5d
0x01002a61
0x01002a67
0x00000000
0x00000000
0x01002a6d
0x01002a76
0x01002a7a
0x01002a82
0x01002a86
0x01002a8c
0x01002a97
0x01002a9b
0x01002aad
0x01002ab1
0x01002ab9
0x01002ac0
0x01002ac7
0x01002ace
0x01002ad5
0x01002ad6
0x01002adf
0x01002ae7
0x01002ae7
0x01002aee
0x01002aee
0x01002ab1
0x01002a9b
0x01002a8c
0x01002af4
0x00000000
0x01002af4

APIs

GetSystemDirectoryA.KERNEL32 ref: 010029FC
LoadLibraryA.KERNELBASE(?), ref: 01002A2B
GetProcAddress.KERNEL32(00000000,OpenCluster), ref: 01002A47
GetProcAddress.KERNEL32(00000000,CloseCluster), ref: 01002A5D
GetProcAddress.KERNEL32(00000000,GetNodeClusterState), ref: 01002A74
GetProcAddress.KERNEL32(00000000,GetClusterQuorumResource), ref: 01002A82
FreeLibrary.KERNELBASE(00000000), ref: 01002AF6

Strings

OpenCluster, xrefs: 01002A41
GetNodeClusterState, xrefs: 01002A6E
\clusapi.dll, xrefs: 01002A1B
GetClusterQuorumResource, xrefs: 01002A7C
CloseCluster, xrefs: 01002A57

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: AddressProc$Library$DirectoryFreeLoadSystem
String ID: CloseCluster$GetClusterQuorumResource$GetNodeClusterState$OpenCluster$\clusapi.dll
API String ID: 1303522615-3927317670
Opcode ID: 19ecdf8b4e077f10c3230d29f80904c3b00e6bcb7b69bd1645e8ca2f298c8bba
Instruction ID: 58cc90120aaaae1193b9abb678c188ec05ae692f01dcb1cc6c6543d780e01115
Opcode Fuzzy Hash: 19ecdf8b4e077f10c3230d29f80904c3b00e6bcb7b69bd1645e8ca2f298c8bba
Instruction Fuzzy Hash: F13147719002299BFB72DBA88D48FDA7BFC5F4A640F0442E5E544E2141DF748AC5DF61

Uniqueness

Uniqueness Score: -1.00%

Function 01003D02 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E01003D02(PSID* _a4, void* _a8, void** _a12) {
				intOrPtr _v8;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				void* _v20;
				long _v24;
				void** _v28;
				void* __ebx;
				void* __esi;
				intOrPtr _t22;
				void* _t34;
				void* _t44;
				signed int _t50;
				signed int _t56;
				void* _t63;
				unsigned int _t65;
				void* _t78;

				_t22 =  *0x100c028; // 0x9dd8
				_t77 = _a8;
				_v8 = _t22;
				_v28 = _a12;
				_v16.Value = 0;
				_v15 = 0;
				_v14 = 0;
				_v13 = 0;
				_v12 = 0;
				_v11 = 5;
				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _a4) == 0 || OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) == 0) {
					_t27 = 0;
				} else {
					_push(_t44);
					_t27 = GetTokenInformation(_v20, 4, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0x10000,  &_v24); // executed
					if(_t27 != 0) {
						_t65 = GetLengthSid( *0x100d3e0);
						_t34 = E01003BE7(_t65);
						 *_t77 = _t34;
						if(_t34 == 0) {
							L7:
							E01003892(8);
							goto L8;
						} else {
							_t77 =  *0x100d3e0; // 0x655c3a63
							_t56 = _t65 >> 2;
							memcpy(_t77 + _t56 + _t56, _t77, memcpy(_t34, _t77, _t56 << 2) & 0x00000003);
							_t78 = _t78 + 0x18;
							_t27 = GetTokenInformation(_v20, 1, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0x10000,  &_v24); // executed
							if(_t27 != 0) {
								_t77 = GetLengthSid( *0x100d3e0);
								_t34 = E01003BE7(_t43);
								 *_v28 = _t34;
								if(_t34 == 0) {
									goto L7;
								}
								L8:
								_t77 =  *0x100d3e0; // 0x655c3a63
								_t50 = _t77 >> 2;
								_t27 = memcpy(_t77 + _t50 + _t50, _t77, memcpy(_t34, _t77, _t50 << 2) & 0x00000003) + 1;
							}
						}
					}
					_pop(_t44);
				}
				return E010062FF(_t27, _t44, _v8, _t63, _t77);
			}

0x01003d0a
0x01003d13
0x01003d16
0x01003d32
0x01003d35
0x01003d39
0x01003d3d
0x01003d41
0x01003d45
0x01003d49
0x01003d55
0x01003d6e
0x01003d75
0x01003d75
0x01003d8f
0x01003d93
0x01003da6
0x01003da9
0x01003db1
0x01003db3
0x01003e04
0x01003e06
0x00000000
0x01003db5
0x01003db5
0x01003dc1
0x01003ddb
0x01003ddb
0x01003de0
0x01003de4
0x01003df2
0x01003df5
0x01003e00
0x01003e02
0x00000000
0x00000000
0x01003e0b
0x01003e0d
0x01003e17
0x01003e25
0x01003e25
0x01003de4
0x01003e26
0x01003e27
0x01003e27
0x01003e32

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01003D4D
GetCurrentProcess.KERNEL32(00000028,?), ref: 01003D5D
OpenProcessToken.ADVAPI32(00000000), ref: 01003D64
GetTokenInformation.KERNELBASE(?,00000004,c:\e2ac7bbaf115a22162e746\Setup.exe ,00010000,?), ref: 01003D8F
GetLengthSid.ADVAPI32 ref: 01003DA0
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),c:\e2ac7bbaf115a22162e746\Setup.exe ,00010000,?), ref: 01003DE0
GetLengthSid.ADVAPI32 ref: 01003DEC

Strings

c:\e2ac7bbaf115a22162e746\Setup.exe , xrefs: 01003D85, 01003DB5, 01003DD1, 01003E0D

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: Token$InformationLengthProcess$AllocateCurrentInitializeOpen
String ID: c:\e2ac7bbaf115a22162e746\Setup.exe
API String ID: 3439802213-2307559497
Opcode ID: 39bd5e7e546647ab028321304c63e802246d0dfb69878f62c748718f95d36311
Instruction ID: 50115026e131d678ab12094c5f900f2c20abbbbf56de831dd1116dd559b86531
Opcode Fuzzy Hash: 39bd5e7e546647ab028321304c63e802246d0dfb69878f62c748718f95d36311
Instruction Fuzzy Hash: 23315431600245AFEB17DBA8DC59BAF7BE9FB58740F044069FA81EB2C1DAB59904C760

Uniqueness

Uniqueness Score: -1.00%

Function 010045EB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E010045EB(void* __edi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v268;
				void* __ebx;
				void* __esi;
				intOrPtr _t19;
				void* _t20;
				char* _t24;
				void* _t26;
				void* _t27;
				signed char _t30;
				struct HINSTANCE__* _t31;
				_Unknown_base(*)()* _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				signed int _t40;
				signed int _t41;
				void _t48;
				void* _t58;
				void* _t59;
				void* _t60;

				_t19 =  *0x100c028; // 0x9dd8
				_t37 = _a8;
				_t58 = _a4;
				_v8 = _t19;
				_t20 = _t58;
				_t39 = _t20 + 1;
				do {
					_t48 =  *_t20;
					_t20 = _t20 + 1;
				} while (_t48 != 0);
				_t40 = _t20 - _t39 + 1;
				_t49 = _t40;
				_t41 = _t40 >> 2;
				memcpy( &_v268, _t58, _t41 << 2);
				_t24 = _t60 + memcpy(_t58 + _t41 + _t41, _t58, _t40 & 0x00000003) - 0x108;
				if( *((char*)(_t24 - 1)) != 0x5c) {
					 *_t24 = 0x5c;
					 *((char*)(_t24 + 1)) = 0;
				}
				_t26 = E01004590( &_v268, _t37, _a12); // executed
				_pop(_t59);
				_pop(_t38);
				if(_t26 == 0) {
					L12:
					_t27 = 0;
					L13:
					return E010062FF(_t27, _t38, _v8, _t49, _t59);
				}
				_t30 = GetFileAttributesA( &_v268); // executed
				if(_t30 == 0xffffffff || (_t30 & 0x00000010) == 0) {
					goto L12;
				} else {
					_t31 = LoadLibraryA("advapi32.dll");
					if(_t31 != 0) {
						_t33 = GetProcAddress(_t31, "DecryptFileA");
						if(_t33 != 0) {
							_t34 =  *_t33( &_v268, 0); // executed
							if(_t34 == 0) {
								GetLastError();
							}
						}
					}
					_t27 = 1;
					goto L13;
				}
			}

0x010045f6
0x010045fc
0x01004600
0x01004603
0x01004606
0x01004608
0x0100460b
0x0100460b
0x0100460d
0x0100460e
0x01004614
0x01004617
0x0100461a
0x01004623
0x0100462c
0x01004638
0x0100463a
0x0100463d
0x0100463d
0x0100464c
0x01004653
0x01004654
0x01004655
0x010046a6
0x010046a6
0x010046a8
0x010046b1
0x010046b1
0x0100465e
0x01004667
0x00000000
0x0100466d
0x01004672
0x0100467a
0x01004682
0x0100468a
0x01004695
0x01004699
0x0100469b
0x0100469b
0x01004699
0x0100468a
0x010046a3
0x00000000
0x010046a3

APIs

GetFileAttributesA.KERNELBASE(?), ref: 0100465E
LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004672
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004682
DecryptFileA.ADVAPI32(?,00000000), ref: 01004695
GetLastError.KERNEL32 ref: 0100469B

Strings

advapi32.dll, xrefs: 0100466D
DecryptFileA, xrefs: 0100467C

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$AddressAttributesDecryptErrorLastLibraryLoadProc
String ID: DecryptFileA$advapi32.dll
API String ID: 82924815-2381948369
Opcode ID: 2afcba44abed0f4631d6c18061f481163f3b24b8efbb4aba021dffaed5c2241f
Instruction ID: dd98f6a6a96e0f5451efa8104c5849e027a4f17fe98ce00ff4f40b46ec6d0873
Opcode Fuzzy Hash: 2afcba44abed0f4631d6c18061f481163f3b24b8efbb4aba021dffaed5c2241f
Instruction Fuzzy Hash: 4521D131604605DEFB62DB68CC4CBDA7BE9AB59300F0401A4EAC5E71C1EB75DA54CB16

Uniqueness

Uniqueness Score: -1.00%

Function 01002B13 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E01002B13(void* __edi, void* _a4) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				long _v24;
				intOrPtr _v40;
				void _v48;
				void* __ebx;
				void* __esi;
				intOrPtr _t13;
				int _t15;
				int _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				int _t33;
				char* _t34;

				_t13 =  *0x100c028; // 0x9dd8
				_t28 = _a4;
				_t34 = "\\\\.\\?:";
				asm("movsd");
				asm("movsw");
				_v8 = _t13;
				_v20 = 0x5c3a3f;
				asm("movsb");
				_v20 = _t28;
				_t15 = GetDriveTypeA( &_v20); // executed
				_t33 = _t15;
				_t17 = _t15;
				if(_t17 == 0) {
					_t34 = 0;
					_v12 = _t28;
					_t28 = CreateFileA( &_v16, 0x80000000, 3, 0, 3, 0, 0);
					if(_t28 == 0xffffffff) {
						goto L3;
					} else {
						if(DeviceIoControl(_t28, 0x70000, 0, 0,  &_v48, 0x18,  &_v24, 0) == 0 || _v40 != 0xb) {
							_t33 = 0;
						}
						CloseHandle(_t28);
					}
				} else {
					_t26 = _t17 - 1;
					if(_t26 != 0) {
						if(_t26 == 3) {
							_t33 = 3;
						} else {
							L3:
							_t33 = 0;
						}
					}
				}
				return E010062FF(_t33, _t28, _v8, _t30, _t34);
			}

0x01002b1b
0x01002b21
0x01002b26
0x01002b2e
0x01002b2f
0x01002b31
0x01002b37
0x01002b3f
0x01002b40
0x01002b43
0x01002b49
0x01002b4c
0x01002b4d
0x01002b60
0x01002b72
0x01002b7b
0x01002b80
0x00000000
0x01002b82
0x01002b9d
0x01002ba5
0x01002ba5
0x01002ba8
0x01002ba8
0x01002b4f
0x01002b4f
0x01002b50
0x01002b55
0x01002b5d
0x01002b57
0x01002b57
0x01002b57
0x01002b57
0x01002b55
0x01002b50
0x01002bbc

APIs

GetDriveTypeA.KERNELBASE(?), ref: 01002B43
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 01002B75
DeviceIoControl.KERNEL32 ref: 01002B95
CloseHandle.KERNEL32(00000000), ref: 01002BA8

Strings

\\.\?:, xrefs: 01002B26
?:\, xrefs: 01002B37

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CloseControlCreateDeviceDriveFileHandleType
String ID: ?:\$\\.\?:
API String ID: 3103408351-3307214488
Opcode ID: 2c8683e07499ac882b6ccafdf590b753cf23b2020a389af79e37c9552ac3cdc0
Instruction ID: 96b825b74241d8912b1bf084e53a85c8b322490675edc855e8f29042fc933e05
Opcode Fuzzy Hash: 2c8683e07499ac882b6ccafdf590b753cf23b2020a389af79e37c9552ac3cdc0
Instruction Fuzzy Hash: DE119332901618BAE722DBA99C4CEEFBFADEB49360F144161F695F3180DA748645C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01003016 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 274
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E01003016(signed int __edx, void* __edi, CHAR* _a4) {
				intOrPtr _v8;
				long _v100;
				long _v104;
				long _v196;
				short _v236;
				void _v256;
				long _v260;
				int _v264;
				signed char _v268;
				void* _v272;
				CHAR* _v276;
				signed int _v280;
				short* _v284;
				intOrPtr _v288;
				void* __ebx;
				void* __esi;
				intOrPtr _t91;
				void* _t93;
				int _t95;
				void* _t96;
				long _t97;
				void* _t100;
				intOrPtr _t103;
				signed short _t104;
				unsigned int _t105;
				void* _t110;
				long _t112;
				char* _t113;
				long _t117;
				long _t122;
				int _t125;
				long _t130;
				long _t132;
				signed char _t133;
				signed int _t134;
				void* _t135;
				short* _t136;
				signed char _t137;
				signed int _t139;
				signed char _t145;
				void* _t146;
				void* _t148;
				void* _t150;
				short* _t151;
				short* _t152;
				short* _t153;
				short* _t154;
				short* _t155;
				CHAR* _t156;
				signed char _t157;
				void* _t174;

				_t139 = __edx;
				_t91 =  *0x100c028; // 0x9dd8
				_v8 = _t91;
				_t93 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x10000000, 0); // executed
				_v272 = _t93;
				if(_t93 != 0xffffffff) {
					_push(_t146);
					_t95 = ReadFile(_t93,  &_v256, 0xf8,  &_v260, 0); // executed
					if(_t95 != 0 && _v260 == 0xf8) {
						if(_v256 != 0x5a4d) {
							L7:
							if(_v256 == 0x4550 && _v236 >= 0xe0 && _v104 != 0 && _v100 != 0 && _v100 <= 0x40000) {
								_t96 = RtlAllocateHeap( *0x100d078, 8, _v100); // executed
								_t148 = _t96;
								_v280 = _t148;
								if(_t148 != 0) {
									_t97 = SetFilePointer(_v272, _v104, 0, 0); // executed
									if(_t97 == _v104 && ReadFile(_v272, _t148, _v100,  &_v260, 0) != 0) {
										_t130 = _v100;
										if(_v260 == _t130) {
											_t100 = _t148;
											_v264 = _t130;
											_t174 = _t130 - 0x16;
											while(1) {
												_v268 = _t100;
												if(_t174 < 0) {
													break;
												}
												if( *_t100 != 0xc0) {
													L23:
													_t100 = _t100 + 1;
													_v264 = _v264 - 1;
													continue;
												} else {
													_push(4);
													_t139 = 0;
													asm("repe cmpsd");
													if(0 != 0) {
														goto L23;
													} else {
														_t132 =  *((intOrPtr*)(_t100 + 0x10));
														_v260 = _t132;
														if(_t132 < 0x16 || _t132 > _v264) {
															goto L23;
														} else {
															if(E01002FE1(0xffffffff, _t100, _t132) == 0) {
																_t133 = _v268;
																if((_t133 & 0x00000003) != 0) {
																	_t145 = _v280;
																	_t157 = _t145;
																	while(_v260 != 0) {
																		_v260 = _v260 - 1;
																		 *_t157 =  *_t133;
																		_t157 = _t157 + 1;
																		_t133 = _t133 + 1;
																	}
																	_v260 = _v260 - 1;
																	_v268 = _t145;
																	_t133 = _t145;
																}
																_t139 =  *(_t133 + 0x14) & 0x0000ffff;
																_t103 =  *((intOrPtr*)(_t133 + 0x10)) + _t133;
																_t134 = _t133 + 0x16;
																_v280 = _t139;
																_v288 = _t103;
																if(_t139 != 0) {
																	while(1) {
																		_t139 = _t134;
																		_t135 = _t134 + 4;
																		_v276 = _t139;
																		if(_t135 > _t103) {
																			goto L47;
																		}
																		_t104 =  *_t139;
																		if((_t104 & 0x00000001) == 0 && ( *(_t139 + 2) & 0x00000001) == 0) {
																			_t139 =  *(_t139 + 2) & 0x0000ffff;
																			_t105 = _t104 & 0x0000ffff;
																			_t150 = _t135;
																			_t136 = _t135 + _t105;
																			_v284 = _t136;
																			_t137 = _t136 + _t139;
																			_v268 = _t137;
																			if(_t137 <= _v288) {
																				 *((short*)(_t150 + (_t105 >> 1) * 2 - 2)) = 0;
																				 *((short*)(_v284 + ((_v276[2] & 0x0000ffff) >> 1) * 2 - 2)) = 0;
																				_t110 = 2;
																				_t151 = _t150 - _t110;
																				 *_t151 = 0x5f;
																				_t152 = _t151 - _t110;
																				 *_t152 = 0x58;
																				_t153 = _t152 - _t110;
																				 *_t153 = 0x46;
																				_t154 = _t153 - _t110;
																				 *_t154 = 0x53;
																				_t155 = _t154 - _t110;
																				 *_t155 = 0x5f;
																				_t112 = WideCharToMultiByte(0, 0, _t155, 0xffffffff, 0, 0, 0,  &_v264);
																				_v260 = _t112;
																				if(_t112 == 0 || _v264 != 0) {
																					L46:
																					_t87 =  &_v280;
																					 *_t87 = _v280 - 1;
																					if( *_t87 != 0) {
																						_t134 = _v268;
																						_t103 = _v288;
																						continue;
																					}
																				} else {
																					_t113 = HeapAlloc( *0x100d078, 8, _t112);
																					_v276 = _t113;
																					if(_t113 != 0) {
																						WideCharToMultiByte(0, 0, _t155, 0xffffffff, _t113, _v260, 0, 0);
																						if(GetEnvironmentVariableA(_v276, 0, 0) != 0) {
																							goto L46;
																						} else {
																							_t117 = WideCharToMultiByte(0, 0, _v284, 0xffffffff, 0, 0, 0,  &_v264);
																							_v260 = _t117;
																							if(_t117 == 0 || _v264 != 0) {
																								goto L46;
																							} else {
																								_t156 = HeapAlloc( *0x100d078, 8, _t117);
																								if(_t156 != 0) {
																									WideCharToMultiByte(0, 0, _v284, 0xffffffff, _t156, _v260, 0, 0);
																									SetEnvironmentVariableA(_v276, _t156);
																									goto L46;
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																		goto L47;
																	}
																}
															} else {
																_t100 = _v268;
																goto L23;
															}
														}
													}
												}
												goto L47;
											}
										}
									}
								}
							}
						} else {
							_t122 = SetFilePointer(_v272, _v196, 0, 0); // executed
							if(_t122 == _v196) {
								_t125 = ReadFile(_v272,  &_v256, 0xf8,  &_v260, 0); // executed
								if(_t125 != 0 && _v260 == 0xf8) {
									goto L7;
								}
							}
						}
					}
					L47:
					_t93 = FindCloseChangeNotification(_v272); // executed
					_pop(_t146);
				}
				return E010062FF(_t93, 0, _v8, _t139, _t146);
			}

0x01003016
0x01003021
0x01003034
0x01003040
0x01003049
0x0100304f
0x01003055
0x01003073
0x01003077
0x01003092
0x010030e0
0x010030ea
0x01003129
0x0100312f
0x01003133
0x01003139
0x0100314a
0x01003153
0x01003175
0x0100317e
0x01003184
0x01003186
0x0100318c
0x010031dd
0x010031dd
0x010031e3
0x00000000
0x00000000
0x01003194
0x010031cf
0x010031cf
0x010031d0
0x00000000
0x01003196
0x01003196
0x010031a0
0x010031a2
0x010031a4
0x00000000
0x010031a6
0x010031a6
0x010031ac
0x010031b2
0x00000000
0x010031bc
0x010031c7
0x010031ea
0x010031f3
0x010031f5
0x010031fb
0x0100320b
0x010031ff
0x01003207
0x01003209
0x0100320a
0x0100320a
0x01003213
0x01003219
0x0100321f
0x0100321f
0x01003221
0x01003228
0x0100322a
0x0100322f
0x01003235
0x0100323b
0x01003255
0x01003255
0x01003257
0x0100325c
0x01003262
0x00000000
0x00000000
0x01003268
0x0100326d
0x0100327d
0x01003281
0x01003284
0x01003286
0x01003288
0x0100328e
0x01003296
0x0100329c
0x010032aa
0x010032bd
0x010032c2
0x010032c3
0x010032c5
0x010032ca
0x010032cc
0x010032d1
0x010032d3
0x010032d8
0x010032da
0x010032df
0x010032f0
0x010032f5
0x010032f9
0x010032ff
0x010033af
0x010033af
0x010033af
0x010033b5
0x01003249
0x0100324f
0x00000000
0x0100324f
0x01003311
0x0100331a
0x01003322
0x01003328
0x0100333c
0x0100334e
0x00000000
0x01003350
0x01003364
0x01003368
0x0100336e
0x00000000
0x01003378
0x01003387
0x0100338b
0x010033a0
0x010033a9
0x00000000
0x010033a9
0x0100338b
0x0100336e
0x0100334e
0x01003328
0x010032ff
0x0100329c
0x00000000
0x0100326d
0x01003255
0x010031c9
0x010031c9
0x00000000
0x010031c9
0x010031c7
0x010031b2
0x010031a4
0x00000000
0x01003194
0x010031e5
0x0100317e
0x01003153
0x01003139
0x01003094
0x010030a2
0x010030ae
0x010030ca
0x010030ce
0x00000000
0x00000000
0x010030ce
0x010030ae
0x01003092
0x010033bb
0x010033c1
0x010033c8
0x010033c8
0x010033d3

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,10000000,00000000), ref: 01003040
ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 01003073
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 010030A2
ReadFile.KERNELBASE(?,00005A4D,000000F8,?,00000000), ref: 010030CA
RtlAllocateHeap.NTDLL(00000008,00040000), ref: 01003129
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 0100314A
ReadFile.KERNEL32(?,00000000,00040000,?,00000000), ref: 0100316B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 010032F5
HeapAlloc.KERNEL32(00000008,00000000), ref: 0100331A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0100333C
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 01003346
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01003364
HeapAlloc.KERNEL32(00000008,00000000), ref: 01003381
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 010033A0
SetEnvironmentVariableA.KERNEL32(?,00000000), ref: 010033A9
FindCloseChangeNotification.KERNELBASE(?), ref: 010033C1

Strings

PE, xrefs: 010030E0

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$ByteCharMultiWide$HeapRead$AllocEnvironmentPointerVariable$AllocateChangeCloseCreateFindNotification
String ID: PE
API String ID: 558715291-4258593460
Opcode ID: 7a117e422b0a1a894acefd9d8880e513f77c58c962ccde61173d9d4eb82a6e9e
Instruction ID: bf8ad80c2da08c31ae0c339a365434081412969bf7389dda4636a4a9dec36aeb
Opcode Fuzzy Hash: 7a117e422b0a1a894acefd9d8880e513f77c58c962ccde61173d9d4eb82a6e9e
Instruction Fuzzy Hash: 55A15E71804128AFEB778B58CC85BE9FBB9FB14350F1481E9E689A6290DB714DC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0100400D Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E0100400D() {
				signed int _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				void* _v24;
				void* __edi;
				CHAR* _t65;
				char* _t67;
				char _t71;
				intOrPtr* _t72;
				signed int _t74;
				signed int* _t75;
				signed int _t76;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t88;
				signed int _t90;
				intOrPtr _t91;
				void* _t96;
				signed char _t97;
				void* _t99;
				char* _t100;
				char* _t101;
				signed int _t102;
				signed int _t104;
				char* _t106;
				signed int _t107;
				signed int _t109;
				void* _t110;
				signed int* _t111;
				signed int _t113;
				signed int _t115;
				int _t118;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				unsigned int _t135;
				signed int _t136;
				int _t139;
				signed int _t142;
				signed int _t145;
				void* _t146;
				signed int _t147;
				signed int _t148;
				void* _t149;
				void* _t150;
				signed int _t156;
				void* _t159;
				signed int _t165;
				signed int _t166;
				void* _t172;
				signed int* _t178;
				void* _t179;
				void* _t180;
				char* _t181;
				signed int* _t182;
				void* _t183;
				signed int* _t185;
				void* _t186;

				GetModuleFileNameA(0, 0x100cf40, 0x104);
				_t65 = 0x100cf40;
				do {
					_t145 =  *_t65;
					_t65 =  &(_t65[1]);
				} while (_t145 != 0);
				_t67 = _t65 - 0x100cf41 + 0x100cf40;
				while(_t67 > 0x100cf40) {
					_t106 = _t67 - 1;
					__eflags =  *_t106 - 0x5c;
					if( *_t106 != 0x5c) {
						_t67 = _t106;
						continue;
					}
					break;
				}
				 *0x100c4b0 = E01003E3A(_t67); // executed
				E01003016(_t145, _t159, 0x100cf40); // executed
				_t101 = GetCommandLineA();
				_v24 = _t101;
				_t107 = 0;
				while(1) {
					_t71 =  *_t101;
					if(_t71 != 0x20 && _t71 != 9 && _t71 != 0x22) {
						break;
					}
					if(_t71 == 0x22) {
						_t107 = 1;
					}
					_t101 = _t101 + 1;
				}
				__eflags = _t107;
				_v24 = _t101;
				if(_t107 != 0) {
					__eflags =  *_t101;
					_t100 = _t101;
					if( *_t101 != 0) {
						while(1) {
							__eflags =  *_t100 - 0x22;
							if( *_t100 == 0x22) {
								break;
							}
							_t100 = _t100 + 1;
							__eflags =  *_t100;
							if( *_t100 != 0) {
								continue;
							} else {
							}
							goto L19;
						}
						 *_t100 = 0x20;
					}
				}
				L19:
				_t72 = _t101;
				_t6 = _t72 + 1; // 0x1
				_t146 = _t6;
				do {
					_t109 =  *_t72;
					_t72 = _t72 + 1;
					__eflags = _t109;
				} while (_t109 != 0);
				_t74 = _t72 - _t146 + _t101 - 1;
				while(1) {
					__eflags = _t74 - _t101;
					if(_t74 < _t101) {
						break;
					}
					_t110 =  *_t74;
					__eflags = _t110 - 0x20;
					if(_t110 == 0x20) {
						L24:
						 *_t74 = 0;
						_t74 = _t74 - 1;
						__eflags = _t74;
						continue;
					} else {
						__eflags = _t110 - 9;
						if(_t110 == 9) {
							goto L24;
						}
					}
					break;
				}
				_t75 =  *0x100c4b0; // 0x7661f8
				_t9 =  &_v8;
				 *_t9 = _v8 & 0x00000000;
				__eflags =  *_t9;
				_t111 = _t75;
				 *0x100d1a0 = 0;
				_t11 =  &(_t111[0]); // 0x7661f9
				_t178 = _t11;
				do {
					_t147 =  *_t111;
					_t111 =  &(_t111[0]);
					__eflags = _t147;
				} while (_t147 != 0);
				_t13 = _t75 - 1; // 0x7661f8
				_t148 = _t111 - _t178 + _t13;
				while(1) {
					__eflags = _t148 - _t75;
					if(_t148 <= _t75) {
						break;
					}
					__eflags =  *_t148 - 0x2e;
					if( *_t148 == 0x2e) {
						_t76 = _t148;
						_t14 = _t76 + 1; // 0x7661f9
						_t179 = _t14;
						do {
							_t113 =  *_t76;
							_t76 = _t76 + 1;
							__eflags = _t113;
						} while (_t113 != 0);
						_t15 = _t76 - _t179 + 1; // 0x7661fa
						_v8 = _t76 - _t179;
						_t115 = _t15 >> 2;
						_t180 = _t148;
						_t118 = memcpy(0x100d1a0, _t180, _t115 << 2) & 0x00000003;
						__eflags = _t118;
						memcpy(_t180 + _t115 + _t115, _t180, _t118);
						_t186 = _t186 + 0x18;
						 *_t148 = 0;
						_t75 =  *0x100c4b0; // 0x7661f8
					} else {
						_t148 = _t148 - 1;
						__eflags = _t148;
						continue;
					}
					L36:
					 *0x100c4a8 = L"";
					__eflags =  *_t101;
					_v12 = _t101;
					if( *_t101 != 0) {
						do {
							__eflags = ( *_v12 | 0x00000020) - ( *_t75 | 0x00000020);
							if(( *_v12 | 0x00000020) != ( *_t75 | 0x00000020)) {
								goto L56;
							} else {
								_t104 =  &(_v12[0]);
								_t21 =  &(_t75[0]); // 0x7661f9
								_t182 = _t21;
								while(1) {
									__eflags = ( *_t182 | 0x00000020) - ( *_t104 | 0x00000020);
									if(( *_t182 | 0x00000020) != ( *_t104 | 0x00000020)) {
										break;
									}
									__eflags =  *_t182;
									if( *_t182 == 0) {
										L43:
										_t166 = 0;
										__eflags =  *_t104 - 0x2e;
										_v20 = 0;
										if( *_t104 == 0x2e) {
											__eflags = _v8;
											if(_v8 > 0) {
												_v16 = _t104;
												_t25 =  &_v16;
												 *_t25 = _v16 - 0x100d1a0;
												__eflags =  *_t25;
												_v20 = 1;
												while(1) {
													_t142 = _v16;
													_t29 = _t166 + 0x100d1a0; // 0x100d1a0
													_t185 = _t29;
													__eflags = ( *(_t185 + _t142) | 0x00000020) - ( *_t185 | 0x00000020);
													if(( *(_t185 + _t142) | 0x00000020) != ( *_t185 | 0x00000020)) {
														break;
													}
													_t166 = _t166 + 1;
													__eflags = _t166 - _v8;
													if(_t166 < _v8) {
														continue;
													} else {
														_t104 = _t104 + _v8;
														__eflags = _t104;
													}
													goto L49;
												}
												_v20 = _v20 & 0x00000000;
											}
										}
										L49:
										_t128 =  *_t104;
										__eflags = _t128 - 0x20;
										if(_t128 == 0x20) {
											L52:
											_t183 = _v24;
											_t129 = _t104 - _t183;
											_t130 = _t129 >> 2;
											memcpy(0x100cbe0, _t183, _t130 << 2);
											__eflags = _v20;
											_t96 = memcpy(_t183 + _t130 + _t130, _t183, _t129 & 0x00000003);
											_t186 = _t186 + 0x18;
											_t172 = _t96 + 0x100cbe0;
											 *_t172 = 0;
											if(__eflags == 0) {
												_t135 = _v8;
												_t156 = _t135;
												_t136 = _t135 >> 2;
												memcpy(_t172, 0x100d1a0, _t136 << 2);
												_t139 = _t156 & 0x00000003;
												__eflags = _t139;
												_t99 = memcpy(0x100d1a0 + _t136 + _t136, 0x100d1a0, _t139);
												_t186 = _t186 + 0x18;
												 *((char*)(_t99 + 0x100cbe0 + _t156)) = 0;
											}
											_t97 = GetFileAttributesA("To Directory:"); // executed
											__eflags = _t97 & 0x00000010;
											if((_t97 & 0x00000010) == 0) {
												 *0x100c4a8 = _t104;
											} else {
												_t75 =  *0x100c4b0; // 0x7661f8
												goto L56;
											}
										} else {
											__eflags = _t128 - 9;
											if(_t128 == 9) {
												goto L52;
											} else {
												__eflags = _t128;
												if(_t128 != 0) {
													goto L56;
												} else {
													goto L52;
												}
											}
										}
									} else {
										_t104 = _t104 + 1;
										_t182 =  &(_t182[0]);
										__eflags = _t182;
										continue;
									}
									goto L60;
								}
								__eflags =  *_t182;
								if( *_t182 != 0) {
									goto L56;
								} else {
									goto L43;
								}
							}
							goto L60;
							L56:
							_v12 =  &(_v12[0]);
							__eflags =  *_v12;
						} while ( *_v12 != 0);
					}
					L60:
					_t165 =  *0x100c4a8; // 0x753804
					_t81 = _t165;
					_t48 = _t81 + 1; // 0x753805
					_t149 = _t48;
					do {
						_t120 =  *_t81;
						_t81 = _t81 + 1;
						__eflags = _t120;
					} while (_t120 != 0);
					_t82 = _t81 - _t149;
					__eflags = _t82 - 3;
					if(_t82 >= 3) {
						_t82 = _t82 + 0xfffffffe;
						__eflags = _t82;
						_v20 = _t82;
						if(_t82 != 0) {
							do {
								__eflags =  *_t165 - 0x20;
								if( *_t165 == 0x20) {
									_t50 = _t165 + 4; // 0x753808
									_t102 = _t50;
									_t82 =  *((intOrPtr*)(_t102 - 3));
									__eflags = _t82 - 0x2d;
									if(_t82 == 0x2d) {
										L67:
										_t83 = _t165;
										_t52 = _t83 + 1; // 0x753805
										_t150 = _t52;
										do {
											_t121 =  *_t83;
											_t83 = _t83 + 1;
											__eflags = _t121;
										} while (_t121 != 0);
										_t82 = _t83 - _t150;
										__eflags = _t82 - 2;
										if(_t82 > 2) {
											_t53 = _t165 + 2; // 0x753806
											_t181 = _t53;
											_t84 =  *_t181;
											__eflags = _t84 - 0x65;
											if(__eflags > 0) {
												_t82 = _t84 - 0x69;
												goto L74;
											} else {
												if(__eflags == 0) {
													L88:
													__imp___strnicmp(_t181, "extract:", 8);
													_t186 = _t186 + 0xc;
													__eflags = _t84;
													if(_t84 != 0) {
														goto L92;
													} else {
														__eflags = _t102;
														goto L90;
													}
												} else {
													_t84 = _t84 - 0x45;
													__eflags = _t84;
													if(_t84 == 0) {
														goto L88;
													} else {
														_t82 = _t84 - 4;
														__eflags = _t82;
														L74:
														if(__eflags == 0) {
															__imp___strnicmp(_t181, "integrate", 9);
															_t186 = _t186 + 0xc;
															__eflags = _t82;
															goto L117;
														} else {
															_t82 = _t82 - 7;
															__eflags = _t82;
															if(_t82 == 0) {
																__imp___strnicmp(_t181, "passive", 7);
																_t186 = _t186 + 0xc;
																__eflags = _t82;
																if(_t82 == 0) {
																	_t82 =  *((intOrPtr*)(_t165 + 9));
																	goto L113;
																}
															} else {
																_t85 = _t82 - 1;
																__eflags = _t85;
																if(_t85 == 0) {
																	__imp___strnicmp(_t181, "quiet", 5);
																	_t186 = _t186 + 0xc;
																	__eflags = _t85;
																	if(_t85 != 0) {
																		_t82 =  *((intOrPtr*)(_t165 + 3));
																	} else {
																		_t82 =  *((intOrPtr*)(_t102 + 3));
																	}
																	__eflags = _t82 - 0x20;
																	if(_t82 == 0x20) {
																		L109:
																		_t82 = 1;
																		 *0x100c4b4 = 1;
																		 *0x101d3e0 = 1;
																	} else {
																		__eflags = _t82;
																		if(_t82 == 0) {
																			goto L109;
																		}
																	}
																} else {
																	_t88 = _t85;
																	__eflags = _t88;
																	if(_t88 == 0) {
																		_t82 =  *((intOrPtr*)(_t165 + 3));
																		__eflags = _t82 - 0x3a;
																		if(_t82 == 0x3a) {
																			L118:
																			 *0x100ce08 = 1;
																		} else {
																			__eflags = _t82 - 0x20;
																			if(_t82 == 0x20) {
																				goto L118;
																			} else {
																				__eflags = _t82;
																				L117:
																				if(__eflags == 0) {
																					goto L118;
																				}
																			}
																		}
																	} else {
																		_t90 = _t88;
																		__eflags = _t90;
																		if(_t90 == 0) {
																			_t82 =  *((intOrPtr*)(_t165 + 3));
																			L113:
																			__eflags = _t82 - 0x20;
																			if(_t82 == 0x20) {
																				L115:
																				 *0x101d3e0 = 1;
																			} else {
																				__eflags = _t82;
																				if(_t82 == 0) {
																					goto L115;
																				}
																			}
																		} else {
																			_t82 = _t90 - 3;
																			__eflags = _t82;
																			if(_t82 == 0) {
																				_t91 =  *((intOrPtr*)(_t165 + 3));
																				__eflags = _t91 - 0x3a;
																				if(_t91 == 0x3a) {
																					L90:
																					 *0x100c4ac = 1;
																					_t82 = E01002F3A(_t102);
																					__eflags = _t82;
																					if(_t82 == 0) {
																						E01003892(0x52);
																						L92:
																						__imp___strnicmp(_t181, "extract", 7);
																						_t186 = _t186 + 0xc;
																						__eflags = _t82;
																						if(_t82 == 0) {
																							_t82 =  *((intOrPtr*)(_t165 + 9));
																							goto L85;
																						}
																					}
																				} else {
																					__eflags = _t91 - 0x50;
																					if(_t91 == 0x50) {
																						L98:
																						_t82 =  *_t102;
																						__eflags = _t82 - 0x20;
																						if(_t82 == 0x20) {
																							L100:
																							_t82 = 1;
																							 *0x100c4ac = 1;
																							 *0x100c054 = 1;
																						} else {
																							__eflags = _t82;
																							if(_t82 == 0) {
																								goto L100;
																							}
																						}
																					} else {
																						__eflags = _t91 - 0x58;
																						if(_t91 == 0x58) {
																							L95:
																							_t82 =  *_t102;
																							__eflags = _t82 - 0x20;
																							if(_t82 == 0x20) {
																								L97:
																								 *0x100c000 =  *0x100c000 & 0x00000000;
																								 *0x100c4ac = 1;
																							} else {
																								__eflags = _t82;
																								if(_t82 == 0) {
																									goto L97;
																								}
																							}
																						} else {
																							__eflags = _t91 - 0x70;
																							if(_t91 == 0x70) {
																								goto L98;
																							} else {
																								__eflags = _t91 - 0x78;
																								if(_t91 == 0x78) {
																									goto L95;
																								} else {
																									L85:
																									__eflags = _t82 - 0x20;
																									if(_t82 == 0x20) {
																										L87:
																										 *0x100c4ac = 1;
																									} else {
																										__eflags = _t82;
																										if(_t82 == 0) {
																											goto L87;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										__eflags = _t82 - 0x2f;
										if(_t82 == 0x2f) {
											goto L67;
										}
									}
								}
								_v20 = _v20 - 1;
								_t165 = _t165 + 1;
								__eflags = _v20;
							} while (_v20 > 0);
						}
					}
					return _t82;
				}
				goto L36;
			}

0x01004025
0x0100402b
0x01004030
0x01004030
0x01004032
0x01004033
0x01004039
0x0100404b
0x01004041
0x01004044
0x01004047
0x01004049
0x00000000
0x01004049
0x00000000
0x01004047
0x01004056
0x0100405b
0x01004066
0x01004068
0x0100406b
0x0100406d
0x0100406d
0x01004071
0x00000000
0x00000000
0x0100407d
0x01004081
0x01004081
0x01004082
0x01004082
0x01004085
0x01004087
0x0100408a
0x0100408c
0x0100408f
0x01004091
0x01004093
0x01004093
0x01004096
0x00000000
0x00000000
0x01004098
0x01004099
0x0100409c
0x00000000
0x00000000
0x0100409e
0x00000000
0x0100409c
0x010040a0
0x010040a0
0x01004091
0x010040a3
0x010040a3
0x010040a5
0x010040a5
0x010040a8
0x010040a8
0x010040aa
0x010040ab
0x010040ab
0x010040b1
0x010040c7
0x010040c7
0x010040c9
0x00000000
0x00000000
0x010040b7
0x010040b9
0x010040bc
0x010040c3
0x010040c3
0x010040c6
0x010040c6
0x00000000
0x010040be
0x010040be
0x010040c1
0x00000000
0x00000000
0x010040c1
0x00000000
0x010040bc
0x010040cb
0x010040d0
0x010040d0
0x010040d0
0x010040d4
0x010040d6
0x010040dd
0x010040dd
0x010040e0
0x010040e0
0x010040e2
0x010040e3
0x010040e3
0x010040e9
0x010040e9
0x010040f5
0x010040f5
0x010040f7
0x00000000
0x00000000
0x010040ef
0x010040f2
0x010040fb
0x010040fd
0x010040fd
0x01004100
0x01004100
0x01004102
0x01004103
0x01004103
0x01004109
0x0100410c
0x01004111
0x01004114
0x0100411f
0x0100411f
0x01004122
0x01004122
0x01004124
0x01004127
0x010040f4
0x010040f4
0x010040f4
0x00000000
0x010040f4
0x0100412c
0x0100412c
0x01004136
0x01004139
0x0100413c
0x01004142
0x0100414f
0x01004151
0x00000000
0x01004157
0x0100415a
0x0100415b
0x0100415b
0x01004167
0x01004171
0x01004173
0x00000000
0x00000000
0x01004160
0x01004163
0x0100417e
0x0100417e
0x01004180
0x01004183
0x01004186
0x01004188
0x0100418b
0x0100418d
0x01004190
0x01004190
0x01004190
0x01004197
0x0100419e
0x0100419e
0x010041a1
0x010041a1
0x010041b2
0x010041b4
0x00000000
0x00000000
0x010041ba
0x010041bb
0x010041be
0x00000000
0x010041c0
0x010041c0
0x010041c0
0x010041c0
0x00000000
0x010041be
0x01004243
0x01004243
0x0100418b
0x010041c3
0x010041c3
0x010041c5
0x010041c8
0x010041d3
0x010041d3
0x010041da
0x010041de
0x010041e6
0x010041ed
0x010041f1
0x010041f1
0x010041f3
0x010041f9
0x010041fc
0x010041fe
0x01004201
0x01004203
0x0100420b
0x0100420f
0x0100420f
0x01004212
0x01004212
0x01004216
0x01004216
0x01004223
0x01004229
0x0100422b
0x0100424c
0x0100422d
0x0100422d
0x00000000
0x0100422d
0x010041ca
0x010041ca
0x010041cd
0x00000000
0x010041cf
0x010041cf
0x010041d1
0x00000000
0x00000000
0x00000000
0x00000000
0x010041d1
0x010041cd
0x01004165
0x01004165
0x01004166
0x01004166
0x00000000
0x01004166
0x00000000
0x01004163
0x01004175
0x01004178
0x00000000
0x00000000
0x00000000
0x00000000
0x01004178
0x00000000
0x01004232
0x01004232
0x01004238
0x01004238
0x01004241
0x01004252
0x01004252
0x01004258
0x0100425a
0x0100425a
0x0100425d
0x0100425d
0x0100425f
0x01004260
0x01004260
0x01004264
0x01004266
0x01004269
0x0100426f
0x0100426f
0x01004272
0x01004275
0x0100427b
0x0100427b
0x0100427e
0x01004284
0x01004284
0x01004287
0x0100428a
0x0100428c
0x01004296
0x01004296
0x01004298
0x01004298
0x0100429b
0x0100429b
0x0100429d
0x0100429e
0x0100429e
0x010042a2
0x010042a4
0x010042a7
0x010042ad
0x010042ad
0x010042b0
0x010042b3
0x010042b6
0x01004388
0x00000000
0x010042bc
0x010042bc
0x01004333
0x0100433b
0x01004341
0x01004344
0x01004346
0x00000000
0x01004348
0x01004348
0x00000000
0x01004348
0x010042be
0x010042be
0x010042be
0x010042c1
0x00000000
0x010042c3
0x010042c3
0x010042c3
0x010042c6
0x010042c6
0x01004450
0x01004456
0x01004459
0x00000000
0x010042cc
0x010042cc
0x010042cc
0x010042cf
0x01004424
0x0100442a
0x0100442d
0x0100442f
0x01004431
0x00000000
0x01004431
0x010042d5
0x010042d5
0x010042d5
0x010042d6
0x010043f0
0x010043f6
0x010043f9
0x010043fb
0x01004417
0x010043fd
0x010043fd
0x010043fd
0x01004400
0x01004402
0x01004408
0x0100440a
0x0100440b
0x01004410
0x01004404
0x01004404
0x01004406
0x00000000
0x00000000
0x01004406
0x010042dc
0x010042dd
0x010042dd
0x010042de
0x010043d9
0x010043dc
0x010043de
0x0100445d
0x0100445d
0x010043e0
0x010043e0
0x010043e2
0x00000000
0x010043e4
0x010043e4
0x0100445b
0x0100445b
0x00000000
0x00000000
0x0100445b
0x010043e2
0x010042e4
0x010042e5
0x010042e5
0x010042e6
0x010043d4
0x01004434
0x01004434
0x01004436
0x0100443c
0x0100443c
0x01004438
0x01004438
0x0100443a
0x00000000
0x00000000
0x0100443a
0x010042ec
0x010042ec
0x010042ec
0x010042ef
0x010042f5
0x010042f8
0x010042fa
0x0100434b
0x0100434c
0x01004356
0x0100435b
0x0100435d
0x01004365
0x0100436a
0x01004372
0x01004378
0x0100437b
0x0100437d
0x01004383
0x00000000
0x01004383
0x0100437d
0x010042fc
0x010042fc
0x010042fe
0x010043b4
0x010043b4
0x010043b6
0x010043b8
0x010043c2
0x010043c4
0x010043c5
0x010043ca
0x010043ba
0x010043ba
0x010043bc
0x00000000
0x00000000
0x010043bc
0x01004304
0x01004304
0x01004306
0x01004390
0x01004390
0x01004392
0x01004394
0x0100439e
0x0100439e
0x010043a5
0x01004396
0x01004396
0x01004398
0x00000000
0x00000000
0x01004398
0x0100430c
0x0100430c
0x0100430e
0x00000000
0x01004314
0x01004314
0x01004316
0x00000000
0x01004318
0x01004318
0x01004318
0x0100431a
0x01004324
0x01004324
0x0100431c
0x0100431c
0x0100431e
0x00000000
0x00000000
0x0100431e
0x0100431a
0x01004316
0x0100430e
0x01004306
0x010042fe
0x010042fa
0x010042ef
0x010042e6
0x010042de
0x010042d6
0x010042cf
0x010042c6
0x010042c1
0x010042bc
0x010042b6
0x0100428e
0x0100428e
0x01004290
0x00000000
0x00000000
0x01004290
0x0100428c
0x01004467
0x0100446a
0x0100446b
0x0100446b
0x0100427b
0x01004275
0x01004479
0x01004479
0x00000000

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe,00000104), ref: 01004025
GetCommandLineA.KERNEL32 ref: 01004060
GetFileAttributesA.KERNELBASE(To Directory:), ref: 01004223
_strnicmp.MSVCRT ref: 0100433B
_strnicmp.MSVCRT ref: 01004372
_strnicmp.MSVCRT ref: 01004450

Strings

Extracting File:, xrefs: 010040D6, 01004116, 01004190, 01004206
integrate, xrefs: 0100444A
passive, xrefs: 0100441E
extract, xrefs: 0100436C
To Directory:, xrefs: 010041E1, 0100421E
extract:, xrefs: 01004335
C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe, xrefs: 0100401D, 01004022, 01004055
quiet, xrefs: 010043EA

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: _strnicmp$File$AttributesCommandLineModuleName
String ID: C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe$Extracting File:$To Directory:$extract$extract:$integrate$passive$quiet
API String ID: 3875041768-3679986037
Opcode ID: ac494798e5bc9b3b8e97eb29fcbcefb1249f91a18fa69446e7f113a224a58319
Instruction ID: ee85d7d4dc22db283b7cf7d6e356c1cdb43bb5f1116dac34ca54e1d5d0c69bec
Opcode Fuzzy Hash: ac494798e5bc9b3b8e97eb29fcbcefb1249f91a18fa69446e7f113a224a58319
Instruction Fuzzy Hash: C2D1F130A042859EFB678B6C98583FA7FE1AB42308F4A41D4DBC1DB2CACB754546C75A

Uniqueness

Uniqueness Score: -1.00%

Function 010028D9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E010028D9(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v268;
				signed int _v272;
				signed int _v276;
				int _v280;
				void* __ebx;
				void* __esi;
				intOrPtr _t23;
				signed int _t24;
				signed int _t27;
				signed int _t28;
				int _t33;
				CHAR* _t35;
				signed int _t42;
				intOrPtr _t48;
				void* _t49;
				void* _t50;

				_t23 =  *0x100c028; // 0x9dd8
				_v276 = _v276 & 0x00000000;
				_t49 = SetErrorMode;
				_t48 = _a4;
				_v8 = _t23;
				_t24 = SetErrorMode(0); // executed
				_v280 = _t24;
				SetErrorMode(_t24 | 0x00000001); // executed
				_t27 = GetTickCount();
				_v272 = _v272 & 0x00000000;
				_t42 = _t27;
				while(1) {
					_t28 = _t42;
					_t46 = _t28 % 0xf4240;
					sprintf( &_v268, "%s_%06u_", _t48, _t28 % 0xf4240);
					_t50 = _t50 + 0x10;
					_t42 = _t42 + 1; // executed
					_t33 = CreateDirectoryA( &_v268, 0); // executed
					if(_t33 != 0) {
						break;
					}
					if(GetLastError() == 0xb7) {
						_v272 = _v272 + 1;
						if(_v272 < 0x3e8) {
							continue;
						} else {
						}
					}
					L8:
					SetErrorMode(_v280); // executed
					return E010062FF(_v276, _t42, _v8, _t46, _t49);
				}
				_t35 = RemoveDirectoryA( &_v268); // executed
				if(_t35 == 0) {
					MoveFileExA( &_v268, _t35, 4);
				}
				_v276 = 1;
				goto L8;
			}

0x010028e4
0x010028e9
0x010028f2
0x010028f9
0x010028fe
0x01002901
0x01002903
0x0100290d
0x0100290f
0x01002915
0x0100291c
0x0100291e
0x01002925
0x01002927
0x01002937
0x0100293d
0x01002949
0x0100294a
0x01002952
0x00000000
0x00000000
0x0100295f
0x01002961
0x01002971
0x00000000
0x00000000
0x01002973
0x01002971
0x010029a0
0x010029a6
0x010029ba
0x010029ba
0x0100297c
0x01002984
0x01002990
0x01002990
0x01002996
0x00000000

APIs

SetErrorMode.KERNELBASE(00000000), ref: 01002901
SetErrorMode.KERNELBASE(00000000), ref: 0100290D
GetTickCount.KERNEL32 ref: 0100290F
sprintf.MSVCRT ref: 01002937
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0100294A
GetLastError.KERNEL32 ref: 01002954
RemoveDirectoryA.KERNELBASE(?), ref: 0100297C
MoveFileExA.KERNEL32 ref: 01002990
SetErrorMode.KERNELBASE(?), ref: 010029A6

Strings

%s_%06u_, xrefs: 01002931

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: Error$Mode$Directory$CountCreateFileLastMoveRemoveTicksprintf
String ID: %s_%06u_
API String ID: 2138407651-2224866286
Opcode ID: 605b290757ffbc819f70990fed8fb14aff114087cd0563a7a2d4703900c9114f
Instruction ID: 2b5bf619bf93649879f906ab2fef4dd1de3e953bea1c10fa8e68832a185b186a
Opcode Fuzzy Hash: 605b290757ffbc819f70990fed8fb14aff114087cd0563a7a2d4703900c9114f
Instruction Fuzzy Hash: AC2162719002189BEB22DB64CC4DBDA77BEEB54341F0040A6E685E2181D7B99A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010037BF Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E010037BF(void* __ecx) {
				long _v8;
				int _t4;
				int _t9;
				void* _t16;

				_t4 = GetEnvironmentVariableA("_SFX_CAB_SHUTDOWN_REQUEST", 0, 0);
				if(_t4 == 0) {
					E01002BC4("c:\e2ac7bbaf115a22162e746", "$shtdwn$.req", 0x100d2c0);
					_t4 = CreateFileA(0x100d2c0, 0xc0000000, 3, 0, 1, 0x4000002, 0); // executed
					_t16 = _t4;
					 *0x100c020 = _t16;
					if(_t16 != 0xffffffff) {
						 *0x100cad0 = memset(0x100c8c0, 0, 0xc5 << 2);
						 *0x100c8c0 = 0x6e776453;
						 *0x100c8c4 = 0x10000;
						 *0x100c8c8 = 0xc0000013; // executed
						_t9 = WriteFile(_t16, 0x100c8c0, 0x314,  &_v8, 0); // executed
						if(_t9 == 0 || _v8 != 0x314) {
							_t4 = CloseHandle( *0x100c020);
							 *0x100c020 =  *0x100c020 | 0xffffffff;
						} else {
							_t4 = SetEnvironmentVariableA("_SFX_CAB_SHUTDOWN_REQUEST", 0x100d2c0);
						}
					}
				}
				return _t4;
			}

0x010037cf
0x010037d7
0x010037ee
0x01003804
0x0100380a
0x0100380f
0x01003815
0x01003829
0x0100383a
0x01003844
0x0100384e
0x01003858
0x01003861
0x0100387c
0x01003882
0x01003868
0x0100386e
0x0100386e
0x01003861
0x01003889
0x0100388c

APIs

GetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,00000000,00000000), ref: 010037CF
CreateFileA.KERNELBASE(c:\e2ac7bbaf115a22162e746\$shtdwn$.req,C0000000,00000003,00000000,00000001,04000002,00000000), ref: 01003804
WriteFile.KERNELBASE(00000000,Sdwn,00000314,?,00000000), ref: 01003858
SetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,c:\e2ac7bbaf115a22162e746\$shtdwn$.req), ref: 0100386E
CloseHandle.KERNEL32 ref: 0100387C

Strings

Sdwn, xrefs: 0100381A, 01003838
c:\e2ac7bbaf115a22162e746\$shtdwn$.req, xrefs: 010037DE, 010037E3, 01003803, 01003868
_SFX_CAB_SHUTDOWN_REQUEST, xrefs: 010037CA, 01003869
$shtdwn$.req, xrefs: 010037E4
c:\e2ac7bbaf115a22162e746, xrefs: 010037E9

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: EnvironmentFileVariable$CloseCreateHandleWrite
String ID: $shtdwn$.req$Sdwn$_SFX_CAB_SHUTDOWN_REQUEST$c:\e2ac7bbaf115a22162e746$c:\e2ac7bbaf115a22162e746\$shtdwn$.req
API String ID: 510931695-2428724982
Opcode ID: 74f9ad3b8f2023380f4faa6e9c0d97565d17dc7302695f93730564ca81c6b899
Instruction ID: b0220b2b77477a676319b82448efaae5af67ee2cc9e6961861700f30aa540367
Opcode Fuzzy Hash: 74f9ad3b8f2023380f4faa6e9c0d97565d17dc7302695f93730564ca81c6b899
Instruction Fuzzy Hash: C8116D71604340ABF7338B9AAD4DF473AA9F786764F1043A9F1C1A61C8D7765641C770

Uniqueness

Uniqueness Score: -1.00%

Function 010063FF Relevance: 13.6, APIs: 9, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t30;
				intOrPtr* _t31;
				void* _t34;
				void _t36;
				int _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				intOrPtr _t49;
				signed int _t52;
				signed int _t53;
				int _t57;
				void* _t58;

				_push(0x28);
				_push(0x10025e0);
				E010065B8(__ebx, __edi, __esi);
				if( *0x1000000 != 0x5a4d) {
					L4:
					 *(_t58 - 0x1c) =  *(_t58 - 0x1c) & 0x00000000;
				} else {
					_t45 =  *0x100003c; // 0xe0
					if( *((intOrPtr*)(_t45 + 0x1000000)) != 0x4550) {
						goto L4;
					} else {
						_t2 = _t45 + 0x1000018; // 0xa07010b
						_t52 =  *_t2 & 0x0000ffff;
						if(_t52 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t45 + 0x1000074)) - 0xe;
							if( *((intOrPtr*)(_t45 + 0x1000074)) <= 0xe) {
								goto L4;
							} else {
								_t53 = 0;
								__eflags =  *(_t45 + 0x10000e8);
								goto L9;
							}
						} else {
							if(_t52 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t45 + 0x1000084)) - 0xe;
								if( *((intOrPtr*)(_t45 + 0x1000084)) <= 0xe) {
									goto L4;
								} else {
									_t53 = 0;
									__eflags =  *(_t45 + 0x10000f8);
									L9:
									_t10 = __eflags != 0;
									__eflags = _t10;
									 *(_t58 - 0x1c) = _t53 & 0xffffff00 | _t10;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				__set_app_type(1);
				 *0x101d3ec =  *0x101d3ec | 0xffffffff;
				 *0x101d3f0 =  *0x101d3f0 | 0xffffffff;
				_t30 = __p__fmode();
				_t48 =  *0x100c390; // 0x0
				 *_t30 = _t48;
				_t31 = __p__commode();
				_t49 =  *0x100c38c; // 0x0
				 *_t31 = _t49;
				 *0x101d3f4 =  *_adjust_fdiv;
				_t34 = E01003783();
				if( *0x100c02c == 0) {
					__setusermatherr(E01003783);
				}
				E010065A1(_t34);
				_push(0x1002218);
				_push(0x1002214);
				L01006596();
				_t36 =  *0x100c388; // 0x0
				 *(_t58 - 0x24) = _t36;
				 *(_t58 - 0x34) = __getmainargs(_t58 - 0x2c, _t58 - 0x28, _t58 - 0x20,  *0x100c384, _t58 - 0x24);
				_push(0x1002210);
				_push(0x1002208);
				L01006596();
				_t42 =  *(_t58 - 0x20);
				 *__imp____initenv = _t42;
				_push( *(_t58 - 0x20));
				_push( *(_t58 - 0x28));
				_push( *(_t58 - 0x2c));
				L01005E92(); // executed
				_t57 = _t42;
				 *(_t58 - 0x38) = _t57;
				if( *(_t58 - 0x1c) == 0) {
					exit(_t57);
				}
				__imp___cexit();
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				return E010065F3(_t57);
			}

0x010063ff
0x01006401
0x01006406
0x01006414
0x0100643e
0x0100643e
0x01006416
0x01006416
0x01006425
0x00000000
0x01006427
0x01006427
0x01006427
0x01006434
0x01006457
0x0100645e
0x00000000
0x01006460
0x01006460
0x01006462
0x00000000
0x01006462
0x01006436
0x0100643c
0x01006444
0x0100644b
0x00000000
0x0100644d
0x0100644d
0x0100644f
0x01006468
0x01006468
0x01006468
0x0100646b
0x0100646b
0x00000000
0x00000000
0x00000000
0x0100643c
0x01006434
0x01006425
0x0100646e
0x01006474
0x0100647b
0x01006482
0x01006489
0x0100648f
0x01006495
0x01006497
0x0100649d
0x010064a3
0x010064ac
0x010064b1
0x010064bd
0x010064c4
0x010064ca
0x010064cb
0x010064d0
0x010064d5
0x010064da
0x010064df
0x010064e4
0x01006503
0x01006506
0x0100650b
0x01006510
0x01006515
0x0100651e
0x01006520
0x01006523
0x01006526
0x01006529
0x01006531
0x01006533
0x0100653a
0x0100653d
0x0100653d
0x01006543
0x01006578
0x01006583

APIs

__set_app_type.MSVCRT ref: 01006474
__p__fmode.MSVCRT ref: 01006489
__p__commode.MSVCRT ref: 01006497
__setusermatherr.MSVCRT ref: 010064C4
_initterm.MSVCRT ref: 010064DA
__getmainargs.MSVCRT ref: 010064FD
_initterm.MSVCRT ref: 01006510
exit.MSVCRT ref: 0100653D
_cexit.MSVCRT ref: 01006543

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 1729372338-0
Opcode ID: 6af886278659cd1f87929ba10df1e95ca34e58862df1f3af71c4c3f27de72d1c
Instruction ID: 599c4623493fcb82760b158fed09b41a5123095cb67496b16860643f61b92bca
Opcode Fuzzy Hash: 6af886278659cd1f87929ba10df1e95ca34e58862df1f3af71c4c3f27de72d1c
Instruction Fuzzy Hash: 3B315874940205DFEB27DFA4D44CAEC77B2FB18312F10816AF196A62D8DB3B4A54CB21

Uniqueness

Uniqueness Score: -1.00%

Function 01003C0F Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01003C0F(CHAR* _a4) {
				void* _t2;
				void* _t5;

				_t2 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x8000000, 0); // executed
				_t5 = _t2;
				if(_t5 == 0xffffffff) {
					E01003892(_t2);
				}
				SetFilePointer(_t5,  *0x100c018, 0, 0); // executed
				return _t5;
			}

0x01003c2a
0x01003c30
0x01003c35
0x01003c38
0x01003c38
0x01003c48
0x01003c52

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,08000000,00000000), ref: 01003C2A
SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 01003C48

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32 ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32 ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$CreateCriticalDeleteErrorExitLastLoadMessagePointerProcessSectionString
String ID:
API String ID: 1911058658-0
Opcode ID: 3db09fa30688c6ade57452f90a721c5f0e3047f88a1d14363bbe33cf621a1cff
Instruction ID: f747d1a96e7ed0c96837ae8def0cda9aa80c9c8a6c6ac268114b6baa7651c347
Opcode Fuzzy Hash: 3db09fa30688c6ade57452f90a721c5f0e3047f88a1d14363bbe33cf621a1cff
Instruction Fuzzy Hash: 8EE086313803247BF5332669AC0EF8579099701B71F204251FB58BA1C0C6A56A40C798

Uniqueness

Uniqueness Score: -1.00%

Function 01003C87 Relevance: 1.5, APIs: 1, Instructions: 47
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E01003C87(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* _a4, void* _a8, long _a12) {
				unsigned int _v0;
				PSID* _v4;
				signed int _v12;
				intOrPtr _v16;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				void* _v24;
				long _v28;
				void** _v32;
				void* _v36;
				void* __esi;
				int _t35;
				intOrPtr _t37;
				void* _t49;
				long _t59;
				long _t63;
				void* _t64;
				signed int _t71;
				signed int _t77;
				signed int _t85;
				intOrPtr _t90;
				unsigned int _t92;
				void* _t104;
				unsigned int _t111;
				intOrPtr _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t119;
				void* _t120;

				_t91 = __edi;
				_t90 = __edx;
				_t65 = __ebx;
				if(_a4 != 0xdadafeed) {
					_t35 = WriteFile(_a4, _a8, _a12,  &_a12, 0); // executed
					if(_t35 != 0) {
						goto L4;
					} else {
						E01003892(0xffffffff);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t120 = _t119 - 0x18;
						_t37 =  *0x100c028; // 0x9dd8
						_t111 = _v0;
						_v16 = _t37;
						_v36 = _a4;
						_v24 = 0;
						_v23 = 0;
						_v22 = 0;
						_v21 = 0;
						_v20 = 0;
						_v19 = 5;
						if(AllocateAndInitializeSid( &_v24, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _v4) == 0 || OpenProcessToken(GetCurrentProcess(), 0x28,  &_v24) == 0) {
							_t42 = 0;
						} else {
							_push(__ebx);
							_t42 = GetTokenInformation(_v24, 4, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0x10000,  &_v28); // executed
							if(_t42 != 0) {
								_push(__edi);
								_t92 = GetLengthSid( *0x100d3e0);
								_t49 = E01003BE7(_t92);
								 *_t111 = _t49;
								if(_t49 == 0) {
									L14:
									E01003892(8);
									goto L15;
								} else {
									_t114 =  *0x100d3e0; // 0x655c3a63
									_t77 = _t92 >> 2;
									memcpy(_t114 + _t77 + _t77, _t114, memcpy(_t49, _t114, _t77 << 2) & 0x00000003);
									_t120 = _t120 + 0x18;
									_t42 = GetTokenInformation(_v24, 1, "c:\e2ac7bbaf115a22162e746\Setup.exe ", 0x10000,  &_v28); // executed
									if(_t42 != 0) {
										_t111 = GetLengthSid( *0x100d3e0);
										_t49 = E01003BE7(_t111);
										 *_v32 = _t49;
										if(_t49 == 0) {
											goto L14;
										}
										L15:
										_t113 =  *0x100d3e0; // 0x655c3a63
										_t71 = _t111 >> 2;
										_t42 = memcpy(_t113 + _t71 + _t71, _t113, memcpy(_t49, _t113, _t71 << 2) & 0x00000003) + 1;
									}
								}
							}
							_pop(_t65);
						}
						_pop(_t112);
						return E010062FF(_t42, _t65, _v12, _t90, _t112);
					}
				} else {
					_t59 =  *0x100c050; // 0x0
					if(_a12 >= _t59) {
						_a12 = _t59;
					}
					_push(_t110);
					_t115 = _a8;
					_t104 =  *0x100d048; // 0x790f54
					_t85 = _a12 >> 2;
					memcpy(_t115 + _t85 + _t85, _t115, memcpy(_t104, _t115, _t85 << 2) & 0x00000003);
					_t63 = _a12;
					 *0x100c050 =  *0x100c050 - _t63;
					 *0x100d048 =  *0x100d048 + _t63;
					_t64 =  *0x100d048; // 0x790f54
					 *_t64 = 0;
					L4:
					return _a12;
				}
			}

0x01003c87
0x01003c87
0x01003c87
0x01003c93
0x01003ceb
0x01003cf3
0x00000000
0x01003cf5
0x01003cf7
0x01003cfc
0x01003cfd
0x01003cfe
0x01003cff
0x01003d00
0x01003d01
0x01003d07
0x01003d0a
0x01003d13
0x01003d16
0x01003d32
0x01003d35
0x01003d39
0x01003d3d
0x01003d41
0x01003d45
0x01003d49
0x01003d55
0x01003d6e
0x01003d75
0x01003d75
0x01003d8f
0x01003d93
0x01003d99
0x01003da6
0x01003da9
0x01003db1
0x01003db3
0x01003e04
0x01003e06
0x00000000
0x01003db5
0x01003db5
0x01003dc1
0x01003ddb
0x01003ddb
0x01003de0
0x01003de4
0x01003df2
0x01003df5
0x01003e00
0x01003e02
0x00000000
0x00000000
0x01003e0b
0x01003e0d
0x01003e17
0x01003e25
0x01003e25
0x01003de4
0x01003e26
0x01003e27
0x01003e27
0x01003e2b
0x01003e32
0x01003e32
0x01003c95
0x01003c95
0x01003c9d
0x01003c9f
0x01003c9f
0x01003ca5
0x01003ca6
0x01003cac
0x01003cb2
0x01003cbc
0x01003cbe
0x01003cc1
0x01003cc7
0x01003ccd
0x01003cd3
0x01003cd7
0x01003cdb
0x01003cdb

APIs

WriteFile.KERNELBASE(DADAFEED,?,?,?,00000000), ref: 01003CEB

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 64d857ce796dace06822de0efcd78285d4c1ff5c9f778fdfecebaa5c7ebed988
Instruction ID: 8ed4801c38d92fe31a950a2119f22d7affeb1643a363de039ab70ebeba9e11e9
Opcode Fuzzy Hash: 64d857ce796dace06822de0efcd78285d4c1ff5c9f778fdfecebaa5c7ebed988
Instruction Fuzzy Hash: 60012C3120024DAFDB12CFADD800AEA77E9FB58320F448969FA68C7190D779D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01004590 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01004590(signed int _a4, struct _SECURITY_ATTRIBUTES* _a8, intOrPtr _a12) {
				int _t12;
				CHAR* _t14;
				CHAR* _t15;

				_t14 = _a4;
				_t15 = _t14;
				_a4 = 0 | _a12 == 0x00000000;
				if( *_t14 != 0) {
					do {
						if( *_t15 == 0x5c) {
							 *_t15 = 0;
							_t12 = CreateDirectoryA(_t14, _a8); // executed
							if(_t12 != 0) {
								E0100447F(0x100c00c, _t14);
								_a4 = 1;
							}
							 *_t15 = 0x5c;
						}
						_t15 =  &(_t15[1]);
					} while ( *_t15 != 0);
				}
				return _a4;
			}

0x0100459f
0x010045a5
0x010045a7
0x010045aa
0x010045ac
0x010045af
0x010045b4
0x010045b8
0x010045c0
0x010045c8
0x010045cd
0x010045cd
0x010045d4
0x010045d4
0x010045d7
0x010045d8
0x010045ac
0x010045e3

APIs

CreateDirectoryA.KERNELBASE(?,?), ref: 010045B8

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a9c93d86d7b1e126657db29aee2ea8a09b01b806f2212d3dabd863b7a028eda3
Instruction ID: 9cc6a4ee66b41767d7bcf1e787c71929ede8fd294d86324cd45e64105ddf3fa1
Opcode Fuzzy Hash: a9c93d86d7b1e126657db29aee2ea8a09b01b806f2212d3dabd863b7a028eda3
Instruction Fuzzy Hash: 7CF0B431500385AEFB334F29C804BAABFD89F91751F28809DFAC4CA582D7B58590C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01003C58 Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01003C58(void* _a4, void* _a8, long _a12) {
				int _t7;

				_t7 = ReadFile(_a4, _a8, _a12,  &_a12, 0); // executed
				if(_t7 == 0) {
					E01003892(0xffffffff);
				}
				return _a12;
			}

0x01003c6c
0x01003c74
0x01003c78
0x01003c78
0x01003c81

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 01003C6C

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32 ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32 ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CriticalDeleteErrorExitFileLastLoadMessageProcessReadSectionString
String ID:
API String ID: 896096512-0
Opcode ID: c5cd25c055f1176644a0d9d6a050eae1adbf6e77802f162c6b8565da1953186c
Instruction ID: b5e608f67cd8aa0ec7224ba8d194bf05f248ddf814a44386e79e7048d07bb6a0
Opcode Fuzzy Hash: c5cd25c055f1176644a0d9d6a050eae1adbf6e77802f162c6b8565da1953186c
Instruction Fuzzy Hash: EED0173210034DBFDF129E95CC08EAA3B6DFF44220F084514BA7889090D732D520CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01002C7C Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002C7C(void* _a4, long _a8, long _a12) {
				long _t5;
				long _t6;
				intOrPtr _t8;

				_t5 = _a8;
				if(_a12 == 0) {
					_t8 =  *0x100c018; // 0xa400
					_t5 = _t5 + _t8;
				}
				_t6 = SetFilePointer(_a4, _t5, 0, _a12); // executed
				return _t6 -  *0x100c018;
			}

0x01002c85
0x01002c88
0x01002c8a
0x01002c90
0x01002c90
0x01002c9b
0x01002ca8

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 01002C9B

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
Instruction ID: 4670c305a0b7d71b77fc1b6fc64dcd010d39b6e931a86f05cad5b7c8d19ffb63
Opcode Fuzzy Hash: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
Instruction Fuzzy Hash: 8CD01731100208AFEB22CF48DD09FAA7BA9FB40314F058254F99C86195C776A9A4DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01003BE7 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01003BE7(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x100d078, 8, _a4); // executed
				if(_t2 == 0) {
					E01003892(8);
					return _t2;
				}
				return _t2;
			}

0x01003bf7
0x01003bff
0x01003c03
0x00000000
0x01003c03
0x01003c09

APIs

RtlAllocateHeap.NTDLL(00000008,?), ref: 01003BF7

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32 ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32 ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: AllocateCriticalDeleteErrorExitHeapLastLoadMessageProcessSectionString
String ID:
API String ID: 2723237252-0
Opcode ID: d29ed06aef175119988cce3a01b5eac88403f80cc4c048d63e3ca06fa13aed40
Instruction ID: ad55088b63a8ad1721269f3b50eb0db26e9cccda6a3b5370c978a76dbeb461c3
Opcode Fuzzy Hash: d29ed06aef175119988cce3a01b5eac88403f80cc4c048d63e3ca06fa13aed40
Instruction Fuzzy Hash: E4C012311803087BFA631BAAAC09F553F59B790651F04C051F68C4C090DA62A4555750

Uniqueness

Uniqueness Score: -1.00%

Function 01003941 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01003941() {
				int _t1;

				_t1 = DialogBoxParamA( *0x100c05c, 0x64, 0, E01002E53, 0); // executed
				 *0x100ce04 =  *0x100ce04 & 0x00000000;
				if(_t1 != 0) {
					E01003892(0xffffffff);
					return _t1;
				}
				return _t1;
			}

0x01003952
0x01003958
0x01003961
0x01003965
0x00000000
0x01003965
0x0100396a

APIs

DialogBoxParamA.USER32 ref: 01003952

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32 ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32 ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CriticalDeleteDialogErrorExitLastLoadMessageParamProcessSectionString
String ID:
API String ID: 372479490-0
Opcode ID: 15e03c84a8a15e18858af6215931239894f471006d1615df1c756c50269ef313
Instruction ID: a510406ee53e3107ecf5958c8e1665ca229ba3e50066fc7eea34c27700789f19
Opcode Fuzzy Hash: 15e03c84a8a15e18858af6215931239894f471006d1615df1c756c50269ef313
Instruction Fuzzy Hash: 18D01231280340AAF6335724AE0AF5237A07720B2AF24839173E17C0D4C6EA4820CB68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01003972 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 178
synchronizationlibraryshutdownCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01003972(void* __ecx, void* __edx, void* __edi, void* __eflags, int _a4, int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v268;
				char _v528;
				signed char _v532;
				struct _OSVERSIONINFOA _v684;
				_Unknown_base(*)()* _v688;
				struct HINSTANCE__* _v692;
				intOrPtr _v696;
				char _v700;
				char _v716;
				void* __ebx;
				void* __esi;
				intOrPtr _t37;
				struct HINSTANCE__* _t44;
				void* _t46;
				void* _t49;
				long _t53;
				char* _t67;
				void* _t71;
				void* _t77;
				void* _t80;
				void* _t81;
				void* _t85;
				void* _t86;

				_t81 = __edi;
				_t80 = __edx;
				_t77 = __ecx;
				_t37 =  *0x100c028; // 0x9dd8
				_v8 = _t37;
				_v696 = _a16;
				_v700 = 0x10;
				_v688 = 0;
				_t86 = OpenEventA(0x100000, 0, "WFP_IDLE_TRIGGER");
				E0100346E(_t77, "Shutdown Initiated in Self Extractor ");
				if(_t86 == 0) {
					if(_a12 == 0) {
						Sleep(0x2710);
					} else {
						Sleep(0xea60);
					}
				} else {
					WaitForSingleObject(_t86, 0xea60);
					CloseHandle(_t86);
				}
				if(E010034F4(_t80, 0x13, 0,  &_v716,  &_v700) != 0) {
					_t44 = LoadLibraryA("advapi32.dll");
					_v692 = _t44;
					if(_t44 != 0) {
						_v688 = GetProcAddress(_t44, "InitiateSystemShutdownExA");
					}
					if(WaitForSingleObject( *0x100cf24, 0) != 0) {
						_push(_t81);
						L13:
						L13:
						if(_v688 == 0) {
							_t46 = InitiateSystemShutdownA(0, 0, 0, _a8, _a4);
						} else {
							_t46 = _v688(0, _v696, 0, _a8, _a4, _a20);
						}
						_t86 = _t46;
						if(_t86 != 0) {
							goto L28;
						}
						_t53 = GetLastError();
						if(_t53 == 0x45b) {
							L21:
							_t86 = 1;
							goto L28;
						}
						if(_t53 == 0x4f7 || _t53 == 0x15) {
							if(WaitForSingleObject( *0x100cf24, 0xbb8) != 0) {
								goto L13;
							}
							goto L21;
						} else {
							E01003791( &_v528, 0x103, "InitiateSystemShutdown() Failed with error 0x%lx \n", GetLastError());
							E0100346E(_t77,  &_v528);
							_v684.dwOSVersionInfoSize = 0x94;
							GetVersionExA( &_v684);
							if(_v684.dwMajorVersion > 4) {
								_v684.dwOSVersionInfoSize = 0x9c;
								GetVersionExA( &_v684);
								if((_v532 & 0x00000040) != 0 && GetSystemDirectoryA( &_v268, 0x104) != 0) {
									_t67 = strchr( &_v268, 0x5c);
									_pop(_t77);
									_t67[1] = 0;
									_t85 = CreateFileA( &_v268, 0xc0000000, 7, 0, 3, 0x2000000, 0);
									if(_t85 != 0xffffffff) {
										_t86 = FlushFileBuffers(_t85);
										_t71 = CloseHandle(_t85);
										if(_t86 != 0) {
											__imp__NtShutdownSystem(1);
											_t86 = _t71;
										}
									}
								}
							}
						}
						L28:
						L29:
						if(_v692 != 0) {
							FreeLibrary(_v692);
						}
						E0100358B(_t77,  &_v716);
						if(_t86 < 0) {
							E0100346E(_t77, "ShutdownSystem: Failed ");
						}
						_t49 = _t86;
						goto L34;
					}
					_t86 = 1;
					goto L29;
				} else {
					E0100346E(_t77, "Failed to Adjust ENABLE_PRIVILEGE ");
					_t49 = 0;
					L34:
					return E010062FF(_t49, 0, _v8, _t80, _t86);
				}
			}

0x01003972
0x01003972
0x01003972
0x0100397d
0x0100398b
0x01003997
0x0100399d
0x010039a7
0x010039b8
0x010039ba
0x010039c1
0x010039db
0x010039e9
0x010039dd
0x010039e9
0x010039e9
0x010039c3
0x010039c9
0x010039d0
0x010039d0
0x01003a07
0x01003a1f
0x01003a27
0x01003a2d
0x01003a3b
0x01003a3b
0x01003a50
0x01003a5a
0x00000000
0x01003a61
0x01003a67
0x01003a8b
0x01003a69
0x01003a7a
0x01003a7a
0x01003a91
0x01003a95
0x00000000
0x00000000
0x01003a9b
0x01003aa2
0x01003ac5
0x01003ac7
0x00000000
0x01003ac7
0x01003aa9
0x01003ac3
0x00000000
0x00000000
0x00000000
0x01003acd
0x01003ae1
0x01003af0
0x01003b02
0x01003b0c
0x01003b15
0x01003b22
0x01003b2c
0x01003b35
0x01003b56
0x01003b5d
0x01003b69
0x01003b7e
0x01003b83
0x01003b8d
0x01003b8f
0x01003b97
0x01003b9b
0x01003ba1
0x01003ba1
0x01003b97
0x01003b83
0x01003b35
0x01003b15
0x01003ba3
0x01003ba4
0x01003baa
0x01003bb2
0x01003bb2
0x01003bbf
0x01003bc6
0x01003bcd
0x01003bcd
0x01003bd2
0x00000000
0x01003bd2
0x01003a54
0x00000000
0x01003a09
0x01003a0e
0x01003a13
0x01003bd4
0x01003bdf
0x01003bdf

APIs

OpenEventA.KERNEL32(00100000,00000000,WFP_IDLE_TRIGGER), ref: 010039AD

Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 0100348A
Part of subcall function 0100346E: CreateFileA.KERNEL32(0100CD00,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,010038D5,?,?,00000200,?), ref: 010034B4
Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 010034DE

WaitForSingleObject.KERNEL32(00000000,0000EA60,Shutdown Initiated in Self Extractor ), ref: 010039C9
CloseHandle.KERNEL32(00000000), ref: 010039D0
Sleep.KERNEL32(00002710,Shutdown Initiated in Self Extractor ), ref: 010039E9
LoadLibraryA.KERNEL32(advapi32.dll), ref: 01003A1F
GetProcAddress.KERNEL32(00000000,InitiateSystemShutdownExA), ref: 01003A35
WaitForSingleObject.KERNEL32(00000000), ref: 01003A48
InitiateSystemShutdownA.ADVAPI32(00000000,00000000,00000000,?,?), ref: 01003A8B
GetLastError.KERNEL32 ref: 01003A9B
WaitForSingleObject.KERNEL32(00000BB8), ref: 01003ABB
GetLastError.KERNEL32 ref: 01003ACD
GetVersionExA.KERNEL32(?,?), ref: 01003B0C
GetVersionExA.KERNEL32(00000094), ref: 01003B2C
GetSystemDirectoryA.KERNEL32 ref: 01003B43
strchr.MSVCRT ref: 01003B56
CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,02000000,00000000), ref: 01003B78
FlushFileBuffers.KERNEL32(00000000), ref: 01003B86
CloseHandle.KERNEL32(00000000), ref: 01003B8F
NtShutdownSystem.NTDLL ref: 01003B9B
FreeLibrary.KERNEL32(?), ref: 01003BB2

Strings

advapi32.dll, xrefs: 01003A1A
InitiateSystemShutdownExA, xrefs: 01003A2F
WFP_IDLE_TRIGGER, xrefs: 01003984
Failed to Adjust ENABLE_PRIVILEGE , xrefs: 01003A09
@, xrefs: 01003B2E
InitiateSystemShutdown() Failed with error 0x%lx , xrefs: 01003AD0
ShutdownSystem: Failed , xrefs: 01003BC8
Shutdown Initiated in Self Extractor , xrefs: 010039B3

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CloseHandle$FileObjectSingleSystemWait$CreateErrorLastLibraryShutdownVersion$AddressBuffersDirectoryEventFlushFreeInitiateLoadOpenProcSleepstrchr
String ID: @$Failed to Adjust ENABLE_PRIVILEGE $InitiateSystemShutdown() Failed with error 0x%lx $InitiateSystemShutdownExA$Shutdown Initiated in Self Extractor $ShutdownSystem: Failed $WFP_IDLE_TRIGGER$advapi32.dll
API String ID: 2638087656-3676156507
Opcode ID: 7a1c7a1b907803973f12d1bf947b1ffc3077485c6b2b2eb9657761a4e00d1aa0
Instruction ID: ea525c0ef0f58f0b04cd7f7f13f08e90f611286073571a1279888c73dc215274
Opcode Fuzzy Hash: 7a1c7a1b907803973f12d1bf947b1ffc3077485c6b2b2eb9657761a4e00d1aa0
Instruction Fuzzy Hash: D4517275900219AFFB73AB64DC8DEDE7BB9BB05304F0101A5F6C9AA081DB758A808B51

Uniqueness

Uniqueness Score: -1.00%

Function 0100358B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
nativeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0100358B(void* __ecx, intOrPtr _a4) {
				void* _v8;
				void* _t7;
				void** _t8;

				_push(__ecx);
				if(_a4 == 0) {
					L6:
					_t7 = 0;
				} else {
					_t8 =  &_v8;
					__imp__NtOpenProcessToken(0xffffffff, 0x28, _t8);
					if(_t8 >= 0) {
						__imp__NtAdjustPrivilegesToken(_v8, 0, _a4, 0, 0, 0);
						if(_t8 < 0) {
							E0100346E(__ecx, "RestorePrivilege(): Failed To Restore Privilege ");
							NtClose(_v8);
							goto L6;
						} else {
							NtClose(_v8);
							_t7 = 1;
						}
					} else {
						E0100346E(__ecx, "RestorePrivilege():Failed To Open Process Token");
						goto L6;
					}
				}
				return _t7;
			}

0x01003590
0x01003597
0x010035ec
0x010035ec
0x01003599
0x01003599
0x010035a1
0x010035a9
0x010035c1
0x010035c9
0x010035de
0x010035e6
0x00000000
0x010035cb
0x010035ce
0x010035d6
0x010035d6
0x010035ab
0x010035b0
0x00000000
0x010035b0
0x010035a9
0x010035f0

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 010035A1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 010035C1
NtClose.NTDLL(?), ref: 010035CE

Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 0100348A
Part of subcall function 0100346E: CreateFileA.KERNEL32(0100CD00,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,010038D5,?,?,00000200,?), ref: 010034B4
Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 010034DE

Strings

RestorePrivilege(): Failed To Restore Privilege , xrefs: 010035D9
RestorePrivilege():Failed To Open Process Token, xrefs: 010035AB

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: Close$HandleToken$AdjustCreateFileOpenPrivilegesProcess
String ID: RestorePrivilege(): Failed To Restore Privilege $RestorePrivilege():Failed To Open Process Token
API String ID: 1340415033-792189412
Opcode ID: b8a0502ae2661f499545ef8694a518087c712bcdc019db68534c528b41fb345f
Instruction ID: 6003aa7cc984a04d304c8d02ce76eb40705ba2f6e4c4443cd9f7ac574e901191
Opcode Fuzzy Hash: b8a0502ae2661f499545ef8694a518087c712bcdc019db68534c528b41fb345f
Instruction Fuzzy Hash: DAF06235101119FFEB636BA28E0EDDF7EACEF16655F114020B695980A0D732CB00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010034F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 0100352E
NtAdjustPrivilegesToken.NTDLL(?,00000000,00000000,00000000,00000000,?), ref: 01003561
NtClose.NTDLL(?), ref: 0100356E
NtClose.NTDLL(?), ref: 01003579

Strings

NtOpenProcessToken Failed , xrefs: 01003538

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CloseToken$AdjustOpenPrivilegesProcess
String ID: NtOpenProcessToken Failed
API String ID: 2239692276-916547032
Opcode ID: a2bb500f86ff3c270a923705cdf631df0a80daa1bbf9043a241c06063efd5071
Instruction ID: 86087f3b1aaf02d6297fc597292e47099355ceb0a226902c4fcc6e84a4753d95
Opcode Fuzzy Hash: a2bb500f86ff3c270a923705cdf631df0a80daa1bbf9043a241c06063efd5071
Instruction Fuzzy Hash: E311A07590010AAFEB13DFA8C908BEE7BA8FB04305F008125B9A5DE090D372D5009B91

Uniqueness

Uniqueness Score: -1.00%

Function 010062FF Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E010062FF(intOrPtr __eax, intOrPtr __ebx, signed int __ecx, intOrPtr __edx, intOrPtr __esi) {
				char _v0;
				intOrPtr _v8;
				intOrPtr _v804;
				char _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t18;
				signed int _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t29;
				void* _t36;

				_t29 = __esi;
				_t24 = __edx;
				_t19 = __ecx;
				_t18 = __ebx;
				_t10 = __eax;
				_t36 = _t19 -  *0x100c028; // 0x9dd8
				if(_t36 != 0 || (__ecx & 0xffff0000) != 0) {
					_push(_t25);
					 *0x100c168 = _t10;
					 *0x100c164 = _t19;
					 *0x100c160 = _t24;
					 *0x100c15c = _t18;
					 *0x100c158 = _t29;
					 *0x100c154 = _t25;
					 *0x100c180 = ss;
					 *0x100c174 = cs;
					 *0x100c150 = ds;
					 *0x100c14c = es;
					 *0x100c148 = fs;
					 *0x100c144 = gs;
					asm("pushfd");
					_pop( *0x100c178);
					_t11 = _v0;
					 *0x100c17c =  &_v0 + 4;
					 *0x100c170 = _t11;
					 *0x100c0b8 = 0x10001;
					_t6 =  &_v0 - 4; // 0x35ff
					 *0x100c074 = _t11;
					_t12 =  *0x100c028; // 0x9dd8
					_v8 = _t12;
					_t13 =  *0x100c024; // 0xffff6227
					_v8 = _t13;
					 *0x100c16c =  *_t6;
					 *0x100c068 = 0xc0000409;
					 *0x100c06c = 1;
					SetUnhandledExceptionFilter(0);
					UnhandledExceptionFilter(0x10025d8);
					_v804 = 1;
					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
				} else {
					return __eax;
				}
			}

0x010062ff
0x010062ff
0x010062ff
0x010062ff
0x010062ff
0x010062ff
0x01006305
0x01006325
0x01006326
0x0100632b
0x01006331
0x01006337
0x0100633d
0x01006343
0x01006349
0x01006350
0x01006357
0x0100635e
0x01006365
0x0100636c
0x01006373
0x01006374
0x0100637a
0x01006383
0x01006389
0x0100638e
0x0100639b
0x0100639e
0x010063a3
0x010063a8
0x010063ab
0x010063b3
0x010063b8
0x010063be
0x010063c8
0x010063ce
0x010063d9
0x010063e4
0x010063f9
0x0100630f
0x0100630f
0x0100630f

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010063CE
UnhandledExceptionFilter.KERNEL32(010025D8), ref: 010063D9
GetCurrentProcess.KERNEL32(C0000409), ref: 010063EA
TerminateProcess.KERNEL32(00000000), ref: 010063F1

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 4382b4dedff7cdd383e5e3d049ffc534270b9df7dca4059a9d9760ad3e466a85
Instruction ID: 79cc3565e310fce42bdb6c08305b060dbc1bc5133d3f3caeb000c08a82c4a438
Opcode Fuzzy Hash: 4382b4dedff7cdd383e5e3d049ffc534270b9df7dca4059a9d9760ad3e466a85
Instruction Fuzzy Hash: 6C2102B4804200DBF727CF69E2586947BB0FB4A300F50839AF18987398E77A0585CF45

Uniqueness

Uniqueness Score: -1.00%

Function 01008906 Relevance: .3, Instructions: 303
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01008906(intOrPtr* __edx, signed int _a4, signed int _a8, signed char _a11) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _t186;
				signed int _t190;
				signed int _t192;
				void* _t196;
				signed int _t209;
				signed int _t214;
				intOrPtr _t215;
				signed int _t221;
				signed int _t222;
				signed char _t223;
				signed int _t224;
				signed int _t226;
				signed int _t231;
				signed int _t232;
				char _t236;
				intOrPtr* _t239;
				char _t244;
				signed int _t245;
				signed char _t248;
				void* _t251;
				signed char _t253;
				signed int _t261;
				void* _t268;
				char _t279;
				unsigned int _t281;
				signed int _t282;
				intOrPtr* _t284;
				intOrPtr _t285;
				signed int _t291;
				intOrPtr _t293;
				intOrPtr _t294;
				unsigned int _t299;
				signed int _t300;
				unsigned int _t301;
				void* _t302;

				_t284 = __edx;
				_t232 = _a4;
				_v5 =  *((intOrPtr*)(__edx + 0x2eb4));
				_v20 =  *((intOrPtr*)(__edx + 0x2b08));
				_v24 =  *__edx;
				_t291 =  *(__edx + 0x2eb0);
				_t186 = _a8 + _t232;
				_t285 =  *((intOrPtr*)(__edx + 0x2b04));
				_v28 = _t186;
				if(_t232 >= _t186) {
					L67:
					 *((char*)(_t284 + 0x2eb4)) = _v5;
					 *(_t284 + 0x2eb0) = _t291;
					 *((intOrPtr*)(_t284 + 0x2b04)) = _t285;
					return _a4;
				} else {
					goto L1;
				}
				do {
					L1:
					_t190 = _t291 >> 0x16;
					if(_t190 >= 0x400) {
						_t192 = 1;
						 *(_t284 + 0x2ebc) = 1;
						_t221 = 0;
					} else {
						_t221 =  *((short*)(_t284 + 0x18 + _t190 * 2));
						_t192 = 1;
					}
					if(_t221 >= 0) {
						L13:
						if( *(_t284 + 0x2ebc) != 0 || _t285 >= _v20) {
							L69:
							return _t192 | 0xffffffff;
						} else {
							_t236 = _v5 -  *(_t221 + _t284 + 0xa18);
							_v12 = _t291 <<  *(_t221 + _t284 + 0xa18);
							_v5 = _t236;
							if(_t236 <= 0) {
								_v12 = _v12 | 0 <<  ~0x00000000;
								_t285 = _t285 + 2;
								_v5 = _v5 + 0x10;
							}
							_t222 = _t221 - 0x100;
							if(_t222 >= 0) {
								_t192 = _t222 & 0x00000007;
								_v16 = _t192;
								if(_t192 != 7) {
									L39:
									_t223 = _t222 >> 3;
									if(_t223 <= 2) {
										_t158 = _t223 * 4; // 0x1000b
										_t239 = _t284 + _t158 + 0xc;
										_t293 =  *_t239;
										if(_t223 == 0) {
											L61:
											_t224 = _a4;
											_t196 = _t192 + 2;
											_a4 = _t224 - _t293;
											do {
												_t294 = _v24;
												_t244 =  *((intOrPtr*)((_a4 &  *(_t284 + 8)) + _t294));
												 *((char*)(_t294 + _t224)) = _t244;
												if(_t224 < 0x101) {
													 *((char*)( *((intOrPtr*)(_t284 + 4)) + _v24 + _t224)) = _t244;
												}
												_t224 = _t224 + 1;
												_a4 = _a4 + 1;
												_t196 = _t196 - 1;
											} while (_t196 > 0);
											_a4 = _t224;
											_t245 = _t224;
											goto L66;
										}
										 *_t239 =  *((intOrPtr*)(_t284 + 0xc));
										L60:
										 *((intOrPtr*)(_t284 + 0xc)) = _t293;
										goto L61;
									}
									_t226 = _t223;
									_t90 = _t226 + 0x10025f0; // 0x0
									_t248 =  *_t90;
									_a11 = _t248;
									if(_t248 < 3) {
										if(_t248 == 0) {
											_t293 = 1;
											L57:
											 *((intOrPtr*)(_t284 + 0x14)) =  *((intOrPtr*)(_t284 + 0x10));
											 *((intOrPtr*)(_t284 + 0x10)) =  *((intOrPtr*)(_t284 + 0xc));
											goto L60;
										}
										_t251 = 0x20;
										_t299 = _v12 >> _t251 - _a11;
										if(_t285 >= _v20) {
											goto L69;
										}
										_t138 = _t226 + 0x10025f0; // 0x0
										_t253 =  *_t138;
										_v12 = _v12 << _t253;
										_v5 = _v5 - _t253;
										if(_v5 <= 0) {
											_v12 = _v12 | 0 <<  ~0x00000000;
											_t285 = _t285 + 2;
											_v5 = _v5 + 0x10;
										}
										_t293 = _t299 +  *((intOrPtr*)(0x1002628 + _t226 * 4));
										_t192 = _v16;
										goto L57;
									}
									_t300 = _t248 & 0x000000ff;
									if(_t300 == 3) {
										_t301 = 0;
										L46:
										_t302 =  *((intOrPtr*)(0x1002628 + _t226 * 4)) + _t301 * 8;
										_t261 =  *((char*)((_v12 >> 0x19) + _t284 + 0xdb4));
										_a8 = _t261;
										if(_t285 >= _v20) {
											goto L69;
										}
										_v12 = _v12 <<  *(_t261 + _t284 + 0xe34);
										_v5 = _v5 -  *((intOrPtr*)(_a8 + _t284 + 0xe34));
										if(_v5 <= 0) {
											_v12 = _v12 | 0 <<  ~0x00000000;
											_t285 = _t285 + 2;
											_v5 = _v5 + 0x10;
										}
										_t293 = _t302 + _a8;
										goto L57;
									}
									_t268 = 0x23;
									_t301 = _v12 >> _t268 - _t300;
									if(_t285 >= _v20) {
										goto L69;
									}
									_t96 = _t226 + 0x10025f0; // 0x0
									_v5 = _v5 + 3 -  *_t96;
									_v12 = _v12 << 0xfffffffffffffffd;
									if(_v5 <= 0) {
										_v12 = _v12 | 0 <<  ~0x00000000;
										_t285 = _t285 + 2;
										_v5 = _v5 + 0x10;
									}
									_t192 = _v16;
									goto L46;
								}
								_t209 = _v12 >> 0x18;
								if(_t209 >= 0x100) {
									 *(_t284 + 0x2ebc) = 1;
									_t192 = 0;
								} else {
									_t192 =  *((short*)(_t284 + 0x818 + _t209 * 2));
								}
								_v16 = _t192;
								if(_t192 >= 0) {
									L33:
									if( *(_t284 + 0x2ebc) != 0) {
										L38:
										_t192 = _t192 + 7;
										_v16 = _t192;
										if( *(_t284 + 0x2ebc) != 0) {
											goto L69;
										}
										goto L39;
									}
									if(_t285 >= _v20) {
										goto L69;
									}
									_v12 = _v12 <<  *(_t192 + _t284 + 0xcb8);
									_t279 = _v5 -  *(_t192 + _t284 + 0xcb8);
									_v5 = _t279;
									if(_t279 <= 0) {
										_v12 = _v12 | 0 <<  ~0x00000000;
										_t285 = _t285 + 2;
										_v5 = _v5 + 0x10;
									}
									_t192 = _v16;
									goto L38;
								} else {
									_t281 = 0x800000;
									do {
										_t214 =  ~_t192;
										if((_v12 & _t281) == 0) {
											if(_t214 + _t214 >= 0x3e4) {
												L30:
												_t192 = 0;
												 *(_t284 + 0x2ebc) = 1;
												goto L31;
											}
											_t192 =  *((short*)(_t284 + 0x233c + _t214 * 4));
											goto L31;
										}
										_t62 = _t214 + 1; // 0x1
										if(_t214 + _t62 >= 0x3e4) {
											goto L30;
										}
										_t192 =  *((short*)(_t284 + 0x233e + _t214 * 4));
										L31:
										_t281 = _t281 >> 1;
									} while (_t192 < 0);
									_v16 = _t192;
									goto L33;
								}
							} else {
								_t282 = _a4;
								_t215 = _v24;
								 *(_t215 + _t282) = _t222;
								 *( *((intOrPtr*)(_t284 + 4)) + _t215 + _t282) = _t222;
								_t245 = _t282 + 1;
								_a4 = _t245;
								goto L66;
							}
						}
					} else {
						_a8 = 0x200000;
						do {
							_t231 =  ~_t221;
							if((_a8 & _t291) == 0) {
								if(_t231 + _t231 >= 0xa80) {
									L11:
									_t221 = 0;
									 *(_t284 + 0x2ebc) = _t192;
									goto L12;
								}
								_t221 =  *((short*)(_t284 + 0xe3c + _t231 * 4));
								goto L12;
							}
							_t20 = _t231 + 1; // 0x1
							if(_t231 + _t20 >= 0xa80) {
								goto L11;
							}
							_t221 =  *((short*)(_t284 + 0xe3e + _t231 * 4));
							L12:
							_a8 = _a8 >> 1;
						} while (_t221 < 0);
						goto L13;
					}
					L66:
					_t291 = _v12;
				} while (_t245 < _v28);
				goto L67;
			}

0x01008906
0x01008914
0x01008917
0x01008920
0x01008925
0x0100892d
0x01008933
0x01008938
0x0100893e
0x01008941
0x01008c9c
0x01008c9f
0x01008ca8
0x01008cae
0x00000000
0x00000000
0x00000000
0x00000000
0x01008947
0x01008947
0x01008949
0x01008951
0x0100895f
0x01008960
0x01008966
0x01008953
0x01008953
0x0100895a
0x0100895a
0x0100896a
0x010089b4
0x010089bb
0x01008cbb
0x00000000
0x010089ca
0x010089d8
0x010089df
0x010089e4
0x010089e7
0x010089f4
0x010089f8
0x010089f9
0x010089f9
0x01008a02
0x01008a04
0x01008a22
0x01008a28
0x01008a2b
0x01008aff
0x01008aff
0x01008b05
0x01008c46
0x01008c46
0x01008c4a
0x01008c4c
0x01008c56
0x01008c56
0x01008c5c
0x01008c5f
0x01008c62
0x01008c6e
0x01008c71
0x01008c74
0x01008c77
0x01008c7f
0x01008c7f
0x01008c82
0x01008c83
0x01008c86
0x01008c87
0x01008c8b
0x01008c8e
0x00000000
0x01008c8e
0x01008c51
0x01008c53
0x01008c53
0x00000000
0x01008c53
0x01008b0b
0x01008b0e
0x01008b0e
0x01008b17
0x01008b1a
0x01008be1
0x01008c32
0x01008c33
0x01008c36
0x01008c3c
0x00000000
0x01008c3c
0x01008be8
0x01008bec
0x01008bf1
0x00000000
0x00000000
0x01008bf7
0x01008bf7
0x01008bfd
0x01008c02
0x01008c09
0x01008c1b
0x01008c1f
0x01008c20
0x01008c20
0x01008c24
0x01008c2b
0x00000000
0x01008c2b
0x01008b20
0x01008b28
0x01008bdb
0x01008b7c
0x01008b83
0x01008b8f
0x01008b97
0x01008b9a
0x00000000
0x00000000
0x01008ba7
0x01008bb4
0x01008bbb
0x01008bcd
0x01008bd1
0x01008bd2
0x01008bd2
0x01008bd6
0x00000000
0x01008bd6
0x01008b30
0x01008b36
0x01008b3b
0x00000000
0x00000000
0x01008b4b
0x01008b51
0x01008b57
0x01008b5e
0x01008b70
0x01008b74
0x01008b75
0x01008b75
0x01008b79
0x00000000
0x01008b79
0x01008a34
0x01008a39
0x01008a45
0x01008a4f
0x01008a3b
0x01008a3b
0x01008a3b
0x01008a53
0x01008a56
0x01008aa6
0x01008aad
0x01008aec
0x01008aec
0x01008af6
0x01008af9
0x00000000
0x00000000
0x00000000
0x01008af9
0x01008ab2
0x00000000
0x00000000
0x01008abf
0x01008ac7
0x01008ad0
0x01008ad3
0x01008ae0
0x01008ae4
0x01008ae5
0x01008ae5
0x01008ae9
0x00000000
0x01008a58
0x01008a58
0x01008a5d
0x01008a60
0x01008a64
0x01008a85
0x01008a91
0x01008a91
0x01008a93
0x00000000
0x01008a93
0x01008a87
0x00000000
0x01008a87
0x01008a66
0x01008a70
0x00000000
0x00000000
0x01008a72
0x01008a9d
0x01008a9d
0x01008a9f
0x01008aa3
0x00000000
0x01008aa3
0x01008a06
0x01008a06
0x01008a09
0x01008a0c
0x01008a14
0x01008a17
0x01008a18
0x00000000
0x01008a18
0x01008a04
0x0100896c
0x0100896c
0x01008973
0x01008973
0x01008978
0x01008999
0x010089a5
0x010089a5
0x010089a7
0x00000000
0x010089a7
0x0100899b
0x00000000
0x0100899b
0x0100897a
0x01008984
0x00000000
0x00000000
0x01008986
0x010089ad
0x010089ad
0x010089b0
0x00000000
0x01008973
0x01008c90
0x01008c93
0x01008c93
0x00000000

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdeacfce3809adc947609343e590c714e8a037b83f6e872e5a04b82d6d4fe78
Instruction ID: 5536dabd8291dbeda9af35510c629b429d179083cdfcac66a6f3fcb092366832
Opcode Fuzzy Hash: 7cdeacfce3809adc947609343e590c714e8a037b83f6e872e5a04b82d6d4fe78
Instruction Fuzzy Hash: 40C18531D096999BEB0BCF68C0947EDBFB0BF05314F18C5AAC8D6AB682D3755585CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01008CC5 Relevance: .3, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01008CC5(intOrPtr* _a4, char _a7, signed int _a8, signed int _a12, signed char _a15) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t185;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed char _t191;
				signed int _t210;
				signed int _t212;
				void* _t214;
				signed int _t230;
				signed int _t231;
				intOrPtr _t233;
				intOrPtr* _t241;
				signed int _t245;
				signed char _t248;
				void* _t249;
				signed char _t251;
				void* _t260;
				signed int _t271;
				signed char _t272;
				unsigned int _t276;
				signed char _t278;
				intOrPtr* _t282;
				intOrPtr _t283;
				intOrPtr _t290;
				intOrPtr _t291;
				unsigned int _t292;
				unsigned int _t294;
				signed int _t295;
				unsigned int _t296;
				void* _t297;
				intOrPtr _t299;

				_t282 = _a4;
				_a7 =  *((intOrPtr*)(_t282 + 0x2eb4));
				_v8 =  *((intOrPtr*)(_t282 + 0x2eb0));
				_v12 =  *((intOrPtr*)(_t282 + 0x2b08));
				_v20 =  *_t282;
				_t185 = _a8;
				_t233 = _a12 + _t185;
				_t283 =  *((intOrPtr*)(_t282 + 0x2b04));
				_v24 = _t233;
				if(_t185 >= _t233) {
					L63:
					 *((char*)(_t282 + 0x2eb4)) = _a7;
					 *((intOrPtr*)(_t282 + 0x2eb0)) = _v8;
					 *((intOrPtr*)(_t282 + 0x2b04)) = _t283;
					 *(_t282 + 0x2ec0) =  *(_t282 + 8) & _t185;
					return _t185 - _v24;
				} else {
					goto L1;
				}
				do {
					L1:
					_t188 = _v8 >> 0x16;
					if(_t188 >= 0x400) {
						 *((intOrPtr*)(_t282 + 0x2ebc)) = 1;
						_t189 = 0;
					} else {
						_t189 =  *((short*)(_t282 + 0x18 + _t188 * 2));
					}
					if(_t189 >= 0) {
						L13:
						if( *((intOrPtr*)(_t282 + 0x2ebc)) != 0) {
							L17:
							_t190 = _t189 - 0x100;
							_a12 = _t190;
							if(_t190 >= 0) {
								_t212 = _t190 & 0x00000007;
								_v16 = _t212;
								if(_t212 != 7) {
									L38:
									_t191 = _t190 >> 3;
									if(_t191 <= 2) {
										_t157 = _t191 * 4; // 0x1000b
										_t241 = _t282 + _t157 + 0xc;
										_t290 =  *_t241;
										if(_t191 == 0) {
											L60:
											_t291 = _v20;
											_t214 = _t212 + 2;
											_t245 = (_a8 - _t290 &  *(_t282 + 8)) + _t291;
											_a12 = _t245;
											do {
												_a8 = _a8 + 1;
												 *((char*)(_t291 + _a8)) =  *_t245;
												_t245 = _a12 + 1;
												_t214 = _t214 - 1;
												_a12 = _t245;
											} while (_t214 > 0);
											goto L62;
										}
										 *_t241 =  *((intOrPtr*)(_t282 + 0xc));
										L59:
										 *((intOrPtr*)(_t282 + 0xc)) = _t290;
										goto L60;
									}
									_t190 = _t191;
									_t88 = _t190 + 0x10025f0; // 0x0
									_t248 =  *_t88;
									_a15 = _t248;
									if(_t248 < 3) {
										if(_t248 == 0) {
											_t290 =  *((intOrPtr*)(0x1002628 + _t190 * 4));
											L56:
											 *((intOrPtr*)(_t282 + 0x14)) =  *((intOrPtr*)(_t282 + 0x10));
											 *((intOrPtr*)(_t282 + 0x10)) =  *((intOrPtr*)(_t282 + 0xc));
											goto L59;
										}
										_t249 = 0x20;
										_t294 = _v8 >> _t249 - _a15;
										if(_t283 >= _v12) {
											L65:
											return _t190 | 0xffffffff;
										}
										_t135 = _t190 + 0x10025f0; // 0x0
										_t251 =  *_t135;
										_a7 = _a7 - _t251;
										_v8 = _v8 << _t251;
										if(_a7 <= 0) {
											_v8 = _v8 | 0 <<  ~0x00000000;
											_t283 = _t283 + 2;
											_a7 = _a7 + 0x10;
										}
										_t290 = _t294 +  *((intOrPtr*)(0x1002628 + _t190 * 4));
										_t212 = _v16;
										goto L56;
									}
									_t295 = _t248 & 0x000000ff;
									_t90 = _t295 - 3; // 0xfd
									if(_t90 == 0) {
										_t296 = 0;
										L45:
										_t297 =  *((intOrPtr*)(0x1002628 + _t190 * 4)) + _t296 * 8;
										_t190 =  *((char*)((_v8 >> 0x19) + _t282 + 0xdb4));
										_a12 = _t190;
										if(_t283 >= _v12) {
											goto L65;
										}
										_a7 = _a7 -  *(_t190 + _t282 + 0xe34);
										_v8 = _v8 <<  *(_t190 + _t282 + 0xe34);
										if(_a7 <= 0) {
											_v8 = _v8 | 0 <<  ~0x00000000;
											_t283 = _t283 + 2;
											_a7 = _a7 + 0x10;
										}
										_t290 = _t297 + _a12;
										goto L56;
									}
									_t260 = 0x23;
									_t296 = _v8 >> _t260 - _t295;
									if(_t283 >= _v12) {
										goto L65;
									}
									_v8 = _v8 << 0xfffffffffffffffd;
									_t96 = _t190 + 0x10025f0; // 0x0
									_a7 = _a7 + 3 -  *_t96;
									if(_a7 <= 0) {
										_v8 = _v8 | 0 <<  ~0x00000000;
										_t283 = _t283 + 2;
										_a7 = _a7 + 0x10;
									}
									_t212 = _v16;
									goto L45;
								}
								_t271 = _v8 >> 0x18;
								if(_t271 >= 0x100) {
									 *((intOrPtr*)(_t282 + 0x2ebc)) = 1;
									_t230 = 0;
								} else {
									_t230 =  *((short*)(_t282 + 0x818 + _t271 * 2));
								}
								if(_t230 >= 0) {
									L32:
									_t299 =  *((intOrPtr*)(_t282 + 0x2ebc));
									if(_t299 != 0) {
										L37:
										_t212 = _t230 + 7;
										_v16 = _t212;
										if(_t299 != 0) {
											goto L65;
										}
										goto L38;
									}
									if(_t283 >= _v12) {
										goto L65;
									}
									_t272 =  *((intOrPtr*)(_t230 + _t282 + 0xcb8));
									_v8 = _v8 << _t272;
									_a7 = _a7 - _t272;
									if(_a7 <= 0) {
										_v8 = _v8 | 0 <<  ~0x00000000;
										_t283 = _t283 + 2;
										_a7 = _a7 + 0x10;
									}
									_t190 = _a12;
									goto L37;
								} else {
									_t276 = 0x800000;
									do {
										_t231 =  ~_t230;
										if((_v8 & _t276) == 0) {
											if(_t231 + _t231 >= 0x3e4) {
												L30:
												_t230 = 0;
												 *((intOrPtr*)(_t282 + 0x2ebc)) = 1;
												goto L31;
											}
											_t230 =  *((short*)(_t282 + 0x233c + _t231 * 4));
											goto L31;
										}
										_t62 = _t231 + 1; // 0x1
										if(_t231 + _t62 >= 0x3e4) {
											goto L30;
										}
										_t230 =  *((short*)(_t282 + 0x233e + _t231 * 4));
										L31:
										_t276 = _t276 >> 1;
									} while (_t230 < 0);
									goto L32;
								}
							}
							_a8 = _a8 + 1;
							 *(_v20 + _a8) = _t190;
							goto L62;
						}
						if(_t283 >= _v12) {
							goto L65;
						}
						_t278 =  *((intOrPtr*)(_t189 + _t282 + 0xa18));
						_a7 = _a7 - _t278;
						_v8 = _v8 << _t278;
						if(_a7 <= 0) {
							_v8 = _v8 | 0 <<  ~0x00000000;
							_t283 = _t283 + 2;
							_a7 = _a7 + 0x10;
						}
						goto L17;
					} else {
						_t292 = 0x200000;
						do {
							_t210 =  ~_t189;
							if((_v8 & _t292) == 0) {
								if(_t210 + _t210 >= 0xa80) {
									L11:
									_t189 = 0;
									 *((intOrPtr*)(_t282 + 0x2ebc)) = 1;
									goto L12;
								}
								_t189 =  *((short*)(_t282 + 0xe3c + _t210 * 4));
								goto L12;
							}
							_t22 = _t210 + 1; // 0x1
							if(_t210 + _t22 >= 0xa80) {
								goto L11;
							}
							_t189 =  *((short*)(_t282 + 0xe3e + _t210 * 4));
							L12:
							_t292 = _t292 >> 1;
						} while (_t189 < 0);
						goto L13;
					}
					L62:
					_t185 = _a8;
				} while (_t185 < _v24);
				goto L63;
			}

0x01008ccd
0x01008cd9
0x01008ce2
0x01008ceb
0x01008cf1
0x01008cf4
0x01008cf7
0x01008cfd
0x01008d03
0x01008d06
0x0100902d
0x01009030
0x01009039
0x01009047
0x0100904d
0x00000000
0x00000000
0x00000000
0x00000000
0x01008d0c
0x01008d0c
0x01008d11
0x01008d1a
0x01008d23
0x01008d29
0x01008d1c
0x01008d1c
0x01008d1c
0x01008d2d
0x01008d76
0x01008d7d
0x01008db4
0x01008db9
0x01008dbb
0x01008dbe
0x01008dd3
0x01008dd9
0x01008ddc
0x01008ea3
0x01008ea3
0x01008ea8
0x01008fe8
0x01008fe8
0x01008fec
0x01008fee
0x01008ff8
0x01009000
0x01009004
0x01009005
0x01009007
0x0100900a
0x0100900f
0x01009012
0x01009018
0x01009019
0x0100901c
0x0100901c
0x00000000
0x0100900a
0x01008ff3
0x01008ff5
0x01008ff5
0x00000000
0x01008ff5
0x01008eae
0x01008eb1
0x01008eb1
0x01008eba
0x01008ebd
0x01008f81
0x01008fce
0x01008fd5
0x01008fd8
0x01008fde
0x00000000
0x01008fde
0x01008f88
0x01008f8c
0x01008f91
0x0100905a
0x00000000
0x0100905a
0x01008f97
0x01008f97
0x01008f9d
0x01008fa0
0x01008fa7
0x01008fb9
0x01008fbd
0x01008fbe
0x01008fbe
0x01008fc2
0x01008fc9
0x00000000
0x01008fc9
0x01008ec3
0x01008ec6
0x01008ecb
0x01008f7b
0x01008f1f
0x01008f26
0x01008f32
0x01008f3a
0x01008f3d
0x00000000
0x00000000
0x01008f51
0x01008f54
0x01008f5b
0x01008f6d
0x01008f71
0x01008f72
0x01008f72
0x01008f76
0x00000000
0x01008f76
0x01008ed3
0x01008ed9
0x01008ede
0x00000000
0x00000000
0x01008eef
0x01008ef4
0x01008efa
0x01008f01
0x01008f13
0x01008f17
0x01008f18
0x01008f18
0x01008f1c
0x00000000
0x01008f1c
0x01008de5
0x01008dea
0x01008df6
0x01008e00
0x01008dec
0x01008dec
0x01008dec
0x01008e04
0x01008e51
0x01008e51
0x01008e59
0x01008e95
0x01008e95
0x01008e9a
0x01008e9d
0x00000000
0x00000000
0x00000000
0x01008e9d
0x01008e5e
0x00000000
0x00000000
0x01008e64
0x01008e6b
0x01008e70
0x01008e77
0x01008e89
0x01008e8d
0x01008e8e
0x01008e8e
0x01008e92
0x00000000
0x01008e06
0x01008e06
0x01008e0b
0x01008e0e
0x01008e12
0x01008e33
0x01008e3f
0x01008e3f
0x01008e41
0x00000000
0x01008e41
0x01008e35
0x00000000
0x01008e35
0x01008e14
0x01008e1e
0x00000000
0x00000000
0x01008e20
0x01008e4b
0x01008e4b
0x01008e4d
0x00000000
0x01008e0b
0x01008e04
0x01008dc6
0x01008dc9
0x00000000
0x01008dc9
0x01008d82
0x00000000
0x00000000
0x01008d88
0x01008d8f
0x01008d92
0x01008d99
0x01008dab
0x01008daf
0x01008db0
0x01008db0
0x00000000
0x01008d2f
0x01008d2f
0x01008d34
0x01008d37
0x01008d3b
0x01008d5c
0x01008d68
0x01008d68
0x01008d6a
0x00000000
0x01008d6a
0x01008d5e
0x00000000
0x01008d5e
0x01008d3d
0x01008d47
0x00000000
0x00000000
0x01008d49
0x01008d70
0x01008d70
0x01008d72
0x00000000
0x01008d34
0x01009021
0x01009021
0x01009024
0x00000000

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79354d64886fc410c0814f504bfd9b30afd0e7d4cac24f3c7e689a98db7d4def
Instruction ID: 05c12d547ef16d3076343c8037f92f088cfa72b28578ee7f0be467a9befaacce
Opcode Fuzzy Hash: 79354d64886fc410c0814f504bfd9b30afd0e7d4cac24f3c7e689a98db7d4def
Instruction Fuzzy Hash: 9BC196319086959FDB0BCF68C0946EDBBB0BF05314F19C6AED9D56B282D7709A85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01008286 Relevance: .3, Instructions: 256
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01008286(intOrPtr* __edx, intOrPtr _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t144;
				signed int _t152;
				signed int _t171;
				signed int _t172;
				signed char _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr _t182;
				signed int _t184;
				intOrPtr* _t185;
				signed int _t187;
				void* _t188;
				signed int _t204;
				signed char _t206;
				unsigned int _t213;
				intOrPtr _t214;
				signed char _t217;
				unsigned int _t224;
				intOrPtr* _t225;
				signed int _t227;
				void* _t229;
				signed int _t233;
				signed int _t234;
				intOrPtr _t236;
				intOrPtr _t240;
				intOrPtr _t243;
				unsigned int _t247;

				_t225 = __edx;
				_t144 =  *((intOrPtr*)(__edx + 0x2eb4));
				_v12 =  *((intOrPtr*)(__edx + 0x2eb0));
				_v16 =  *((intOrPtr*)(__edx + 0x2b04));
				_v20 =  *((intOrPtr*)(__edx + 0x2b08));
				_t182 = _a4;
				_t236 = _a8 + _t182;
				_v5 = _t144;
				_v24 = _t236;
				if(_t182 >= _t236) {
					L54:
					 *(_t225 + 0x2eb4) = _t144;
					 *((intOrPtr*)(_t225 + 0x2eb0)) = _v12;
					 *((intOrPtr*)(_t225 + 0x2b04)) = _v16;
					return _t182;
				} else {
					goto L1;
				}
				do {
					L1:
					_t184 = _v12 >> 0x16;
					if(_t184 >= 0x400) {
						 *((intOrPtr*)(_t225 + 0x2ebc)) = 1;
						_t171 = 0;
					} else {
						_t171 =  *((short*)(_t225 + 0x18 + _t184 * 2));
					}
					if(_t171 >= 0) {
						L13:
						if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0) {
							L17:
							_t172 = _t171 - 0x100;
							if(_t172 >= 0) {
								_t227 = _t172 & 0x00000007;
								if(_t227 != 7) {
									L37:
									_t173 = _t172 >> 3;
									if(_t173 <= 2) {
										_t123 = _t173 * 4; // 0x1000b
										_t185 = _t225 + _t123 + 0xc;
										_t240 =  *_t185;
										if(_t173 == 0) {
											L48:
											_t229 = _t227 + 2;
											_t187 = _a4 - _t240;
											do {
												_t243 = _a4;
												 *((char*)( *_t225 + _t243)) =  *((intOrPtr*)((_t187 &  *(_t225 + 8)) +  *_t225));
												if(_t243 < 0x101) {
													 *((char*)( *((intOrPtr*)(_t225 + 4)) +  *_t225 + _t243)) =  *((intOrPtr*)( *_t225 + _t243));
												}
												_t187 = _t187 + 1;
												_t229 = _t229 - 1;
												_a4 = _t243 + 1;
											} while (_t229 > 0);
											_t144 = _v5;
											goto L53;
										}
										 *_t185 =  *((intOrPtr*)(_t225 + 0xc));
										L47:
										 *((intOrPtr*)(_t225 + 0xc)) = _t240;
										goto L48;
									}
									if(_t173 <= 3) {
										_t240 = 1;
									} else {
										_t177 = _t173;
										_t91 = _t177 + 0x10025f0; // 0x0
										_t152 =  *_t91 & 0x000000ff;
										_t188 = 0x20;
										_t247 = _v12 >> _t188 - _t152;
										_t92 = _t177 + 0x10025f0; // 0x0
										_v5 = _v5 -  *_t92;
										_v12 = _v12 << _t152;
										if(_v5 <= 0) {
											_v5 = _v5 + 0x10;
											_v12 = _v12 | 0 <<  ~0x00000000;
											_v16 = _v16 + 2;
											if(_v5 <= 0) {
												_v16 = _v16 + 2;
												_v12 = _v12 | 0 <<  ~0x00000000;
												_v5 = _v5 + 0x10;
											}
										}
										_t240 = _t247 +  *((intOrPtr*)(0x1002628 + _t177 * 4));
									}
									 *((intOrPtr*)(_t225 + 0x14)) =  *((intOrPtr*)(_t225 + 0x10));
									 *((intOrPtr*)(_t225 + 0x10)) =  *((intOrPtr*)(_t225 + 0xc));
									goto L47;
								}
								_t204 = _v12 >> 0x18;
								if(_t204 >= 0x100) {
									 *((intOrPtr*)(_t225 + 0x2ebc)) = 1;
									_t233 = 0;
								} else {
									_t233 =  *((short*)(_t225 + 0x818 + _t204 * 2));
								}
								if(_t233 >= 0) {
									L32:
									if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0) {
										L36:
										_t227 = _t233 + 7;
										if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0) {
											L56:
											return _t144 | 0xffffffff;
										}
										goto L37;
									}
									if(_v16 >= _v20) {
										goto L56;
									}
									_t206 =  *((intOrPtr*)(_t233 + _t225 + 0xcb8));
									_v12 = _v12 << _t206;
									_t144 = _t144 - _t206;
									_v5 = _t144;
									if(_t144 <= 0) {
										_v16 = _v16 + 2;
										_a8 = 0;
										_t144 = _a8 <<  ~0x00000000;
										_v12 = _v12 | _t144;
										_v5 = _v5 + 0x10;
									}
									goto L36;
								} else {
									_t213 = 0x800000;
									do {
										_t234 =  ~_t233;
										if((_v12 & _t213) == 0) {
											if(_t234 + _t234 >= 0x3e4) {
												L30:
												_t233 = 0;
												 *((intOrPtr*)(_t225 + 0x2ebc)) = 1;
												goto L31;
											}
											_t233 =  *((short*)(_t225 + 0x233c + _t234 * 4));
											goto L31;
										}
										_t62 = _t234 + 1; // 0x1
										if(_t234 + _t62 >= 0x3e4) {
											goto L30;
										}
										_t233 =  *((short*)(_t225 + 0x233e + _t234 * 4));
										L31:
										_t213 = _t213 >> 1;
									} while (_t233 < 0);
									goto L32;
								}
							}
							_t214 = _a4;
							 *(_t214 +  *_t225) = _t172;
							 *( *((intOrPtr*)(_t225 + 4)) +  *_t225 + _t214) = _t172;
							_a4 = _t214 + 1;
							goto L53;
						}
						if(_v16 >= _v20) {
							goto L56;
						}
						_t217 =  *((intOrPtr*)(_t171 + _t225 + 0xa18));
						_v12 = _v12 << _t217;
						_t144 = _t144 - _t217;
						_v5 = _t144;
						if(_t144 <= 0) {
							_v16 = _v16 + 2;
							_a8 = 0;
							_v12 = _v12 | _a8 <<  ~0x00000000;
							_t144 = _v5 + 0x10;
							_v5 = _t144;
						}
						goto L17;
					} else {
						_t224 = 0x200000;
						do {
							_t178 =  ~_t171;
							if((_v12 & _t224) == 0) {
								if(_t178 + _t178 >= 0xa80) {
									L11:
									_t171 = 0;
									 *((intOrPtr*)(_t225 + 0x2ebc)) = 1;
									goto L12;
								}
								_t171 =  *((short*)(_t225 + 0xe3c + _t178 * 4));
								goto L12;
							}
							_t21 = _t178 + 1; // 0x1
							if(_t178 + _t21 >= 0xa80) {
								goto L11;
							} else {
								_t171 =  *((short*)(_t225 + 0xe3e + _t178 * 4));
							}
							L12:
							_t224 = _t224 >> 1;
						} while (_t171 < 0);
						goto L13;
					}
					L53:
					_t182 = _a4;
				} while (_t182 < _v24);
				goto L54;
			}

0x01008286
0x01008294
0x0100829a
0x010082a3
0x010082b1
0x010082b4
0x010082b7
0x010082bc
0x010082bf
0x010082c2
0x01008572
0x01008572
0x0100857b
0x01008584
0x00000000
0x00000000
0x00000000
0x00000000
0x010082c8
0x010082c8
0x010082cd
0x010082d7
0x010082e0
0x010082e6
0x010082d9
0x010082d9
0x010082d9
0x010082ea
0x01008333
0x0100833a
0x01008382
0x01008387
0x01008389
0x010083a6
0x010083ac
0x0100847c
0x0100847c
0x01008482
0x0100851d
0x0100851d
0x01008521
0x01008523
0x0100852d
0x01008531
0x01008532
0x01008534
0x0100853e
0x01008547
0x0100854a
0x01008556
0x01008556
0x0100855a
0x0100855b
0x0100855e
0x0100855e
0x01008563
0x00000000
0x01008563
0x01008528
0x0100852a
0x0100852a
0x00000000
0x0100852a
0x0100848b
0x01008509
0x0100848d
0x01008490
0x01008493
0x01008493
0x0100849c
0x0100849f
0x010084a3
0x010084a9
0x010084ac
0x010084b3
0x010084c8
0x010084d0
0x010084dc
0x010084df
0x010084e6
0x010084f7
0x010084fa
0x010084fa
0x010084df
0x010084fe
0x010084fe
0x0100850d
0x01008513
0x00000000
0x01008513
0x010083b5
0x010083ba
0x010083c6
0x010083d0
0x010083bc
0x010083bc
0x010083bc
0x010083d4
0x01008421
0x01008428
0x0100846c
0x0100846c
0x01008476
0x01008593
0x00000000
0x01008593
0x00000000
0x01008476
0x01008430
0x00000000
0x00000000
0x01008436
0x0100843d
0x01008440
0x01008444
0x01008447
0x01008451
0x01008457
0x01008463
0x01008465
0x01008468
0x01008468
0x00000000
0x010083d6
0x010083d6
0x010083db
0x010083de
0x010083e2
0x01008403
0x0100840f
0x0100840f
0x01008411
0x00000000
0x01008411
0x01008405
0x00000000
0x01008405
0x010083e4
0x010083ee
0x00000000
0x00000000
0x010083f0
0x0100841b
0x0100841b
0x0100841d
0x00000000
0x010083db
0x010083d4
0x0100838b
0x01008390
0x01008398
0x0100839c
0x00000000
0x0100839c
0x01008342
0x00000000
0x00000000
0x01008348
0x0100834f
0x01008352
0x01008356
0x01008359
0x01008363
0x01008369
0x01008377
0x0100837d
0x0100837f
0x0100837f
0x00000000
0x010082ec
0x010082ec
0x010082f1
0x010082f4
0x010082f8
0x01008319
0x01008325
0x01008325
0x01008327
0x00000000
0x01008327
0x0100831b
0x00000000
0x0100831b
0x010082fa
0x01008304
0x00000000
0x01008306
0x01008306
0x01008306
0x0100832d
0x0100832d
0x0100832f
0x00000000
0x010082f1
0x01008566
0x01008566
0x01008569
0x00000000

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4f3ed40784cb1acd205159c057e8a6439da72c959da14e5084bb7fb85de03f
Instruction ID: 73eb1ad3db2b6007352114fa4a889570cc0f90ca5fb72025f5fa2ea13681cd0c
Opcode Fuzzy Hash: 2d4f3ed40784cb1acd205159c057e8a6439da72c959da14e5084bb7fb85de03f
Instruction Fuzzy Hash: 24A19031D082959FDB0ACF58C0942EDFBB1BF45314F59C2EEC9866B282C7715A85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0100859D Relevance: .3, Instructions: 255
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0100859D(signed int _a4, signed int _a7, signed int _a8, signed int _a12, signed char _a15) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _t150;
				signed int _t153;
				intOrPtr* _t157;
				signed int _t158;
				signed int _t161;
				signed int _t162;
				signed int _t175;
				intOrPtr _t179;
				intOrPtr _t182;
				signed int _t187;
				signed char _t192;
				signed char _t194;
				signed int _t197;
				void* _t199;
				signed int _t209;
				signed char _t210;
				unsigned int _t217;
				signed int _t225;
				signed int _t227;
				signed int _t229;
				void* _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr _t239;
				unsigned int _t243;

				_t225 = _a4;
				_t187 =  *(_t225 + 0x2eb0);
				_t179 =  *((intOrPtr*)(_t225 + 0x2b04));
				_a7 =  *((intOrPtr*)(_t225 + 0x2eb4));
				_v20 =  *((intOrPtr*)(_t225 + 0x2b08));
				_t150 = _a8;
				_t236 = _a12 + _t150;
				_v8 = _t187;
				_v16 = _t179;
				_v24 = _t236;
				if(_t150 >= _t236) {
					L55:
					 *((char*)(_t225 + 0x2eb4)) = _a7;
					 *(_t225 + 0x2eb0) = _v8;
					 *((intOrPtr*)(_t225 + 0x2b04)) = _t179;
					 *(_t225 + 0x2ec0) =  *(_t225 + 8) & _t150;
					return _t150 - _v24;
				} else {
					_t238 = 1;
					while(1) {
						_t153 = _t187 >> 0x16;
						if(_t153 >= 0x400) {
							 *((intOrPtr*)(_t225 + 0x2ebc)) = _t238;
							_t227 = 0;
						} else {
							_t227 =  *((short*)(_t225 + 0x18 + _t153 * 2));
						}
						_v12 = _t227;
						if(_t227 >= 0) {
							goto L16;
						}
						_a12 = 0x200000;
						do {
							_t234 =  ~_t227;
							if((_a12 & _t187) == 0) {
								_t153 = _t234 + _t234;
								if(_t153 >= 0xa80) {
									L13:
									_t227 = 0;
									 *((intOrPtr*)(_t225 + 0x2ebc)) = _t238;
									goto L14;
								}
								_t227 =  *((short*)(_t225 + 0xe3c + _t234 * 4));
								goto L14;
							}
							_t24 = _t234 + 1; // 0x1
							_t153 = _t234 + _t24;
							if(_t153 >= 0xa80) {
								goto L13;
							}
							_t227 =  *((short*)(_t225 + 0xe3e + _t234 * 4));
							L14:
							_a12 = _a12 >> 1;
						} while (_t227 < 0);
						_v12 = _t227;
						L16:
						if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0 || _t179 >= _v20) {
							L57:
							return _t153 | 0xffffffff;
						} else {
							_t192 =  *((intOrPtr*)(_t227 + _t225 + 0xa18));
							_v8 = _v8 << _t192;
							_t153 = _a7 - _t192;
							_a15 = _t192;
							_a7 = _t153;
							if(_t153 <= 0) {
								_a12 = 0;
								_v8 = _v8 | _a12 <<  ~0x00000000;
								_t179 = _t179 + 2;
								_t153 = _a7 + 0x10;
								_v16 = _t179;
								_a7 = _t153;
							}
							_t53 =  &_v12;
							 *_t53 = _v12 - 0x100;
							if( *_t53 >= 0) {
								_t229 = _v12 & 0x00000007;
								if(_t229 != 7) {
									L40:
									_t194 = _v12 >> 3;
									if(_t194 <= 2) {
										_t129 = _t194 * 4; // 0x1000b
										_t157 = _t225 + _t129 + 0xc;
										_t239 =  *_t157;
										if(_t194 == 0) {
											L51:
											_t158 = _a8;
											_t231 = _t229 + 2;
											_t197 = _t158 - _t239 &  *(_t225 + 8);
											do {
												 *((char*)( *_t225 + _t158)) =  *((intOrPtr*)( *_t225 + _t197));
												_t158 = _t158 + 1;
												_t197 = _t197 + 1;
												_t231 = _t231 - 1;
											} while (_t231 > 0);
											_t179 = _v16;
											_t238 = 1;
											goto L54;
										}
										 *_t157 =  *((intOrPtr*)(_t225 + 0xc));
										L50:
										 *((intOrPtr*)(_t225 + 0xc)) = _t239;
										goto L51;
									}
									if(_t194 <= 3) {
										_t239 =  *0x1002634; // 0x1
									} else {
										_t161 = _t194;
										_a12 = _t161;
										_t162 =  *(_t161 + 0x10025f0) & 0x000000ff;
										_t199 = 0x20;
										_t243 = _v8 >> _t199 - _t162;
										_t100 = _a12 + 0x10025f0; // 0x0
										_a7 = _a7 -  *_t100;
										_v8 = _v8 << _t162;
										if(_a7 <= 0) {
											_a7 = _a7 + 0x10;
											_v8 = _v8 | 0 <<  ~0x00000000;
											_t182 = _t179 + 2;
											_v16 = _t182;
											if(_a7 <= 0) {
												_v8 = _v8 | 0 <<  ~0x00000000;
												_a7 = _a7 + 0x10;
												_v16 = _t182 + 2;
											}
										}
										_t239 = _t243 +  *((intOrPtr*)(0x1002628 + _a12 * 4));
									}
									 *((intOrPtr*)(_t225 + 0x14)) =  *((intOrPtr*)(_t225 + 0x10));
									 *((intOrPtr*)(_t225 + 0x10)) =  *((intOrPtr*)(_t225 + 0xc));
									goto L50;
								}
								_t209 = _v8 >> 0x18;
								if(_t209 >= 0x100) {
									 *((intOrPtr*)(_t225 + 0x2ebc)) = _t238;
									_t232 = 0;
								} else {
									_t232 =  *((short*)(_t225 + 0x818 + _t209 * 2));
								}
								if(_t232 >= 0) {
									L35:
									if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0) {
										L39:
										_t229 = _t232 + 7;
										if( *((intOrPtr*)(_t225 + 0x2ebc)) != 0) {
											goto L57;
										}
										goto L40;
									}
									if(_t179 >= _v20) {
										goto L57;
									}
									_t210 =  *((intOrPtr*)(_t232 + _t225 + 0xcb8));
									_v8 = _v8 << _t210;
									_t153 = _t153 - _t210;
									_a7 = _t153;
									if(_t153 <= 0) {
										_a12 = 0;
										_t153 = _a12 <<  ~0x00000000;
										_v8 = _v8 | _t153;
										_t179 = _t179 + 2;
										_a7 = _a7 + 0x10;
										_v16 = _t179;
									}
									goto L39;
								} else {
									_t217 = 0x800000;
									do {
										_t233 =  ~_t232;
										if((_v8 & _t217) == 0) {
											if(_t233 + _t233 >= 0x3e4) {
												L33:
												_t232 = 0;
												 *((intOrPtr*)(_t225 + 0x2ebc)) = 1;
												goto L34;
											}
											_t232 =  *((short*)(_t225 + 0x233c + _t233 * 4));
											goto L34;
										}
										_t70 = _t233 + 1; // 0x1
										if(_t233 + _t70 >= 0x3e4) {
											goto L33;
										}
										_t232 =  *((short*)(_t225 + 0x233e + _t233 * 4));
										L34:
										_t217 = _t217 >> 1;
									} while (_t232 < 0);
									goto L35;
								}
							} else {
								_t175 = _a8;
								_a12 = _t225;
								 *((char*)(_t175 +  *_t225)) = _v12;
								_t225 = _a12;
								_t158 = _t175 + 1;
								L54:
								_a8 = _t158;
								if(_t158 < _v24) {
									_t187 = _v8;
									continue;
								}
								goto L55;
							}
						}
					}
				}
			}

0x010085a5
0x010085ae
0x010085b5
0x010085bb
0x010085c8
0x010085cb
0x010085ce
0x010085d3
0x010085d6
0x010085d9
0x010085dc
0x0100887d
0x01008880
0x01008889
0x01008897
0x0100889d
0x00000000
0x010085e2
0x010085e4
0x010085ea
0x010085ec
0x010085f4
0x010085fd
0x01008603
0x010085f6
0x010085f6
0x010085f6
0x01008607
0x0100860a
0x00000000
0x00000000
0x0100860c
0x01008613
0x01008613
0x01008618
0x0100862f
0x01008637
0x01008643
0x01008643
0x01008645
0x00000000
0x01008645
0x01008639
0x00000000
0x01008639
0x0100861a
0x0100861a
0x01008623
0x00000000
0x00000000
0x01008625
0x0100864b
0x0100864b
0x0100864e
0x01008652
0x01008655
0x0100865c
0x010088aa
0x00000000
0x0100866b
0x0100866b
0x01008675
0x01008678
0x0100867c
0x0100867f
0x01008682
0x0100868b
0x01008699
0x010086a0
0x010086a1
0x010086a3
0x010086a6
0x010086a6
0x010086a9
0x010086a9
0x010086b0
0x010086cc
0x010086d2
0x0100879b
0x0100879e
0x010087a4
0x01008840
0x01008840
0x01008844
0x01008846
0x01008850
0x01008850
0x01008858
0x01008859
0x0100885c
0x01008861
0x01008864
0x01008865
0x01008866
0x01008867
0x0100886b
0x01008870
0x00000000
0x01008870
0x0100884b
0x0100884d
0x0100884d
0x00000000
0x0100884d
0x010087ad
0x01008827
0x010087af
0x010087b2
0x010087b5
0x010087b8
0x010087c1
0x010087c4
0x010087cb
0x010087d1
0x010087d4
0x010087db
0x010087e7
0x010087f1
0x010087f5
0x010087fa
0x010087fd
0x0100880f
0x01008814
0x01008818
0x01008818
0x010087fd
0x0100881e
0x0100881e
0x01008830
0x01008836
0x00000000
0x01008836
0x010086db
0x010086e4
0x010086f0
0x010086f6
0x010086e6
0x010086e6
0x010086e6
0x010086fa
0x01008745
0x0100874c
0x0100878b
0x0100878b
0x01008795
0x00000000
0x00000000
0x00000000
0x01008795
0x01008751
0x00000000
0x00000000
0x01008757
0x0100875e
0x01008761
0x01008765
0x01008768
0x01008771
0x0100877d
0x0100877f
0x01008783
0x01008784
0x01008788
0x01008788
0x00000000
0x010086fc
0x010086fc
0x01008701
0x01008701
0x01008706
0x01008727
0x01008733
0x01008733
0x01008735
0x00000000
0x01008735
0x01008729
0x00000000
0x01008729
0x01008708
0x01008712
0x00000000
0x00000000
0x01008714
0x0100873f
0x0100873f
0x01008741
0x00000000
0x01008701
0x010086b2
0x010086b4
0x010086b7
0x010086bd
0x010086c0
0x010086c3
0x01008871
0x01008874
0x01008877
0x010085e7
0x00000000
0x010085e7
0x00000000
0x01008877
0x010086b0
0x0100865c
0x010085ea

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f84ed33e04a50cc75d73480d86f3b8f11bbc8851e627dfa954f843364c247
Instruction ID: 47a47e7724101b81cf1e1fdd9477815481a0082b8eb6285e44efc0e7966f3570
Opcode Fuzzy Hash: 3d9f84ed33e04a50cc75d73480d86f3b8f11bbc8851e627dfa954f843364c247
Instruction Fuzzy Hash: 24B1A735D082959FDB0BCF18C4946EDBBB0BF45310F19C6AFD8969B286C7709685CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100911E Relevance: .2, Instructions: 230
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0100911E(intOrPtr __ebx, intOrPtr __ecx, signed int __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v32;
				char _v220;
				char _v732;
				signed int _v736;
				intOrPtr _v740;
				signed int _v744;
				intOrPtr _v748;
				void* __esi;
				signed int _t110;
				signed int _t118;
				signed int _t121;
				signed int _t131;
				signed int _t142;
				signed int _t143;
				signed int _t155;
				signed int _t157;
				void* _t159;
				intOrPtr _t168;
				signed int _t170;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				unsigned int _t185;
				intOrPtr _t188;
				void* _t189;
				int _t192;
				void* _t193;
				void* _t194;

				_t182 = __edx;
				_t156 = __ebx;
				_t110 =  *0x100c028; // 0x9dd8
				_v8 = _t110;
				_t188 = __ecx;
				_v748 = __ecx;
				_v740 = _a12;
				_t192 = 0;
				do {
					 *((char*)(_t193 + _t192 - 0x1c)) = E0100815F(__ecx, 4);
					_t192 = _t192 + 1;
				} while (_t192 < 0x14);
				if( *((intOrPtr*)(_t188 + 0x2ebc)) == 0) {
					_push(__ebx);
					E01009558(_t188, 0x14,  &_v32, 8,  &_v732,  &_v220);
					_t192 = 0;
					if(_a4 <= 0) {
						L61:
						_t118 = 0 |  *((intOrPtr*)(_t188 + 0x2ebc)) == 0x00000000;
						L62:
						_pop(_t156);
						L63:
						return E010062FF(_t118, _t156, _v8, _t182, _t192);
					} else {
						goto L5;
					}
					do {
						L5:
						_t121 =  *(_t188 + 0x2eb0) >> 0x18;
						_t168 = 1;
						if(_t121 >= 0x100) {
							 *((intOrPtr*)(_t188 + 0x2ebc)) = 1;
							_t157 = 0;
						} else {
							_t157 =  *((intOrPtr*)(_t193 + _t121 * 2 - 0x2d8));
						}
						if(_t157 >= 0) {
							L17:
							if(_t157 >= 0x18 || _t157 < 0) {
								 *((intOrPtr*)(_t188 + 0x2ebc)) = _t168;
								goto L22;
							} else {
								if( *((intOrPtr*)(_t188 + 0x2ebc)) != 0) {
									L64:
									_t118 = 0;
									goto L62;
								}
								E010080A3(_t188,  *(_t193 + _t157 - 0x1c) & 0x000000ff);
								_t168 = 1;
								L22:
								if( *((intOrPtr*)(_t188 + 0x2ebc)) != 0) {
									goto L64;
								}
								if(_t157 != 0x11) {
									if(_t157 != 0x12) {
										if(_t157 != 0x13) {
											asm("cdq");
											_t170 = 0x11;
											_t100 = (( *(_t192 + _a8) & 0x000000ff) - _t157 + 0x11) % _t170;
											_t182 = _t100;
											 *(_v740 + _t192) = _t100;
											goto L60;
										}
										_t159 = (E0100815F(_t188, _t168) & 0x000000ff) + 4;
										if(_t159 + _t192 >= _a4) {
											_t159 = _a4 - _t192;
										}
										_t131 =  *(_t188 + 0x2eb0) >> 0x18;
										if(_t131 >= 0x100) {
											_v736 = _v736 & 0x00000000;
											 *((intOrPtr*)(_t188 + 0x2ebc)) = 1;
										} else {
											_v736 =  *((intOrPtr*)(_t193 + _t131 * 2 - 0x2d8));
										}
										if(_v736 >= 0) {
											L48:
											if(_v736 >= 0x18 || _v736 < 0) {
												 *((intOrPtr*)(_t188 + 0x2ebc)) = 1;
												goto L53;
											} else {
												if( *((intOrPtr*)(_t188 + 0x2ebc)) != 0) {
													goto L64;
												}
												E010080A3(_t188,  *(_t193 + _v736 - 0x1c) & 0x000000ff);
												L53:
												if( *((intOrPtr*)(_t188 + 0x2ebc)) != 0) {
													goto L64;
												}
												asm("cdq");
												_t174 = 0x11;
												_t182 = (( *(_t192 + _a8) & 0x000000ff) - _v736 + 0x11) % _t174;
												while(_t159 > 0) {
													_t159 = _t159 - 1;
													if(_t192 >= _a4) {
														L29:
														_t192 = _t192 - 1;
														goto L60;
													}
													 *(_v740 + _t192) = _t182;
													_t192 = _t192 + 1;
												}
												goto L29;
											}
										} else {
											_v744 = 0x800000;
											do {
												_v736 =  ~_v736;
												_t142 = _v736;
												if(( *(_t188 + 0x2eb0) & _v744) == 0) {
													_t182 = _t142 + _t142;
													if(_t142 + _t142 >= 0x5e) {
														L46:
														_v736 = _v736 & 0x00000000;
														 *((intOrPtr*)(_t188 + 0x2ebc)) = 1;
														goto L47;
													}
													_t143 =  *((intOrPtr*)(_t193 + _t142 * 4 - 0xd8));
													L45:
													_v736 = _t143;
													goto L47;
												}
												_t64 = _t142 + 1; // 0x1
												_t182 = _t142 + _t64;
												if(_t142 + _t64 >= 0x5e) {
													goto L46;
												}
												_t143 =  *((intOrPtr*)(_t193 + _t142 * 4 - 0xd6));
												goto L45;
												L47:
												_v744 = _v744 >> 1;
											} while (_v736 < 0);
											goto L48;
										}
									}
									_t182 = (E0100815F(_t188, 5) & 0x000000ff) + 0x14;
									L25:
									if(_t182 + _t192 >= _a4) {
										_t182 = _a4 - _t192;
									}
									if(_t182 > 0) {
										_t175 = _t182;
										_t176 = _t175 >> 2;
										_t189 = _v740 + _t192;
										memset(_t189 + _t176, memset(_t189, 0, _t176 << 2), (_t175 & 0x00000003) << 0);
										_t194 = _t194 + 0x18;
										_t188 = _v748;
										_t192 = _t192 + _t182;
									}
									goto L29;
								}
								_t182 = (E0100815F(_t188, 4) & 0x000000ff) + 4;
								goto L25;
							}
						} else {
							_t185 = 0x800000;
							do {
								_t155 =  ~_t157;
								if(( *(_t188 + 0x2eb0) & _t185) == 0) {
									if(_t155 + _t155 >= 0x5e) {
										L15:
										_t157 = 0;
										 *((intOrPtr*)(_t188 + 0x2ebc)) = _t168;
										goto L16;
									}
									_t157 =  *((intOrPtr*)(_t193 + _t155 * 4 - 0xd8));
									goto L16;
								}
								if(_t155 + _t155 + 1 >= 0x5e) {
									goto L15;
								}
								_t157 =  *((intOrPtr*)(_t193 + _t155 * 4 - 0xd6));
								L16:
								_t185 = _t185 >> 1;
							} while (_t157 < 0);
							goto L17;
						}
						L60:
						_t192 = _t192 + 1;
					} while (_t192 < _a4);
					goto L61;
				}
				_t118 = 0;
				goto L63;
			}

0x0100911e
0x0100911e
0x01009129
0x0100912f
0x01009136
0x01009138
0x0100913e
0x01009144
0x01009146
0x0100914e
0x01009152
0x01009153
0x0100915f
0x01009168
0x01009180
0x01009185
0x0100918a
0x01009415
0x0100941d
0x01009420
0x01009420
0x01009421
0x0100942c
0x00000000
0x00000000
0x00000000
0x01009190
0x01009190
0x01009198
0x0100919b
0x010091a1
0x010091ad
0x010091b3
0x010091a3
0x010091a3
0x010091a3
0x010091b8
0x01009200
0x01009204
0x0100922c
0x00000000
0x0100920b
0x01009212
0x0100942f
0x0100942f
0x00000000
0x0100942f
0x01009222
0x01009229
0x01009232
0x01009239
0x00000000
0x00000000
0x01009243
0x01009291
0x010092a7
0x010093fc
0x010093ff
0x01009400
0x01009400
0x01009408
0x00000000
0x01009408
0x010092b7
0x010092c0
0x010092c5
0x010092c5
0x010092cf
0x010092d8
0x010092eb
0x010092f2
0x010092da
0x010092e2
0x010092e2
0x01009300
0x01009370
0x01009378
0x010093a6
0x00000000
0x01009384
0x0100938b
0x00000000
0x00000000
0x0100939f
0x010093ac
0x010093b3
0x00000000
0x00000000
0x010093ca
0x010093cb
0x010093cc
0x010093e4
0x010093d0
0x010093d4
0x01009287
0x01009287
0x00000000
0x01009287
0x010093e0
0x010093e3
0x010093e3
0x00000000
0x010093e8
0x01009302
0x01009302
0x0100930c
0x01009312
0x0100931e
0x01009325
0x0100933a
0x01009340
0x01009353
0x01009353
0x0100935a
0x00000000
0x0100935a
0x01009342
0x0100934a
0x0100934a
0x00000000
0x0100934a
0x01009327
0x01009327
0x0100932e
0x00000000
0x00000000
0x01009330
0x00000000
0x01009360
0x01009360
0x01009366
0x00000000
0x0100930c
0x01009300
0x0100929e
0x01009253
0x01009259
0x0100925e
0x0100925e
0x01009262
0x0100926a
0x0100926e
0x01009271
0x0100927d
0x0100927d
0x0100927f
0x01009285
0x01009285
0x00000000
0x01009262
0x01009250
0x00000000
0x01009250
0x010091ba
0x010091ba
0x010091bf
0x010091c7
0x010091ca
0x010091e5
0x010091f1
0x010091f1
0x010091f3
0x00000000
0x010091f3
0x010091e7
0x00000000
0x010091e7
0x010091d3
0x00000000
0x00000000
0x010091d5
0x010091f9
0x010091f9
0x010091fb
0x00000000
0x010091bf
0x0100940b
0x0100940b
0x0100940c
0x00000000
0x01009190
0x01009161
0x00000000

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3974dae9ebb7a8bc4aa2b7da6efc4464a47bfbc8cab31630611c404ab64ff985
Instruction ID: 734c5ffc2d1f5eaf6f1fdea0ab5366f13342bdfd70bcbe669edc26b63f45a8e5
Opcode Fuzzy Hash: 3974dae9ebb7a8bc4aa2b7da6efc4464a47bfbc8cab31630611c404ab64ff985
Instruction Fuzzy Hash: 8F910630A0459A9EEB1BDF58C8887FEB3B1BB44708F5080AED98D961C2C7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01009558 Relevance: .2, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E01009558(signed int _a8, intOrPtr _a12, signed int _a16, void* _a20, intOrPtr _a24) {
				char _v5;
				signed int _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v92;
				void _v160;
				signed int _t86;
				signed int _t87;
				int _t88;
				void* _t90;
				signed char _t91;
				signed int _t97;
				int _t106;
				signed char _t129;
				void* _t130;
				signed int _t136;
				void* _t138;
				void* _t139;
				void* _t141;
				signed char _t142;
				signed char _t143;
				signed int _t144;
				signed int _t147;
				intOrPtr _t150;
				signed short* _t151;
				signed int _t156;
				signed int _t160;
				signed int _t161;
				signed int _t169;
				signed int _t170;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed short* _t186;
				signed int _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				void* _t199;
				void* _t202;
				signed int _t205;
				void* _t206;
				signed int _t210;
				signed int* _t211;
				void* _t214;
				void* _t215;
				void* _t216;

				_t136 = 0x10;
				memset( &_v160, 0, _t136 << 2);
				_t216 = _t215 + 0xc;
				_t138 = 0;
				if(_a8 <= 0) {
					L2:
					_v92 = 0;
					_t86 = 1;
					do {
						_t139 = 0x10;
						_t196 = ( *(_t214 + _t86 * 4 - 0xa0) << _t139 - _t86) +  *((intOrPtr*)(_t214 + _t86 * 4 - 0x5c));
						_t86 = _t86 + 1;
						 *((intOrPtr*)(_t214 + _t86 * 4 - 0x5c)) = _t196;
					} while (_t86 <= 0x10);
					if(_v28 == 0x10000) {
						_t210 = _a16 & 0x000000ff;
						_t129 = 0x10 - _a16;
						_t87 = 1;
						_v20 = _t210;
						if(_t210 < 1) {
							L12:
							_t141 = 0x10;
							_t142 = _t141 - _t87;
							do {
								_t179 = 1 << _t142;
								_t87 = _t87 + 1;
								_t142 = _t142 - 1;
								 *(_t214 + _t87 * 4 - 0xa4) = _t179;
							} while (_t87 <= 0x10);
							L14:
							_t143 = _t129 & 0x000000ff;
							_t130 = _a20;
							_t181 =  *(_t214 + _t210 * 4 - 0x58) >> _t143;
							_v24 = _t143;
							if(_t181 != 0x10000) {
								_t202 = _t130 + _t181 * 2;
								_t160 = (1 << _t210) - _t181 << 1;
								_t161 = _t160 >> 2;
								memset(_t202 + _t161, memset(_t202, 0, _t161 << 2), (_t160 & 0x00000003) << 0);
								_t216 = _t216 + 0x18;
							}
							_t144 = _a8;
							_t88 = 0;
							_v12 = _t144;
							_v16 = 0;
							if(_t144 <= 0) {
								L31:
								_t90 = 1;
								goto L32;
							} else {
								do {
									_t91 =  *((intOrPtr*)(_t88 + _a12));
									if(_t91 == 0) {
										goto L30;
									}
									_t147 = (_t91 & 0x000000ff) << 2;
									_t211 = _t214 + _t147 - 0x5c;
									_t197 =  *_t211;
									_t183 =  *((intOrPtr*)(_t214 + _t147 - 0xa0)) + _t197;
									if(_t91 > _a16) {
										 *_t211 = _t183;
										_v5 = _t91 - _a16;
										_t198 = _t197 << _v20;
										_t186 = _t130 + (_t197 >> _v24) * 2;
										do {
											_t150 = _a24;
											if( *_t186 == 0) {
												_t97 = _v12 << 2;
												 *((short*)(_t97 + _t150 + 2)) = 0;
												 *((short*)(_t97 + _t150)) = 0;
												_v12 = _v12 + 1;
												 *_t186 =  ~_v12;
											}
											_t151 = _t150 - ( *_t186 << 2);
											if(_t198 < 0) {
												_t151 =  &(_t151[1]);
											}
											_t198 = _t198 << 1;
											_t78 =  &_v5;
											 *_t78 = _v5 - 1;
											_t186 = _t151;
										} while ( *_t78 != 0);
										 *_t186 = _v16;
										goto L30;
									}
									if(_t183 > 1 << _v20) {
										_t90 = 0;
										L32:
										return _t90;
									}
									if(_t197 < _t183) {
										_t199 = _t130 + _t197 * 2;
										_t156 = _t183 - _t197 >> 1;
										_t130 = _a20;
										_t106 = memset(_t199, _v16, _t156 << 2);
										asm("adc ecx, ecx");
										memset(_t199 + _t156, _t106, 0);
										_t216 = _t216 + 0x18;
									}
									 *_t211 = _t183;
									L30:
									_t88 = _v16 + 1;
									_v16 = _t88;
								} while (_t88 < _a8);
								goto L31;
							}
						}
						_t205 = _t210 - 1;
						do {
							 *(_t214 + _t87 * 4 - 0x5c) =  *(_t214 + _t87 * 4 - 0x5c) >> 0x10;
							_t191 = 1 << _t205;
							_t87 = _t87 + 1;
							_t205 = _t205 - 1;
							 *(_t214 + _t87 * 4 - 0xa4) = _t191;
						} while (_t87 <= _t210);
						if(_t87 > 0x10) {
							goto L14;
						}
						goto L12;
					}
					if(_v28 != 0) {
						return 0;
					}
					_t206 = _a20;
					_t169 = 1 << _a16 << 1;
					_t170 = _t169 >> 2;
					memset(_t206 + _t170, memset(_t206, 0, _t170 << 2), (_t169 & 0x00000003) << 0);
					return 1;
				} else {
					goto L1;
				}
				do {
					L1:
					 *((intOrPtr*)(_t214 + ( *(_t138 + _a12) & 0x000000ff) * 4 - 0xa0)) =  *((intOrPtr*)(_t214 + ( *(_t138 + _a12) & 0x000000ff) * 4 - 0xa0)) + 1;
					_t138 = _t138 + 1;
				} while (_t138 < _a8);
				goto L2;
			}

0x01009569
0x01009570
0x01009570
0x01009574
0x01009579
0x01009591
0x01009594
0x01009597
0x01009599
0x010095a2
0x010095a7
0x010095ab
0x010095af
0x010095af
0x010095bc
0x010095ef
0x010095f6
0x010095fb
0x010095fd
0x01009600
0x01009627
0x01009629
0x0100962a
0x0100962c
0x0100962f
0x01009631
0x01009632
0x01009636
0x01009636
0x0100963f
0x01009643
0x01009646
0x01009649
0x0100964b
0x01009654
0x0100965d
0x01009664
0x01009668
0x01009674
0x01009674
0x01009674
0x01009676
0x01009679
0x0100967d
0x01009680
0x01009683
0x01009756
0x01009758
0x00000000
0x01009689
0x01009689
0x0100968c
0x01009691
0x00000000
0x00000000
0x0100969a
0x010096a4
0x010096a8
0x010096aa
0x010096af
0x010096f2
0x010096fb
0x010096fe
0x01009700
0x01009703
0x01009703
0x0100970b
0x01009710
0x01009713
0x01009718
0x01009721
0x01009724
0x01009724
0x0100972d
0x01009732
0x01009735
0x01009735
0x01009736
0x01009738
0x01009738
0x0100973b
0x0100973b
0x01009743
0x00000000
0x01009743
0x010096bb
0x01009760
0x01009759
0x00000000
0x01009759
0x010096c3
0x010096cf
0x010096da
0x010096de
0x010096e1
0x010096e3
0x010096e5
0x010096e5
0x010096e5
0x010096e8
0x01009746
0x01009749
0x0100974d
0x0100974d
0x00000000
0x01009689
0x01009683
0x01009602
0x01009605
0x0100960c
0x01009613
0x01009615
0x01009616
0x01009619
0x01009619
0x01009625
0x00000000
0x00000000
0x00000000
0x01009625
0x010095c1
0x00000000
0x010095e8
0x010095c6
0x010095cf
0x010095d3
0x010095df
0x00000000
0x00000000
0x00000000
0x00000000
0x0100957b
0x0100957b
0x01009589
0x0100958b
0x0100958c
0x00000000

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction ID: 4a48d19044e3ec236ddfe2700c74ad1dffc8538b678a9b9864d77caf5e4adf83
Opcode Fuzzy Hash: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction Fuzzy Hash: 23610531A0055A8FEF1ACF6CC4905BEB7A2EBC9344F15856DD9DAD7382DA309952CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01003E7A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E01003E7A(void* __edi, struct HWND__* _a4, intOrPtr _a8, signed short _a12) {
				intOrPtr _v8;
				void* _v268;
				char _v528;
				intOrPtr _v544;
				CHAR* _v548;
				long _v552;
				void _v560;
				void* __ebx;
				void* __esi;
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t30;
				void* _t32;
				void* _t42;
				void* _t47;
				void* _t55;
				int _t59;
				signed int _t61;
				void* _t64;
				struct HWND__* _t71;

				_t25 =  *0x100c028; // 0x9dd8
				_v8 = _t25;
				_t27 = _a8 - 0x10;
				_t71 = _a4;
				if(_t27 == 0) {
					L13:
					_push(0);
					L14:
					EndDialog(_t71, ??);
					L15:
					_t30 = 1;
					L16:
					return E010062FF(_t30, _t59, _v8, _t64, _t71);
				}
				_t32 = _t27 - 0x100;
				if(_t32 == 0) {
					LoadStringA( *0x100c05c, 0x20000005,  &_v268, 0x104);
					_t59 = 0;
					SendMessageA(_t71, 0xc, 0,  &_v268);
					SendDlgItemMessageA(_t71, 0x67, 0xc, 0,  &_v268);
					SendDlgItemMessageA(_t71, 0x6c, 0xc, 0, "c:\e2ac7bbaf115a22162e746");
					goto L15;
				}
				if(_t32 != 1) {
					L6:
					_t30 = 0;
					goto L16;
				}
				_t42 = (_a12 & 0x0000ffff) - 1;
				if(_t42 == 0) {
					_v268 = 0;
					SendDlgItemMessageA(_t71, 0x6c, 0xd, 0x104,  &_v268);
					_push(E01003E3A( &_v268));
					goto L14;
				}
				_t47 = _t42 - 1;
				if(_t47 == 0) {
					goto L13;
				}
				if(_t47 == 0x6b) {
					_t59 = 0;
					_v268 = 0;
					LoadStringA( *0x100c05c, 0x20000005,  &_v528, 0x104);
					_t61 = 8;
					memset( &_v560, 0, _t61 << 2);
					_v552 =  &_v268;
					_v548 =  &_v528;
					_t55 =  &_v560;
					_v560 = _t71;
					_v544 = 1;
					__imp__SHBrowseForFolderA(_t55);
					if(_t55 != 0) {
						__imp__SHGetPathFromIDListA(_t55,  &_v268);
						if(_t55 != 0) {
							SendDlgItemMessageA(_t71, 0x6c, 0xc, 0,  &_v268);
						}
					}
					SendMessageA(_t71, 0x28, _t59, _t59);
					_t30 = 1;
					goto L16;
				}
				goto L6;
			}

0x01003e85
0x01003e8a
0x01003e90
0x01003e95
0x01003e99
0x01003fed
0x01003fed
0x01003fef
0x01003ff0
0x01003ff6
0x01003ff8
0x01003ff9
0x01004005
0x01004005
0x01003e9f
0x01003ea4
0x01003fb0
0x01003fbd
0x01003fc3
0x01003fdc
0x01003fe9
0x00000000
0x01003fe9
0x01003eab
0x01003ec4
0x01003ec4
0x00000000
0x01003ec4
0x01003eb1
0x01003eb2
0x01003f7d
0x01003f84
0x01003f96
0x00000000
0x01003f96
0x01003eb8
0x01003eb9
0x00000000
0x00000000
0x01003ec2
0x01003ee2
0x01003ee4
0x01003eea
0x01003ef4
0x01003efb
0x01003f03
0x01003f0f
0x01003f17
0x01003f1f
0x01003f25
0x01003f2b
0x01003f33
0x01003f3d
0x01003f45
0x01003f54
0x01003f54
0x01003f45
0x01003f5f
0x01003f65
0x00000000
0x01003f65
0x00000000

APIs

LoadStringA.USER32 ref: 01003EEA
SHBrowseForFolderA.SHELL32(?), ref: 01003F2B
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 01003F3D
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,?), ref: 01003F54
SendMessageA.USER32 ref: 01003F5F
SendDlgItemMessageA.USER32(?,0000006C,0000000D,00000104,?), ref: 01003F84
LoadStringA.USER32 ref: 01003FB0
SendMessageA.USER32 ref: 01003FC3
SendDlgItemMessageA.USER32(?,00000067,0000000C,00000000,?), ref: 01003FDC
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,c:\e2ac7bbaf115a22162e746), ref: 01003FE9
EndDialog.USER32(?,00000000), ref: 01003FF0

Strings

c:\e2ac7bbaf115a22162e746, xrefs: 01003FDE

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: MessageSend$Item$LoadString$BrowseDialogFolderFromListPath
String ID: c:\e2ac7bbaf115a22162e746
API String ID: 4196404735-1159287823
Opcode ID: 8ff38ef0283e2243d984189d5b9706cb04c242c77a24033a99f4f0c10035e197
Instruction ID: ca6d105f0d69831a8513d52e48f8c2b8b825066bcb4f2ed050d46bdd4aedea35
Opcode Fuzzy Hash: 8ff38ef0283e2243d984189d5b9706cb04c242c77a24033a99f4f0c10035e197
Instruction Fuzzy Hash: 1F416A75504219BEFB63DB649C8DFEE7BB8EB18300F0041A5B6C5E60C0DAB59A858F60

Uniqueness

Uniqueness Score: -1.00%

Function 01002E53 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002E53(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				void* _t14;
				void* _t17;
				void* _t19;
				struct HWND__* _t24;

				if(_a8 == 0x10) {
					 *0x100ce04 = 0;
					EndDialog(_a4, 0);
					L14:
					_t14 = 1;
					L15:
					return _t14;
				}
				if(_a8 == 0x16) {
					if(_a12 == 0) {
						L12:
						_t14 = 0;
						goto L15;
					}
					SetEvent( *0x100cf24);
					_v12 = CreateEventW(0, 1, 0, L"Global\\HotfixNoShutDown");
					_t17 =  *0x100d04c; // 0x36c
					_v8 = _t17;
					if(_v12 != 0 && _t17 != 0) {
						WaitForMultipleObjects(2,  &_v12, 0, 0xffffffff);
						CloseHandle(_v12);
					}
					E01002D78();
					_t19 =  *0x100d04c; // 0x36c
					if(_t19 != 0) {
						TerminateProcess(_t19, 1);
					}
					goto L14;
				}
				if(_a8 != 0x110) {
					goto L12;
				}
				_t24 = _a4;
				 *0x100ce04 = _t24;
				if( *0x100c4b4 != 0) {
					 *0x100cf28 = SetParent(_t24, 0xfffffffd);
					Sleep(0x1f4);
				}
				SetEvent( *0x100cf2c);
				goto L14;
			}

0x01002e5f
0x01002f21
0x01002f27
0x01002f2d
0x01002f2f
0x01002f30
0x01002f32
0x01002f32
0x01002e69
0x01002eb5
0x01002f17
0x01002f17
0x00000000
0x01002f17
0x01002ebd
0x01002ed2
0x01002ed8
0x01002edd
0x01002ee0
0x01002eef
0x01002ef8
0x01002ef8
0x01002efe
0x01002f03
0x01002f0a
0x01002f0f
0x01002f0f
0x00000000
0x01002f0a
0x01002e72
0x00000000
0x00000000
0x01002e7f
0x01002e82
0x01002e87
0x01002e97
0x01002e9c
0x01002e9c
0x01002ea8
0x00000000

APIs

SetParent.USER32(?,000000FD), ref: 01002E8C
Sleep.KERNEL32(000001F4), ref: 01002E9C
SetEvent.KERNEL32 ref: 01002EA8
SetEvent.KERNEL32 ref: 01002EBD
CreateEventW.KERNEL32(00000000,00000001,00000000,Global\HotfixNoShutDown), ref: 01002ECC
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01002EEF
CloseHandle.KERNEL32(?), ref: 01002EF8
TerminateProcess.KERNEL32(0000036C,00000001), ref: 01002F0F
EndDialog.USER32(?,00000000), ref: 01002F27

Strings

Global\HotfixNoShutDown, xrefs: 01002EC3

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: Event$CloseCreateDialogHandleMultipleObjectsParentProcessSleepTerminateWait
String ID: Global\HotfixNoShutDown
API String ID: 2160021069-3107748146
Opcode ID: 400348b860b79de6a0f3343453eb6026b643485889c826b2de8ec5d488a1a1e5
Instruction ID: 565771bbe1ded297f6e1eeab05adb2a6758b43a142e37d2f74b43153d2bd27e5
Opcode Fuzzy Hash: 400348b860b79de6a0f3343453eb6026b643485889c826b2de8ec5d488a1a1e5
Instruction Fuzzy Hash: D2219271405214EFFB339FA4DD0C9AE7FB5EB09751F00816AF695920C9D7BA8980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100360C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 67
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0100360C(void* __ebx, void* __ecx, void* __edi, struct HINSTANCE__* _a4) {
				intOrPtr _v8;
				char _v268;
				char _v528;
				char _v788;
				void* __esi;
				intOrPtr _t11;
				void* _t25;
				void* _t29;
				void* _t31;

				_t25 = __ebx;
				_t11 =  *0x100c028; // 0x9dd8
				_v8 = _t11;
				_t12 = _a4;
				if( *0x100c044 == 0) {
					_push(_t31);
					if(E010061F9(__ecx, _t29, __edi, _t12, "options", "patchdll") == 0 || E010060BE(_t14, 1,  &_v528, 0x104) == 0) {
						GetSystemDirectoryA( &_v788, 0x104);
						_push( &_v268);
						_push("mspatcha.dll");
						_push( &_v788);
					} else {
						_push( &_v268);
						_push( &_v528);
						_push("c:\e2ac7bbaf115a22162e746");
					}
					E01002BC4();
					_t12 = LoadLibraryA( &_v268);
					 *0x100c058 = _t12;
					if(_t12 != 0) {
						 *0x100c044 = GetProcAddress(_t12, "GetFilePatchSignatureA");
						 *0x100c040 = GetProcAddress( *0x100c058, "ApplyPatchToFileA");
					}
					_pop(_t31);
					if( *0x100c044 == 0) {
						 *0x100c044 = 0x1003602;
					}
					if( *0x100c040 == 0) {
						 *0x100c040 = 0x10035f8;
					}
				}
				return E010062FF(_t12, _t25, _v8, _t29, _t31);
			}

0x0100360c
0x0100361e
0x01003623
0x01003626
0x01003629
0x0100362f
0x01003647
0x0100367a
0x01003686
0x01003687
0x01003692
0x0100365d
0x01003663
0x0100366a
0x0100366b
0x0100366b
0x01003693
0x0100369f
0x010036a7
0x010036ac
0x010036c7
0x010036ce
0x010036ce
0x010036da
0x010036db
0x010036dd
0x010036dd
0x010036ee
0x010036f0
0x010036f0
0x010036ee
0x01003703

APIs

GetSystemDirectoryA.KERNEL32 ref: 0100367A
LoadLibraryA.KERNEL32(?), ref: 0100369F
GetProcAddress.KERNEL32(00000000,GetFilePatchSignatureA), ref: 010036BA
GetProcAddress.KERNEL32(ApplyPatchToFileA), ref: 010036CC

Strings

mspatcha.dll, xrefs: 01003687
options, xrefs: 01003635
patchdll, xrefs: 01003630
ApplyPatchToFileA, xrefs: 010036BC
GetFilePatchSignatureA, xrefs: 010036B4
c:\e2ac7bbaf115a22162e746, xrefs: 0100366B

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: ApplyPatchToFileA$GetFilePatchSignatureA$c:\e2ac7bbaf115a22162e746$mspatcha.dll$options$patchdll
API String ID: 2141747552-4049131496
Opcode ID: d75fadbb291985e4ccfd5039247aea78be2d5ca5f0885812797b6874b77ceae2
Instruction ID: 86fcc2cc3a29359986d7a0763a20f979a07127794a10d9aeb92e6956b3d7621c
Opcode Fuzzy Hash: d75fadbb291985e4ccfd5039247aea78be2d5ca5f0885812797b6874b77ceae2
Instruction Fuzzy Hash: 012121B1900218AFFB37DBA9DD0DBD637ACBB09304F0085A5B6C997284D7B99684CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01002D78 Relevance: 15.1, APIs: 10, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002D78() {
				void* _t9;
				void* _t10;
				CHAR* _t11;
				intOrPtr* _t17;
				intOrPtr* _t18;

				EnterCriticalSection(0x100d060);
				_t9 =  *0x100c4a4; // 0x0
				if(_t9 != 0) {
					CloseHandle(_t9);
					 *0x100c4a4 =  *0x100c4a4 & 0x00000000;
				}
				_t10 =  *0x100c020; // 0x378
				if(_t10 != 0xffffffff) {
					_t11 = CloseHandle(_t10);
					 *0x100c020 =  *0x100c020 | 0xffffffff;
				}
				_t17 =  *0x100c004; // 0x7963d8
				while(_t17 != 0x100c004) {
					_t11 =  *(_t17 + 4);
					if(_t11 != 0) {
						_t11 = DeleteFileA(_t11);
						if(_t11 == 0) {
							_t11 = GetLastError();
							if(_t11 != 2 && _t11 != 3) {
								_t11 = MoveFileExA( *(_t17 + 4), 0, 4);
							}
						}
						 *(_t17 + 4) =  *(_t17 + 4) & 0x00000000;
					}
					_t17 =  *_t17;
				}
				_t18 =  *0x100c00c; // 0x796118
				while(_t18 != 0x100c00c) {
					_t11 =  *(_t18 + 4);
					if(_t11 != 0) {
						_t11 = RemoveDirectoryA(_t11);
						if(_t11 == 0) {
							_t11 = GetLastError();
							if(_t11 != 2 && _t11 != 3) {
								_t11 = MoveFileExA( *(_t18 + 4), 0, 4);
							}
						}
						 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
					}
					_t18 =  *_t18;
				}
				LeaveCriticalSection(0x100d060);
				return _t11;
			}

0x01002d82
0x01002d88
0x01002d95
0x01002d98
0x01002d9a
0x01002d9a
0x01002da1
0x01002da9
0x01002dac
0x01002dae
0x01002dae
0x01002db5
0x01002df9
0x01002dc8
0x01002dcd
0x01002dd0
0x01002dd8
0x01002dda
0x01002de3
0x01002df1
0x01002df1
0x01002de3
0x01002df3
0x01002df3
0x01002df7
0x01002df7
0x01002dfd
0x01002e3b
0x01002e0a
0x01002e0f
0x01002e12
0x01002e1a
0x01002e1c
0x01002e25
0x01002e33
0x01002e33
0x01002e25
0x01002e35
0x01002e35
0x01002e39
0x01002e39
0x01002e44
0x01002e4d

APIs

EnterCriticalSection.KERNEL32(0100D060,?,?,?,01003914), ref: 01002D82
CloseHandle.KERNEL32(00000000,?,?,?,01003914), ref: 01002D98
CloseHandle.KERNEL32(00000378,?,?,?,01003914), ref: 01002DAC
DeleteFileA.KERNEL32(?,?,?,?,01003914), ref: 01002DD0
GetLastError.KERNEL32(?,?,?,01003914), ref: 01002DDA
MoveFileExA.KERNEL32 ref: 01002DF1
RemoveDirectoryA.KERNEL32(?,?,?,?,01003914), ref: 01002E12
GetLastError.KERNEL32(?,?,?,01003914), ref: 01002E1C
MoveFileExA.KERNEL32 ref: 01002E33
LeaveCriticalSection.KERNEL32(0100D060,?,?,?,01003914), ref: 01002E44

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$CloseCriticalErrorHandleLastMoveSection$DeleteDirectoryEnterLeaveRemove
String ID:
API String ID: 3032557604-0
Opcode ID: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
Instruction ID: eaeb66f063d6c446da59646d057841921a657097434ac8a43aedc69f3ce3f5a1
Opcode Fuzzy Hash: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
Instruction Fuzzy Hash: 9E219F316403409BF6B3DB58DA4DB1A7BAAEB04721F164595F6D6E31C5C739EC00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010033DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010033DB(void* __ecx, void* _a4) {
				long _v8;
				long _v12;
				void* _t10;
				intOrPtr* _t13;
				void* _t16;
				struct _OVERLAPPED* _t20;
				intOrPtr _t24;
				void* _t26;
				void _t27;
				void* _t30;
				void* _t34;

				_v12 = GetLastError();
				_t10 =  *0x100d044; // 0xffffffff
				_t20 = 0;
				if(_t10 == 0) {
					L7:
					_t20 = 1;
				} else {
					SetFilePointer(_t10, 0, 0, 2);
					_t13 = _a4;
					_t34 = _t13 + 1;
					do {
						_t24 =  *_t13;
						_t13 = _t13 + 1;
					} while (_t24 != 0);
					if(WriteFile( *0x100d044, _a4, _t13 - _t34,  &_v8, 0) != 0) {
						_t26 = "\r\n***\r\n\r\n";
						_t16 = _t26;
						_t30 = _t16 + 1;
						do {
							_t27 =  *_t16;
							_t16 = _t16 + 1;
						} while (_t27 != 0);
						if(WriteFile( *0x100d044, _t26, _t16 - _t30,  &_v8, 0) != 0) {
							goto L7;
						}
					}
				}
				SetLastError(_v12);
				return _t20;
			}

0x010033ea
0x010033ed
0x010033f2
0x010033f6
0x01003455
0x01003457
0x010033f8
0x010033fd
0x01003403
0x01003406
0x01003409
0x01003409
0x0100340b
0x0100340c
0x0100342b
0x0100342d
0x01003432
0x01003435
0x01003438
0x01003438
0x0100343a
0x0100343b
0x01003453
0x00000000
0x00000000
0x01003453
0x0100342b
0x0100345b
0x01003466

APIs

GetLastError.KERNEL32(74D0F560,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200,?), ref: 010033E4
SetFilePointer.KERNEL32(FFFFFFFF,00000000,00000000,00000002,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200), ref: 010033FD
WriteFile.KERNEL32(?,?,00000000,00000000,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200), ref: 01003427
WriteFile.KERNEL32(***,***,00000000,00000000,?,?,?,?,?,010034CC,?,?,?,010038D5,?,?), ref: 0100344E
SetLastError.KERNEL32(?,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200,?), ref: 0100345B

Strings

***, xrefs: 0100342D, 01003446, 01003447

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$ErrorLastWrite$Pointer
String ID: ***
API String ID: 1741213463-1787515470
Opcode ID: f259f0daa3fa8cc644dd96105249b9c34566c8285c111745a810dfbc4c84cd6b
Instruction ID: 44ff794e02d1a3db74c08f5772ca78b3d7dcc110a49943917282bb4f95e92f64
Opcode Fuzzy Hash: f259f0daa3fa8cc644dd96105249b9c34566c8285c111745a810dfbc4c84cd6b
Instruction Fuzzy Hash: 4211E5B5600108BFEB138FE8DC8CDAA3FADEB49240F014165BB81DB155EA76AD09C760

Uniqueness

Uniqueness Score: -1.00%

Function 010044AD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E010044AD(intOrPtr* _a4, CHAR* _a8) {
				intOrPtr* _t6;
				char* _t7;
				void* _t14;
				char _t16;
				void* _t23;
				char* _t26;
				CHAR* _t27;
				void* _t28;

				_t6 = _a4;
				_t27 = _a8;
				_t14 = 0;
				_t23 = _t27 - _t6;
				do {
					_t16 =  *_t6;
					 *((char*)(_t23 + _t6)) = _t16;
					_t6 = _t6 + 1;
				} while (_t16 != 0);
				_t7 = strrchr(_t27, 0x2e);
				_t26 = _t7;
				if(_t26 == 0) {
					L7:
					 *_t27 = 0;
				} else {
					__imp___stricmp(_t26, ".sys");
					if(_t7 != 0) {
						goto L7;
					} else {
						_t14 = 1;
						do {
							 *0x101d3e8 =  *0x101d3e8 + 1;
							sprintf(_t26, ".%03u",  *0x101d3e8 % 0x3e8);
							_t28 = _t28 + 0xc;
						} while (GetFileAttributesA(_t27) != 0xffffffff);
						E0100447F(0x100c004, _t27);
					}
				}
				return _t14;
			}

0x010044b2
0x010044b7
0x010044bc
0x010044bf
0x010044c1
0x010044c1
0x010044c3
0x010044c6
0x010044c7
0x010044ce
0x010044d4
0x010044da
0x0100452e
0x0100452e
0x010044dc
0x010044e2
0x010044ec
0x00000000
0x010044ee
0x010044f0
0x010044f1
0x010044ff
0x0100450c
0x01004512
0x0100451c
0x01004527
0x01004527
0x010044ec
0x01004537

APIs

strrchr.MSVCRT ref: 010044CE
_stricmp.MSVCRT(00000000,.sys), ref: 010044E2
sprintf.MSVCRT ref: 0100450C
GetFileAttributesA.KERNEL32(?), ref: 01004516

Strings

.%03u, xrefs: 01004506
.sys, xrefs: 010044DC

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: AttributesFile_stricmpsprintfstrrchr
String ID: .%03u$.sys
API String ID: 3323407637-674990528
Opcode ID: 1ff158e2bc5fa47faf8acc8ac29c6469c21ce8e7ed94fe9ef2c6fd643a7bfcd0
Instruction ID: 49d5ea88e9c73088097ed9a15219229db482fa6d83c04b0c91c0a0ec1b993438
Opcode Fuzzy Hash: 1ff158e2bc5fa47faf8acc8ac29c6469c21ce8e7ed94fe9ef2c6fd643a7bfcd0
Instruction Fuzzy Hash: 9D0190352042005FF3134B6DAC889A73BE9DFCA622F10812EF7C4C31C1CE7588018364

Uniqueness

Uniqueness Score: -1.00%

Function 01003892 Relevance: 7.5, APIs: 5, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01003892(int _a4) {
				char _v132;
				char _v644;
				void* _t19;
				int _t20;

				_t20 = _a4;
				if(_t20 == 0xffffffff) {
					_t20 = GetLastError();
				}
				if( *0x101d3e0 == 0) {
					E01002D09(_t20, 0x200,  &_v644);
					E0100346E(_t19,  &_v644);
					_v132 = 0;
					LoadStringA( *0x100c05c, 0x20000003,  &_v132, 0x80);
					MessageBoxA( *0x100ce04,  &_v644,  &_v132, 0x10010);
				}
				E01002D78();
				if(_t20 == 0) {
					_t20 = _t20 + 1;
				}
				if( *0x100c060 != 0) {
					DeleteCriticalSection(0x100d060);
					 *0x100c060 =  *0x100c060 & 0x00000000;
				}
				ExitProcess(_t20);
			}

0x0100389e
0x010038a4
0x010038ac
0x010038ac
0x010038b5
0x010038c4
0x010038d0
0x010038e9
0x010038ed
0x01003909
0x01003909
0x0100390f
0x01003916
0x01003918
0x01003918
0x01003920
0x01003927
0x0100392d
0x0100392d
0x01003935

APIs

GetLastError.KERNEL32 ref: 010038A6
LoadStringA.USER32 ref: 010038ED
MessageBoxA.USER32 ref: 01003909
DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CriticalDeleteErrorExitLastLoadMessageProcessSectionString
String ID:
API String ID: 3880362259-0
Opcode ID: 0930090407c2940a87bd685511672d1101a90b25c2312edca6e979305b6cca41
Instruction ID: 95fc673a3485858558866d3e75a01873537341b781b9074dca4c1e746b7b8f2d
Opcode Fuzzy Hash: 0930090407c2940a87bd685511672d1101a90b25c2312edca6e979305b6cca41
Instruction Fuzzy Hash: C2018435401118AFFB73EBA4DD8CBE977B8BB04315F140295FAC0A60C4DB795A48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100628C Relevance: 7.5, APIs: 5, Instructions: 36
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0100628C() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t17;

				_t7 =  *0x100c028; // 0x9dd8
				if(_t7 == 0 || _t7 == 0xbb40) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t7 = (_v16 ^ _v20.LowPart ^ _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11) & 0x0000ffff;
					if(_t7 == 0) {
						_t7 = 0xbb40;
					}
					 *0x100c028 = _t7;
				}
				_t17 =  !_t7;
				 *0x100c024 = _t17;
				return _t17;
			}

0x01006294
0x0100629b
0x010062a9
0x010062b5
0x010062bd
0x010062c5
0x010062d1
0x010062df
0x010062e5
0x010062e7
0x010062e7
0x010062ec
0x010062ec
0x010062f1
0x010062f3
0x010062f9

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 010062A9
GetCurrentProcessId.KERNEL32 ref: 010062B5
GetCurrentThreadId.KERNEL32 ref: 010062BD
GetTickCount.KERNEL32 ref: 010062C5
QueryPerformanceCounter.KERNEL32(?), ref: 010062D1

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9f9a8a372e71f4ba5fd6d590d704713b28d7a18848ebf7ccacbe1fec22a7f2bd
Instruction ID: cb9998d7c512c76f87658832ca3486ab159dbae6228a0cd13093ddd9b699de7a
Opcode Fuzzy Hash: 9f9a8a372e71f4ba5fd6d590d704713b28d7a18848ebf7ccacbe1fec22a7f2bd
Instruction Fuzzy Hash: 00F03C36D002189BEB22EBF8E44C59AB7F9EF0C310F4106A1F591E7146DB3AE900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01002821 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002821(void* __ecx) {
				long _v8;
				void* _t6;
				int _t9;

				_t6 =  *0x100c020; // 0x378
				if(_t6 == 0xffffffff) {
					return _t6;
				}
				SetFilePointer(_t6, 0, 0, 0);
				_t9 = ReadFile( *0x100c020, "Sdwn", 0x314,  &_v8, 0);
				if(_t9 == 0 || _v8 != 0x314 ||  *0x100c8c0 != 0x6e776453) {
					 *0x100c8cb =  *0x100c8cb | 0x00000080;
				} else {
					if(( *0x100c8cb & 0x00000080) == 0) {
						 *0x100c8cb =  *0x100c8cb | 0x00000040;
						 *0x100cacf = 0;
						 *0x100cbd3 = 0;
						_t9 = _snprintf(0x100cd00, 0x103, 0x100cad0);
						if( *0x100c8c4 == 0x10000 && ( *0x100c8c8 & 0x3fffffec) == 0) {
							 *0x100c8cb =  *0x100c8cb & 0x000000bf;
						}
					}
				}
				return _t9;
			}

0x01002827
0x0100282f
0x010028d3
0x010028d3
0x0100283d
0x01002859
0x01002861
0x010028c9
0x01002874
0x0100287b
0x0100287d
0x01002893
0x01002899
0x0100289f
0x010028b2
0x010028c0
0x010028c0
0x010028b2
0x0100287b
0x00000000

APIs

SetFilePointer.KERNEL32(00000378,00000000,00000000,00000000), ref: 0100283D
ReadFile.KERNEL32(Sdwn,00000314,?,00000000), ref: 01002859
_snprintf.MSVCRT ref: 0100289F

Strings

Sdwn, xrefs: 0100284E

Memory Dump Source

Source File: 00000008.00000002.425136735.0000000001002000.00000020.00000001.01000000.00000006.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.425129636.0000000001000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425152658.000000000100C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.425164274.000000000101E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_vcredist_x86_2010.jbxd

Similarity

API ID: File$PointerRead_snprintf
String ID: Sdwn
API String ID: 1063975976-2102837186
Opcode ID: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
Instruction ID: 9dcb7796340e3617a47c656186b8592bb183c83f9254e4a58000cb69e97ca3b5
Opcode Fuzzy Hash: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
Instruction Fuzzy Hash: F311A176501344ABF7338768AA8DB623BD8A706374F1403D9F5D1A20DAC37A4B84C379

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Setup.exePID: 5876, Parent PID: 5424COMMON

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	11.5%
Signature Coverage:	0.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	78

Executed Functions

Function 6B13DBFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 174
comCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6B13DBFF(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t65;
				intOrPtr* _t66;
				void* _t71;
				intOrPtr* _t81;
				intOrPtr _t83;
				intOrPtr* _t90;
				void* _t107;
				intOrPtr* _t117;
				intOrPtr* _t134;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t139;
				void* _t142;
				intOrPtr* _t143;
				void* _t147;

				_t147 = __eflags;
				_t131 = __edx;
				E6B16265B(0x6b16603d, __ebx, __edi, __esi);
				_t139 = __ecx;
				_t121 = 0;
				 *((intOrPtr*)(_t142 - 4)) = 0;
				 *((intOrPtr*)(_t142 - 0x24)) = _t143;
				 *_t143 = E6B1583FD( *((intOrPtr*)(_t142 + 8)) + 0xfffffff0) + 0x10;
				_t65 = E6B13D923(0, _t131, _t143, _t139, _t147, _t142 - 0x14, __ecx,  *__ecx); // executed
				_t134 = _t139 + 8;
				 *((char*)(_t142 - 4)) = 1;
				__imp__CoCreateInstance(0x6b137930, 0, 0x17, 0x6b137970, _t134, 0x30); // executed
				 *((intOrPtr*)(_t142 - 0x1c)) = _t65;
				_t148 = _t65;
				if(_t65 >= 0) {
					_t66 =  *_t134;
					_t131 = _t142 - 0x18;
					 *((intOrPtr*)(_t142 - 0x18)) = 0;
					__eflags =  *((intOrPtr*)( *_t66 + 0x104))(_t66,  *((intOrPtr*)(_t142 - 0x14)), _t142 - 0x18);
					if(__eflags != 0) {
						L17:
						_push(_t142 - 0x1c);
						_t135 = 0x6b1379e4;
						E6B14E8E8(0x6b1379e4, _t139, __eflags);
						_push(_t142 - 0x24);
						_push(_t139);
						 *((char*)(_t142 - 4)) = 2;
						_t71 = E6B13DE1D(0x6b1379e4, __eflags);
						_push(_t142 - 0x1c);
						_push(_t71);
						_push(_t142 - 0x30);
						 *((char*)(_t142 - 4)) = 3;
						E6B13CA39(_t121, _t142 - 0x1c, _t131, 0x6b1379e4, _t139, __eflags);
						E6B158460( *((intOrPtr*)(_t142 - 0x24)) + 0xfffffff0, _t131);
						 *((char*)(_t142 - 4)) = 6;
						E6B158460( *((intOrPtr*)(_t142 - 0x1c)) + 0xfffffff0, _t131);
						_push(_t142 - 0x20);
						_t81 = E6B13CAC2(_t121, _t142 - 0x30, _t131, _t135, _t139, __eflags);
						 *((char*)(_t142 - 4)) = 7;
						_push( *_t81);
						_t139 =  *_t139;
						_push(L"m_spDoc->loadXML() failed. Parse error is: %s");
						_push(_t121);
						E6B13B93E(_t121, _t131, _t135, _t139, __eflags);
						 *((char*)(_t142 - 4)) = 6;
						_t83 =  *((intOrPtr*)(_t142 - 0x20));
						goto L6;
					} else {
						__eflags =  *((short*)(_t142 - 0x18)) - 0xffff;
						if(__eflags != 0) {
							goto L17;
						} else {
							 *((intOrPtr*)(_t142 - 0x10)) = 0;
							 *((char*)(_t142 - 4)) = 8;
							_t137 =  *_t134;
							__eflags =  *((intOrPtr*)( *_t137 + 0xb4))(_t137, _t142 - 0x10);
							if(__eflags != 0) {
								_push(_t142 - 0x1c);
								_t135 = 0x6b1379e4;
								E6B14E8E8(0x6b1379e4, _t139, __eflags);
								_push(_t142 - 0x20);
								_push(_t139);
								 *((char*)(_t142 - 4)) = 9;
								_t107 = E6B13DE1D(0x6b1379e4, __eflags);
								_push(_t142 - 0x1c);
								_push(_t107);
								_push(_t142 - 0x30);
								 *((char*)(_t142 - 4)) = 0xa;
								E6B13CA39(0, _t142 - 0x1c, _t131, 0x6b1379e4, _t139, __eflags);
								E6B158460( *((intOrPtr*)(_t142 - 0x20)) + 0xfffffff0, _t131);
								 *((char*)(_t142 - 4)) = 0xd;
								__eflags =  *((intOrPtr*)(_t142 - 0x1c)) + 0xfffffff0;
								E6B158460( *((intOrPtr*)(_t142 - 0x1c)) + 0xfffffff0, _t131);
								_push(_t142 - 0x24);
								_t117 = E6B13CAC2(0, _t142 - 0x30, _t131, _t135, _t139, __eflags);
								 *((char*)(_t142 - 4)) = 0xe;
								_push( *_t117);
								_t139 =  *_t139;
								_push(L"m_spDoc->get_documentElement() failed. Parse error is: %s");
								_push(0);
								E6B13B93E(0, _t131, _t135, _t139, __eflags);
								 *((char*)(_t142 - 4)) = 0xd;
								_t83 =  *((intOrPtr*)(_t142 - 0x24));
								L6:
								__eflags = _t83 + 0xfffffff0;
								E6B158460(_t83 + 0xfffffff0, _t131);
								_push(_t142 - 0x30);
								E6B13D170(_t121, _t142 - 0x3c, _t135, _t139, __eflags);
								E6B15DBDB(_t142 - 0x3c, 0x6b1682a0);
							}
						}
					}
					_t136 =  *((intOrPtr*)(_t142 - 0x10));
					__eflags = _t136 - _t121;
					if(_t136 != _t121) {
						 *((intOrPtr*)( *_t136 + 4))(_t136);
					}
					_t140 = _t139 + 0xc;
					__eflags =  *((intOrPtr*)(_t139 + 0xc)) - _t136;
					if( *((intOrPtr*)(_t139 + 0xc)) != _t136) {
						E6B157D2D(_t136, _t140);
					}
					__eflags = _t136 - _t121;
					if(_t136 != _t121) {
						 *((intOrPtr*)( *_t136 + 8))(_t136);
					}
					 *((char*)(_t142 - 4)) = 1;
					_t90 =  *((intOrPtr*)(_t142 - 0x10));
					__eflags = _t90 - _t121;
					if(_t90 != _t121) {
						 *((intOrPtr*)( *_t90 + 8))(_t90);
					}
					__imp__#6( *((intOrPtr*)(_t142 - 0x14)));
				} else {
					E6B13B93E(0, _t131, _t134,  *_t139, _t148);
					__imp__#6( *((intOrPtr*)(_t142 - 0x14)), 0, L"CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d", _t65);
					_t121 =  *((intOrPtr*)(_t142 - 0x1c));
				}
				E6B158460( *((intOrPtr*)(_t142 + 8)) + 0xfffffff0, _t131);
				return E6B162709(_t121);
			}

0x6b13dbff
0x6b13dbff
0x6b13dc06
0x6b13dc0b
0x6b13dc0d
0x6b13dc0f
0x6b13dc1b
0x6b13dc28
0x6b13dc2e
0x6b13dc33
0x6b13dc44
0x6b13dc48
0x6b13dc4e
0x6b13dc51
0x6b13dc53
0x6b13dc77
0x6b13dc79
0x6b13dc80
0x6b13dc8c
0x6b13dc8e
0x6b13dda2
0x6b13dda5
0x6b13dda6
0x6b13ddab
0x6b13ddb3
0x6b13ddb4
0x6b13ddb5
0x6b13ddb9
0x6b13ddc1
0x6b13ddc2
0x6b13ddc6
0x6b13ddc7
0x6b13ddcb
0x6b13ddd6
0x6b13dddb
0x6b13dde5
0x6b13dded
0x6b13ddf1
0x6b13ddf6
0x6b13ddfa
0x6b13ddfc
0x6b13ddfe
0x6b13de03
0x6b13de04
0x6b13de09
0x6b13de0d
0x00000000
0x6b13dc94
0x6b13dc94
0x6b13dc99
0x00000000
0x6b13dc9f
0x6b13dc9f
0x6b13dca2
0x6b13dca6
0x6b13dcb5
0x6b13dcb7
0x6b13dcc0
0x6b13dcc1
0x6b13dcc6
0x6b13dcce
0x6b13dccf
0x6b13dcd0
0x6b13dcd4
0x6b13dcdc
0x6b13dcdd
0x6b13dce1
0x6b13dce2
0x6b13dce6
0x6b13dcf1
0x6b13dcf6
0x6b13dcfd
0x6b13dd00
0x6b13dd08
0x6b13dd0c
0x6b13dd11
0x6b13dd15
0x6b13dd17
0x6b13dd19
0x6b13dd1e
0x6b13dd1f
0x6b13dd24
0x6b13dd28
0x6b13dd2e
0x6b13dd2e
0x6b13dd31
0x6b13dd39
0x6b13dd3d
0x6b13dd4b
0x6b13dd4b
0x6b13dcb7
0x6b13dc99
0x6b13dd50
0x6b13dd53
0x6b13dd55
0x6b13dd5a
0x6b13dd5a
0x6b13dd5d
0x6b13dd60
0x6b13dd62
0x6b13dd64
0x6b13dd64
0x6b13dd69
0x6b13dd6b
0x6b13dd70
0x6b13dd70
0x6b13dd73
0x6b13dd77
0x6b13dd7a
0x6b13dd7c
0x6b13dd81
0x6b13dd81
0x6b13dd87
0x6b13dc55
0x6b13dc5e
0x6b13dc69
0x6b13dc6f
0x6b13dc6f
0x6b13dd93
0x6b13dd9f

APIs

__EH_prolog3.LIBCMT ref: 6B13DC06

Part of subcall function 6B13D923: __EH_prolog3.LIBCMT ref: 6B13D92A
Part of subcall function 6B13D923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D960
Part of subcall function 6B13D923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D9BA
Part of subcall function 6B13D923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13DA0D

CoCreateInstance.OLE32(6B137930,00000000,00000017,6B137970,?,?,?,?,00000030,6B1462D8), ref: 6B13DC48
SysFreeString.OLEAUT32(?), ref: 6B13DC69

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13DE1D: __EH_prolog3.LIBCMT ref: 6B13DE24
Part of subcall function 6B13DE1D: SysFreeString.OLEAUT32(00000000), ref: 6B13DE6B

Part of subcall function 6B13CA39: __EH_prolog3.LIBCMT ref: 6B13CA40

Part of subcall function 6B13CAC2: __EH_prolog3.LIBCMT ref: 6B13CAC9

__CxxThrowException@8.LIBCMT ref: 6B13DD4B
SysFreeString.OLEAUT32(?), ref: 6B13DD87

Part of subcall function 6B13B93E: __EH_prolog3.LIBCMT ref: 6B13B945

Strings

CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6B13DC58
m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6B13DD19
m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6B13DDFE

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$FreeString$Path$CombineCreateException@8FileInstanceModuleNameRelativeThrow
String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
API String ID: 3627190661-2525052916
Opcode ID: fd8b822c81f8824b93ba97edae7bda7b0deb7e221ef084c5bb7260d8da08123d
Instruction ID: bf8743ecd8d41b27278fbd8e594eead153a286e406b5eb674ad51a6fc7ef1875
Opcode Fuzzy Hash: fd8b822c81f8824b93ba97edae7bda7b0deb7e221ef084c5bb7260d8da08123d
Instruction Fuzzy Hash: D3616172800119FFDB00DBF8C885EEEBBB8AF19318F144559E164B7291E778AA15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B15681A Relevance: 10.5, APIs: 7, Instructions: 34
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6B15681A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t27;

				_push(8);
				E6B16265B(0x6b164888, __ebx, __edi, __esi);
				 *(_t27 - 0x10) = 0;
				 *((intOrPtr*)(_t27 - 4)) = 0;
				 *(_t27 - 0x14) = GetLastError();
				SetLastError(0);
				FormatMessageW(0x500,  *(_t27 + 0xc), 0, 0, _t27 - 0x10, 0,  *(_t27 + 0x10)); // executed
				if(GetLastError() != 0) {
					E6B1583ED();
				}
				SetLastError( *(_t27 - 0x14));
				E6B1581B6( *((intOrPtr*)(_t27 + 8)),  *(_t27 - 0x10));
				return E6B162709(LocalFree( *(_t27 - 0x10)));
			}

0x6b15681a
0x6b156821
0x6b156828
0x6b15682b
0x6b15683d
0x6b156840
0x6b156854
0x6b15685e
0x6b156860
0x6b156860
0x6b156868
0x6b156870
0x6b156883

APIs

__EH_prolog3.LIBCMT ref: 6B156821
GetLastError.KERNEL32(00000008,6B1550A0,?,00000000,00000000,?,?,6B148DC8,?,%1!I64u!,?,?), ref: 6B156834
SetLastError.KERNEL32(00000000,?,6B148DC8,?,%1!I64u!,?,?), ref: 6B156840
FormatMessageW.KERNELBASE(00000500,00000000,00000000,00000000,F69FF218,00000000,F69FF218,?,6B148DC8,?,%1!I64u!,?,?), ref: 6B156854
GetLastError.KERNEL32(?,6B148DC8,?,%1!I64u!,?,?), ref: 6B15685A
SetLastError.KERNEL32(?,?,6B148DC8,?,%1!I64u!,?,?), ref: 6B156868
LocalFree.KERNEL32(F69FF218,?,F69FF218,?,6B148DC8,?,%1!I64u!,?,?), ref: 6B156878

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorLast$FormatFreeH_prolog3LocalMessage
String ID:
API String ID: 69132360-0
Opcode ID: 73c62c2de6cd3ffbf483fa304c3ad25f69625736309d434232688556cab224a1
Instruction ID: 3fa927478ff8e218e79648583a68fae10139cd1c0d2d449c2c904628f2ed22cb
Opcode Fuzzy Hash: 73c62c2de6cd3ffbf483fa304c3ad25f69625736309d434232688556cab224a1
Instruction Fuzzy Hash: A2F0447180022AFFDF10AFB9CC45DAEBA79FFA1741B00401AA520A2060EB748A20DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6B15697A Relevance: 47.7, APIs: 16, Strings: 11, Instructions: 457
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E6B15697A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t191;
				intOrPtr* _t192;
				intOrPtr* _t194;
				intOrPtr* _t196;
				int _t202;
				int _t210;
				intOrPtr* _t215;
				intOrPtr* _t217;
				intOrPtr _t219;
				WCHAR* _t222;
				WCHAR* _t224;
				WCHAR* _t226;
				WCHAR* _t228;
				intOrPtr* _t233;
				void* _t247;
				void* _t250;
				short _t252;
				int _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				int _t260;
				int _t262;
				int _t266;
				intOrPtr* _t272;
				int _t283;
				intOrPtr _t285;
				intOrPtr* _t289;
				int _t301;
				int _t312;
				intOrPtr* _t323;
				int _t329;
				intOrPtr* _t336;
				intOrPtr _t347;
				intOrPtr* _t365;
				void* _t384;
				int _t393;
				WCHAR* _t394;
				void* _t397;
				intOrPtr* _t398;
				int _t400;
				WCHAR* _t401;
				int _t405;
				void* _t408;
				int _t409;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t417;

				_t417 = __eflags;
				_t382 = __edi;
				_t373 = __edx;
				E6B16265B(0x6b1666e6, __ebx, __edi, __esi);
				E6B141E75(__ebx, __ecx, __edx, __edi, __esi, _t417);
				 *((intOrPtr*)(_t408 - 4)) = 0;
				 *(_t408 - 0x14) = 0;
				_t191 = _t408 - 0x14;
				 *((char*)(_t408 - 4)) = 1;
				__imp__CoCreateInstance(0x6b137980, 0, 0x17, 0x6b137970, _t191, _t408 - 0x64, 0x68); // executed
				_t393 = _t191;
				_t418 = _t393;
				if(_t393 >= 0) {
					_t192 =  *(_t408 - 0x14);
					 *((intOrPtr*)( *_t192 + 0xfc))(_t192, 0);
					_t194 =  *(_t408 - 0x14);
					 *((intOrPtr*)( *_t194 + 0x118))(_t194, 0);
					_t196 =  *(_t408 - 0x14);
					_t347 =  *_t196;
					 *((intOrPtr*)(_t347 + 0x110))(_t196, 0xffffffff);
					_push(_t347);
					 *(_t408 - 0x50) = _t409;
					_push(_t409);
					_t383 = L"UiInfo.xml";
					E6B14E8E8(L"UiInfo.xml", _t393, __eflags);
					_push(_t408 - 0x18);
					E6B1550FB(0, _t347, __edx, L"UiInfo.xml", _t393, __eflags);
					 *((char*)(_t408 - 4)) = 4;
					_t202 = PathIsRelativeW( *(_t408 - 0x18));
					__eflags = _t202;
					if(_t202 != 0) {
						 *(_t408 - 0x24) = E6B1583FD( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0) + 0x10;
						 *((char*)(_t408 - 4)) = 5;
						E6B14F21D(_t408 - 0x24,  *(_t408 - 0x18));
						_t394 =  *(_t408 - 0x24);
						_t383 = PathFileExistsW;
						PathFileExistsW(_t394);
						_t210 = PathFileExistsW(_t394);
						__eflags = _t210;
						if(_t210 != 0) {
							_t383 = _t408 - 0x18;
							E6B14EA8D(_t408 - 0x24, _t408 - 0x18);
						}
						 *((char*)(_t408 - 4)) = 4;
						E6B158460(_t394 - 0x10, _t373);
					} else {
						PathFileExistsW( *(_t408 - 0x18)); // executed
					}
					E6B157CDC(_t408 - 0x74,  *(_t408 - 0x18));
					 *((char*)(_t408 - 4)) = 6;
					 *((intOrPtr*)(_t408 - 0x30)) = 0;
					E6B13B93E(0, _t373, _t383,  *((intOrPtr*)(_t408 + 8)), __eflags); // executed
					_t215 =  *(_t408 - 0x14);
					_t374 = _t408 - 0x30;
					_t411 = _t409 + 0xc - 0x10;
					_t384 = _t411;
					_t397 = _t408 - 0x74;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd"); // executed
					__eflags =  *((intOrPtr*)( *_t215 + 0xe8))(_t215, _t408 - 0x30, 4, L"Loading file - %s",  *(_t408 - 0x18));
					if(__eflags < 0) {
						L35:
						 *(_t408 - 0x24) = 0;
						 *((char*)(_t408 - 4)) = 7;
						_t217 =  *(_t408 - 0x14);
						 *((intOrPtr*)( *_t217 + 0xf0))(_t217, _t408 - 0x24);
						_t219 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t408 - 0x2c)) =  *((intOrPtr*)(_t219 + 0xc))() + 0x10;
						 *((char*)(_t408 - 4)) = 8;
						_t222 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t222 + 0x2c))(_t222, _t408 - 0x44);
						_t224 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t224 + 0x30))(_t224, _t408 - 0x40);
						 *((intOrPtr*)(_t408 - 0x3c)) = 0;
						 *((intOrPtr*)(_t408 - 0x38)) = 0;
						 *((char*)(_t408 - 4)) = 0xa;
						_t226 =  *(_t408 - 0x24);
						 *((intOrPtr*)( *_t226 + 0x24))(_t226, _t408 - 0x3c);
						_t228 =  *(_t408 - 0x24);
						_t379 = _t408 - 0x38;
						 *((intOrPtr*)( *_t228 + 0x28))(_t228, _t408 - 0x38);
						_t398 = E6B14E8E8( *((intOrPtr*)(_t408 - 0x38)), _t397, __eflags);
						 *((char*)(_t408 - 4)) = 0xb;
						_t233 = E6B14E8E8( *((intOrPtr*)(_t408 - 0x3c)), _t398, __eflags);
						 *((char*)(_t408 - 4)) = 0xc;
						E6B1580BA(_t408 - 0x2c, L"\nValidation FAILED \n\nErr on line: %d @column: %d\n\nReason:\n%s \n\nSrcText:\n%s",  *((intOrPtr*)(_t408 - 0x44)));
						_t412 = _t411 + 0x18;
						E6B158460( *((intOrPtr*)(_t408 - 0x48)) + 0xfffffff0, _t408 - 0x38);
						 *((char*)(_t408 - 4)) = 0xa;
						E6B158460( *(_t408 - 0x50) + 0xfffffff0, _t408 - 0x38);
						_t355 =  *((intOrPtr*)(_t408 + 8));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t408 + 8)))) + 4))(0,  *((intOrPtr*)(_t408 - 0x2c)),  *((intOrPtr*)(_t408 - 0x40)),  *_t233,  *_t398, _t408 - 0x48, _t408 - 0x50);
						_push(_t408 + 8);
						_t387 = L"UIInfo.xml";
						E6B14E8E8(L"UIInfo.xml", _t398, __eflags);
						_push(_t408 + 8);
						 *((char*)(_t408 - 4)) = 0xd;
						_t247 = _t408 - 0x2c;
						goto L29;
					} else {
						__eflags =  *((short*)(_t408 - 0x30)) - 0xffff;
						if(__eflags != 0) {
							goto L35;
						}
						 *(_t408 - 0x20) = 0;
						_t301 = _t408 - 0x20;
						 *((char*)(_t408 - 4)) = 0xe;
						__imp__CoCreateInstance(0x6b137990, 0, 0x17, 0x6b1379a0, _t301); // executed
						_t400 = _t301;
						__eflags = _t400;
						if(__eflags >= 0) {
							_push(_t408 - 0x1c);
							_t390 = L"SetupUi.xsd";
							E6B14E8E8(L"SetupUi.xsd", _t400, __eflags);
							 *((char*)(_t408 - 4)) = 0x11;
							__eflags = PathIsRelativeW( *(_t408 - 0x1c));
							if(__eflags != 0) {
								 *(_t408 - 0x24) = E6B1583FD( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0) + 0x10;
								 *((char*)(_t408 - 4)) = 0x12;
								E6B14F21D(_t408 - 0x24,  *(_t408 - 0x1c));
								_t401 =  *(_t408 - 0x24);
								_t390 = PathFileExistsW;
								PathFileExistsW(_t401); // executed
								_t312 = PathFileExistsW(_t401); // executed
								__eflags = _t312;
								if(_t312 != 0) {
									_t390 = _t408 - 0x1c;
									E6B14EA8D(_t408 - 0x24, _t408 - 0x1c);
								}
								 *((char*)(_t408 - 4)) = 0x11;
								E6B158460(_t401 - 0x10, _t374);
							} else {
								PathFileExistsW( *(_t408 - 0x1c));
							}
							E6B13B93E(0, _t374, _t390,  *((intOrPtr*)(_t408 + 8)), __eflags); // executed
							E6B157CDC(_t408 - 0x5c,  *(_t408 - 0x1c));
							 *((char*)(_t408 - 4)) = 0x13;
							_t365 =  *(_t408 - 0x20);
							_t412 = _t411 + 0xc - 0x10;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd"); // executed
							_t405 =  *((intOrPtr*)( *_t365 + 0x1c))(_t365, L"http://schemas.microsoft.com/SetupUI/2008/01/imui", 4, L"Add to schema collection schema file - %s",  *(_t408 - 0x1c));
							 *((char*)(_t408 - 4)) = 0x11;
							__imp__#9(_t408 - 0x5c);
							__eflags = _t405;
							if(_t405 == 0) {
								L25:
								_t252 = 9;
								 *((short*)(_t408 - 0x5c)) = _t252;
								_t253 =  *(_t408 - 0x20);
								 *(_t408 - 0x54) = _t253;
								__eflags = _t253;
								if(_t253 != 0) {
									 *((intOrPtr*)( *_t253 + 4))(_t253);
								}
								 *((char*)(_t408 - 4)) = 0x14;
								_t254 =  *(_t408 - 0x14);
								_t413 = _t412 - 0x10;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								 *((intOrPtr*)( *_t254 + 0x138))(_t254);
								_t398 = __imp__#9;
								 *_t398(_t408 - 0x5c);
								 *(_t408 - 0x28) = 0;
								 *((char*)(_t408 - 4)) = 0x15;
								_t258 =  *(_t408 - 0x14);
								 *((intOrPtr*)( *_t258 + 0x13c))(_t258, _t408 - 0x28);
								_t260 =  *(_t408 - 0x28);
								_t374 = _t408 - 0x34;
								 *(_t408 - 0x34) = 0;
								 *((intOrPtr*)( *_t260 + 0x1c))(_t260, _t408 - 0x34);
								__eflags =  *(_t408 - 0x34);
								if(__eflags == 0) {
									 *((char*)(_t408 - 4)) = 0x11;
									_t262 =  *(_t408 - 0x28);
									__eflags = _t262;
									if(_t262 != 0) {
										 *((intOrPtr*)( *_t262 + 8))(_t262);
									}
									E6B158460( &(( *(_t408 - 0x1c))[0xfffffffffffffff8]), _t374);
									 *((char*)(_t408 - 4)) = 6;
									_t266 =  *(_t408 - 0x20);
									__eflags = _t266;
									if(_t266 != 0) {
										 *((intOrPtr*)( *_t266 + 8))(_t266);
									}
									 *_t398(_t408 - 0x74);
									L16:
									E6B158460( &(( *(_t408 - 0x18))[0xfffffffffffffff8]), _t374);
									L2:
									 *((char*)(_t408 - 4)) = 0;
									_t272 =  *(_t408 - 0x14);
									if(_t272 != 0) {
										 *((intOrPtr*)( *_t272 + 8))(_t272);
									}
									E6B158460( *((intOrPtr*)(_t408 - 0x60)) + 0xfffffff0, _t374);
									return E6B162709(E6B158460( *((intOrPtr*)(_t408 - 0x64)) + 0xfffffff0, _t374));
								} else {
									 *((intOrPtr*)(_t408 - 0x2c)) = 0;
									 *((char*)(_t408 - 4)) = 0x16;
									_t283 =  *(_t408 - 0x28);
									_t379 = _t408 - 0x2c;
									 *((intOrPtr*)( *_t283 + 0x24))(_t283, _t408 - 0x2c);
									_t285 =  *0x6b16fe10; // 0x6b1333ec
									 *(_t408 - 0x24) =  *((intOrPtr*)(_t285 + 0xc))() + 0x10;
									 *((char*)(_t408 - 4)) = 0x17;
									_t289 = E6B14E8E8( *((intOrPtr*)(_t408 - 0x2c)), _t398, __eflags);
									 *((char*)(_t408 - 4)) = 0x18;
									E6B1580BA(_t408 - 0x24, L"\nValidation FAILED \n\n\nReason:\n%s",  *_t289);
									 *((char*)(_t408 - 4)) = 0x17;
									_t412 = _t413 + 0xc;
									__eflags =  *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0;
									E6B158460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, _t408 - 0x2c);
									_t355 =  *((intOrPtr*)(_t408 + 8));
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t408 + 8)))) + 4))(0,  *(_t408 - 0x24), _t408 - 0x3c);
									_push(_t408 + 8);
									_t387 = L"UIInfo.xml";
									E6B14E8E8(L"UIInfo.xml", _t398, __eflags);
									_push(_t408 + 8);
									 *((char*)(_t408 - 4)) = 0x19;
									_t247 = _t408 - 0x24;
									L29:
									_push(_t247);
									_push(_t408 - 0x58);
									E6B13CA39(0, _t355, _t379, _t387, _t398, __eflags);
									_push(0x6b1682a0);
									_t250 = _t408 - 0x58;
									goto L24;
								}
							} else {
								 *(_t408 - 0x54) = 0x6b136e14;
								 *(_t408 - 0x50) = _t405;
								_push(0x6b1682d8);
								_t250 = _t408 - 0x54;
								L24:
								_push(_t250);
								E6B15DBDB();
								goto L25;
							}
						}
						 *(_t408 - 0x54) = 0x6b136e14;
						 *(_t408 - 0x50) = _t400;
						 *((char*)(_t408 - 4)) = 0xf;
						_t323 = E6B13C98C(_t408 - 0x54, _t408 - 0x3c);
						 *((char*)(_t408 - 4)) = 0x10;
						_push( *_t323);
						_push(_t400);
						_push(L"CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)");
						_push(4);
						E6B13B93E(0, _t374, _t384,  *((intOrPtr*)(_t408 + 8)), __eflags);
						 *((char*)(_t408 - 4)) = 0xf;
						E6B158460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, _t374);
						_push(L"Stopping XML schema validation of UI information and continuing");
						_push(4);
						E6B13B93E(0, _t374, _t384,  *((intOrPtr*)(_t408 + 8)), __eflags);
						 *((char*)(_t408 - 4)) = 6;
						_t329 =  *(_t408 - 0x20);
						__eflags = _t329;
						if(_t329 != 0) {
							 *((intOrPtr*)( *_t329 + 8))(_t329);
						}
						__imp__#9(_t408 - 0x74);
						goto L16;
					}
				}
				 *(_t408 - 0x54) = 0x6b136e14;
				 *(_t408 - 0x50) = _t393;
				 *((char*)(_t408 - 4)) = 2;
				_t336 = E6B13C98C(_t408 - 0x54, _t408 - 0x3c);
				 *((char*)(_t408 - 4)) = 3;
				_push( *_t336);
				_push(_t393);
				_push(L"CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)");
				_push(4);
				E6B13B93E(0, __edx, __edi,  *((intOrPtr*)(_t408 + 8)), _t418);
				 *((char*)(_t408 - 4)) = 2;
				E6B158460( *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0, __edx);
				_push(L"Stopping XML schema validation of UI information and continuing");
				_push(4);
				E6B13B93E(0, _t373, _t382,  *((intOrPtr*)(_t408 + 8)),  *((intOrPtr*)(_t408 - 0x3c)) + 0xfffffff0);
				goto L2;
			}

0x6b15697a
0x6b15697a
0x6b15697a
0x6b156981
0x6b15698a
0x6b156991
0x6b156994
0x6b156997
0x6b1569a8
0x6b1569ac
0x6b1569b2
0x6b1569b4
0x6b1569b6
0x6b156a36
0x6b156a3d
0x6b156a43
0x6b156a4a
0x6b156a50
0x6b156a53
0x6b156a58
0x6b156a5e
0x6b156a61
0x6b156a64
0x6b156a65
0x6b156a6a
0x6b156a72
0x6b156a73
0x6b156a78
0x6b156a7f
0x6b156a85
0x6b156a87
0x6b156aa2
0x6b156aa5
0x6b156aaf
0x6b156ab4
0x6b156ab7
0x6b156abe
0x6b156ac1
0x6b156ac3
0x6b156ac5
0x6b156aca
0x6b156acd
0x6b156acd
0x6b156ad5
0x6b156ad9
0x6b156a89
0x6b156a8c
0x6b156a8c
0x6b156ae4
0x6b156ae9
0x6b156afa
0x6b156afd
0x6b156b02
0x6b156b0a
0x6b156b0e
0x6b156b11
0x6b156b13
0x6b156b16
0x6b156b17
0x6b156b18
0x6b156b1a
0x6b156b21
0x6b156b23
0x6b156df0
0x6b156df0
0x6b156df3
0x6b156df7
0x6b156e01
0x6b156e07
0x6b156e17
0x6b156e1a
0x6b156e1e
0x6b156e28
0x6b156e2b
0x6b156e35
0x6b156e38
0x6b156e3b
0x6b156e3e
0x6b156e42
0x6b156e4c
0x6b156e4f
0x6b156e54
0x6b156e59
0x6b156e68
0x6b156e6d
0x6b156e75
0x6b156e7a
0x6b156e91
0x6b156e99
0x6b156e9f
0x6b156ea4
0x6b156eae
0x6b156eb6
0x6b156ebc
0x6b156ec2
0x6b156ec3
0x6b156ec8
0x6b156ed0
0x6b156ed1
0x6b156ed5
0x00000000
0x6b156b29
0x6b156b29
0x6b156b2e
0x00000000
0x00000000
0x6b156b34
0x6b156b37
0x6b156b48
0x6b156b4c
0x6b156b52
0x6b156b54
0x6b156b56
0x6b156bd6
0x6b156bd7
0x6b156bdc
0x6b156be1
0x6b156bee
0x6b156bf0
0x6b156c0b
0x6b156c0e
0x6b156c18
0x6b156c1d
0x6b156c20
0x6b156c27
0x6b156c2a
0x6b156c2c
0x6b156c2e
0x6b156c33
0x6b156c36
0x6b156c36
0x6b156c3e
0x6b156c42
0x6b156bf2
0x6b156bf5
0x6b156bf5
0x6b156c54
0x6b156c62
0x6b156c67
0x6b156c6b
0x6b156c70
0x6b156c77
0x6b156c78
0x6b156c79
0x6b156c80
0x6b156c84
0x6b156c8a
0x6b156c8e
0x6b156c94
0x6b156c96
0x6b156cb0
0x6b156cb2
0x6b156cb3
0x6b156cb7
0x6b156cba
0x6b156cbd
0x6b156cbf
0x6b156cc4
0x6b156cc4
0x6b156cc7
0x6b156ccb
0x6b156cd0
0x6b156cd8
0x6b156cd9
0x6b156cda
0x6b156cdc
0x6b156cdd
0x6b156ce3
0x6b156ced
0x6b156cef
0x6b156cf2
0x6b156cf6
0x6b156d00
0x6b156d06
0x6b156d09
0x6b156d0d
0x6b156d13
0x6b156d16
0x6b156d19
0x6b156db8
0x6b156dbc
0x6b156dbf
0x6b156dc1
0x6b156dc6
0x6b156dc6
0x6b156dcf
0x6b156dd4
0x6b156dd8
0x6b156ddb
0x6b156ddd
0x6b156de2
0x6b156de2
0x6b156de9
0x6b156bc3
0x6b156bc9
0x6b156a08
0x6b156a08
0x6b156a0b
0x6b156a10
0x6b156a15
0x6b156a15
0x6b156a1e
0x6b156a33
0x6b156d1f
0x6b156d1f
0x6b156d22
0x6b156d26
0x6b156d2b
0x6b156d30
0x6b156d33
0x6b156d43
0x6b156d49
0x6b156d51
0x6b156d56
0x6b156d65
0x6b156d6a
0x6b156d71
0x6b156d74
0x6b156d77
0x6b156d7f
0x6b156d85
0x6b156d8b
0x6b156d8c
0x6b156d91
0x6b156d99
0x6b156d9a
0x6b156d9e
0x6b156da1
0x6b156da1
0x6b156da5
0x6b156da6
0x6b156dab
0x6b156db0
0x00000000
0x6b156db0
0x6b156c98
0x6b156c98
0x6b156c9f
0x6b156ca2
0x6b156ca7
0x6b156caa
0x6b156caa
0x6b156cab
0x00000000
0x6b156cab
0x6b156c96
0x6b156b58
0x6b156b5f
0x6b156b69
0x6b156b6d
0x6b156b72
0x6b156b76
0x6b156b78
0x6b156b7c
0x6b156b81
0x6b156b83
0x6b156b88
0x6b156b95
0x6b156b9a
0x6b156b9f
0x6b156ba1
0x6b156ba6
0x6b156baa
0x6b156baf
0x6b156bb1
0x6b156bb6
0x6b156bb6
0x6b156bbd
0x00000000
0x6b156bbd
0x6b156b23
0x6b1569b8
0x6b1569bf
0x6b1569c9
0x6b1569cd
0x6b1569d2
0x6b1569d6
0x6b1569d8
0x6b1569dc
0x6b1569e1
0x6b1569e3
0x6b1569e8
0x6b1569f5
0x6b1569fa
0x6b1569ff
0x6b156a01
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B156981

Part of subcall function 6B141E75: __EH_prolog3.LIBCMT ref: 6B141E7C
Part of subcall function 6B141E75: GetThreadLocale.KERNEL32(?,00000004,6B146734,0000004C,0000004C,6B147142,?,00000000), ref: 6B141E8E

CoCreateInstance.OLE32(6B137980,00000000,00000017,6B137970,?,?,00000068,6B1565A6,?,?,?,?,6B152A30,?,00000000,?), ref: 6B1569AC
PathIsRelativeW.SHLWAPI(?,?,?,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6B156A7F
PathFileExistsW.KERNELBASE(?,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271), ref: 6B156A8C
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6B156ABE
PathFileExistsW.SHLWAPI(?,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271), ref: 6B156AC1
CoCreateInstance.OLE32(6B137990,00000000,00000017,6B1379A0,?), ref: 6B156B4C

Part of subcall function 6B13C98C: GetThreadLocale.KERNEL32 ref: 6B13C999

Part of subcall function 6B13B93E: __EH_prolog3.LIBCMT ref: 6B13B945

Part of subcall function 6B14F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6B13C3AE), ref: 6B14F241

VariantClear.OLEAUT32(?), ref: 6B156BBD

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

PathIsRelativeW.SHLWAPI(?,?), ref: 6B156BE8
PathFileExistsW.SHLWAPI(?), ref: 6B156BF5
PathFileExistsW.KERNELBASE(?,?), ref: 6B156C27
PathFileExistsW.KERNELBASE(?), ref: 6B156C2A
VariantClear.OLEAUT32(?), ref: 6B156C8E
__CxxThrowException@8.LIBCMT ref: 6B156CAB
VariantClear.OLEAUT32(?), ref: 6B156CED
VariantClear.OLEAUT32(?), ref: 6B156DE9

Part of subcall function 6B13CA39: __EH_prolog3.LIBCMT ref: 6B13CA40

Strings

Loading file - %s, xrefs: 6B156AF3
SetupUi.xsd, xrefs: 6B156BD7
CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s), xrefs: 6B1569DC
UiInfo.xml, xrefs: 6B156A65
Stopping XML schema validation of UI information and continuing, xrefs: 6B1569FA, 6B156B9A
CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s), xrefs: 6B156B7C
Validation FAILED Reason:%s, xrefs: 6B156D5F
Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s, xrefs: 6B156E8B
http://schemas.microsoft.com/SetupUI/2008/01/imui, xrefs: 6B156C7A
Add to schema collection schema file - %s, xrefs: 6B156C4D
UIInfo.xml, xrefs: 6B156D8C, 6B156EC3

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$H_prolog3$ClearVariant$CreateInstanceLocaleRelativeThread$AppendException@8Throw
String ID: Validation FAILED Reason:%s$Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s$Add to schema collection schema file - %s$CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)$CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)$Loading file - %s$SetupUi.xsd$Stopping XML schema validation of UI information and continuing$UIInfo.xml$UiInfo.xml$http://schemas.microsoft.com/SetupUI/2008/01/imui
API String ID: 3881019808-2332759018
Opcode ID: 3fdc3c481e8ad4e1bdd06cfe9fdb09583ccf935b862833f2d94aeb4cc1ddb744
Instruction ID: d39b2ed5c7bc212dc4a8b2e28aab81affd1cbabc8d87067e3e1dd402a994c99f
Opcode Fuzzy Hash: 3fdc3c481e8ad4e1bdd06cfe9fdb09583ccf935b862833f2d94aeb4cc1ddb744
Instruction Fuzzy Hash: 58025BB2D0025DFFDF00DBE8C989ADDBBB5AF09318F244198E514BB241D739AA15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B1404F9 Relevance: 42.2, APIs: 28, Instructions: 157
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E6B1404F9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t47;
				intOrPtr* _t53;
				void* _t56;
				void* _t65;
				int _t92;
				intOrPtr* _t101;
				void* _t110;
				void* _t114;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t120;
				void* _t121;

				_t121 = __eflags;
				_t110 = __edx;
				E6B16265B(0x6b16598d, __ebx, __edi, __esi);
				_t117 =  *((intOrPtr*)(_t119 + 8));
				_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x74)))) + 0x1c))(0x2c);
				_t47 =  *((intOrPtr*)( *_t101 + 0x18))();
				 *((intOrPtr*)(_t119 - 0x10)) = _t120;
				 *_t120 = E6B1583FD( *_t47 - 0x10) + 0x10;
				 *(_t119 - 4) =  *(_t119 - 4) & 0x00000000;
				_t53 =  *((intOrPtr*)( *_t101 + 0x14))(_t101);
				_push(_t101);
				 *((intOrPtr*)(_t119 - 0x14)) = _t120;
				_t56 = E6B1583FD( *_t53 - 0x10);
				 *(_t119 - 4) =  *(_t119 - 4) | 0xffffffff;
				 *_t120 = _t56 + 0x10;
				E6B14FB4F(_t101, _t110, _t120, _t117, _t121);
				_t114 = GetDlgItem;
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65)) == 0 && IsDlgButtonChecked( *(_t117 + 4), 0x65) != 0 && IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) != 0) {
					CheckDlgButton( *(_t117 + 4), 0x65, 0);
					CheckDlgButton( *(_t117 + 4), 0x66, 1);
				}
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) == 0 && IsDlgButtonChecked( *(_t117 + 4), 0x66) != 0) {
					_t92 = IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65));
					_t127 = _t92;
					if(_t92 != 0) {
						CheckDlgButton( *(_t117 + 4), 0x66, 0);
						CheckDlgButton( *(_t117 + 4), 0x65, 1);
					}
				}
				_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 8)) + 0x74)))) + 4))();
				_push(_t101);
				_push(_t119 - 0x38);
				E6B13F2BE(_t65, _t110, _t114, _t117, _t127);
				 *(_t119 - 4) = 1;
				E6B13F415(_t119 - 0x38, GetParent( *(_t117 + 4))); // executed
				if(IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x65)) != 0 || IsWindowEnabled(GetDlgItem( *(_t117 + 4), 0x66)) != 0) {
					E6B13E389(_t117 + 4, 2); // executed
				} else {
					E6B13F4D6(_t119 - 0x38, GetParent( *(_t117 + 4)));
					EnableWindow(GetDlgItem(GetParent( *(_t117 + 4)),  *(_t119 - 0x28)), 1);
				}
				SetWindowLongW( *(_t117 + 4), 0xfffffff4, 0x6b);
				SetWindowTextW(GetParent( *(_t117 + 4)),  *( *((intOrPtr*)(_t119 + 8)) + 0x58)); // executed
				PostMessageW( *(_t117 + 4), 0x6f5, 0, 0); // executed
				E6B140913(_t110, _t119 - 0x38);
				return E6B162709(1);
			}

0x6b1404f9
0x6b1404f9
0x6b140500
0x6b140505
0x6b140510
0x6b140516
0x6b14051f
0x6b14052c
0x6b14052e
0x6b140536
0x6b14053b
0x6b14053f
0x6b140544
0x6b140549
0x6b140550
0x6b140552
0x6b140557
0x6b14056d
0x6b140597
0x6b1405a4
0x6b1405a4
0x6b1405ba
0x6b1405d3
0x6b1405d9
0x6b1405db
0x6b1405e4
0x6b1405f1
0x6b1405f1
0x6b1405db
0x6b1405ff
0x6b140602
0x6b140606
0x6b140609
0x6b14060e
0x6b140622
0x6b140639
0x6b14067a
0x6b140649
0x6b140656
0x6b14066d
0x6b14066d
0x6b140686
0x6b14069d
0x6b1406af
0x6b1406b8
0x6b1406c5

APIs

__EH_prolog3.LIBCMT ref: 6B140500

Part of subcall function 6B1583FD: _memcpy_s.LIBCMT ref: 6B15844E

Part of subcall function 6B14FB4F: __EH_prolog3.LIBCMT ref: 6B14FB56
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FB6B
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6B14FB78
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FBB5
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,0000047E,?,?), ref: 6B14FBC1
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FBD3
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,00000480,?,?), ref: 6B14FBDF

GetDlgItem.USER32 ref: 6B140562
IsWindowEnabled.USER32(00000000), ref: 6B140565
IsDlgButtonChecked.USER32(000000FF,00000065), ref: 6B140574
GetDlgItem.USER32 ref: 6B140583
IsWindowEnabled.USER32(00000000), ref: 6B140586
CheckDlgButton.USER32(000000FF,00000065,00000000), ref: 6B140597
CheckDlgButton.USER32(000000FF,00000066,00000001), ref: 6B1405A4
GetDlgItem.USER32 ref: 6B1405AF
IsWindowEnabled.USER32(00000000), ref: 6B1405B2
IsDlgButtonChecked.USER32(000000FF,00000066), ref: 6B1405C1
GetDlgItem.USER32 ref: 6B1405D0
IsWindowEnabled.USER32(00000000), ref: 6B1405D3
CheckDlgButton.USER32(000000FF,00000066,00000000), ref: 6B1405E4
CheckDlgButton.USER32(000000FF,00000065,00000001), ref: 6B1405F1
GetParent.USER32(00000001), ref: 6B140618
GetDlgItem.USER32 ref: 6B14062C
IsWindowEnabled.USER32(00000000), ref: 6B140635
GetDlgItem.USER32 ref: 6B140640
IsWindowEnabled.USER32(00000000), ref: 6B140643
GetParent.USER32(00000001), ref: 6B14064C
GetParent.USER32(00000001), ref: 6B14065E
GetDlgItem.USER32 ref: 6B140668
EnableWindow.USER32(00000000,00000001), ref: 6B14066D
SetWindowLongW.USER32 ref: 6B140686
GetParent.USER32(00000001), ref: 6B140695
SetWindowTextW.USER32(00000000,?), ref: 6B14069D
PostMessageW.USER32(00000001,000006F5,00000000,00000000), ref: 6B1406AF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$ItemParent$ButtonEnabled$CheckMessage$Send$CheckedH_prolog3$EnableLongPostText_memcpy_s
String ID:
API String ID: 1237731162-0
Opcode ID: 8d77680f9779f50729dd701a4df95a97b1d917194635bd0a7f845bc895211f47
Instruction ID: 550f37134b0f50292f3c443fb4ecae5be76365c24c437f5635935bbaa6c2d67a
Opcode Fuzzy Hash: 8d77680f9779f50729dd701a4df95a97b1d917194635bd0a7f845bc895211f47
Instruction Fuzzy Hash: 03513771640705BBDB20AF75CD4EF4A7BB6EF15B51F004428F156AB6A0EB79EA20CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6B142B11 Relevance: 38.9, APIs: 11, Strings: 11, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6B142B11(void* __ebx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t227;
				intOrPtr* _t228;
				intOrPtr* _t233;
				void* _t242;
				intOrPtr* _t243;
				short* _t248;
				void* _t266;
				WCHAR* _t268;
				void* _t278;
				short* _t280;
				void* _t285;
				signed int _t307;
				signed int _t308;
				signed int _t311;
				signed int _t312;
				int _t321;
				int _t322;
				signed int _t325;
				long _t334;
				intOrPtr* _t345;
				intOrPtr* _t352;
				intOrPtr* _t364;
				void* _t372;
				signed int _t382;
				intOrPtr* _t387;
				WCHAR* _t412;
				WCHAR** _t418;
				intOrPtr* _t435;
				void* _t443;
				intOrPtr* _t445;
				void* _t447;
				void* _t448;
				short* _t452;

				_t448 = __eflags;
				_t425 = __edx;
				_push(0x88);
				E6B16265B(0x6b166a61, __ebx, __edi, __esi);
				 *(_t447 - 0x40) =  *(_t447 - 0x40) & 0x00000000;
				_push(_t447 - 0x20);
				E6B14E8E8(L"WizardImages", __esi, _t448);
				 *(_t447 - 4) =  *(_t447 - 4) & 0x00000000;
				E6B13D65F( *(_t447 + 0xc), __ebx, _t447 - 0x68, _t447 - 0x20);
				 *(_t447 - 4) = 2;
				E6B158460( *(_t447 - 0x20) + 0xfffffff0, __edx);
				_push(_t447 - 0x14);
				E6B14E8E8(L"HeaderImage", __esi, _t448);
				 *(_t447 - 4) = 3;
				_t227 = E6B13D65F(_t447 - 0x68, __ebx, _t447 - 0x5c, _t447 - 0x14);
				_t409 = _t447 - 0x24;
				_t438 = _t227;
				 *(_t447 - 4) = 4;
				_t228 = E6B13D76F(_t447 - 0x24, L"HeaderImage", _t227, _t448);
				 *(_t447 - 4) = 5;
				_push(_t447 - 0x18);
				E6B14E8E8( *_t228, _t227, _t448);
				E6B158460( *((intOrPtr*)(_t447 - 0x24)) + 0xfffffff0, _t425);
				 *(_t447 - 4) = 8;
				_t233 =  *((intOrPtr*)(_t447 - 0x5c));
				_t449 = _t233;
				if(_t233 != 0) {
					 *((intOrPtr*)( *_t233 + 8))(_t233);
				}
				 *(_t447 - 4) = 9;
				E6B158460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
				_push(_t447 - 0x48);
				E6B14E8E8(L"Watermark", _t438, _t449);
				 *(_t447 - 4) = 0xa;
				_t242 = E6B13D65F(_t447 - 0x68, _t409, _t447 - 0x94, _t447 - 0x48);
				_t410 = _t447 - 0x40;
				_t439 = _t242;
				 *(_t447 - 4) = 0xb;
				_t243 = E6B13D76F(_t447 - 0x40, L"Watermark", _t242, _t449);
				_t414 = _t447 - 0x1c;
				 *(_t447 - 4) = 0xc;
				_push(_t447 - 0x1c);
				E6B14E8E8( *_t243, _t242, _t449);
				E6B158460( *(_t447 - 0x40) + 0xfffffff0, _t425);
				 *(_t447 - 4) = 0xf;
				_t248 =  *(_t447 - 0x94);
				_t450 = _t248;
				if(_t248 != 0) {
					_t414 =  *_t248;
					 *((intOrPtr*)( *_t248 + 8))(_t248);
				}
				 *(_t447 - 4) = 0x10;
				E6B158460( *((intOrPtr*)(_t447 - 0x48)) + 0xfffffff0, _t425);
				_push(_t447 - 0x14);
				E6B14E8E8(L"Caption", _t439, _t450);
				 *(_t447 - 4) = 0x11;
				E6B13D65F( *(_t447 + 0xc), _t410, _t447 - 0x5c, _t447 - 0x14);
				 *(_t447 - 4) = 0x13;
				E6B158460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
				_push(_t447 + 0xc);
				E6B14E8E8(L"Default", _t439, _t450);
				 *(_t447 - 4) = 0x14;
				_t266 = E6B13D6C4(_t447 - 0x5c, _t410, _t414, _t447 - 0x3c, _t447 + 0xc);
				_t411 = _t447 - 0x50;
				 *(_t447 - 4) = 0x15;
				E6B13D76F(_t447 - 0x50, L"Default", _t266, _t450);
				 *(_t447 - 4) = 0x17;
				_t268 =  *(_t447 - 0x3c);
				_t441 = 0;
				if(_t268 != 0) {
					_t414 =  *_t268;
					 *((intOrPtr*)( *_t268 + 8))(_t268);
				}
				_t452 =  &(( *(_t447 + 0xc))[0xfffffffffffffff8]);
				E6B158460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]), _t425);
				 *(_t447 - 0x3c) = _t441;
				 *(_t447 - 0x38) = _t441;
				 *(_t447 - 0x34) = _t441;
				 *(_t447 - 4) = 0x19;
				 *(_t447 - 0x7c) = L"Install";
				 *(_t447 - 0x78) = L"Repair";
				 *(_t447 - 0x74) = L"Uninstall";
				 *(_t447 - 0x70) = L"CreateLayout";
				 *(_t447 - 0x6c) = L"UninstallPatch";
				 *(_t447 + 0xc) = _t441;
				do {
					_t434 =  *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c));
					_push(_t447 - 0x14);
					E6B14E8E8( *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c)), _t441, _t452);
					 *(_t447 - 4) = 0x1a;
					_t278 = E6B13D6C4(_t447 - 0x5c, _t411, _t414, _t447 - 0x88, _t447 - 0x14);
					_t411 = _t447 - 0x20;
					 *(_t447 - 4) = 0x1b;
					E6B13D76F(_t447 - 0x20,  *((intOrPtr*)(_t447 +  *(_t447 + 0xc) * 4 - 0x7c)), _t278, _t452);
					 *(_t447 - 4) = 0x1d;
					_t280 =  *(_t447 - 0x88);
					if(_t280 != 0) {
						_t414 =  *_t280;
						 *((intOrPtr*)( *_t280 + 8))(_t280);
					}
					 *(_t447 - 4) = 0x1e;
					E6B158460( *((intOrPtr*)(_t447 - 0x14)) + 0xfffffff0, _t425);
					_t285 = E6B158199( *(_t447 - 0x20));
					_t443 = _t447 - 0x20;
					_t454 = _t285;
					if(_t285 <= 0) {
						_t443 = _t447 - 0x50;
					}
					_push(_t447 - 0x24);
					E6B14E8E8(_t434, _t443, _t454);
					_push(_t443);
					_push(_t447 - 0x24);
					_t441 = _t447 - 0x3c;
					 *(_t447 - 4) = 0x1f;
					E6B14F5FD(_t411, _t414, _t434, _t447 - 0x3c, _t454); // executed
					E6B158460( *((intOrPtr*)(_t447 - 0x24)) + 0xfffffff0, _t425);
					 *(_t447 - 4) = 0x19;
					E6B158460( *(_t447 - 0x20) + 0xfffffff0, _t425);
					 *(_t447 + 0xc) =  &(( *(_t447 + 0xc))[0]);
					_t455 =  *(_t447 + 0xc) - 5;
				} while ( *(_t447 + 0xc) < 5);
				_push(_t447 - 0x30);
				E6B141E75(_t411, _t414, _t425, _t434, _t441, _t455);
				 *(_t447 - 4) = 0x20;
				if(PathIsRelativeW( *(_t447 - 0x18)) != 0) {
					 *(_t447 + 0xc) = E6B1583FD( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0) + 0x10;
					 *(_t447 - 4) = 0x21;
					E6B14F21D(_t447 + 0xc,  *((intOrPtr*)(_t447 - 0x2c)));
					E6B14F21D(_t447 + 0xc,  *(_t447 - 0x18));
					_t411 =  *(_t447 + 0xc);
					_t444 = PathFileExistsW;
					_t307 = PathFileExistsW(_t411); // executed
					__eflags = _t307;
					if(_t307 == 0) {
						_t434 = _t447 + 0xc;
						E6B14EA8D(_t447 - 0x30, _t447 + 0xc);
						E6B14F21D(_t447 + 0xc,  *(_t447 - 0x18));
						_t411 =  *(_t447 + 0xc);
					}
					_t308 = PathFileExistsW(_t411); // executed
					__eflags = _t308;
					if(_t308 == 0) {
						_t124 = _t411 - 0x10; // -11
						 *(_t447 - 4) = 0x20;
						E6B158460(_t124, _t425);
						_t311 = 0;
						__eflags = 0;
						goto L21;
					} else {
						_t434 = _t447 - 0x18;
						E6B14EA8D(_t447 + 0xc, _t447 - 0x18);
						_t118 = _t411 - 0x10; // -11
						 *(_t447 - 4) = 0x20;
						E6B158460(_t118, _t425);
						goto L18;
					}
				} else {
					_t444 = PathFileExistsW;
					_t311 = PathFileExistsW( *(_t447 - 0x18)) & 0xffffff00 | _t403 != 0x00000000;
					L21:
					_t458 = _t311;
					if(_t311 != 0) {
						L18:
						_t312 = PathIsRelativeW( *(_t447 - 0x1c));
						__eflags = _t312;
						if(_t312 != 0) {
							goto L24;
						} else {
							_t382 = PathFileExistsW( *(_t447 - 0x1c));
							__eflags = _t382;
							_t325 = _t382 & 0xffffff00 | _t382 != 0x00000000;
							goto L31;
						}
					} else {
						E6B13C9BB(_t411, _t414, _t434, _t444, _t458);
						_t444 = 0x6b136e38;
						 *((intOrPtr*)(_t447 - 0x44)) = 0x6b136e38;
						 *(_t447 - 4) = 0x22;
						_t387 = E6B13CB96(_t411, _t447 - 0x44, _t425, _t434, 0x6b136e38, _t458);
						 *(_t447 - 4) = 0x23;
						_t425 =  *( *(_t447 + 0x10));
						( *( *(_t447 + 0x10)))[2](0,  *_t387, _t447 + 0xc, _t447 - 0x44, _t447 - 0x18);
						 *(_t447 - 4) = 0x22;
						E6B158460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]),  *( *(_t447 + 0x10)));
						_push(_t447 - 0x44);
						_t414 = _t447 - 0x28;
						E6B13D1B4(_t411, _t447 - 0x28, _t434, 0x6b136e38,  &(( *(_t447 + 0xc))[0xfffffffffffffff8]));
						 *(_t447 - 0x28) = 0x6b136e38;
						_push(0x6b168364);
						_t372 = _t447 - 0x28;
						L23:
						_push(_t372);
						E6B15DBDB();
						L24:
						 *(_t447 + 0xc) = E6B1583FD( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0) + 0x10;
						 *(_t447 - 4) = 0x24;
						E6B14F21D(_t447 + 0xc,  *((intOrPtr*)(_t447 - 0x2c)));
						E6B14F21D(_t447 + 0xc,  *(_t447 - 0x1c));
						_t411 =  *(_t447 + 0xc);
						_t321 = PathFileExistsW(_t411); // executed
						if(_t321 == 0) {
							_t434 = _t447 + 0xc;
							E6B14EA8D(_t447 - 0x30, _t447 + 0xc);
							E6B14F21D(_t447 + 0xc,  *(_t447 - 0x1c));
							_t411 =  *(_t447 + 0xc);
						}
						_t322 = PathFileExistsW(_t411); // executed
						if(_t322 == 0) {
							_t172 = _t411 - 0x10; // -11
							 *(_t447 - 4) = 0x20;
							E6B158460(_t172, _t425);
							_t325 = 0;
							__eflags = 0;
							L31:
							__eflags = _t325;
							if(__eflags == 0) {
								E6B13C9BB(_t411, _t414, _t434, _t444, __eflags);
								_t444 = 0x6b136e38;
								 *(_t447 - 0x28) = 0x6b136e38;
								 *(_t447 - 4) = 0x25;
								_t364 = E6B13CB96(_t411, _t447 - 0x28, _t425, _t434, 0x6b136e38, __eflags);
								 *(_t447 - 4) = 0x26;
								_t425 =  *( *(_t447 + 0x10));
								( *( *(_t447 + 0x10)))[2](0,  *_t364, _t447 + 0xc, _t447 - 0x28, _t447 - 0x1c);
								 *(_t447 - 4) = 0x25;
								E6B158460( &(( *(_t447 + 0xc))[0xfffffffffffffff8]),  *( *(_t447 + 0x10)));
								_push(_t447 - 0x28);
								_t414 = _t447 - 0x4c;
								E6B13D1B4(_t411, _t447 - 0x4c, _t434, 0x6b136e38, __eflags);
								 *(_t447 - 0x4c) = 0x6b136e38;
								_push(0x6b168364);
								_t372 = _t447 - 0x4c;
								goto L23;
							}
						} else {
							E6B14EA8D(_t447 + 0xc, _t447 - 0x1c);
							_t155 = _t411 - 0x10; // -11
							E6B158460(_t155, _t425);
						}
					}
				}
				 *(_t447 - 4) = 0x27;
				_t435 =  *((intOrPtr*)(_t447 + 8));
				 *_t435 = 0x6b13731c;
				 *((intOrPtr*)(_t435 + 4)) = E6B1583FD( &(( *(_t447 - 0x1c))[0xfffffffffffffff8])) + 0x10;
				 *(_t447 - 4) = 0x28;
				 *((intOrPtr*)(_t435 + 8)) = E6B1583FD( &(( *(_t447 - 0x18))[0xfffffffffffffff8])) + 0x10;
				_t445 = _t435 + 0xc;
				_t334 = 0;
				 *_t445 = 0;
				 *((intOrPtr*)(_t445 + 4)) = 0;
				 *((intOrPtr*)(_t445 + 8)) = 0;
				 *(_t447 - 4) = 0x2a;
				 *(_t447 + 0xc) = 0;
				if( *(_t447 - 0x34) <= 0) {
					L37:
					E6B158460( *((intOrPtr*)(_t447 - 0x2c)) + 0xfffffff0, _t425);
					E6B158460( *((intOrPtr*)(_t447 - 0x30)) + 0xfffffff0, _t425);
					E6B14F5A3(_t447 - 0x3c);
					E6B158460( *(_t447 - 0x50) + 0xfffffff0, _t425);
					 *(_t447 - 4) = 0x10;
					_t345 =  *((intOrPtr*)(_t447 - 0x5c));
					if(_t345 != 0) {
						 *((intOrPtr*)( *_t345 + 8))(_t345);
					}
					E6B158460( &(( *(_t447 - 0x1c))[0xfffffffffffffff8]), _t425);
					E6B158460( &(( *(_t447 - 0x18))[0xfffffffffffffff8]), _t425);
					 *(_t447 - 4) =  *(_t447 - 4) | 0xffffffff;
					_t352 =  *((intOrPtr*)(_t447 - 0x68));
					if(_t352 != 0) {
						 *((intOrPtr*)( *_t352 + 8))(_t352);
					}
					return E6B162709(_t435);
				} else {
					_t412 =  *(_t447 - 0x3c);
					_t418 =  *(_t447 - 0x38) - _t412;
					 *(_t447 + 0x10) = _t418;
					while( *(_t447 + 0xc) >= _t334) {
						_t425 =  *(_t447 + 0xc);
						_t464 =  *(_t447 + 0xc) -  *(_t447 - 0x34);
						if( *(_t447 + 0xc) >=  *(_t447 - 0x34)) {
							break;
						} else {
							_push(_t418 + _t412);
							_push(_t412);
							E6B14F5FD(_t412, _t418 + _t412, _t435, _t445, _t464);
							 *(_t447 + 0xc) =  &(( *(_t447 + 0xc))[0]);
							_t412 =  &(_t412[2]);
							if( *(_t447 + 0xc) <  *(_t447 - 0x34)) {
								_t418 =  *(_t447 + 0x10);
								_t334 = 0;
								__eflags = 0;
								continue;
							} else {
								goto L37;
							}
						}
						goto L43;
					}
					RaiseException(0xc000008c, 1, _t334, _t334);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  &(_t418[1]);
				}
				L43:
			}

0x6b142b11
0x6b142b11
0x6b142b11
0x6b142b1b
0x6b142b20
0x6b142b27
0x6b142b2d
0x6b142b32
0x6b142b41
0x6b142b46
0x6b142b50
0x6b142b58
0x6b142b5e
0x6b142b6e
0x6b142b72
0x6b142b77
0x6b142b7a
0x6b142b7c
0x6b142b80
0x6b142b88
0x6b142b8e
0x6b142b8f
0x6b142b9a
0x6b142b9f
0x6b142ba3
0x6b142ba6
0x6b142ba8
0x6b142bad
0x6b142bad
0x6b142bb0
0x6b142bba
0x6b142bc2
0x6b142bc8
0x6b142bdb
0x6b142bdf
0x6b142be4
0x6b142be7
0x6b142be9
0x6b142bed
0x6b142bf2
0x6b142bf5
0x6b142bfb
0x6b142bfc
0x6b142c07
0x6b142c0c
0x6b142c10
0x6b142c16
0x6b142c18
0x6b142c1a
0x6b142c1d
0x6b142c1d
0x6b142c20
0x6b142c2a
0x6b142c32
0x6b142c38
0x6b142c44
0x6b142c4c
0x6b142c51
0x6b142c5b
0x6b142c63
0x6b142c69
0x6b142c79
0x6b142c7d
0x6b142c82
0x6b142c87
0x6b142c8b
0x6b142c90
0x6b142c94
0x6b142c97
0x6b142c9b
0x6b142c9d
0x6b142ca0
0x6b142ca0
0x6b142ca6
0x6b142ca9
0x6b142cae
0x6b142cb1
0x6b142cb4
0x6b142cb7
0x6b142cbb
0x6b142cc2
0x6b142cc9
0x6b142cd0
0x6b142cd7
0x6b142cde
0x6b142ce1
0x6b142ce4
0x6b142ceb
0x6b142cec
0x6b142cff
0x6b142d03
0x6b142d08
0x6b142d0d
0x6b142d11
0x6b142d16
0x6b142d1a
0x6b142d22
0x6b142d24
0x6b142d27
0x6b142d27
0x6b142d2a
0x6b142d34
0x6b142d3c
0x6b142d41
0x6b142d44
0x6b142d46
0x6b142d48
0x6b142d48
0x6b142d4e
0x6b142d4f
0x6b142d54
0x6b142d58
0x6b142d59
0x6b142d5c
0x6b142d60
0x6b142d6b
0x6b142d70
0x6b142d7a
0x6b142d7f
0x6b142d82
0x6b142d82
0x6b142d8f
0x6b142d90
0x6b142d95
0x6b142da4
0x6b142dc9
0x6b142dcc
0x6b142dd6
0x6b142de1
0x6b142de6
0x6b142de9
0x6b142df0
0x6b142df2
0x6b142df4
0x6b142df9
0x6b142dfc
0x6b142e06
0x6b142e0b
0x6b142e0b
0x6b142e0f
0x6b142e11
0x6b142e13
0x6b142e4c
0x6b142e4f
0x6b142e53
0x6b142e58
0x6b142e58
0x00000000
0x6b142e15
0x6b142e18
0x6b142e1b
0x6b142e20
0x6b142e23
0x6b142e27
0x00000000
0x6b142e27
0x6b142da6
0x6b142da9
0x6b142db3
0x6b142e5a
0x6b142e5a
0x6b142e5c
0x6b142e2c
0x6b142e2f
0x6b142e35
0x6b142e37
0x00000000
0x6b142e3d
0x6b142e40
0x6b142e42
0x6b142e44
0x00000000
0x6b142e44
0x6b142e5e
0x6b142e66
0x6b142e6b
0x6b142e70
0x6b142e7a
0x6b142e7e
0x6b142e86
0x6b142e8c
0x6b142e91
0x6b142e94
0x6b142e9e
0x6b142ea6
0x6b142ea7
0x6b142eaa
0x6b142eaf
0x6b142eb2
0x6b142eb7
0x6b142eba
0x6b142eba
0x6b142ebb
0x6b142ec0
0x6b142ece
0x6b142ed1
0x6b142edb
0x6b142ee6
0x6b142eeb
0x6b142eef
0x6b142ef3
0x6b142ef8
0x6b142efb
0x6b142f05
0x6b142f0a
0x6b142f0a
0x6b142f0e
0x6b142f12
0x6b142f84
0x6b142f87
0x6b142f8b
0x6b142f90
0x6b142f90
0x6b142f92
0x6b142f92
0x6b142f94
0x6b142f9e
0x6b142fa3
0x6b142fa8
0x6b142fb2
0x6b142fb6
0x6b142fbe
0x6b142fc4
0x6b142fc9
0x6b142fcc
0x6b142fd6
0x6b142fde
0x6b142fdf
0x6b142fe2
0x6b142fe7
0x6b142fea
0x6b142fef
0x00000000
0x6b142fef
0x6b142f14
0x6b142f1a
0x6b142f1f
0x6b142f22
0x6b142f22
0x6b142f12
0x6b142e5c
0x6b142f27
0x6b142f2e
0x6b142f34
0x6b142f42
0x6b142f45
0x6b142f57
0x6b142f5a
0x6b142f5d
0x6b142f5f
0x6b142f61
0x6b142f64
0x6b142f67
0x6b142f6b
0x6b142f71
0x6b143028
0x6b14302e
0x6b143039
0x6b143041
0x6b14304c
0x6b143051
0x6b143055
0x6b14305a
0x6b14305f
0x6b14305f
0x6b143068
0x6b143073
0x6b143078
0x6b14307c
0x6b143081
0x6b143086
0x6b143086
0x6b143090
0x6b142f77
0x6b142f77
0x6b142f7d
0x6b142f7f
0x6b142ffc
0x6b143005
0x6b143008
0x6b14300b
0x00000000
0x6b143011
0x6b143013
0x6b143014
0x6b143015
0x6b14301a
0x6b143020
0x6b143026
0x6b142ff7
0x6b142ffa
0x6b142ffa
0x00000000
0x00000000
0x00000000
0x00000000
0x6b143026
0x00000000
0x6b14300b
0x6b14309c
0x6b1430a2
0x6b1430a3
0x6b1430a4
0x6b1430a5
0x6b1430a6
0x6b1430a7
0x6b1430ab
0x6b1430ab
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B142B1B

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B13D76F: SysFreeString.OLEAUT32(00000000), ref: 6B13D7CA

PathIsRelativeW.SHLWAPI(?,00000001,?,000000FF,?,?,?,?,00000001,?,?,?,000000FF,00000088,6B156F88,?), ref: 6B142D9C
PathFileExistsW.SHLWAPI(?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B142DAF
PathFileExistsW.KERNELBASE(00000005,?,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6B142DF0
PathFileExistsW.KERNELBASE(00000005,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B142E0F
PathIsRelativeW.SHLWAPI(00000001,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B142E2F
PathFileExistsW.SHLWAPI(00000001,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B142E40
__CxxThrowException@8.LIBCMT ref: 6B142EBB
PathFileExistsW.KERNELBASE(00000005,00000001,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6B142EEF

Part of subcall function 6B14F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6B13C3AE), ref: 6B14F241

PathFileExistsW.KERNELBASE(00000005,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B142F0E

Part of subcall function 6B1583FD: _memcpy_s.LIBCMT ref: 6B15844E

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6B14309C

Strings

Default, xrefs: 6B142C64
HeaderImage, xrefs: 6B142B59
CreateLayout, xrefs: 6B142CD0
Repair, xrefs: 6B142CC2
WizardImages, xrefs: 6B142B28
UninstallPatch, xrefs: 6B142CD7
Watermark, xrefs: 6B142BC3
Install, xrefs: 6B142CBB
Uninstall, xrefs: 6B142CC9
%, xrefs: 6B142FCC
Caption, xrefs: 6B142C33

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$H_prolog3$Relative$AppendExceptionException@8FreeRaiseStringThrow_memcpy_s
String ID: %$Caption$CreateLayout$Default$HeaderImage$Install$Repair$Uninstall$UninstallPatch$Watermark$WizardImages
API String ID: 2164894574-1575104729
Opcode ID: b7e234b346720d6027cf5a24e5bce92106d051dc57fddac8ed3fe3a25ea3c332
Instruction ID: fa483251515afc9ab09221d549050dd4d084f0a19e9e9af36ffea6562defead6
Opcode Fuzzy Hash: b7e234b346720d6027cf5a24e5bce92106d051dc57fddac8ed3fe3a25ea3c332
Instruction Fuzzy Hash: BA120C7291025DFFDF00DBB8C985ADDBBB8AF05318F148195E424FB281D738AA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B13BE03 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6B13BE03(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t216;
				void* _t236;
				intOrPtr* _t258;
				void* _t259;
				void* _t260;

				_t260 = __eflags;
				_t236 = __edx;
				_push(4);
				E6B16265B(0x6b165b96, __ebx, __edi, __esi);
				_t216 =  *((intOrPtr*)(_t259 + 8));
				 *_t216 = 0x6b136de8;
				_push(_t216 + 8);
				 *((intOrPtr*)(_t216 + 4)) = 0x6b136de0;
				E6B14E8E8(__ecx, __esi, _t260);
				_t258 = _t216 + 0xc;
				 *((intOrPtr*)(_t259 - 4)) = 0;
				 *_t258 = 0;
				 *((intOrPtr*)(_t258 + 4)) = 0;
				 *((intOrPtr*)(_t258 + 8)) = 0;
				 *((char*)(_t259 - 4)) = 1;
				_t261 =  *((intOrPtr*)(_t216 + 0x10));
				if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
					_push(_t259 - 0x10);
					E6B14E8E8(L"CEIPconsent", _t258, _t261);
					 *((char*)(_t259 - 4)) = 2;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"chainingpackage", _t258, _t261);
					 *((char*)(_t259 - 4)) = 3;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"createlayout", _t258, _t261);
					 *((char*)(_t259 - 4)) = 4;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"lcid", _t258, _t261);
					 *((char*)(_t259 - 4)) = 5;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"log", _t258, _t261);
					 *((char*)(_t259 - 4)) = 6;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"msioptions", _t258, _t261);
					 *((char*)(_t259 - 4)) = 7;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"norestart", _t258, _t261);
					 *((char*)(_t259 - 4)) = 8;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"passive", _t258, _t261);
					 *((char*)(_t259 - 4)) = 9;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"showfinalerror", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xa;
					E6B14F35E(_t259 - 0x10, _t258); // executed
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"pipe", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xb;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"promptrestart", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xc;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8("q", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xd;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"repair", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xe;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"serialdownload", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0xf;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"uninstall", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x10;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"parameterfolder", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x11;
					E6B14F35E(_t259 - 0x10, _t258);
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"NoSetupVersionCheck", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x12;
					E6B14F35E(_t259 - 0x10, _t258); // executed
					 *((char*)(_t259 - 4)) = 1;
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_push(_t259 - 0x10);
					E6B14E8E8(L"uninstallpatch", _t258, _t261);
					 *((char*)(_t259 - 4)) = 0x13;
					E6B14F35E(_t259 - 0x10, _t258);
					E6B158460( *((intOrPtr*)(_t259 - 0x10)) + 0xfffffff0, _t236);
					_t216 =  *((intOrPtr*)(_t259 + 8));
				}
				return E6B162709(_t216);
			}

0x6b13be03
0x6b13be03
0x6b13be03
0x6b13be0a
0x6b13be0f
0x6b13be15
0x6b13be1b
0x6b13be1e
0x6b13be25
0x6b13be2c
0x6b13be2f
0x6b13be32
0x6b13be34
0x6b13be37
0x6b13be3a
0x6b13be3e
0x6b13be41
0x6b13be4a
0x6b13be50
0x6b13be58
0x6b13be5c
0x6b13be61
0x6b13be6b
0x6b13be73
0x6b13be79
0x6b13be81
0x6b13be85
0x6b13be8a
0x6b13be94
0x6b13be9c
0x6b13bea2
0x6b13beaa
0x6b13beae
0x6b13beb3
0x6b13bebd
0x6b13bec5
0x6b13becb
0x6b13bed3
0x6b13bed7
0x6b13bedc
0x6b13bee6
0x6b13beee
0x6b13bef4
0x6b13befc
0x6b13bf00
0x6b13bf05
0x6b13bf0f
0x6b13bf17
0x6b13bf1d
0x6b13bf25
0x6b13bf29
0x6b13bf2e
0x6b13bf38
0x6b13bf40
0x6b13bf46
0x6b13bf4e
0x6b13bf52
0x6b13bf57
0x6b13bf61
0x6b13bf69
0x6b13bf6f
0x6b13bf77
0x6b13bf7b
0x6b13bf80
0x6b13bf8a
0x6b13bf92
0x6b13bf98
0x6b13bfa0
0x6b13bfa4
0x6b13bfa9
0x6b13bfb3
0x6b13bfbb
0x6b13bfc1
0x6b13bfc9
0x6b13bfcd
0x6b13bfd2
0x6b13bfdc
0x6b13bfe4
0x6b13bfea
0x6b13bff2
0x6b13bff6
0x6b13bffb
0x6b13c005
0x6b13c00d
0x6b13c013
0x6b13c01b
0x6b13c01f
0x6b13c024
0x6b13c02e
0x6b13c036
0x6b13c03c
0x6b13c044
0x6b13c048
0x6b13c04d
0x6b13c057
0x6b13c05f
0x6b13c065
0x6b13c06a
0x6b13c071
0x6b13c076
0x6b13c080
0x6b13c088
0x6b13c08e
0x6b13c096
0x6b13c09a
0x6b13c09f
0x6b13c0a9
0x6b13c0b1
0x6b13c0b7
0x6b13c0bf
0x6b13c0c3
0x6b13c0c8
0x6b13c0d2
0x6b13c0da
0x6b13c0e0
0x6b13c0e8
0x6b13c0ec
0x6b13c0f1
0x6b13c0fb
0x6b13c103
0x6b13c109
0x6b13c111
0x6b13c115
0x6b13c120
0x6b13c125
0x6b13c125
0x6b13c12f

APIs

__EH_prolog3.LIBCMT ref: 6B13BE0A

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14F35E: __EH_prolog3.LIBCMT ref: 6B14F365
Part of subcall function 6B14F35E: __recalloc.LIBCMT ref: 6B14F3A7

Strings

promptrestart, xrefs: 6B13BFE5
passive, xrefs: 6B13BF6A
parameterfolder, xrefs: 6B13C0B2
pipe, xrefs: 6B13BFBC
CEIPconsent, xrefs: 6B13BE4B
createlayout, xrefs: 6B13BE9D
msioptions, xrefs: 6B13BF18
log, xrefs: 6B13BEEF
uninstallpatch, xrefs: 6B13C104
serialdownload, xrefs: 6B13C060
lcid, xrefs: 6B13BEC6
chainingpackage, xrefs: 6B13BE74
NoSetupVersionCheck, xrefs: 6B13C0DB
uninstall, xrefs: 6B13C089
norestart, xrefs: 6B13BF41
showfinalerror, xrefs: 6B13BF93
repair, xrefs: 6B13C037

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
API String ID: 1900422986-634121796
Opcode ID: b03a38f0ede29feedcdaac38fe93a9f50b1f15603559027cf6c39eca8b8c77d4
Instruction ID: f8e932210e4467932d121420b45ecdd8545c8b67284e75c15003b2c056c9a843
Opcode Fuzzy Hash: b03a38f0ede29feedcdaac38fe93a9f50b1f15603559027cf6c39eca8b8c77d4
Instruction Fuzzy Hash: 70A1D5A281026DEBDF10D7F8C8857EDB7A4AF0532CF284584E474A7382D779A6499732

Uniqueness

Uniqueness Score: -1.00%

Function 6B146199 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E6B146199(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t140;
				signed int _t144;
				intOrPtr* _t149;
				signed int _t161;
				void* _t165;
				void* _t166;
				intOrPtr* _t179;
				signed int _t192;
				signed int _t196;
				void* _t197;
				void* _t199;
				intOrPtr _t209;
				intOrPtr* _t233;
				intOrPtr* _t237;
				intOrPtr* _t238;
				signed int _t254;
				void* _t255;
				intOrPtr* _t258;
				void* _t261;
				signed int _t283;
				intOrPtr* _t288;
				void* _t289;
				void* _t291;
				void* _t296;
				void* _t297;
				intOrPtr* _t298;
				void* _t299;

				_t299 = __eflags;
				_t273 = __edx;
				_t258 = __ecx;
				_push(0x3c);
				E6B16265B(0x6b1667f1, __ebx, __edi, __esi);
				_t288 = __ecx;
				_t254 =  *(_t296 + 8);
				 *(_t296 - 4) = 0;
				 *_t254 = 0x6b137550;
				 *((intOrPtr*)(_t254 + 4)) = 0;
				 *((intOrPtr*)(_t254 + 8)) = 0;
				 *((intOrPtr*)(_t254 + 0xc)) = 0;
				 *(_t296 - 4) = 1;
				_push(_t296 - 0x14);
				 *((intOrPtr*)(_t254 + 0x10)) = __ecx;
				E6B14E8E8(L"Strings.xml", __ecx, _t299);
				_push(_t296 - 0x24);
				 *(_t296 - 4) = 2;
				_t278 = E6B141E75(_t254, _t258, __edx, L"Strings.xml", _t288, _t299);
				 *(_t296 - 4) = 3;
				if(PathIsRelativeW( *(_t296 - 0x14)) != 0) {
					 *(_t296 - 0x18) = E6B1583FD( *_t278 - 0x10) + 0x10;
					 *(_t296 - 4) = 4;
					E6B14F21D(_t296 - 0x18,  *(_t296 - 0x14));
					_t278 = PathFileExistsW; // executed
					PathFileExistsW( *(_t296 - 0x18)); // executed
					_t140 = PathFileExistsW( *(_t296 - 0x18)); // executed
					__eflags = _t140;
					if(_t140 == 0) {
						 *(_t296 - 4) = 3;
						E6B158460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t273);
						_t144 = 0;
						__eflags = 0;
						goto L5;
					} else {
						_t278 = _t296 - 0x14;
						E6B14EA8D(_t296 - 0x18, _t296 - 0x14);
						 *(_t296 - 4) = 3;
						E6B158460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t273);
						goto L6;
					}
				} else {
					_t144 = PathFileExistsW( *(_t296 - 0x14)) & 0xffffff00 | _t252 != 0x00000000;
					L5:
					_t302 = _t144;
					if(_t144 == 0) {
						E6B13C9BB(_t254, _t258, _t278, _t288, __eflags);
						 *(_t296 - 0x1c) = 0x6b136e38;
						 *(_t296 - 4) = 5;
						_t149 = E6B13CB96(_t254, _t296 - 0x1c, _t273, 0x6b136e38, _t288, __eflags);
						 *(_t296 - 4) = 6;
						_t274 =  *_t288;
						 *((intOrPtr*)( *_t288 + 4))(0,  *_t149, _t296 + 0xc, _t296 - 0x1c, _t296 - 0x14);
						 *(_t296 - 4) = 5;
						E6B158460( *((intOrPtr*)(_t296 + 0xc)) + 0xfffffff0,  *_t288);
						_push(_t296 - 0x1c);
						_t261 = _t296 - 0x2c;
						E6B13D1B4(_t254, _t261, 0x6b136e38, _t288, __eflags);
						 *(_t296 - 0x2c) = 0x6b136e38;
						E6B15DBDB(_t296 - 0x2c, 0x6b168364);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x24);
						E6B16265B(0x6b165889, _t254, 0x6b136e38, _t288);
						_t255 = _t261;
						_t289 = _t255 + 4;
						_t161 = E6B14F693(_t289,  *(_t296 + 8));
						__eflags = _t161 - 0xffffffff;
						if(__eflags == 0) {
							L18:
							E6B14E8E8(L"UIInfo.xml", _t289, __eflags);
							 *(_t296 - 4) =  *(_t296 - 4) & 0x00000000;
							_t165 = E6B14F143(_t255,  *(_t296 + 8), _t289, __eflags);
							_t282 = _t165;
							 *(_t296 - 4) = 1;
							_t166 = E6B14F0E8(_t255, _t165, _t289, __eflags);
							 *(_t296 - 4) = 2;
							E6B13CA39(_t255, _t296 - 0x10, _t274, _t165, _t289, __eflags);
							E6B158460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t274);
							E6B158460( &(( *(_t296 - 0x18))[0xfffffffffffffff8]), _t274);
							 *(_t296 - 4) = 6;
							E6B158460( *((intOrPtr*)(_t296 - 0x10)) + 0xfffffff0, _t274);
							_t179 = E6B13CAC2(_t255, _t296 - 0x24, _t274, _t165, _t289, __eflags);
							 *(_t296 - 4) = 7;
							_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10))));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10)))) + 4))(0,  *_t179, _t296 + 8, _t296 - 0x24, _t166, _t296 - 0x10, _t296 - 0x14, L"\' was not found in UiInfo.xml", _t296 - 0x18, L"String for StringID \'", _t296 - 0x10);
							 *(_t296 - 4) = 6;
							E6B158460( *(_t296 + 8) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x10)))));
							_push(_t296 - 0x24);
							_t266 = _t296 - 0x30;
							E6B13D170(_t255, _t296 - 0x30, _t165, _t289, __eflags);
							E6B15DBDB(_t296 - 0x30, 0x6b1682a0);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(0x20);
							E6B16265B(0x6b16653e, _t255, _t282, _t289);
							_push(_t296 - 0x20);
							_t192 = E6B13D349(_t255, _t266, _t282, _t289, __eflags);
							 *(_t296 - 4) =  *(_t296 - 4) & 0x00000000;
							_t283 =  *(_t296 - 0x20);
							__eflags = _t283;
							if(_t283 != 0) {
								_t196 =  *(_t296 + 8) + 4;
								__eflags = _t196;
								 *(_t296 + 8) = _t196;
								do {
									_t197 = E6B13D76F(_t296 - 0x14, _t283, _t296 - 0x20, __eflags); // executed
									_t291 = _t197;
									_push(_t296 - 0x20);
									 *(_t296 - 4) = 1;
									_t199 = E6B13D2B6(_t296 - 0x10, _t266, _t275, _t283, _t291, __eflags);
									_push(_t291);
									_push(_t199);
									 *(_t296 - 4) = 2;
									E6B14F5FD(_t296 - 0x10, _t266, _t283,  *(_t296 + 8), __eflags);
									E6B158460( *((intOrPtr*)(_t296 - 0x10)) + 0xfffffff0, _t275);
									 *(_t296 - 4) = 0;
									E6B158460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t275);
									_push(_t296 - 0x2c);
									_t266 = _t296 - 0x20;
									_t209 =  *((intOrPtr*)(E6B13D4C5(_t296 - 0x10, _t296 - 0x20, _t283,  *(_t296 + 8), __eflags)));
									__eflags = _t283 - _t209;
									if(_t283 != _t209) {
										E6B157D2D(_t209, _t296 - 0x20);
										_t283 =  *(_t296 - 0x20);
									}
									_t192 =  *(_t296 - 0x2c);
									__eflags = _t192;
									if(_t192 != 0) {
										_t266 =  *_t192;
										_t192 =  *((intOrPtr*)( *_t192 + 8))(_t192);
									}
									__eflags = _t283;
								} while (__eflags != 0);
							}
							 *(_t296 - 4) =  *(_t296 - 4) | 0xffffffff;
							__eflags = _t283;
							if(_t283 != 0) {
								_t192 =  *((intOrPtr*)( *_t283 + 8))(_t283);
							}
							return E6B162709(_t192);
						} else {
							__eflags = _t161;
							if(__eflags < 0) {
								L17:
								RaiseException(0xc000008c, 1, 0, 0);
								goto L18;
							} else {
								__eflags = _t161 -  *((intOrPtr*)(_t289 + 8));
								if(__eflags >= 0) {
									goto L17;
								} else {
									return E6B162709( *((intOrPtr*)(_t289 + 4)) + _t161 * 4);
								}
							}
						}
					} else {
						L6:
						E6B13B93E(_t254, _t273, _t278, _t288, _t302); // executed
						_t298 = _t297 + 0xc;
						E6B158460( *(_t296 - 0x20) + 0xfffffff0, _t273);
						E6B158460( *((intOrPtr*)(_t296 - 0x24)) + 0xfffffff0, _t273);
						 *((intOrPtr*)(_t296 - 0x48)) = _t288;
						__imp__CoInitialize(0, 4, L"Successfuly found file %s ",  *(_t296 - 0x14));
						 *((intOrPtr*)(_t296 - 0x40)) = 0;
						 *((intOrPtr*)(_t296 + 0xc)) = _t298;
						 *_t298 = 0;
						E6B13D214(_t296 - 0x3c, _t258,  *((intOrPtr*)(_t296 + 0xc)), _t288);
						 *(_t296 - 4) = 7;
						_push(_t258);
						 *((intOrPtr*)(_t296 + 0xc)) = _t298;
						 *_t298 = E6B1583FD( &(( *(_t296 - 0x14))[0xfffffffffffffff8])) + 0x10; // executed
						E6B13DBFF(_t254, _t296 - 0x48, _t273, 0, _t298, _t302); // executed
						_push(_t296 + 0xc);
						E6B14E8E8(L"Strings", _t298, _t302);
						 *(_t296 - 4) = 8;
						E6B13D65F(_t296 - 0x3c, _t254, _t296 - 0x30, _t296 + 0xc);
						_push(_t254);
						 *(_t296 - 4) = 9;
						L19(); // executed
						 *(_t296 - 4) = 8;
						_t233 =  *((intOrPtr*)(_t296 - 0x30));
						if(_t233 != 0) {
							 *((intOrPtr*)( *_t233 + 8))(_t233);
						}
						E6B158460( *((intOrPtr*)(_t296 + 0xc)) + 0xfffffff0, _t273);
						 *(_t296 - 4) = 2;
						_t237 =  *((intOrPtr*)(_t296 - 0x3c));
						if(_t237 != 0) {
							 *((intOrPtr*)( *_t237 + 8))(_t237);
						}
						_t238 =  *((intOrPtr*)(_t296 - 0x40));
						if(_t238 != 0) {
							 *((intOrPtr*)( *_t238 + 8))(_t238);
						}
						__imp__CoUninitialize();
						E6B158460( &(( *(_t296 - 0x14))[0xfffffffffffffff8]), _t273);
						return E6B162709(_t254);
					}
				}
			}

0x6b146199
0x6b146199
0x6b146199
0x6b146199
0x6b1461a0
0x6b1461a5
0x6b1461a7
0x6b1461ac
0x6b1461af
0x6b1461b5
0x6b1461b8
0x6b1461bb
0x6b1461c1
0x6b1461c5
0x6b1461cb
0x6b1461ce
0x6b1461d6
0x6b1461d7
0x6b1461e0
0x6b1461e2
0x6b1461f1
0x6b146210
0x6b146213
0x6b14621d
0x6b146225
0x6b14622b
0x6b146230
0x6b146232
0x6b146234
0x6b146252
0x6b14625c
0x6b146261
0x6b146261
0x00000000
0x6b146236
0x6b146239
0x6b14623c
0x6b146241
0x6b14624b
0x00000000
0x6b14624b
0x6b1461f3
0x6b1461fe
0x6b146263
0x6b146263
0x6b146265
0x6b146363
0x6b14636d
0x6b146377
0x6b14637b
0x6b146380
0x6b146386
0x6b14638d
0x6b146390
0x6b14639a
0x6b1463a2
0x6b1463a3
0x6b1463a6
0x6b1463b4
0x6b1463b7
0x6b1463bc
0x6b1463bd
0x6b1463be
0x6b1463bf
0x6b1463c0
0x6b1463c1
0x6b1463c2
0x6b1463c9
0x6b1463ce
0x6b1463d3
0x6b1463d6
0x6b1463db
0x6b1463de
0x6b146408
0x6b146411
0x6b146416
0x6b146426
0x6b146434
0x6b146436
0x6b14643a
0x6b146448
0x6b14644c
0x6b146457
0x6b146462
0x6b146467
0x6b146471
0x6b14647d
0x6b146482
0x6b14648b
0x6b146490
0x6b146493
0x6b14649d
0x6b1464a5
0x6b1464a6
0x6b1464a9
0x6b1464b7
0x6b1464bc
0x6b1464bd
0x6b1464be
0x6b1464bf
0x6b1464c0
0x6b1464c1
0x6b1464c2
0x6b1464c9
0x6b1464d1
0x6b1464d2
0x6b1464d7
0x6b1464db
0x6b1464de
0x6b1464e0
0x6b1464e5
0x6b1464e5
0x6b1464e8
0x6b1464eb
0x6b1464f1
0x6b1464f6
0x6b1464fb
0x6b1464ff
0x6b146503
0x6b146508
0x6b14650c
0x6b14650d
0x6b146511
0x6b14651c
0x6b146521
0x6b14652b
0x6b146533
0x6b146534
0x6b14653c
0x6b14653e
0x6b146540
0x6b146547
0x6b14654c
0x6b14654c
0x6b14654f
0x6b146552
0x6b146554
0x6b146556
0x6b146559
0x6b146559
0x6b14655c
0x6b14655c
0x6b1464eb
0x6b146560
0x6b146564
0x6b146566
0x6b14656b
0x6b14656b
0x6b146573
0x6b1463e0
0x6b1463e0
0x6b1463e2
0x6b1463f7
0x6b146402
0x00000000
0x6b1463e4
0x6b1463e4
0x6b1463e7
0x00000000
0x6b1463e9
0x6b1463f4
0x6b1463f4
0x6b1463e7
0x6b1463e2
0x6b14626b
0x6b14626b
0x6b146275
0x6b14627d
0x6b146283
0x6b14628e
0x6b146296
0x6b146299
0x6b1462a3
0x6b1462ac
0x6b1462af
0x6b1462b1
0x6b1462b6
0x6b1462bd
0x6b1462c1
0x6b1462d1
0x6b1462d3
0x6b1462db
0x6b1462e1
0x6b1462f1
0x6b1462f5
0x6b1462fa
0x6b1462fd
0x6b146301
0x6b146306
0x6b14630a
0x6b14630f
0x6b146314
0x6b146314
0x6b14631d
0x6b146322
0x6b146326
0x6b14632b
0x6b146330
0x6b146330
0x6b146333
0x6b146338
0x6b14633d
0x6b14633d
0x6b146340
0x6b14634c
0x6b146358
0x6b146358
0x6b146265

APIs

__EH_prolog3.LIBCMT ref: 6B1461A0

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B141E75: __EH_prolog3.LIBCMT ref: 6B141E7C
Part of subcall function 6B141E75: GetThreadLocale.KERNEL32(?,00000004,6B146734,0000004C,0000004C,6B147142,?,00000000), ref: 6B141E8E

PathIsRelativeW.SHLWAPI(?,?,?,0000003C,6B157332,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6B1461E9
PathFileExistsW.SHLWAPI(?), ref: 6B1461F6
PathFileExistsW.KERNELBASE(?,?), ref: 6B14622B
PathFileExistsW.KERNELBASE(?), ref: 6B146230
CoInitialize.OLE32(00000000), ref: 6B146299
CoUninitialize.OLE32(?,?), ref: 6B146340
__CxxThrowException@8.LIBCMT ref: 6B1463B7
__EH_prolog3.LIBCMT ref: 6B1463C9

Strings

Strings.xml, xrefs: 6B1461C6
Successfuly found file %s , xrefs: 6B14626E
' was not found in UiInfo.xml, xrefs: 6B14642B
Strings, xrefs: 6B1462DC
String for StringID ', xrefs: 6B14641D
UIInfo.xml, xrefs: 6B14640C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Path$ExistsFile$Exception@8InitializeLocaleRelativeThreadThrowUninitialize
String ID: ' was not found in UiInfo.xml$String for StringID '$Strings$Strings.xml$Successfuly found file %s $UIInfo.xml
API String ID: 1923347782-1246989722
Opcode ID: efe2a8c8f2f6037826be326878e2ed9d34474a807fd84720ef9747952589126e
Instruction ID: 4fcc6a4c4cd5bb28681adc2bb6e30b8f4e753881368f9384f1b7e1fe07aff1a7
Opcode Fuzzy Hash: efe2a8c8f2f6037826be326878e2ed9d34474a807fd84720ef9747952589126e
Instruction Fuzzy Hash: 72A14FB2900149FFDF00DFB8C946B9EBBB8AF05318F148195E524E7291EB38DA15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14BCBB Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 111
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E6B14BCBB(void* __ebx, void* __ecx, void* __edx, void* __edi, long __esi, void* __eflags) {
				long _t82;
				void* _t83;
				void* _t84;

				_t84 = __eflags;
				_t82 = __esi;
				_push(0xc);
				E6B16265B(0x6b165dd0, __ebx, __edi, __esi);
				if(E6B151DCD(__ebx, __edx, __edi, __esi, _t84) == 0) {
					SetWindowLongW( *(__esi + 8), 0xfffffff0, GetWindowLongW( *(__esi + 8), 0xfffffff0) | 0x00020000); // executed
					 *(_t83 - 0x10) = GetSystemMenu( *(__esi + 8), 0);
					_push(_t83 - 0x14);
					E6B14E8E8(L"IDS_RESTORE", __esi, __eflags);
					 *(_t83 - 4) = 0;
					_push(_t83 - 0x14);
					InsertMenuW( *(_t83 - 0x10), 0, 0x400, 0xf120,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x8fc))))))()));
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					E6B158460( *((intOrPtr*)(_t83 - 0x14)) + 0xfffffff0, _t83 - 0x14);
					_push(_t83 - 0x18);
					E6B14E8E8(L"IDS_MINIMIZE", __esi, __eflags);
					 *(_t83 - 4) = 1;
					_push(_t83 - 0x18);
					InsertMenuW( *(_t83 - 0x10), 2, 0x400, 0xf020,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x8fc))))))()));
					__eflags =  *((intOrPtr*)(_t83 - 0x18)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t83 - 0x18)) + 0xfffffff0, _t83 - 0x18);
					InsertMenuW( *(_t83 - 0x10), 3, 0x400, 0xf00f, 0);
					SetMenuItemBitmaps( *(_t83 - 0x10), 0xf120, 0, 2, 2);
					SetMenuItemBitmaps( *(_t83 - 0x10), 0xf020, 0, 3, 3);
					DrawMenuBar( *(__esi + 8)); // executed
				} else {
					SendMessageW( *(__esi + 8), 0x46b, 0, 0);
					EnableMenuItem(GetSystemMenu( *(__esi + 8), 0), 0xf060, 1);
				}
				 *( *(_t82 + 0x8f4)) =  *(_t82 + 8);
				 *((intOrPtr*)(_t82 + 0x900)) = SetWindowLongW( *(_t82 + 8), 0xfffffffc, E6B14BF84);
				return E6B162709(SetWindowLongW( *(_t82 + 8), 0xffffffeb, _t82));
			}

0x6b14bcbb
0x6b14bcbb
0x6b14bcbb
0x6b14bcc2
0x6b14bcce
0x6b14bd15
0x6b14bd27
0x6b14bd2d
0x6b14bd33
0x6b14bd38
0x6b14bd46
0x6b14bd5f
0x6b14bd61
0x6b14bd6b
0x6b14bd73
0x6b14bd79
0x6b14bd7e
0x6b14bd90
0x6b14bda5
0x6b14bdaa
0x6b14bdad
0x6b14bdc3
0x6b14bdd9
0x6b14bde5
0x6b14bdea
0x6b14bcd0
0x6b14bcdc
0x6b14bcf4
0x6b14bcf4
0x6b14be04
0x6b14be14
0x6b14be21

APIs

__EH_prolog3.LIBCMT ref: 6B14BCC2

Part of subcall function 6B151DCD: __EH_prolog3.LIBCMT ref: 6B151DD4
Part of subcall function 6B151DCD: GetCommandLineW.KERNEL32(00000018,6B14B178,00000000,?,?,6B14AC46,?), ref: 6B151DD9

SendMessageW.USER32(?,0000046B,00000000,00000000), ref: 6B14BCDC
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 6B14BCED
EnableMenuItem.USER32 ref: 6B14BCF4
GetWindowLongW.USER32(?,000000F0), ref: 6B14BD04
SetWindowLongW.USER32 ref: 6B14BD15
GetSystemMenu.USER32(?,00000000), ref: 6B14BD21
InsertMenuW.USER32(?,00000000,00000400,0000F120,00000000), ref: 6B14BD5F
InsertMenuW.USER32(?,00000002,00000400,0000F020,00000000), ref: 6B14BDA5
InsertMenuW.USER32(?,00000003,00000400,0000F00F,00000000), ref: 6B14BDC3
SetMenuItemBitmaps.USER32(?,0000F120,00000000,00000002,00000002), ref: 6B14BDD9
SetMenuItemBitmaps.USER32(?,0000F020,00000000,00000003,00000003), ref: 6B14BDE5
KiUserCallbackDispatcher.NTDLL(?), ref: 6B14BDEA
SetWindowLongW.USER32 ref: 6B14BE0C
SetWindowLongW.USER32 ref: 6B14BE1A

Strings

IDS_MINIMIZE, xrefs: 6B14BD74
IDS_RESTORE, xrefs: 6B14BD2E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Menu$LongWindow$InsertItem$BitmapsH_prolog3System$CallbackCommandDispatcherEnableLineMessageSendUser
String ID: IDS_MINIMIZE$IDS_RESTORE
API String ID: 435486374-4171729070
Opcode ID: 92ce0229c77274b57080ff18272785b88d5e2441450822d17d6260e3cf5cf94a
Instruction ID: 67e228ae669f88b855048f9d79baf333e6b1ece960f5781b655c82fac648c497
Opcode Fuzzy Hash: 92ce0229c77274b57080ff18272785b88d5e2441450822d17d6260e3cf5cf94a
Instruction Fuzzy Hash: 13417E7514031ABFDF20ABA9CC89F6EBBB5FF49714F204614F225A61E0DB74A920DB14

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A80E Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 201
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E6B14A80E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR** _t67;
				WCHAR** _t73;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t90;
				intOrPtr* _t96;
				void* _t105;
				signed int _t110;
				long _t117;
				intOrPtr* _t122;
				void* _t135;
				long _t139;
				intOrPtr* _t140;
				intOrPtr* _t148;
				void* _t162;
				void* _t165;
				intOrPtr* _t170;
				struct HWND__** _t174;
				struct HWND__** _t179;
				void* _t182;
				signed int _t183;

				_t162 = __edx;
				E6B16265B(0x6b166cc0, __ebx, __edi, __esi);
				_t165 = __ecx;
				_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1ac)))) + 0x4c))();
				_t148 = _t170;
				_t135 =  *((intOrPtr*)( *_t170))(0x38);
				if(_t135 <= 0) {
					L5:
					 *((char*)(_t165 + 0x1bc)) = 1;
					L6:
					_t67 = E6B149A1E(_t165 + 0x1b8, _t165, _t182 - 0x10, _t189);
					SetWindowTextW(GetDlgItem( *(_t165 + 4), 0x65),  *_t67); // executed
					E6B158460( *(_t182 - 0x10) + 0xfffffff0, _t162);
					_t73 = E6B149B4C(_t182 - 0x10, _t148, _t162, _t165, _t165 + 0x1c0, _t189);
					_t174 = _t165 + 4;
					SetWindowTextW(GetDlgItem( *_t174, 0x69),  *_t73); // executed
					E6B158460( *(_t182 - 0x10) + 0xfffffff0, _t162);
					if( *((char*)(_t165 + 0x1b4)) != 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t182 - 0x20)) = 0;
						 *((intOrPtr*)(_t182 - 0x1c)) = 0;
						 *((intOrPtr*)(_t182 - 0x18)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0;
						_t80 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac)))) + 0x48))();
						_t163 =  *_t80;
						 *(_t182 - 0x10) =  *((intOrPtr*)( *_t80))();
						_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac))))))();
						__eflags = _t83 - 4;
						if(_t83 == 4) {
							L13:
							 *( *((intOrPtr*)(_t165 + 0x68)) + 4) = 0x6a;
							_t140 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x198)))) + 0x14))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac))))))());
							_t90 =  *((intOrPtr*)( *_t140 + 0x18))();
							 *(_t182 - 0x10) = _t183;
							 *_t183 = E6B1583FD( *_t90 - 0x10) + 0x10;
							 *((char*)(_t182 - 4)) = 1;
							_t96 =  *((intOrPtr*)( *_t140 + 0x14))(_t140);
							 *(_t182 - 0x14) = _t183;
							 *_t183 = E6B1583FD( *_t96 - 0x10) + 0x10;
							 *((char*)(_t182 - 4)) = 0;
							E6B14FB4F(_t140, _t163, _t165, _t165, __eflags);
							E6B13E389(_t165 + 4, 0); // executed
							_t105 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x198)))) + 4))(_t140);
							_push(_t140);
							_push(_t182 - 0x44);
							E6B13F2BE(_t105, _t163, _t165, _t165, __eflags);
							 *((char*)(_t182 - 4)) = 2;
							_t179 = _t165 + 4;
							E6B13F415(_t182 - 0x44, GetParent( *_t179)); // executed
							_t110 = E6B151DCD(GetParent, _t163, _t165, _t179, __eflags);
							__eflags = _t110;
							if(_t110 != 0) {
								E6B13F4D6(_t182 - 0x44, GetParent( *_t179));
								_t122 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1ac)))) + 0x10))();
								_t163 =  *_t122;
								 *((intOrPtr*)( *_t122 + 4))(4, L"All buttons hidden in passive mode");
							}
							SetWindowLongW( *_t179, 0xfffffff4, 0x6a);
							SetWindowTextW(GetParent( *_t179),  *(_t165 + 0x58)); // executed
							PostMessageW( *_t179, 0x6f5, 0, 0); // executed
							E6B140913(_t163, _t182 - 0x44);
							_t139 = 1;
							L12:
							E6B14F3EC(_t182 - 0x20);
							_t117 = _t139;
							L8:
							return E6B162709(_t117);
						}
						__eflags =  *(_t182 - 0x10);
						if( *(_t182 - 0x10) != 0) {
							goto L13;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x74)))) + 0xc))(0x77777777);
						PostMessageW( *_t174, 0x691, 0x77777777, 0);
						goto L12;
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x74)))) + 0xc))(0x80004005);
					PostMessageW( *_t174, 0x691, 0x80004005, 0);
					_t117 = 0;
					goto L8;
				}
				 *(_t182 - 0x10) =  *(_t182 - 0x10) & 0x00000000;
				if(_t135 <= 0) {
					goto L5;
				} else {
					goto L2;
				}
				do {
					L2:
					_push( *(_t182 - 0x10));
					_t148 = _t170;
					if( *((intOrPtr*)( *_t170 + 0x14))() != 0) {
						goto L4;
					}
					_push( *(_t182 - 0x10));
					_t148 = _t170;
					if( *((intOrPtr*)( *_t170 + 0x10))() == 0) {
						goto L6;
					}
					L4:
					 *(_t182 - 0x10) =  *(_t182 - 0x10) + 1;
					_t189 =  *(_t182 - 0x10) - _t135;
				} while ( *(_t182 - 0x10) < _t135);
				goto L5;
			}

0x6b14a80e
0x6b14a815
0x6b14a81a
0x6b14a827
0x6b14a82b
0x6b14a82f
0x6b14a833
0x6b14a861
0x6b14a861
0x6b14a868
0x6b14a871
0x6b14a885
0x6b14a891
0x6b14a89f
0x6b14a8a8
0x6b14a8b5
0x6b14a8c1
0x6b14a8cd
0x6b14a8f7
0x6b14a8f9
0x6b14a8fc
0x6b14a8ff
0x6b14a902
0x6b14a90d
0x6b14a910
0x6b14a91c
0x6b14a921
0x6b14a923
0x6b14a926
0x6b14a956
0x6b14a959
0x6b14a97c
0x6b14a982
0x6b14a98b
0x6b14a998
0x6b14a99a
0x6b14a9a2
0x6b14a9ab
0x6b14a9b8
0x6b14a9bc
0x6b14a9c0
0x6b14a9ca
0x6b14a9d7
0x6b14a9da
0x6b14a9de
0x6b14a9e1
0x6b14a9e6
0x6b14a9f0
0x6b14a9fb
0x6b14aa00
0x6b14aa05
0x6b14aa07
0x6b14aa11
0x6b14aa1e
0x6b14aa21
0x6b14aa2c
0x6b14aa2c
0x6b14aa35
0x6b14aa48
0x6b14aa59
0x6b14aa62
0x6b14aa69
0x6b14a94a
0x6b14a94d
0x6b14a952
0x6b14a8f1
0x6b14a8f6
0x6b14a8f6
0x6b14a928
0x6b14a92b
0x00000000
0x00000000
0x6b14a938
0x6b14a944
0x00000000
0x6b14a944
0x6b14a8dc
0x6b14a8e9
0x6b14a8ef
0x00000000
0x6b14a8ef
0x6b14a835
0x6b14a83b
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14a83d
0x6b14a83d
0x6b14a83d
0x6b14a842
0x6b14a849
0x00000000
0x00000000
0x6b14a84b
0x6b14a850
0x6b14a857
0x00000000
0x00000000
0x6b14a859
0x6b14a859
0x6b14a85c
0x6b14a85c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B14A815
GetDlgItem.USER32 ref: 6B14A87D
SetWindowTextW.USER32(00000000,?), ref: 6B14A885
GetDlgItem.USER32 ref: 6B14A8AD
SetWindowTextW.USER32(00000000,?), ref: 6B14A8B5
PostMessageW.USER32(?,00000691,80004005,00000000), ref: 6B14A8E9
PostMessageW.USER32(?,00000691,77777777,00000000), ref: 6B14A944
GetParent.USER32(00000002), ref: 6B14A9F5
GetParent.USER32(00000002), ref: 6B14AA0B
SetWindowLongW.USER32 ref: 6B14AA35
GetParent.USER32(00000002), ref: 6B14AA40
SetWindowTextW.USER32(00000000,?), ref: 6B14AA48
PostMessageW.USER32(00000002,000006F5,00000000,00000000), ref: 6B14AA59

Strings

wwww, xrefs: 6B14A932
All buttons hidden in passive mode, xrefs: 6B14AA23

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$MessageParentPostText$Item$H_prolog3Long
String ID: All buttons hidden in passive mode$wwww
API String ID: 3938074132-3958308462
Opcode ID: 8151119a6289bc1c213a57f761638fa164c730b4b9cd788272c8cc0c1a623a40
Instruction ID: dda4535c52443716a955aeb96e1ce0d416a3a524bacbe8b82b8c9e4b13720fd7
Opcode Fuzzy Hash: 8151119a6289bc1c213a57f761638fa164c730b4b9cd788272c8cc0c1a623a40
Instruction Fuzzy Hash: 1A81A175A00216FFDB10DF78C889A9DBBB4FF09305F1105A8E655AB3A0DB35AD15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B155A85 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E6B155A85(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				long _t48;
				intOrPtr _t53;
				WCHAR* _t71;
				signed int _t79;
				long _t87;
				signed int _t95;
				long _t98;
				void* _t119;
				WCHAR** _t126;
				void* _t127;

				_t119 = __edx;
				E6B162693(0x6b165c58, __ebx, __edi, __esi);
				_t126 =  *(_t127 + 8);
				 *((intOrPtr*)(_t127 - 0x14)) = 0;
				E6B1583B4(_t126);
				 *((intOrPtr*)(_t127 - 4)) = 0;
				_t103 = 1;
				 *((intOrPtr*)(_t127 - 0x14)) = 1;
				_t47 =  *(_t127 + 0x14)(0x410, 0,  *((intOrPtr*)(_t127 + 0xc)), 0x24);
				 *(_t127 + 0x14) = _t47;
				if(_t47 == 0) {
					_t48 = GetLastError();
					_push(L"OpenProcess");
					_push(5);
					E6B13C71B( *((intOrPtr*)(_t127 + 0x10)), _t48, _t119, 0, _t126, __eflags);
				} else {
					_push(_t127 - 0x1c);
					_push(4);
					_push(_t127 - 0x18);
					_push(_t47); // executed
					if( *((intOrPtr*)(_t127 + 0x18))() == 0) {
						_t53 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t127 + 0xc)) =  *((intOrPtr*)(_t53 + 0xc))() + 0x10;
						 *((intOrPtr*)(_t127 - 4)) = 1;
						E6B1580BA(_t127 + 0xc, L"EnumProcessModules failed with error %u, will try GetProcessImageFileName", GetLastError());
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x10)))) + 4))(5,  *((intOrPtr*)(_t127 + 0xc)));
						_push(_t127 + 0x18);
						 *((char*)(_t127 - 4)) = 2;
						E6B14E8E8(L"psapi.dll", _t126, __eflags);
						_push(_t127 + 0x18);
						_push(_t127 - 0x30);
						 *((char*)(_t127 - 4)) = 3;
						E6B13EE95(1,  *((intOrPtr*)(_t127 + 0x10)), L"psapi.dll", _t126, __eflags);
						E6B158460( *((intOrPtr*)(_t127 + 0x18)) + 0xfffffff0, _t119);
						_push(_t127 - 0x30);
						 *((char*)(_t127 - 4)) = 6;
						 *((intOrPtr*)(_t127 + 0x1c)) = E6B1575EA(1,  *((intOrPtr*)(_t127 + 0x10)), _t119, L"psapi.dll", _t126, __eflags);
						_t71 =  *_t126;
						_t112 = 1 -  *((intOrPtr*)(_t71 - 4));
						__eflags =  *((intOrPtr*)(_t71 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t71 - 4));
						if(( *((intOrPtr*)(_t71 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t71 - 4))) < 0) {
							_t112 = _t126;
							E6B15827A(0x104, _t126);
						}
						__eflags =  *((intOrPtr*)(_t127 + 0x1c))( *(_t127 + 0x14),  *_t126, 0x104);
						if(__eflags != 0) {
							L6B14F1A2(_t76 | 0xffffffff, _t103, _t126);
							_t79 =  *_t126;
							__eflags =  *((intOrPtr*)(_t79 - 4)) - _t103;
							if( *((intOrPtr*)(_t79 - 4)) > _t103) {
								_t79 = E6B1581DE(_t112, _t126,  *((intOrPtr*)(_t79 - 0xc)));
							}
							PathStripPathW( *_t126);
						} else {
							_t87 = GetLastError();
							_t103 =  *((intOrPtr*)(_t127 + 0x10));
							_push(L"GetProcessImageFileName");
							_push(5);
							_t79 = E6B13C71B( *((intOrPtr*)(_t127 + 0x10)), _t87, _t119, 0x104, _t126, __eflags);
						}
						L6B14F1A2(_t79 | 0xffffffff, _t103, _t126);
						E6B13EF49(_t127 - 0x30, _t119);
						__eflags =  *((intOrPtr*)(_t127 + 0xc)) + 0xfffffff0;
						E6B158460( *((intOrPtr*)(_t127 + 0xc)) + 0xfffffff0, _t119);
					} else {
						if(( *((intOrPtr*)( *_t126 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)( *_t126 - 4))) < 0) {
							E6B15827A(0x104, _t126);
						}
						_t95 =  *((intOrPtr*)(_t127 + 0x1c))( *(_t127 + 0x14),  *((intOrPtr*)(_t127 - 0x18)),  *_t126, 0x104);
						_t134 = _t95;
						if(_t95 == 0) {
							_t98 = GetLastError();
							_t103 =  *((intOrPtr*)(_t127 + 0x10));
							_push(L"GetModuleBaseName");
							_push(5);
							_t95 = E6B13C71B( *((intOrPtr*)(_t127 + 0x10)), _t98, _t119, 0x104, _t126, _t134);
						}
						L6B14F1A2(_t95 | 0xffffffff, _t103, _t126);
					}
					CloseHandle( *(_t127 + 0x14)); // executed
				}
				return E6B162709(_t126);
			}

0x6b155a85
0x6b155a8c
0x6b155a91
0x6b155a96
0x6b155a99
0x6b155a9e
0x6b155aa7
0x6b155aad
0x6b155ab0
0x6b155ab3
0x6b155ab8
0x6b155c8d
0x6b155c96
0x6b155c9b
0x6b155c9f
0x6b155abe
0x6b155ac1
0x6b155ac2
0x6b155ac7
0x6b155ac8
0x6b155ace
0x6b155b23
0x6b155b33
0x6b155b36
0x6b155b49
0x6b155b5b
0x6b155b61
0x6b155b67
0x6b155b6b
0x6b155b73
0x6b155b77
0x6b155b78
0x6b155b7c
0x6b155b87
0x6b155b8f
0x6b155b90
0x6b155b99
0x6b155b9c
0x6b155ba0
0x6b155bad
0x6b155baf
0x6b155bb3
0x6b155bb5
0x6b155bb5
0x6b155bc4
0x6b155bc6
0x6b155be4
0x6b155be9
0x6b155beb
0x6b155bee
0x6b155bf4
0x6b155bf4
0x6b155bfb
0x6b155bc8
0x6b155bc8
0x6b155bce
0x6b155bd1
0x6b155bd6
0x6b155bda
0x6b155bda
0x6b155c04
0x6b155c3f
0x6b155c7a
0x6b155c7d
0x6b155ad0
0x6b155ae3
0x6b155ae9
0x6b155ae9
0x6b155af8
0x6b155afb
0x6b155afd
0x6b155aff
0x6b155b05
0x6b155b08
0x6b155b0d
0x6b155b11
0x6b155b11
0x6b155b19
0x6b155b19
0x6b155c85
0x6b155c85
0x6b155cab

APIs

__EH_prolog3_catch.LIBCMT ref: 6B155A8C
EnumProcessModules.KERNELBASE(00000000,?,00000004,?), ref: 6B155AC9
GetModuleBaseNameW.KERNELBASE(?,?,?,00000104), ref: 6B155AF8
GetLastError.KERNEL32 ref: 6B155AFF

Part of subcall function 6B14F21D: _wcsnlen.LIBCMT ref: 6B14F1B2

GetLastError.KERNEL32 ref: 6B155B39
GetProcessImageFileNameW.KERNELBASE(?,?,00000104,?,?,?,?), ref: 6B155BC1
GetLastError.KERNEL32 ref: 6B155BC8
PathStripPathW.SHLWAPI(?), ref: 6B155BFB

Part of subcall function 6B1581DE: _memcpy_s.LIBCMT ref: 6B158224

CloseHandle.KERNELBASE(?), ref: 6B155C85
GetLastError.KERNEL32 ref: 6B155C8D

Strings

psapi.dll, xrefs: 6B155B62
GetModuleBaseName, xrefs: 6B155B08
GetProcessImageFileName, xrefs: 6B155BD1
EnumProcessModules failed with error %u, will try GetProcessImageFileName, xrefs: 6B155B43
OpenProcess, xrefs: 6B155C96

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorLast$NamePathProcess$BaseCloseEnumFileH_prolog3_catchHandleImageModuleModulesStrip_memcpy_s_wcsnlen
String ID: EnumProcessModules failed with error %u, will try GetProcessImageFileName$GetModuleBaseName$GetProcessImageFileName$OpenProcess$psapi.dll
API String ID: 3659575423-952504876
Opcode ID: f12393f6272ec4a3a08aaeba2308fbf086cfe5e12b419229292111aaf1dfaac2
Instruction ID: 0380cd38ff2f3786d11a347560f93ec734bcce0bc645f36e96e13b76285756d9
Opcode Fuzzy Hash: f12393f6272ec4a3a08aaeba2308fbf086cfe5e12b419229292111aaf1dfaac2
Instruction Fuzzy Hash: 85518FB2A00109FFDB00DFB8C849EAE7BA5EF55355F004518F661D7290EB78DA21CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B149D5D Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E6B149D5D(void** __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				signed int _v16;
				WCHAR* _v20;
				void* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				void* _t56;
				signed int _t58;
				signed int _t67;
				void** _t69;
				intOrPtr _t70;
				signed int _t76;
				void* _t80;
				signed int _t84;
				struct HINSTANCE__* _t87;
				void* _t90;
				void* _t91;

				_t91 = __eflags;
				_t80 = __edi;
				_t79 = __edx;
				_t73 = __ebx;
				_push(0x2c);
				E6B16265B(0x6b165df8, __ebx, __edi, __esi);
				_push( &_v20);
				_v56 = L"Rotate1.ico";
				_v52 = L"Rotate2.ico";
				_v48 = L"Rotate3.ico";
				_v44 = L"Rotate4.ico";
				_v40 = L"Rotate5.ico";
				_v36 = L"Rotate6.ico";
				_v32 = L"Rotate7.ico";
				_v28 = L"Rotate8.ico";
				E6B13C419(__ebx, __edx, __edi, __esi, _t91);
				_v4 = _v4 & 0x00000000;
				E6B14F21D( &_v20, L"graphics");
				_v16 = _v16 & 0x00000000;
				do {
					E6B14F21D( &_v20,  *((intOrPtr*)(_t87 + _v16 * 4 - 0x38)));
					_t56 = LoadImageW(0, _v20, 1, 0x10, 0x10, 0x10); // executed
					_v24 = _t56;
					if(_t56 == 0) {
						_t58 = _v16 + 1;
						__eflags = _t58;
						_push(_t58);
						_push(L"LoadImage failed for rotation icon %d");
						_push(1);
						E6B13B93E(_t73, _t79, _t80,  *((intOrPtr*)(_t80 + 0x20)), _t58);
						_t90 = _t90 + 0xc;
					} else {
						_t76 =  *(_t80 + 8);
						_t67 =  *(_t80 + 0xc);
						if(_t76 != _t67) {
							L11:
							_t69 =  *((intOrPtr*)(_t80 + 4)) +  *(_t80 + 8) * 4;
							if(_t69 != 0) {
								 *_t69 = _v24;
							}
							 *(_t80 + 8) =  *(_t80 + 8) + 1;
						} else {
							_t79 =  *((intOrPtr*)(_t80 + 4));
							if( &_v24 >= _t79) {
								_t73 =  &_v24;
								if( &_v24 < _t79 + _t67 * 4) {
									E6B1583CE(_t76, 0x80004005);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									return LoadImageW(_t87, ??, ??, ??, ??, ??);
								}
							}
							if(_t67 != 0) {
								_t84 = _t76 + _t76;
								__eflags = _t84;
								if(_t84 >= 0) {
									__eflags = _t84 - 0x1fffffff;
									if(_t84 <= 0x1fffffff) {
										goto L9;
									}
								}
							} else {
								_t84 = 1;
								L9:
								_t70 = E6B158EAA(_t79, _t84, 4);
								_t90 = _t90 + 0xc;
								if(_t70 != 0) {
									 *(_t80 + 0xc) = _t84;
									 *((intOrPtr*)(_t80 + 4)) = _t70;
									goto L11;
								}
							}
						}
					}
					E6B14F25E( &_v20);
					_v16 = _v16 + 1;
				} while (_v16 < 8);
				E6B158460( &(_v20[0xfffffffffffffff8]), _t79);
				return E6B162709(1);
			}

0x6b149d5d
0x6b149d5d
0x6b149d5d
0x6b149d5d
0x6b149d5d
0x6b149d64
0x6b149d6c
0x6b149d6d
0x6b149d74
0x6b149d7b
0x6b149d82
0x6b149d89
0x6b149d90
0x6b149d97
0x6b149d9e
0x6b149da5
0x6b149daa
0x6b149db6
0x6b149dbb
0x6b149dbf
0x6b149dc9
0x6b149ddf
0x6b149de1
0x6b149de6
0x6b149e55
0x6b149e55
0x6b149e56
0x6b149e57
0x6b149e5c
0x6b149e5e
0x6b149e63
0x6b149de8
0x6b149de8
0x6b149deb
0x6b149df0
0x6b149e38
0x6b149e3e
0x6b149e43
0x6b149e48
0x6b149e48
0x6b149e4a
0x6b149df2
0x6b149df2
0x6b149dfa
0x6b149dff
0x6b149e04
0x6b149e93
0x6b149e98
0x6b149e99
0x6b149e9a
0x6b149e9b
0x6b149e9c
0x6b149e9d
0x6b149ea4
0x6b149ea4
0x6b149e04
0x6b149e0c
0x6b149e13
0x6b149e16
0x6b149e18
0x6b149e1a
0x6b149e20
0x00000000
0x00000000
0x6b149e20
0x6b149e0e
0x6b149e10
0x6b149e22
0x6b149e26
0x6b149e2b
0x6b149e30
0x6b149e32
0x6b149e35
0x00000000
0x6b149e35
0x6b149e30
0x6b149e0c
0x6b149df0
0x6b149e69
0x6b149e6e
0x6b149e71
0x6b149e81
0x6b149e8d

APIs

__EH_prolog3.LIBCMT ref: 6B149D64

Part of subcall function 6B13C419: __EH_prolog3.LIBCMT ref: 6B13C420
Part of subcall function 6B13C419: GetModuleFileNameW.KERNEL32(6B130000,00000010,00000104), ref: 6B13C46D

Part of subcall function 6B14F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6B13C3AE), ref: 6B14F241

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010,6B135524,graphics,?,?,?,?,?,?,?,0000002C), ref: 6B149DDF
__recalloc.LIBCMT ref: 6B149E26

Strings

Rotate6.ico, xrefs: 6B149D90
Rotate7.ico, xrefs: 6B149D97
Rotate4.ico, xrefs: 6B149D82
Rotate2.ico, xrefs: 6B149D74
LoadImage failed for rotation icon %d, xrefs: 6B149E57
Rotate1.ico, xrefs: 6B149D6D
graphics, xrefs: 6B149DAE
Rotate8.ico, xrefs: 6B149D9E
Rotate5.ico, xrefs: 6B149D89
Rotate3.ico, xrefs: 6B149D7B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$AppendFileImageLoadModuleNamePath__recalloc
String ID: LoadImage failed for rotation icon %d$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$graphics
API String ID: 1265402300-2721559919
Opcode ID: 830a3690eb127bbd6b84108f953c4c9fd72c6cb1ed529d32e740cc7740d2d75c
Instruction ID: 2956c59869bb8d165aef436c5adcb7965910f50dab76b614258cdfe47cb5ae2a
Opcode Fuzzy Hash: 830a3690eb127bbd6b84108f953c4c9fd72c6cb1ed529d32e740cc7740d2d75c
Instruction Fuzzy Hash: 4E415C7190022AFFDB00CFA4CA52BADB775FF05B95F500124DA24BB281E779A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B145163 Relevance: 22.0, APIs: 1, Strings: 11, Instructions: 1046
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E6B145163(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t492;
				intOrPtr* _t494;
				void* _t503;
				intOrPtr* _t505;
				void* _t514;
				intOrPtr* _t516;
				void* _t525;
				intOrPtr* _t527;
				void* _t536;
				intOrPtr* _t538;
				void* _t549;
				void* _t550;
				intOrPtr* _t552;
				intOrPtr* _t553;
				void* _t567;
				void* _t568;
				intOrPtr* _t570;
				intOrPtr* _t571;
				void* _t585;
				void* _t586;
				intOrPtr* _t588;
				intOrPtr* _t589;
				void* _t603;
				void* _t604;
				intOrPtr* _t606;
				intOrPtr* _t607;
				void* _t621;
				void* _t622;
				intOrPtr* _t624;
				intOrPtr* _t625;
				void* _t639;
				void* _t640;
				intOrPtr* _t642;
				intOrPtr* _t643;
				void* _t657;
				void* _t658;
				intOrPtr* _t660;
				intOrPtr* _t661;
				void* _t675;
				void* _t676;
				intOrPtr* _t678;
				intOrPtr* _t679;
				void* _t693;
				void* _t694;
				intOrPtr* _t696;
				intOrPtr* _t697;
				void* _t711;
				void* _t712;
				intOrPtr* _t714;
				intOrPtr* _t715;
				void* _t729;
				void* _t730;
				intOrPtr* _t732;
				intOrPtr* _t733;
				void* _t747;
				void* _t748;
				intOrPtr* _t750;
				intOrPtr* _t751;
				void* _t765;
				void* _t766;
				intOrPtr* _t768;
				intOrPtr* _t769;
				void* _t783;
				void* _t784;
				intOrPtr* _t786;
				intOrPtr* _t787;
				void* _t801;
				void* _t802;
				intOrPtr* _t804;
				intOrPtr* _t805;
				intOrPtr* _t842;
				intOrPtr _t882;
				intOrPtr _t904;
				intOrPtr _t1044;
				intOrPtr _t1050;
				void* _t1051;
				intOrPtr _t1052;
				void* _t1053;

				_t1053 = __eflags;
				_t1045 = __esi;
				_t1003 = __edx;
				_push(0x48);
				E6B16265B(0x6b167824, __ebx, __edi, __esi);
				 *(_t1051 - 4) =  *(_t1051 - 4) & 0x00000000;
				_t882 =  *((intOrPtr*)(_t1051 + 8));
				_push(_t882);
				E6B14396A(_t882, _t1051 + 0xc, __edx, __edi, __esi, _t1053);
				_push(_t1051 - 0x14);
				 *(_t1051 - 4) = 1;
				E6B14E8E8(L"Static", _t1045, _t1053);
				_t1046 = _t1051 + 0xc;
				 *((intOrPtr*)(_t1051 - 0x24)) = _t1052;
				 *(_t1051 - 4) = 2;
				E6B13D7DD(_t882, __edx, _t1051 - 0x14, _t1051 + 0xc, _t1053, _t1051 + 0xc, _t1052, _t1051 + 0xc);
				_t1047 = _t1051 - 0x30;
				_t492 = E6B13D868(_t1046, _t1051 - 0x30,  *((intOrPtr*)(_t1051 + 0x18)));
				_t903 = _t882 + 0x3c;
				_push(_t492);
				_push(_t903);
				 *(_t1051 - 4) = 3;
				 *((intOrPtr*)(_t1051 - 0x10)) = _t903;
				E6B1425B2(_t882, __edx, _t1046, _t1051 - 0x30, _t1053);
				 *(_t1051 - 4) = 5;
				_t494 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1054 = _t494;
				if(_t494 != 0) {
					_t903 =  *_t494;
					 *((intOrPtr*)( *_t494 + 8))(_t494);
				}
				 *(_t1051 - 4) = 6;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				E6B14E8E8(L"SysLink", _t1047, _t1054);
				 *((intOrPtr*)(_t1051 - 0x24)) = _t1052;
				_t1048 = _t1051 + 0xc;
				 *(_t1051 - 4) = 7;
				E6B13D7DD(_t882, _t1003, _t1051 - 0x18, _t1051 + 0xc, _t1054, _t1051 + 0xc, _t1052, _t903);
				_t1049 = _t1051 - 0x3c;
				_t503 = E6B13D868(_t1048, _t1051 - 0x3c, _t1051 - 0x18);
				_t904 = _t882 + 0x4c;
				_push(_t904);
				 *(_t1051 - 4) = 8;
				 *((intOrPtr*)(_t1051 - 0x24)) = _t904;
				E6B1428EE(_t503, _t1003, _t1048, _t1051 - 0x3c, _t1054);
				 *(_t1051 - 4) = 0xa;
				_t505 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1055 = _t505;
				if(_t505 != 0) {
					 *((intOrPtr*)( *_t505 + 8))(_t505);
				}
				 *(_t1051 - 4) = 0xb;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_t884 = L"Success";
				_push(_t1051 - 0x14);
				E6B14E8E8(L"Success", _t1049, _t1055);
				 *(_t1051 - 4) = 0xc;
				_t514 = E6B13D65F(_t1051 + 0xc, L"Success", _t1051 - 0x30, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				 *(_t1051 - 4) = 0xd;
				_t1050 =  *((intOrPtr*)(_t1051 + 8));
				_push(_t514);
				_push(_t1050 + 0x5c);
				E6B143AD4(_t884, _t1050 + 0x5c, _t1003, _t884, _t1050, _t1055);
				 *(_t1051 - 4) = 0xf;
				_t516 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1056 = _t516;
				if(_t516 != 0) {
					 *((intOrPtr*)( *_t516 + 8))(_t516);
				}
				 *(_t1051 - 4) = 0x10;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"Failure", _t1050, _t1056);
				 *(_t1051 - 4) = 0x11;
				_t525 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x3c, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t525);
				_push(_t1050 + 0x94);
				 *(_t1051 - 4) = 0x12;
				E6B143AD4(_t884, _t1050 + 0x94, _t1003, L"Failure", _t1050, _t1056);
				 *(_t1051 - 4) = 0x14;
				_t527 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1057 = _t527;
				if(_t527 != 0) {
					 *((intOrPtr*)( *_t527 + 8))(_t527);
				}
				 *(_t1051 - 4) = 0x15;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"NothingApplies", _t1050, _t1057);
				 *(_t1051 - 4) = 0x16;
				_t536 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x30, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t536);
				_push(_t1050 + 0xcc);
				 *(_t1051 - 4) = 0x17;
				E6B143AD4(_t884, _t1050 + 0xcc, _t1003, L"NothingApplies", _t1050, _t1057);
				 *(_t1051 - 4) = 0x19;
				_t538 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1058 = _t538;
				if(_t538 != 0) {
					 *((intOrPtr*)( *_t538 + 8))(_t538);
				}
				 *(_t1051 - 4) = 0x1a;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x1c);
				E6B14E8E8(L"Install", _t1050, _t1058);
				_push(_t1051 - 0x18);
				 *(_t1051 - 4) = 0x1b;
				E6B14E8E8(_t884, _t1050, _t1058);
				 *(_t1051 - 4) = 0x1c;
				_t549 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x48, _t1051 - 0x18);
				 *(_t1051 - 4) = 0x1d;
				_t550 = E6B13D65F(_t549, _t884, _t1051 - 0x3c, _t1051 - 0x1c);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t550);
				_push(_t1050 + 0x104);
				 *(_t1051 - 4) = 0x1e;
				E6B143AD4(_t884, _t1050 + 0x104, _t1003, _t884, _t1050, _t1058);
				 *(_t1051 - 4) = 0x20;
				_t552 =  *((intOrPtr*)(_t1051 - 0x3c));
				if(_t552 != 0) {
					 *((intOrPtr*)( *_t552 + 8))(_t552);
				}
				 *(_t1051 - 4) = 0x21;
				_t553 =  *((intOrPtr*)(_t1051 - 0x48));
				_t1060 = _t553;
				if(_t553 != 0) {
					 *((intOrPtr*)( *_t553 + 8))(_t553);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x23;
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x20);
				E6B14E8E8(L"Repair", _t1050, _t1060);
				_push(_t1051 - 0x14);
				 *(_t1051 - 4) = 0x24;
				E6B14E8E8(_t884, _t1050, _t1060);
				 *(_t1051 - 4) = 0x25;
				_t567 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x54, _t1051 - 0x14);
				 *(_t1051 - 4) = 0x26;
				_t568 = E6B13D65F(_t567, _t884, _t1051 - 0x30, _t1051 - 0x20);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t568);
				_push(_t1050 + 0x13c);
				 *(_t1051 - 4) = 0x27;
				E6B143AD4(_t884, _t1050 + 0x13c, _t1003, _t884, _t1050, _t1060);
				 *(_t1051 - 4) = 0x29;
				_t570 =  *((intOrPtr*)(_t1051 - 0x30));
				if(_t570 != 0) {
					 *((intOrPtr*)( *_t570 + 8))(_t570);
				}
				 *(_t1051 - 4) = 0x2a;
				_t571 =  *((intOrPtr*)(_t1051 - 0x54));
				_t1062 = _t571;
				if(_t571 != 0) {
					 *((intOrPtr*)( *_t571 + 8))(_t571);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x2c;
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"Uninstall", _t1050, _t1062);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x2d;
				E6B14E8E8(_t884, _t1050, _t1062);
				 *(_t1051 - 4) = 0x2e;
				_t585 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x2f;
				_t586 = E6B13D65F(_t585, _t884, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t586);
				_push(_t1050 + 0x174);
				 *(_t1051 - 4) = 0x30;
				E6B143AD4(_t884, _t1050 + 0x174, _t1003, _t884, _t1050, _t1062);
				 *(_t1051 - 4) = 0x32;
				_t588 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t588 != 0) {
					 *((intOrPtr*)( *_t588 + 8))(_t588);
				}
				 *(_t1051 - 4) = 0x33;
				_t589 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1064 = _t589;
				if(_t589 != 0) {
					 *((intOrPtr*)( *_t589 + 8))(_t589);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x35;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"CreateLayout", _t1050, _t1064);
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x36;
				E6B14E8E8(_t884, _t1050, _t1064);
				 *(_t1051 - 4) = 0x37;
				_t603 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x38;
				_t604 = E6B13D65F(_t603, _t884, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t604);
				_push(_t1050 + 0x1ac);
				 *(_t1051 - 4) = 0x39;
				E6B143AD4(_t884, _t1050 + 0x1ac, _t1003, _t884, _t1050, _t1064);
				 *(_t1051 - 4) = 0x3b;
				_t606 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t606 != 0) {
					 *((intOrPtr*)( *_t606 + 8))(_t606);
				}
				 *(_t1051 - 4) = 0x3c;
				_t607 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1066 = _t607;
				if(_t607 != 0) {
					 *((intOrPtr*)( *_t607 + 8))(_t607);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x3e;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"UninstallPatch", _t1050, _t1066);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x3f;
				E6B14E8E8(_t884, _t1050, _t1066);
				 *(_t1051 - 4) = 0x40;
				_t621 = E6B13D65F(_t1051 + 0xc, _t884, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x41;
				_t622 = E6B13D65F(_t621, _t884, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t622);
				_push(_t1050 + 0x1e4);
				 *(_t1051 - 4) = 0x42;
				E6B143AD4(_t884, _t1050 + 0x1e4, _t1003, _t884, _t1050, _t1066);
				 *(_t1051 - 4) = 0x44;
				_t624 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t624 != 0) {
					 *((intOrPtr*)( *_t624 + 8))(_t624);
				}
				 *(_t1051 - 4) = 0x45;
				_t625 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1068 = _t625;
				if(_t625 != 0) {
					 *((intOrPtr*)( *_t625 + 8))(_t625);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x47;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"Install", _t1050, _t1068);
				_t885 = L"Failure";
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x48;
				E6B14E8E8(L"Failure", _t1050, _t1068);
				 *(_t1051 - 4) = 0x49;
				_t639 = E6B13D65F(_t1051 + 0xc, L"Failure", _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x4a;
				_t640 = E6B13D65F(_t639, _t885, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t640);
				_push(_t1050 + 0x21c);
				 *(_t1051 - 4) = 0x4b;
				E6B143AD4(_t885, _t1050 + 0x21c, _t1003, _t885, _t1050, _t1068);
				 *(_t1051 - 4) = 0x4d;
				_t642 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t642 != 0) {
					 *((intOrPtr*)( *_t642 + 8))(_t642);
				}
				 *(_t1051 - 4) = 0x4e;
				_t643 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1070 = _t643;
				if(_t643 != 0) {
					 *((intOrPtr*)( *_t643 + 8))(_t643);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x50;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"Repair", _t1050, _t1070);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x51;
				E6B14E8E8(_t885, _t1050, _t1070);
				 *(_t1051 - 4) = 0x52;
				_t657 = E6B13D65F(_t1051 + 0xc, _t885, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x53;
				_t658 = E6B13D65F(_t657, _t885, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t658);
				_push(_t1050 + 0x254);
				 *(_t1051 - 4) = 0x54;
				E6B143AD4(_t885, _t1050 + 0x254, _t1003, _t885, _t1050, _t1070);
				 *(_t1051 - 4) = 0x56;
				_t660 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t660 != 0) {
					 *((intOrPtr*)( *_t660 + 8))(_t660);
				}
				 *(_t1051 - 4) = 0x57;
				_t661 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1072 = _t661;
				if(_t661 != 0) {
					 *((intOrPtr*)( *_t661 + 8))(_t661);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x59;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"Uninstall", _t1050, _t1072);
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x5a;
				E6B14E8E8(_t885, _t1050, _t1072);
				 *(_t1051 - 4) = 0x5b;
				_t675 = E6B13D65F(_t1051 + 0xc, _t885, _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x5c;
				_t676 = E6B13D65F(_t675, _t885, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t676);
				_push(_t1050 + 0x28c);
				 *(_t1051 - 4) = 0x5d;
				E6B143AD4(_t885, _t1050 + 0x28c, _t1003, _t885, _t1050, _t1072);
				 *(_t1051 - 4) = 0x5f;
				_t678 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t678 != 0) {
					 *((intOrPtr*)( *_t678 + 8))(_t678);
				}
				 *(_t1051 - 4) = 0x60;
				_t679 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1074 = _t679;
				if(_t679 != 0) {
					 *((intOrPtr*)( *_t679 + 8))(_t679);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x62;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"CreateLayout", _t1050, _t1074);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x63;
				E6B14E8E8(_t885, _t1050, _t1074);
				 *(_t1051 - 4) = 0x64;
				_t693 = E6B13D65F(_t1051 + 0xc, _t885, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x65;
				_t694 = E6B13D65F(_t693, _t885, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t694);
				_push(_t1050 + 0x2c4);
				 *(_t1051 - 4) = 0x66;
				E6B143AD4(_t885, _t1050 + 0x2c4, _t1003, _t885, _t1050, _t1074);
				 *(_t1051 - 4) = 0x68;
				_t696 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t696 != 0) {
					 *((intOrPtr*)( *_t696 + 8))(_t696);
				}
				 *(_t1051 - 4) = 0x69;
				_t697 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1076 = _t697;
				if(_t697 != 0) {
					 *((intOrPtr*)( *_t697 + 8))(_t697);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x6b;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"UninstallPatch", _t1050, _t1076);
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x6c;
				E6B14E8E8(_t885, _t1050, _t1076);
				 *(_t1051 - 4) = 0x6d;
				_t711 = E6B13D65F(_t1051 + 0xc, _t885, _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x6e;
				_t712 = E6B13D65F(_t711, _t885, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t712);
				_push(_t1050 + 0x2fc);
				 *(_t1051 - 4) = 0x6f;
				E6B143AD4(_t885, _t1050 + 0x2fc, _t1003, _t885, _t1050, _t1076);
				 *(_t1051 - 4) = 0x71;
				_t714 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t714 != 0) {
					 *((intOrPtr*)( *_t714 + 8))(_t714);
				}
				 *(_t1051 - 4) = 0x72;
				_t715 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1078 = _t715;
				if(_t715 != 0) {
					 *((intOrPtr*)( *_t715 + 8))(_t715);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x74;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"Install", _t1050, _t1078);
				_t886 = L"NothingApplies";
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x75;
				E6B14E8E8(L"NothingApplies", _t1050, _t1078);
				 *(_t1051 - 4) = 0x76;
				_t729 = E6B13D65F(_t1051 + 0xc, L"NothingApplies", _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x77;
				_t730 = E6B13D65F(_t729, _t886, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t730);
				_push(_t1050 + 0x334);
				 *(_t1051 - 4) = 0x78;
				E6B143AD4(_t886, _t1050 + 0x334, _t1003, _t886, _t1050, _t1078);
				 *(_t1051 - 4) = 0x7a;
				_t732 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t732 != 0) {
					 *((intOrPtr*)( *_t732 + 8))(_t732);
				}
				 *(_t1051 - 4) = 0x7b;
				_t733 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1080 = _t733;
				if(_t733 != 0) {
					 *((intOrPtr*)( *_t733 + 8))(_t733);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x7d;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"Repair", _t1050, _t1080);
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x7e;
				E6B14E8E8(_t886, _t1050, _t1080);
				 *(_t1051 - 4) = 0x7f;
				_t747 = E6B13D65F(_t1051 + 0xc, _t886, _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x80;
				_t748 = E6B13D65F(_t747, _t886, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t748);
				_push(_t1050 + 0x36c);
				 *(_t1051 - 4) = 0x81;
				E6B143AD4(_t886, _t1050 + 0x36c, _t1003, _t886, _t1050, _t1080);
				 *(_t1051 - 4) = 0x83;
				_t750 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t750 != 0) {
					 *((intOrPtr*)( *_t750 + 8))(_t750);
				}
				 *(_t1051 - 4) = 0x84;
				_t751 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1082 = _t751;
				if(_t751 != 0) {
					 *((intOrPtr*)( *_t751 + 8))(_t751);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x86;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"Uninstall", _t1050, _t1082);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x87;
				E6B14E8E8(_t886, _t1050, _t1082);
				 *(_t1051 - 4) = 0x88;
				_t765 = E6B13D65F(_t1051 + 0xc, _t886, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x89;
				_t766 = E6B13D65F(_t765, _t886, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t766);
				_push(_t1050 + 0x3a4);
				 *(_t1051 - 4) = 0x8a;
				E6B143AD4(_t886, _t1050 + 0x3a4, _t1003, _t886, _t1050, _t1082);
				 *(_t1051 - 4) = 0x8c;
				_t768 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t768 != 0) {
					 *((intOrPtr*)( *_t768 + 8))(_t768);
				}
				 *(_t1051 - 4) = 0x8d;
				_t769 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1084 = _t769;
				if(_t769 != 0) {
					 *((intOrPtr*)( *_t769 + 8))(_t769);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x8f;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x14);
				E6B14E8E8(L"CreateLayout", _t1050, _t1084);
				_push(_t1051 - 0x20);
				 *(_t1051 - 4) = 0x90;
				E6B14E8E8(_t886, _t1050, _t1084);
				 *(_t1051 - 4) = 0x91;
				_t783 = E6B13D65F(_t1051 + 0xc, _t886, _t1051 - 0x30, _t1051 - 0x20);
				 *(_t1051 - 4) = 0x92;
				_t784 = E6B13D65F(_t783, _t886, _t1051 - 0x54, _t1051 - 0x14);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t784);
				_push(_t1050 + 0x3dc);
				 *(_t1051 - 4) = 0x93;
				E6B143AD4(_t886, _t1050 + 0x3dc, _t1003, _t886, _t1050, _t1084);
				 *(_t1051 - 4) = 0x95;
				_t786 =  *((intOrPtr*)(_t1051 - 0x54));
				if(_t786 != 0) {
					 *((intOrPtr*)( *_t786 + 8))(_t786);
				}
				 *(_t1051 - 4) = 0x96;
				_t787 =  *((intOrPtr*)(_t1051 - 0x30));
				_t1086 = _t787;
				if(_t787 != 0) {
					 *((intOrPtr*)( *_t787 + 8))(_t787);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x20)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0x98;
				E6B158460( *((intOrPtr*)(_t1051 - 0x14)) + 0xfffffff0, _t1003);
				_push(_t1051 - 0x18);
				E6B14E8E8(L"UninstallPatch", _t1050, _t1086);
				_push(_t1051 - 0x1c);
				 *(_t1051 - 4) = 0x99;
				E6B14E8E8(_t886, _t1050, _t1086);
				 *(_t1051 - 4) = 0x9a;
				_t801 = E6B13D65F(_t1051 + 0xc, _t886, _t1051 - 0x3c, _t1051 - 0x1c);
				 *(_t1051 - 4) = 0x9b;
				_t802 = E6B13D65F(_t801, _t886, _t1051 - 0x48, _t1051 - 0x18);
				_push( *((intOrPtr*)(_t1051 + 0x18)));
				_push(_t802);
				_push(_t1050 + 0x414);
				 *(_t1051 - 4) = 0x9c;
				E6B143AD4(_t886, _t1050 + 0x414, _t1003, _t886, _t1050, _t1086);
				 *(_t1051 - 4) = 0x9e;
				_t804 =  *((intOrPtr*)(_t1051 - 0x48));
				if(_t804 != 0) {
					 *((intOrPtr*)( *_t804 + 8))(_t804);
				}
				 *(_t1051 - 4) = 0x9f;
				_t805 =  *((intOrPtr*)(_t1051 - 0x3c));
				_t1088 = _t805;
				if(_t805 != 0) {
					 *((intOrPtr*)( *_t805 + 8))(_t805);
				}
				E6B158460( *((intOrPtr*)(_t1051 - 0x1c)) + 0xfffffff0, _t1003);
				 *(_t1051 - 4) = 0xa1;
				E6B158460( *((intOrPtr*)(_t1051 - 0x18)) + 0xfffffff0, _t1003);
				_t1044 =  *((intOrPtr*)(_t1051 - 0x24));
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x44c);
				E6B14507E(_t1050 + 0x5c, _t1050 + 0x104, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x47c);
				 *(_t1051 - 4) = 0xa2;
				E6B14507E(_t1050 + 0x94, _t1050 + 0x21c, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x4ac);
				 *(_t1051 - 4) = 0xa3;
				E6B14507E(_t1050 + 0xcc, _t1050 + 0x334, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x4dc);
				 *(_t1051 - 4) = 0xa4;
				E6B14507E(_t1050 + 0x5c, _t1050 + 0x13c, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x50c);
				 *(_t1051 - 4) = 0xa5;
				E6B14507E(_t1050 + 0x94, _t1050 + 0x254, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x53c);
				 *(_t1051 - 4) = 0xa6;
				E6B14507E(_t1050 + 0xcc, _t1050 + 0x36c, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x56c);
				 *(_t1051 - 4) = 0xa7;
				E6B14507E(_t1050 + 0x5c, _t1050 + 0x174, _t1044, _t1050, _t1088);
				 *(_t1051 - 4) = 0xa8;
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x59c);
				E6B14507E(_t1050 + 0x94, _t1050 + 0x28c, _t1044, _t1050, _t1088); // executed
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x5cc);
				 *(_t1051 - 4) = 0xa9;
				E6B14507E(_t1050 + 0xcc, _t1050 + 0x3a4, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x5fc);
				 *(_t1051 - 4) = 0xaa;
				E6B14507E(_t1050 + 0x5c, _t1050 + 0x1ac, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x62c);
				 *(_t1051 - 4) = 0xab;
				E6B14507E(_t1050 + 0x94, _t1050 + 0x2c4, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x65c);
				 *(_t1051 - 4) = 0xac;
				E6B14507E(_t1050 + 0xcc, _t1050 + 0x3dc, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x68c);
				 *(_t1051 - 4) = 0xad;
				E6B14507E(_t1050 + 0x5c, _t1050 + 0x1e4, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x6bc);
				 *(_t1051 - 4) = 0xae;
				E6B14507E(_t1050 + 0x94, _t1050 + 0x2fc, _t1044, _t1050, _t1088);
				_push(_t1044);
				_push( *((intOrPtr*)(_t1051 - 0x10)));
				_push(_t1050);
				_push(_t1050 + 0x6ec);
				 *(_t1051 - 4) = 0xaf;
				E6B14507E(_t1050 + 0xcc, _t1050 + 0x414, _t1044, _t1050, _t1088);
				 *(_t1051 - 4) =  *(_t1051 - 4) | 0xffffffff;
				_t842 =  *((intOrPtr*)(_t1051 + 0xc));
				if(_t842 != 0) {
					 *((intOrPtr*)( *_t842 + 8))(_t842);
				}
				return E6B162709(_t1050);
			}

0x6b145163
0x6b145163
0x6b145163
0x6b145163
0x6b14516a
0x6b14516f
0x6b145173
0x6b145176
0x6b14517a
0x6b145182
0x6b145188
0x6b14518c
0x6b145194
0x6b14519a
0x6b1451a4
0x6b1451a8
0x6b1451af
0x6b1451b2
0x6b1451b7
0x6b1451ba
0x6b1451bb
0x6b1451bc
0x6b1451c0
0x6b1451c3
0x6b1451c8
0x6b1451cc
0x6b1451cf
0x6b1451d1
0x6b1451d3
0x6b1451d6
0x6b1451d6
0x6b1451d9
0x6b1451e3
0x6b1451f1
0x6b1451f9
0x6b1451fd
0x6b145206
0x6b14520a
0x6b145211
0x6b145214
0x6b145219
0x6b14521c
0x6b14521f
0x6b145223
0x6b145226
0x6b14522b
0x6b14522f
0x6b145232
0x6b145234
0x6b145239
0x6b145239
0x6b14523c
0x6b145246
0x6b14524e
0x6b145253
0x6b145256
0x6b145266
0x6b14526a
0x6b14526f
0x6b145272
0x6b145276
0x6b14527c
0x6b14527d
0x6b14527e
0x6b145283
0x6b145287
0x6b14528a
0x6b14528c
0x6b145291
0x6b145291
0x6b145294
0x6b14529e
0x6b1452a6
0x6b1452ac
0x6b1452bc
0x6b1452c0
0x6b1452c5
0x6b1452ce
0x6b1452cf
0x6b1452d0
0x6b1452d4
0x6b1452d9
0x6b1452dd
0x6b1452e0
0x6b1452e2
0x6b1452e7
0x6b1452e7
0x6b1452ea
0x6b1452f4
0x6b1452fc
0x6b145302
0x6b145312
0x6b145316
0x6b14531b
0x6b145324
0x6b145325
0x6b145326
0x6b14532a
0x6b14532f
0x6b145333
0x6b145336
0x6b145338
0x6b14533d
0x6b14533d
0x6b145340
0x6b14534a
0x6b145352
0x6b145358
0x6b145360
0x6b145363
0x6b145367
0x6b145377
0x6b14537b
0x6b145388
0x6b14538c
0x6b145391
0x6b14539a
0x6b14539b
0x6b14539c
0x6b1453a0
0x6b1453a5
0x6b1453a9
0x6b1453ae
0x6b1453b3
0x6b1453b3
0x6b1453b6
0x6b1453ba
0x6b1453bd
0x6b1453bf
0x6b1453c4
0x6b1453c4
0x6b1453cd
0x6b1453d2
0x6b1453dc
0x6b1453e4
0x6b1453ea
0x6b1453f2
0x6b1453f5
0x6b1453f9
0x6b145409
0x6b14540d
0x6b14541a
0x6b14541e
0x6b145423
0x6b14542c
0x6b14542d
0x6b14542e
0x6b145432
0x6b145437
0x6b14543b
0x6b145440
0x6b145445
0x6b145445
0x6b145448
0x6b14544c
0x6b14544f
0x6b145451
0x6b145456
0x6b145456
0x6b14545f
0x6b145464
0x6b14546e
0x6b145476
0x6b14547c
0x6b145484
0x6b145487
0x6b14548b
0x6b14549b
0x6b14549f
0x6b1454ac
0x6b1454b0
0x6b1454b5
0x6b1454be
0x6b1454bf
0x6b1454c0
0x6b1454c4
0x6b1454c9
0x6b1454cd
0x6b1454d2
0x6b1454d7
0x6b1454d7
0x6b1454da
0x6b1454de
0x6b1454e1
0x6b1454e3
0x6b1454e8
0x6b1454e8
0x6b1454f1
0x6b1454f6
0x6b145500
0x6b145508
0x6b14550e
0x6b145516
0x6b145519
0x6b14551d
0x6b14552d
0x6b145531
0x6b14553e
0x6b145542
0x6b145547
0x6b145550
0x6b145551
0x6b145552
0x6b145556
0x6b14555b
0x6b14555f
0x6b145564
0x6b145569
0x6b145569
0x6b14556c
0x6b145570
0x6b145573
0x6b145575
0x6b14557a
0x6b14557a
0x6b145583
0x6b145588
0x6b145592
0x6b14559a
0x6b1455a0
0x6b1455a8
0x6b1455ab
0x6b1455af
0x6b1455bf
0x6b1455c3
0x6b1455d0
0x6b1455d4
0x6b1455d9
0x6b1455e2
0x6b1455e3
0x6b1455e4
0x6b1455e8
0x6b1455ed
0x6b1455f1
0x6b1455f6
0x6b1455fb
0x6b1455fb
0x6b1455fe
0x6b145602
0x6b145605
0x6b145607
0x6b14560c
0x6b14560c
0x6b145615
0x6b14561a
0x6b145624
0x6b14562c
0x6b145632
0x6b14563a
0x6b14563f
0x6b145642
0x6b145646
0x6b145656
0x6b14565a
0x6b145667
0x6b14566b
0x6b145670
0x6b145679
0x6b14567a
0x6b14567b
0x6b14567f
0x6b145684
0x6b145688
0x6b14568d
0x6b145692
0x6b145692
0x6b145695
0x6b145699
0x6b14569c
0x6b14569e
0x6b1456a3
0x6b1456a3
0x6b1456ac
0x6b1456b1
0x6b1456bb
0x6b1456c3
0x6b1456c9
0x6b1456d1
0x6b1456d4
0x6b1456d8
0x6b1456e8
0x6b1456ec
0x6b1456f9
0x6b1456fd
0x6b145702
0x6b14570b
0x6b14570c
0x6b14570d
0x6b145711
0x6b145716
0x6b14571a
0x6b14571f
0x6b145724
0x6b145724
0x6b145727
0x6b14572b
0x6b14572e
0x6b145730
0x6b145735
0x6b145735
0x6b14573e
0x6b145743
0x6b14574d
0x6b145755
0x6b14575b
0x6b145763
0x6b145766
0x6b14576a
0x6b14577a
0x6b14577e
0x6b14578b
0x6b14578f
0x6b145794
0x6b14579d
0x6b14579e
0x6b14579f
0x6b1457a3
0x6b1457a8
0x6b1457ac
0x6b1457b1
0x6b1457b6
0x6b1457b6
0x6b1457b9
0x6b1457bd
0x6b1457c0
0x6b1457c2
0x6b1457c7
0x6b1457c7
0x6b1457d0
0x6b1457d5
0x6b1457df
0x6b1457e7
0x6b1457ed
0x6b1457f5
0x6b1457f8
0x6b1457fc
0x6b14580c
0x6b145810
0x6b14581d
0x6b145821
0x6b145826
0x6b14582f
0x6b145830
0x6b145831
0x6b145835
0x6b14583a
0x6b14583e
0x6b145843
0x6b145848
0x6b145848
0x6b14584b
0x6b14584f
0x6b145852
0x6b145854
0x6b145859
0x6b145859
0x6b145862
0x6b145867
0x6b145871
0x6b145879
0x6b14587f
0x6b145887
0x6b14588a
0x6b14588e
0x6b14589e
0x6b1458a2
0x6b1458af
0x6b1458b3
0x6b1458b8
0x6b1458c1
0x6b1458c2
0x6b1458c3
0x6b1458c7
0x6b1458cc
0x6b1458d0
0x6b1458d5
0x6b1458da
0x6b1458da
0x6b1458dd
0x6b1458e1
0x6b1458e4
0x6b1458e6
0x6b1458eb
0x6b1458eb
0x6b1458f4
0x6b1458f9
0x6b145903
0x6b14590b
0x6b145911
0x6b145919
0x6b14591e
0x6b145921
0x6b145925
0x6b145935
0x6b145939
0x6b145946
0x6b14594a
0x6b14594f
0x6b145958
0x6b145959
0x6b14595a
0x6b14595e
0x6b145963
0x6b145967
0x6b14596c
0x6b145971
0x6b145971
0x6b145974
0x6b145978
0x6b14597b
0x6b14597d
0x6b145982
0x6b145982
0x6b14598b
0x6b145990
0x6b14599a
0x6b1459a2
0x6b1459a8
0x6b1459b0
0x6b1459b3
0x6b1459b7
0x6b1459c7
0x6b1459cb
0x6b1459d8
0x6b1459dc
0x6b1459e1
0x6b1459ea
0x6b1459eb
0x6b1459ec
0x6b1459f0
0x6b1459f5
0x6b1459f9
0x6b1459fe
0x6b145a03
0x6b145a03
0x6b145a06
0x6b145a0a
0x6b145a0d
0x6b145a0f
0x6b145a14
0x6b145a14
0x6b145a1d
0x6b145a22
0x6b145a2c
0x6b145a34
0x6b145a3a
0x6b145a42
0x6b145a45
0x6b145a49
0x6b145a59
0x6b145a5d
0x6b145a6a
0x6b145a6e
0x6b145a73
0x6b145a7c
0x6b145a7d
0x6b145a7e
0x6b145a82
0x6b145a87
0x6b145a8b
0x6b145a90
0x6b145a95
0x6b145a95
0x6b145a98
0x6b145a9c
0x6b145a9f
0x6b145aa1
0x6b145aa6
0x6b145aa6
0x6b145aaf
0x6b145ab4
0x6b145abe
0x6b145ac6
0x6b145acc
0x6b145ad4
0x6b145ad7
0x6b145adb
0x6b145aeb
0x6b145aef
0x6b145afc
0x6b145b00
0x6b145b05
0x6b145b0e
0x6b145b0f
0x6b145b10
0x6b145b14
0x6b145b19
0x6b145b1d
0x6b145b22
0x6b145b27
0x6b145b27
0x6b145b2a
0x6b145b2e
0x6b145b31
0x6b145b33
0x6b145b38
0x6b145b38
0x6b145b41
0x6b145b46
0x6b145b50
0x6b145b58
0x6b145b5e
0x6b145b66
0x6b145b69
0x6b145b6d
0x6b145b7d
0x6b145b81
0x6b145b8e
0x6b145b92
0x6b145b97
0x6b145ba0
0x6b145ba1
0x6b145ba2
0x6b145ba6
0x6b145bab
0x6b145baf
0x6b145bb4
0x6b145bb9
0x6b145bb9
0x6b145bbc
0x6b145bc0
0x6b145bc3
0x6b145bc5
0x6b145bca
0x6b145bca
0x6b145bd3
0x6b145bd8
0x6b145be2
0x6b145be7
0x6b145bea
0x6b145beb
0x6b145bf4
0x6b145bf5
0x6b145bff
0x6b145c04
0x6b145c05
0x6b145c0e
0x6b145c0f
0x6b145c1c
0x6b145c20
0x6b145c25
0x6b145c26
0x6b145c2f
0x6b145c30
0x6b145c3d
0x6b145c41
0x6b145c46
0x6b145c47
0x6b145c50
0x6b145c51
0x6b145c5b
0x6b145c5f
0x6b145c64
0x6b145c65
0x6b145c6e
0x6b145c6f
0x6b145c7c
0x6b145c80
0x6b145c85
0x6b145c86
0x6b145c8f
0x6b145c90
0x6b145c9d
0x6b145ca1
0x6b145ca6
0x6b145ca7
0x6b145cb0
0x6b145cb1
0x6b145cbb
0x6b145cbf
0x6b145cc4
0x6b145cc8
0x6b145cc9
0x6b145cd2
0x6b145cd3
0x6b145ce0
0x6b145ce5
0x6b145ce6
0x6b145cef
0x6b145cf0
0x6b145cfd
0x6b145d01
0x6b145d06
0x6b145d07
0x6b145d10
0x6b145d11
0x6b145d1b
0x6b145d1f
0x6b145d24
0x6b145d25
0x6b145d2e
0x6b145d2f
0x6b145d3c
0x6b145d40
0x6b145d45
0x6b145d46
0x6b145d4f
0x6b145d50
0x6b145d5d
0x6b145d61
0x6b145d66
0x6b145d67
0x6b145d70
0x6b145d71
0x6b145d7b
0x6b145d7f
0x6b145d84
0x6b145d85
0x6b145d8e
0x6b145d8f
0x6b145d9c
0x6b145da0
0x6b145da5
0x6b145da6
0x6b145daf
0x6b145db0
0x6b145dbd
0x6b145dc1
0x6b145dc6
0x6b145dca
0x6b145dcf
0x6b145dd4
0x6b145dd4
0x6b145dde

APIs

__EH_prolog3.LIBCMT ref: 6B14516A

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D7DD: __EH_prolog3.LIBCMT ref: 6B13D7E4
Part of subcall function 6B13D7DD: SysFreeString.OLEAUT32(00000000), ref: 6B13D83A

Part of subcall function 6B1425B2: __EH_prolog3.LIBCMT ref: 6B1425B9

Part of subcall function 6B143AD4: __EH_prolog3.LIBCMT ref: 6B143ADB

Part of subcall function 6B14507E: __EH_prolog3.LIBCMT ref: 6B145085

Strings

Success, xrefs: 6B14524E
CreateLayout, xrefs: 6B145509, 6B1457E8, 6B145AC7
Repair, xrefs: 6B1453E5, 6B1456C4, 6B1459A3
UninstallPatch, xrefs: 6B14559B, 6B14587A, 6B145B59
~, xrefs: 6B1459B3
Install, xrefs: 6B145353, 6B14562D, 6B14590C
SysLink, xrefs: 6B1451EC
NothingApplies, xrefs: 6B1452FD, 6B145919
Static, xrefs: 6B145183
Uninstall, xrefs: 6B145477, 6B145756, 6B145A35
Failure, xrefs: 6B1452A7, 6B14563A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$FreeString
String ID: CreateLayout$Failure$Install$NothingApplies$Repair$Static$Success$SysLink$Uninstall$UninstallPatch$~
API String ID: 2872891630-930184743
Opcode ID: 1d1f66cf290b7396f30a1b609b4f47fe3b8d30550c7a0c62c7ba955131434d88
Instruction ID: 894bc1b1bedbdcec582190acad125ed8a765d83622c74638c2038aa15d2be668
Opcode Fuzzy Hash: 1d1f66cf290b7396f30a1b609b4f47fe3b8d30550c7a0c62c7ba955131434d88
Instruction Fuzzy Hash: 50926E7180014DFFDF11CBF8C944EDEBBB8AF19218F144199E565E7281DB38AA0ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B156525 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 199
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E6B156525(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t85;
				intOrPtr _t89;
				intOrPtr _t95;
				void* _t96;
				intOrPtr* _t108;
				intOrPtr* _t110;
				intOrPtr* _t117;
				void* _t124;
				intOrPtr* _t126;
				intOrPtr* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				intOrPtr* _t170;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr* _t179;
				void* _t180;

				_t180 = __eflags;
				E6B162693(0x6b167cf2, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t178 - 0x2c)) = 0;
				E6B14E8E8(L"threw exception", 0, _t180);
				 *((intOrPtr*)(_t178 - 4)) = 1;
				_t85 = E6B14E93B("IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT", 0, _t180);
				 *((char*)(_t178 - 4)) = 2;
				 *((intOrPtr*)(_t178 - 0x44)) = _t178 - 0x18;
				_t89 = E6B1583FD( *_t85 - 0x10) + 0x10;
				 *((intOrPtr*)(_t178 - 0x40)) = _t89;
				 *((char*)(_t178 - 4)) = 3;
				_t170 =  *((intOrPtr*)(_t178 + 0x14));
				 *((intOrPtr*)(_t178 - 0x3c)) = _t170;
				 *((intOrPtr*)( *_t170 + 8))(L"Entering Function", _t89, _t178 - 0x28, _t178 - 0x18, 0x5c);
				E6B158460( *((intOrPtr*)(_t178 - 0x28)) + 0xfffffff0,  *_t170);
				__imp__CoInitialize(0); // executed
				 *((char*)(_t178 - 4)) = 7;
				E6B15697A(__ebx, _t170,  *_t170, _t170, 0, _t180, _t170); // executed
				 *((intOrPtr*)(_t178 - 0x1c)) = 0;
				_t95 = _t178 - 0x1c;
				 *((char*)(_t178 - 4)) = 8;
				__imp__CoCreateInstance(0x6b137930, 0, 0x17, 0x6b137970, _t95); // executed
				if(_t95 < 0) {
					L19:
					 *((intOrPtr*)(_t178 - 0x34)) = _t95;
					 *((intOrPtr*)(_t178 - 0x38)) = 0x6b136e14;
					_push(0x6b1682d8);
					_t96 = _t178 - 0x38;
					L18:
					_push(_t96);
					_t95 = E6B15DBDB();
					goto L19;
				}
				_t157 =  *((intOrPtr*)(_t178 - 0x1c));
				_t151 = _t178 - 0x20;
				_push(_t178 - 0x20);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))));
				 *((intOrPtr*)(_t178 - 0x20)) = 0;
				_t166 =  *_t157;
				_push(_t157); // executed
				if( *((intOrPtr*)( *_t157 + 0x104))() != 0 ||  *((short*)(_t178 - 0x20)) != 0xffff) {
					L17:
					_push(_t178 + 0x10);
					E6B14E8E8(L"UIInfo.xml", 0, __eflags);
					_push(_t178 + 0xc);
					 *((char*)(_t178 - 4)) = 0xe;
					E6B14E8E8(L"Xml Document load failure", 0, __eflags);
					_push(_t178 + 0x10);
					_push(_t178 + 0xc);
					_push(_t178 - 0x68);
					 *((char*)(_t178 - 4)) = 0xf;
					E6B13CA39(_t151, _t157, _t166, L"Xml Document load failure", 0, __eflags);
					_push(0x6b1682a0);
					_t96 = _t178 - 0x68;
					goto L18;
				} else {
					 *((intOrPtr*)(_t178 + 0xc)) = 0;
					 *((char*)(_t178 - 4)) = 9;
					_t108 =  *((intOrPtr*)(_t178 - 0x1c));
					_t157 =  *_t108;
					_t166 = _t178 + 0xc;
					_push(_t178 + 0xc);
					_push(_t108);
					if( *((intOrPtr*)(_t157 + 0xb4))() != 0) {
						 *((char*)(_t178 - 4)) = 8;
						_t110 =  *((intOrPtr*)(_t178 + 0xc));
						__eflags = _t110;
						if(__eflags != 0) {
							_t157 =  *_t110;
							 *((intOrPtr*)( *_t110 + 8))(_t110);
						}
						goto L17;
					}
					_t153 = E6B158199(L"succeeded");
					E6B15811C(_t178 - 0x18, _t113, _t157, L"succeeded");
					_push(_t170);
					_push( *((intOrPtr*)(_t178 + 0x10)));
					_push(_t157);
					_t158 =  *((intOrPtr*)(_t178 + 0xc));
					 *_t179 =  *((intOrPtr*)(_t178 + 0xc));
					_t117 =  *((intOrPtr*)(_t178 + 0xc));
					 *((intOrPtr*)(_t178 - 0x24)) = _t179;
					_t185 = _t117;
					if(_t117 != 0) {
						_t158 =  *_t117;
						 *((intOrPtr*)( *_t117 + 4))(_t117);
					}
					E6B13D214(_t178 - 0x50);
					_push(_t178 - 0x24);
					 *((char*)(_t178 - 4)) = 0xa;
					E6B14E8E8(L"UI", _t178 - 0x50, _t185);
					 *((char*)(_t178 - 4)) = 0xb;
					_t124 = E6B13D65F(_t178 - 0x50, _t153, _t178 - 0x5c, _t178 - 0x24);
					 *((char*)(_t178 - 4)) = 0xc;
					_t177 =  *((intOrPtr*)(_t178 + 0x14));
					_push(_t177);
					_push( *((intOrPtr*)(_t178 + 0x10)));
					_push(_t124);
					_push( *((intOrPtr*)(_t178 + 8)));
					E6B156EE2(_t153, _t158, _t166, L"UI", _t177, _t185); // executed
					 *((char*)(_t178 - 4)) = 0xb;
					_t126 =  *((intOrPtr*)(_t178 - 0x5c));
					 *((intOrPtr*)(_t178 - 0x2c)) = 1;
					if(_t126 != 0) {
						 *((intOrPtr*)( *_t126 + 8))(_t126);
					}
					E6B158460( *((intOrPtr*)(_t178 - 0x24)) + 0xfffffff0, _t166);
					 *((char*)(_t178 - 4)) = 9;
					_t130 =  *((intOrPtr*)(_t178 - 0x50));
					if(_t130 != 0) {
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
					 *((char*)(_t178 - 4)) = 8;
					_t131 =  *((intOrPtr*)(_t178 + 0xc));
					if(_t131 != 0) {
						 *((intOrPtr*)( *_t131 + 8))(_t131);
					}
					 *((char*)(_t178 - 4)) = 7;
					_t132 =  *((intOrPtr*)(_t178 - 0x1c));
					if(_t132 != 0) {
						 *((intOrPtr*)( *_t132 + 8))(_t132);
					}
					__imp__CoUninitialize(); // executed
					 *((char*)(_t178 - 4)) = 0xd;
					 *((intOrPtr*)( *_t177 + 4))(4, L" exiting function/method");
					 *((intOrPtr*)( *_t177 + 0xc))( *((intOrPtr*)(_t178 - 0x18)));
					E6B158460( *((intOrPtr*)(_t178 - 0x40)) + 0xfffffff0, _t166);
					E6B158460( *((intOrPtr*)(_t178 - 0x18)) + 0xfffffff0, _t166);
					return E6B162709( *((intOrPtr*)(_t178 + 8)));
				}
			}

0x6b156525
0x6b15652c
0x6b15653c
0x6b15653f
0x6b15654d
0x6b156554
0x6b156559
0x6b156565
0x6b15656d
0x6b156570
0x6b156573
0x6b156577
0x6b156584
0x6b156587
0x6b156590
0x6b156596
0x6b15659d
0x6b1565a1
0x6b1565a6
0x6b1565a9
0x6b1565ba
0x6b1565be
0x6b1565c6
0x6b156778
0x6b156778
0x6b15677b
0x6b156782
0x6b156787
0x6b156772
0x6b156772
0x6b156773
0x00000000
0x6b156773
0x6b1565d1
0x6b1565d4
0x6b1565d7
0x6b1565d8
0x6b1565d9
0x6b1565dc
0x6b1565de
0x6b1565e7
0x6b156735
0x6b156738
0x6b15673e
0x6b156746
0x6b15674c
0x6b156750
0x6b156758
0x6b15675c
0x6b156760
0x6b156761
0x6b156765
0x6b15676a
0x6b15676f
0x00000000
0x6b1565f8
0x6b1565f8
0x6b1565fb
0x6b1565ff
0x6b156602
0x6b156604
0x6b156607
0x6b156608
0x6b156611
0x6b156724
0x6b156728
0x6b15672b
0x6b15672d
0x6b15672f
0x6b156732
0x6b156732
0x00000000
0x6b15672d
0x6b156624
0x6b156629
0x6b15662e
0x6b15662f
0x6b156632
0x6b156633
0x6b156638
0x6b15663a
0x6b15663d
0x6b156640
0x6b156642
0x6b156644
0x6b156647
0x6b156647
0x6b15664d
0x6b156655
0x6b15665b
0x6b15665f
0x6b15666e
0x6b156672
0x6b156677
0x6b15667b
0x6b15667e
0x6b15667f
0x6b156682
0x6b156683
0x6b156686
0x6b15668b
0x6b15668f
0x6b156692
0x6b15669b
0x6b1566a0
0x6b1566a0
0x6b1566a9
0x6b1566ae
0x6b1566b2
0x6b1566b7
0x6b1566bc
0x6b1566bc
0x6b1566bf
0x6b1566c3
0x6b1566c8
0x6b1566cd
0x6b1566cd
0x6b1566d0
0x6b1566d4
0x6b1566d9
0x6b1566de
0x6b1566de
0x6b1566e1
0x6b1566ec
0x6b1566f6
0x6b156700
0x6b156709
0x6b156714
0x6b156721
0x6b156721

APIs

__EH_prolog3_catch.LIBCMT ref: 6B15652C

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14E93B: __EH_prolog3.LIBCMT ref: 6B14E942

CoInitialize.OLE32(00000000), ref: 6B156596

Part of subcall function 6B15697A: __EH_prolog3.LIBCMT ref: 6B156981
Part of subcall function 6B15697A: CoCreateInstance.OLE32(6B137980,00000000,00000017,6B137970,?,?,00000068,6B1565A6,?,?,?,?,6B152A30,?,00000000,?), ref: 6B1569AC

CoCreateInstance.OLE32(6B137930,00000000,00000017,6B137970,00000001,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?), ref: 6B1565BE
CoUninitialize.OLE32(00000001,?,00000000,00000000,?,?,succeeded,?,?,?,6B152A30,?,00000000,?,00000000,00000000), ref: 6B1566DE
__CxxThrowException@8.LIBCMT ref: 6B156773

Strings

Xml Document load failure, xrefs: 6B156747
exiting function/method, xrefs: 6B1566E7
IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT, xrefs: 6B156548
succeeded, xrefs: 6B156617, 6B156623
Entering Function, xrefs: 6B15657D
threw exception, xrefs: 6B156537
UIInfo.xml, xrefs: 6B156739

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$CreateInstance$Exception@8H_prolog3_catchInitializeThrowUninitialize
String ID: exiting function/method$Entering Function$IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT$UIInfo.xml$Xml Document load failure$succeeded$threw exception
API String ID: 4239111664-3845428783
Opcode ID: 54b9a65c4cf716c35e26317ab5ec85d2477a918a0f5a2cd91bcb789056aceb78
Instruction ID: 7dc95e78b114dc5651fe260e22c4353ba1a9429b1b084846fc950fc1727e28d4
Opcode Fuzzy Hash: 54b9a65c4cf716c35e26317ab5ec85d2477a918a0f5a2cd91bcb789056aceb78
Instruction Fuzzy Hash: E8814EB290015DFFDB00CFB8C844ADEBBB9AF09318F148059E464EB241D739DA56CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B1402E2 Relevance: 21.2, APIs: 14, Instructions: 184
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E6B1402E2(void* __ecx, void* __eflags) {
				struct HWND__* _v8;
				intOrPtr* _v12;
				void* _t64;
				void* _t66;
				intOrPtr* _t70;
				intOrPtr* _t79;
				intOrPtr* _t89;
				void* _t99;
				void* _t101;
				void* _t104;
				intOrPtr _t117;
				intOrPtr* _t118;
				signed int _t155;
				struct HWND__* _t158;
				void* _t163;
				void* _t165;

				_t165 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_t163 = __ecx;
				GetDlgItem( *(__ecx + 4), 0x65);
				E6B13EDAE(_t163 + 0x7c, _t165);
				GetDlgItem( *(_t163 + 4), 0x66);
				E6B13EDAE(_t163 + 0xa8, _t165);
				GetDlgItem( *(_t163 + 4), 0x69);
				_t155 = _t163 + 0xd4;
				E6B13EDAE(_t155, _t165);
				if( *((char*)(_t155 + 0x28)) == 0) {
					ShowWindow( *(_t155 + 4), 0);
				}
				_t64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104))))))();
				_t117 = 3;
				if(_t64 != _t117) {
					_t66 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104))))))();
					_t117 = 2;
					__eflags = _t66 - _t117;
					if(_t66 == _t117) {
						SendMessageW( *(_t163 + 0xac), 0xf5, 0, 0);
						goto L6;
					}
				} else {
					SendMessageW( *(_t163 + 0x80), 0xf5, 0, 0);
					L6:
					 *((intOrPtr*)(_t163 + 0x100)) = _t117;
				}
				_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x74)))) + 0x1c))();
				_t70 =  *((intOrPtr*)( *_t118 + 0x24))();
				_v8 =  *(_t163 + 4);
				_v12 = _t70;
				SetWindowTextW( *(_t163 + 0x80),  *( *((intOrPtr*)( *_t70))())); // executed
				E6B13EDE8(_v12 + 4,  &_v8, GetDlgItem(_v8, 0x65));
				if( *((intOrPtr*)( *_v12 + 8))() == 0) {
					EnableWindow( *(_t163 + 0x80), 0);
				}
				_t79 =  *((intOrPtr*)( *_t118 + 0x28))();
				_v12 = _t79;
				SetWindowTextW( *(_t163 + 0xac),  *( *((intOrPtr*)( *_t79))())); // executed
				E6B13EDE8(_v12 + 4,  &_v8, GetDlgItem(_v8, 0x66));
				if( *((intOrPtr*)( *_v12 + 8))() == 0) {
					EnableWindow( *(_t163 + 0xac), 0);
				}
				_t89 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x2c))()))))();
				_v12 = _t89;
				SetDlgItemTextW( *(_t163 + 4), 0x69,  *( *((intOrPtr*)( *_t89 + 0x14))())); // executed
				E6B13EDE8(_v12,  &_v8,  *(_t163 + 0xd8));
				asm("sbb edi, edi");
				_t158 =  *( ~_t155 & _t163 + 0x000000d8);
				SetWindowLongW(_t158, 0xfffffff0, GetWindowLongW(_t158, 0xfffffff0) | 0x00002400);
				_t99 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x104)))) + 0x3c))();
				_t170 = _t99 - 1;
				if(_t99 == 1) {
					E6B15017C(_t163 + 0x110,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x2c))())) + 4))(),  *(_t163 + 4)); // executed
				}
				_t101 =  *((intOrPtr*)( *_t118 + 0x20))();
				_t104 = E6B14FC53(_t163 + 0x110,  *((intOrPtr*)( *_t118 + 0x1c))(), _t170,  *(_t163 + 4), _t101); // executed
				return _t104;
			}

0x6b1402e2
0x6b1402e7
0x6b1402e8
0x6b1402f2
0x6b1402f9
0x6b140300
0x6b14030a
0x6b140314
0x6b14031e
0x6b140320
0x6b14032a
0x6b140333
0x6b14033a
0x6b14033a
0x6b140348
0x6b14034c
0x6b14034f
0x6b14036a
0x6b14036e
0x6b14036f
0x6b140371
0x6b140382
0x00000000
0x6b140382
0x6b140351
0x6b140382
0x6b140382
0x6b140388
0x6b140388
0x6b140396
0x6b14039c
0x6b1403a4
0x6b1403a9
0x6b1403b6
0x6b1403d2
0x6b1403e1
0x6b1403eb
0x6b1403eb
0x6b1403f5
0x6b1403fc
0x6b140409
0x6b140425
0x6b140434
0x6b14043e
0x6b14043e
0x6b14044f
0x6b140455
0x6b140462
0x6b140475
0x6b14047c
0x6b140486
0x6b14049a
0x6b1404a8
0x6b1404ab
0x6b1404ae
0x6b1404ca
0x6b1404ca
0x6b1404d6
0x6b1404ea
0x6b1404f3

APIs

GetDlgItem.USER32 ref: 6B1402F9

Part of subcall function 6B13EDAE: SetWindowTextW.USER32(?,?), ref: 6B13EDC5

GetDlgItem.USER32 ref: 6B14030A
GetDlgItem.USER32 ref: 6B14031E
ShowWindow.USER32(?,00000000), ref: 6B14033A
SendMessageW.USER32(?,000000F5,00000000,00000000), ref: 6B140382
SetWindowTextW.USER32(?,00000000), ref: 6B1403B6
GetDlgItem.USER32 ref: 6B1403C1
EnableWindow.USER32(?,00000000), ref: 6B1403EB
SetWindowTextW.USER32(?,00000000), ref: 6B140409
GetDlgItem.USER32 ref: 6B140414
EnableWindow.USER32(?,00000000), ref: 6B14043E
SetDlgItemTextW.USER32 ref: 6B140462
GetWindowLongW.USER32(?,000000F0), ref: 6B14048B
SetWindowLongW.USER32 ref: 6B14049A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Item$Text$EnableLong$MessageSendShow
String ID:
API String ID: 3359463025-0
Opcode ID: e0cb5559df0b10d9d64990ee36680b166e73f83d00c05427b9fe85945c6822e7
Instruction ID: 2c0983fadd492a6bb17e94cb969383b4ad2f6b8b95738195b0a5a8205bc56260
Opcode Fuzzy Hash: e0cb5559df0b10d9d64990ee36680b166e73f83d00c05427b9fe85945c6822e7
Instruction Fuzzy Hash: A8616D35600610EFDB209F74C889F99BBF6FF49711F1044A8E557DB2A0DB74A954CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6B13D923 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 228
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E6B13D923(void* __ebx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t85;
				int _t90;
				WCHAR* _t101;
				long _t105;
				void* _t110;
				int _t113;
				void* _t123;
				void* _t132;
				void* _t136;
				WCHAR* _t179;
				WCHAR* _t187;
				void** _t188;
				void** _t189;
				WCHAR* _t190;
				struct _OVERLAPPED* _t192;
				WCHAR* _t194;
				void* _t196;
				void* _t197;
				void* _t198;

				_t198 = __eflags;
				_t179 = __edx;
				E6B16265B(0x6b165a67, __ebx, __edi, __esi);
				_t192 = 0;
				 *(_t196 - 0x30) = 0;
				_t166 = 1;
				 *((intOrPtr*)(_t196 - 4)) = 1;
				_t85 =  *0x6b16fe10; // 0x6b1333ec
				_t169 = 0x6b16fe10;
				 *(_t196 - 0x14) =  *((intOrPtr*)(_t85 + 0xc))(0x30) + 0x10;
				 *((char*)(_t196 - 4)) = 2;
				_push(_t196 - 0x20);
				E6B14E8E8( *(_t196 + 0xc), 0, _t198);
				_t90 = PathIsRelativeW( *(_t196 - 0x20));
				E6B158460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
				if(_t90 == 0) {
					_push(_t196 - 0x20);
					E6B14E8E8( *(_t196 + 0xc), 0, __eflags);
					 *((char*)(_t196 - 4)) = 5;
					E6B14EA8D(_t196 - 0x20, _t196 - 0x14);
					__eflags =  &(( *(_t196 - 0x20))[0xfffffffffffffff8]);
					E6B158460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
				} else {
					_t136 =  *0x6b16fe10; // 0x6b1333ec
					_t11 =  *((intOrPtr*)(_t136 + 0xc))() + 0x10; // 0x10
					_t190 = _t11;
					 *(_t196 - 0x18) = _t190;
					 *((char*)(_t196 - 4)) = 3;
					_t200 =  *((intOrPtr*)(_t190 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t190 - 4));
					if(( *((intOrPtr*)(_t190 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t190 - 4))) < 0) {
						E6B15827A(0x104, _t196 - 0x18);
						_t190 =  *(_t196 - 0x18);
					}
					L6B14F1A2(GetModuleFileNameW( *0x6b172f90, _t190, 0x104) | 0xffffffff, 0x104, _t196 - 0x18);
					_push(_t196 - 0x20);
					E6B14E8E8(_t190, _t196 - 0x18, _t200);
					 *((char*)(_t196 - 4)) = 4;
					E6B14F25E(_t196 - 0x20);
					_t179 =  *(_t196 - 0x14);
					_t194 =  *(_t196 + 0xc);
					 *(_t196 - 0x28) =  *(_t196 - 0x20);
					_t169 = 1 -  *((intOrPtr*)(_t179 - 4));
					if(( *((intOrPtr*)(_t179 - 8)) - 0x00000104 | 1 -  *((intOrPtr*)(_t179 - 4))) < 0) {
						_t169 = _t196 - 0x14;
						E6B15827A(0x104, _t196 - 0x14);
						_t179 =  *(_t196 - 0x14);
					}
					L6B14F1A2(PathCombineW(_t179,  *(_t196 - 0x28), _t194) | 0xffffffff, 0x104, _t196 - 0x14);
					E6B158460( &(( *(_t196 - 0x20))[0xfffffffffffffff8]), _t179);
					_t33 = _t190 - 0x10; // 0x0
					E6B158460(_t33, _t179);
					_t166 = 1;
					_t192 = 0;
				}
				 *(_t196 - 0x2c) = _t192;
				 *(_t196 - 0x28) = _t192;
				 *((char*)(_t196 - 4)) = 6;
				_t101 = E6B157F22(_t196 - 0x2c,  *(_t196 - 0x14), 0x80000000, _t166, 3, 0x80, _t192); // executed
				_t187 = _t101;
				_t202 = _t187 - _t192;
				if(_t187 < _t192) {
					_push(_t187);
					_push( *(_t196 - 0x14));
					_push(L"ReadXML failed to open XML file %s, with error %d");
					_push(_t192);
					_t192 =  *(_t196 + 0x10);
					E6B13B93E(_t166, _t179, _t187, _t192, _t202);
					_t197 = _t197 + 0x10;
					 *((intOrPtr*)(_t196 - 0x24)) = 0x6b136e14;
					 *(_t196 - 0x20) = _t187;
					_push(0x6b1682d8);
					_t132 = _t196 - 0x24;
					L9:
					_push(_t132);
					E6B15DBDB();
				}
				E6B157E56(_t169, _t196 - 0x2c, _t192, _t192, 2); // executed
				 *(_t196 - 0x3c) = _t192;
				 *(_t196 - 0x38) = _t192;
				_t105 = SetFilePointer( *(_t196 - 0x2c), _t192, _t196 - 0x38, _t166); // executed
				 *(_t196 - 0x3c) = _t105;
				E6B157E56(_t169, _t196 - 0x2c, 2, _t192, _t192); // executed
				_t110 =  *(_t196 - 0x3c) + 0xfffffffe >> 1;
				if(_t110 < 0) {
					_push(0x80070057);
					L12:
					_t110 = E6B1583CE(_t169);
				}
				if(_t110 != _t192) {
					__imp__#4(_t192, _t110); // executed
					_t169 =  *(_t196 + 8);
					 *( *(_t196 + 8)) = _t110;
					__eflags = _t110 - _t192;
					if(_t110 != _t192) {
						_t188 =  *(_t196 + 8);
					} else {
						_push(0x8007000e);
						goto L12;
					}
				} else {
					_t188 =  *(_t196 + 8);
					 *_t188 = _t192;
				}
				_t180 = _t196 - 0x34;
				 *(_t196 - 0x30) = _t166;
				 *(_t196 - 0x34) = _t192;
				_t113 = ReadFile( *(_t196 - 0x2c),  *_t188,  *(_t196 - 0x3c) + 0xfffffffe, _t196 - 0x34, _t192); // executed
				if(_t113 != _t192) {
					_t166 = 0;
					__eflags = 0;
				} else {
					_t166 = E6B157F08();
				}
				if(_t166 < _t192) {
					_t123 =  *0x6b16fe10; // 0x6b1333ec
					 *(_t196 - 0x20) =  *((intOrPtr*)(_t123 + 0xc))() + 0x10;
					 *((char*)(_t196 - 4)) = 7;
					E6B1580BA(_t196 - 0x20, L"Could not find mandatory data file %s. This is a bad package.",  *(_t196 - 0x14));
					_t189 =  *(_t196 + 0x10);
					_t197 = _t197 + 0xc;
					 *((intOrPtr*)( *_t189 + 4))(_t192,  *(_t196 - 0x20));
					_t169 = _t189;
					 *((intOrPtr*)( *_t189 + 4))(7,  *(_t196 - 0x20));
					 *((intOrPtr*)(_t196 - 0x1c)) = 0x6b136e14;
					 *(_t196 - 0x18) = _t166;
					_push(0x6b1682d8);
					_t132 = _t196 - 0x1c;
					goto L9;
				}
				__eflags =  *(_t196 - 0x2c) - _t192;
				if( *(_t196 - 0x2c) != _t192) {
					CloseHandle( *(_t196 - 0x2c)); // executed
				}
				E6B158460( &(( *(_t196 - 0x14))[0xfffffffffffffff8]), _t180);
				__eflags =  &(( *(_t196 + 0xc))[0xfffffffffffffff8]);
				E6B158460( &(( *(_t196 + 0xc))[0xfffffffffffffff8]), _t180);
				return E6B162709(_t188);
			}

0x6b13d923
0x6b13d923
0x6b13d92a
0x6b13d92f
0x6b13d931
0x6b13d936
0x6b13d937
0x6b13d93a
0x6b13d93f
0x6b13d94a
0x6b13d950
0x6b13d957
0x6b13d958
0x6b13d960
0x6b13d96e
0x6b13d975
0x6b13da3e
0x6b13da3f
0x6b13da4a
0x6b13da4e
0x6b13da56
0x6b13da59
0x6b13d97b
0x6b13d97b
0x6b13d988
0x6b13d988
0x6b13d98b
0x6b13d98e
0x6b13d9a1
0x6b13d9a3
0x6b13d9aa
0x6b13d9af
0x6b13d9af
0x6b13d9c6
0x6b13d9ce
0x6b13d9cf
0x6b13d9d7
0x6b13d9db
0x6b13d9e3
0x6b13d9e6
0x6b13d9eb
0x6b13d9f2
0x6b13d9f9
0x6b13d9fd
0x6b13da00
0x6b13da05
0x6b13da05
0x6b13da19
0x6b13da24
0x6b13da29
0x6b13da2c
0x6b13da33
0x6b13da34
0x6b13da34
0x6b13da5e
0x6b13da61
0x6b13da72
0x6b13da7c
0x6b13da81
0x6b13da83
0x6b13da85
0x6b13da87
0x6b13da88
0x6b13da8b
0x6b13da90
0x6b13da91
0x6b13da94
0x6b13da99
0x6b13da9c
0x6b13daa3
0x6b13daa6
0x6b13daab
0x6b13daae
0x6b13daae
0x6b13daaf
0x6b13daaf
0x6b13dabc
0x6b13daca
0x6b13dacd
0x6b13dad0
0x6b13dad8
0x6b13dae1
0x6b13daec
0x6b13daee
0x6b13daf0
0x6b13daf5
0x6b13daf5
0x6b13daf5
0x6b13dafc
0x6b13db07
0x6b13db0d
0x6b13db10
0x6b13db12
0x6b13db14
0x6b13db1d
0x6b13db16
0x6b13db16
0x00000000
0x6b13db16
0x6b13dafe
0x6b13dafe
0x6b13db01
0x6b13db01
0x6b13db26
0x6b13db32
0x6b13db35
0x6b13db38
0x6b13db40
0x6b13db4b
0x6b13db4b
0x6b13db42
0x6b13db47
0x6b13db47
0x6b13db4f
0x6b13db51
0x6b13db61
0x6b13db64
0x6b13db74
0x6b13db79
0x6b13db7e
0x6b13db87
0x6b13db91
0x6b13db93
0x6b13db96
0x6b13db9d
0x6b13dba0
0x6b13dba5
0x00000000
0x6b13dba5
0x6b13dbad
0x6b13dbb0
0x6b13dbb5
0x6b13dbb5
0x6b13dbc1
0x6b13dbc9
0x6b13dbcc
0x6b13dbd8

APIs

__EH_prolog3.LIBCMT ref: 6B13D92A

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D960
GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D9BA
PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13DA0D
__CxxThrowException@8.LIBCMT ref: 6B13DAAF
SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000), ref: 6B13DAD0
SysAllocStringLen.OLEAUT32(00000000,?), ref: 6B13DB07
ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13DB38
CloseHandle.KERNELBASE(?,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13DBB5

Strings

ReadXML failed to open XML file %s, with error %d, xrefs: 6B13DA8B
Could not find mandatory data file %s. This is a bad package., xrefs: 6B13DB6E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: File$H_prolog3Path$AllocCloseCombineException@8HandleModuleNamePointerReadRelativeStringThrow
String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
API String ID: 3690754453-4172873023
Opcode ID: 3fa6f61781763c56978865a822a3501195388a0b4665fbe7d83b9e0404edaf76
Instruction ID: f6ef897ddcc88313089402b6502e8d8e7d51057223bd23fea8a61c4d6b865d03
Opcode Fuzzy Hash: 3fa6f61781763c56978865a822a3501195388a0b4665fbe7d83b9e0404edaf76
Instruction Fuzzy Hash: 0F912872900129FBCF01DFB8C885ADEBBB5FF49314F114525E521B7290E738AA25CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B14AAC2 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E6B14AAC2(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, char _a12, char _a15) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t47;
				struct HWND__* _t55;
				WCHAR** _t59;
				intOrPtr* _t69;
				intOrPtr* _t72;
				void* _t79;
				struct _CRITICAL_SECTION* _t80;
				void* _t93;
				void* _t96;
				intOrPtr _t99;

				_t83 = __ecx;
				_push(__ecx);
				_t99 = _a4;
				if( *((char*)(_t99 + 0x1b5)) != 0) {
					L21:
					return _t47;
				}
				_push(_t79);
				if(_a12 != 1) {
					L11:
					_t80 = _t99 + 0x140;
					EnterCriticalSection(_t80);
					_push(_a8);
					_t93 = _t80 + 0x1c;
					if(_a12 == 0) {
						_t93 = _t80 + 0x28;
					}
					E6B149EC0(_t83, _t93);
					_t47 =  *(_t80 + 0x18);
					if(_t47 != 0) {
						_t47 = _t47 - 1;
						 *(_t80 + 0x18) = _t47;
					}
					LeaveCriticalSection(_t80);
					EnterCriticalSection(_t80);
					_a15 =  *(_t80 + 0x18) == 0;
					LeaveCriticalSection(_t80);
					_t115 = _a15;
					if(_a15 != 0) {
						_t96 = E6B14A09F(_t80, _t115);
						if( *((char*)(_t99 + 0x174)) != 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x74)))) + 4))(1);
						}
						_t84 =  *((intOrPtr*)(_t99 + 0x74));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x74)))) + 0xc))(_t96);
						_t47 = IsWindow( *(_t99 + 4));
						_t117 = _t47;
						if(_t47 != 0) {
							_t47 = E6B14B167(_t99, _t80, _t84, _t90, _t117, _a8); // executed
						}
					}
					goto L20;
				} else {
					_t55 =  *(_t99 + 0x130);
					if(_t55 != 0) {
						ShowWindow(_t55, 0); // executed
					}
					_t83 =  *((intOrPtr*)(_t99 + 0x1ac));
					 *((char*)(_t99 + 0x1bd)) = 1;
					if( *((intOrPtr*)( *( *((intOrPtr*)(_t99 + 0x1ac))) + 0x50))() == 0) {
						L9:
						 *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x68)) + 4)) = 0xffffff96;
						_t109 = _a8;
						if(_a8 == 0) {
							_t59 = E6B149AD4( &_v8, 0, _t99 + 0x1b8, _t109);
							SetWindowTextW(GetDlgItem( *(_a4 + 4), 0x68),  *_t59); // executed
							E6B158460(_v8 + 0xfffffff0, _t90);
							_t99 = _a4;
						}
						goto L11;
					}
					if(_a8 == 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x70))))))(_t99 + 0x188);
						_t69 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x1ac)))) + 0x10))();
						_t90 =  *_t69;
						_t83 = _t69;
						 *((intOrPtr*)( *_t69 + 4))(4, L"Launching Install operation. Download operation is completed.");
						goto L9;
					}
					_t72 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x1ac)))) + 0x10))();
					_t90 =  *_t72;
					 *((intOrPtr*)( *_t72 + 4))(1, L"Download failed. No performer will be called.");
					_t83 =  *((intOrPtr*)(_t99 + 0x74));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t99 + 0x74)))) + 0xc))(_a8);
					_t47 = IsWindow( *(_t99 + 4));
					_t108 = _t47;
					if(_t47 == 0) {
						L20:
						goto L21;
					}
					E6B14B167(_t99, _t79, _t83, _t90, _t108, _a8);
					goto L9;
				}
			}

0x6b14aac2
0x6b14aac7
0x6b14aac9
0x6b14aad3
0x6b14ac48
0x6b14ac4a
0x6b14ac4a
0x6b14aadd
0x6b14aadf
0x6b14abbf
0x6b14abbf
0x6b14abc6
0x6b14abd0
0x6b14abd3
0x6b14abd6
0x6b14abd8
0x6b14abd8
0x6b14abdb
0x6b14abe0
0x6b14abe5
0x6b14abe7
0x6b14abe8
0x6b14abe8
0x6b14abf2
0x6b14abf5
0x6b14ac00
0x6b14ac04
0x6b14ac06
0x6b14ac0a
0x6b14ac18
0x6b14ac1a
0x6b14ac23
0x6b14ac23
0x6b14ac26
0x6b14ac2c
0x6b14ac32
0x6b14ac38
0x6b14ac3a
0x6b14ac41
0x6b14ac41
0x6b14ac3a
0x00000000
0x6b14aae5
0x6b14aae5
0x6b14aaef
0x6b14aaf3
0x6b14aaf3
0x6b14aaf9
0x6b14aaff
0x6b14ab0d
0x6b14ab7c
0x6b14ab7f
0x6b14ab86
0x6b14ab89
0x6b14ab94
0x6b14abab
0x6b14abb7
0x6b14abbc
0x6b14abbc
0x00000000
0x6b14ab89
0x6b14ab12
0x6b14ab61
0x6b14ab6b
0x6b14ab6e
0x6b14ab77
0x6b14ab79
0x00000000
0x6b14ab79
0x6b14ab1c
0x6b14ab1f
0x6b14ab2a
0x6b14ab2d
0x6b14ab35
0x6b14ab3b
0x6b14ab41
0x6b14ab43
0x6b14ac46
0x00000000
0x6b14ac47
0x6b14ab4e
0x00000000
0x6b14ab4e

APIs

ShowWindow.USER32(?,00000000), ref: 6B14AAF3
IsWindow.USER32(?), ref: 6B14AB3B
GetDlgItem.USER32 ref: 6B14ABA3
SetWindowTextW.USER32(00000000,?), ref: 6B14ABAB
EnterCriticalSection.KERNEL32(?), ref: 6B14ABC6
LeaveCriticalSection.KERNEL32(?), ref: 6B14ABF2
EnterCriticalSection.KERNEL32(?), ref: 6B14ABF5
LeaveCriticalSection.KERNEL32(6B14A159,?), ref: 6B14AC04
IsWindow.USER32(?), ref: 6B14AC32

Strings

Download failed. No performer will be called., xrefs: 6B14AB21
Launching Install operation. Download operation is completed., xrefs: 6B14AB70

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CriticalSectionWindow$EnterLeave$ItemShowText
String ID: Download failed. No performer will be called.$Launching Install operation. Download operation is completed.
API String ID: 1766897411-1922595129
Opcode ID: 9b872a9499bcb288ed94e85e644c02f196817cabd59cb621bb1332360fde9c85
Instruction ID: 352d8c846859921d7ad2282ff1a1540c2fe8ef4d42a70ef49a7fed2cd501c912
Opcode Fuzzy Hash: 9b872a9499bcb288ed94e85e644c02f196817cabd59cb621bb1332360fde9c85
Instruction Fuzzy Hash: A5518C34200604FFDB21DF34C888B8A7BA6FF4A715F1185A8F8668B2A1DB75E844CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A6A1 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 121
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E6B14A6A1(void* __ecx, void* __eflags) {
				char _v5;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t37;
				struct HWND__* _t39;
				struct HWND__* _t41;
				struct HWND__* _t45;
				char _t50;
				intOrPtr _t51;
				intOrPtr* _t52;
				void* _t57;
				intOrPtr* _t58;
				void* _t90;
				void* _t93;
				void* _t94;

				_push(__ecx);
				_t90 = __ecx;
				_t37 = E6B14A214( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1ac))))))());
				if(_t37 >= 2 && (_t37 <= 5 || _t37 == 9)) {
					 *((intOrPtr*)(_t90 + 0x1c4)) = _t37;
				}
				_t93 = _t90 + 0x130;
				_t39 = GetDlgItem( *(_t90 + 4), 0x66);
				 *_t93 = _t39;
				if(_t39 != 0) {
					SetPropW(_t39, L"RotatingIconDisplayTHIS", _t93); // executed
				}
				if( *(_t93 + 8) == 1) {
					SetTimer( *_t93, 2, 0x3e8, E6B14A051); // executed
					 *(_t93 + 8) =  *(_t93 + 8) & 0x00000000;
				}
				_t94 = _t90 + 0x124;
				_t41 = GetDlgItem( *(_t90 + 4), 0x6a);
				 *_t94 = _t41;
				_t105 = _t41;
				if(_t41 != 0) {
					SetPropW(_t41, L"RotatingIconDisplayTHIS", _t94);
				}
				E6B14A027(_t94);
				E6B14995F(GetDlgItem( *(_t90 + 4), 0x67), _t90 + 0x78, _t105);
				_t45 = GetDlgItem( *(_t90 + 4), 0x6b);
				_t96 = _t90 + 0xa0;
				E6B14995F(_t45, _t90 + 0xa0, _t105);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac)))) + 4))();
				_v5 = 0;
				_t50 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac)))) + 8))( &_v5);
				 *((char*)(_t90 + 0x1b4)) = _t50;
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac))));
				if(_t50 == 0) {
					_t52 =  *((intOrPtr*)(_t51 + 0x10))();
					_push(L"Item(s) availability state is \"Error\". Exiting setup.");
					_push(0);
				} else {
					_t57 =  *((intOrPtr*)(_t51 + 0x50))();
					_t107 = _t57;
					_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x70))));
					_push(_t90 + 0x178);
					if(_t57 != 0) {
						 *_t58();
						_t52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac)))) + 0x10))();
						_push(L"Launching Download operation. Install operation will follow after download is complete.");
					} else {
						 *_t58(); // executed
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x70))))))(_t90 + 0x188); // executed
						_t52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac)))) + 0x10))();
						_push(L"Launching Download and Install operations simultaneously.");
					}
					_push(4);
				}
				 *((intOrPtr*)( *_t52 + 4))();
				return E6B14F532( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x1ac)))) + 0x14))(5),  *_t52, _t90, _t96, _t107);
			}

0x6b14a6a6
0x6b14a6aa
0x6b14a6b6
0x6b14a6be
0x6b14a6ca
0x6b14a6ca
0x6b14a6dc
0x6b14a6e2
0x6b14a6e4
0x6b14a6e8
0x6b14a6f1
0x6b14a6f1
0x6b14a6fb
0x6b14a70b
0x6b14a711
0x6b14a711
0x6b14a71b
0x6b14a721
0x6b14a723
0x6b14a725
0x6b14a727
0x6b14a730
0x6b14a730
0x6b14a736
0x6b14a747
0x6b14a751
0x6b14a757
0x6b14a75f
0x6b14a76c
0x6b14a778
0x6b14a77f
0x6b14a788
0x6b14a790
0x6b14a792
0x6b14a7df
0x6b14a7e2
0x6b14a7e7
0x6b14a794
0x6b14a794
0x6b14a7a0
0x6b14a7a2
0x6b14a7a4
0x6b14a7a5
0x6b14a7cb
0x6b14a7d5
0x6b14a7d8
0x6b14a7a7
0x6b14a7a7
0x6b14a7b5
0x6b14a7bf
0x6b14a7c2
0x6b14a7c2
0x6b14a7c7
0x6b14a7c7
0x6b14a7ed
0x6b14a808

APIs

Part of subcall function 6B14A214: __CxxThrowException@8.LIBCMT ref: 6B14A228

GetDlgItem.USER32 ref: 6B14A6E2
SetPropW.USER32(00000000,RotatingIconDisplayTHIS,?), ref: 6B14A6F1
SetTimer.USER32(?,00000002,000003E8,Function_0001A051), ref: 6B14A70B
GetDlgItem.USER32 ref: 6B14A721
SetPropW.USER32(00000000,RotatingIconDisplayTHIS,?), ref: 6B14A730
GetDlgItem.USER32 ref: 6B14A740
GetDlgItem.USER32 ref: 6B14A751

Strings

Launching Download and Install operations simultaneously., xrefs: 6B14A7C2
RotatingIconDisplayTHIS, xrefs: 6B14A6EB, 6B14A72A
Item(s) availability state is "Error". Exiting setup., xrefs: 6B14A7E2
Launching Download operation. Install operation will follow after download is complete., xrefs: 6B14A7D8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Item$Prop$Exception@8ThrowTimer
String ID: Item(s) availability state is "Error". Exiting setup.$Launching Download and Install operations simultaneously.$Launching Download operation. Install operation will follow after download is complete.$RotatingIconDisplayTHIS
API String ID: 3010864479-2919304341
Opcode ID: 5f92c75991f8cf2dc7184a32d73ca0a9d9f6938b9248e33878e0346ac6ea69b9
Instruction ID: 1a0d6003dd304b46aabd0938ab9c886b10f376119095eccc6e9696f0c6942298
Opcode Fuzzy Hash: 5f92c75991f8cf2dc7184a32d73ca0a9d9f6938b9248e33878e0346ac6ea69b9
Instruction Fuzzy Hash: 08418935700602BFDB149F74C888E86F7B5FF1A306F0141A8E66ADB2A1DB35E810CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B14BF84 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6B14BF84(void* __ecx, void* __edi, struct HWND__* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				struct tagMENUITEMINFOW _v52;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct HWND__* _t33;
				int _t34;
				long _t38;
				void* _t44;
				intOrPtr _t47;

				_t38 = GetWindowLongW(_a4, 0xffffffeb);
				if(_a8 == 0x1c) {
					__eflags = _a12;
					if(_a12 != 0) {
						L10:
						return  *((intOrPtr*)(_t38 + 0x900))(_a4, _a8, _a12, _a16);
					}
					PostMessageW(_a4, 0x67c, 0, 0);
					L14:
					return 0;
				}
				if(_a8 == 0x112) {
					__eflags = _a12 - 0xf060;
					if(_a12 != 0xf060) {
						goto L10;
					}
					E6B15AF90( &(_v52.fMask), 0, 0x2c);
					_v52.cbSize = 0x30;
					_v52.fMask = 1;
					GetMenuItemInfoW(GetSystemMenu(_a4, 0), 0xf060, 0,  &_v52);
					__eflags = _v52.fState & 0x00000003;
					if((_v52.fState & 0x00000003) != 0) {
						goto L14;
					}
					goto L10;
				}
				if(_a8 != 0x67c) {
					goto L10;
				} else {
					_t33 = GetForegroundWindow();
					if(_t33 != 0 && _t33 != _a4) {
						_t34 = IsWindowVisible(_t33);
						_t47 =  *((intOrPtr*)(_t38 + 0x8f8));
						_t55 = _t34;
						if(_t34 != 0) {
							_push(L"WM_ACTIVATEAPP: Focus stealer\'s windows WAS visible, NOT taking back focus");
							_push(4);
							E6B13B93E(_t38, _t44, __edi, _t47, __eflags);
						} else {
							_push(L"WM_ACTIVATEAPP: Focus stealer\'s windows was NOT visible, taking back focus");
							_push(4);
							E6B13B93E(_t38, _t44, __edi, _t47, _t55);
							SetForegroundWindow(_a4);
						}
					}
					goto L14;
				}
			}

0x6b14bf9d
0x6b14bf9f
0x6b14c06e
0x6b14c072
0x6b14c056
0x00000000
0x6b14c062
0x6b14c080
0x6b14c086
0x00000000
0x6b14c086
0x6b14bfac
0x6b14c014
0x6b14c017
0x00000000
0x00000000
0x6b14c021
0x6b14c035
0x6b14c03c
0x6b14c04a
0x6b14c050
0x6b14c054
0x00000000
0x00000000
0x00000000
0x6b14c054
0x6b14bfb5
0x00000000
0x6b14bfbb
0x6b14bfbb
0x6b14bfc3
0x6b14bfd3
0x6b14bfd9
0x6b14bfdf
0x6b14bfe1
0x6b14bfff
0x6b14c004
0x6b14c006
0x6b14bfe3
0x6b14bfe3
0x6b14bfe8
0x6b14bfea
0x6b14bff4
0x6b14bff4
0x6b14bfe1
0x00000000
0x6b14bfc3

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6B14BF93
GetForegroundWindow.USER32 ref: 6B14BFBB
SetForegroundWindow.USER32(?), ref: 6B14BFF4
IsWindowVisible.USER32(?), ref: 6B14BFD3

Part of subcall function 6B13B93E: __EH_prolog3.LIBCMT ref: 6B13B945

_memset.LIBCMT ref: 6B14C021
GetSystemMenu.USER32(?,00000000,0000F060,00000000,?), ref: 6B14C043
GetMenuItemInfoW.USER32(00000000), ref: 6B14C04A
PostMessageW.USER32(?,0000067C,00000000,00000000), ref: 6B14C080

Strings

WM_ACTIVATEAPP: Focus stealer's windows was NOT visible, taking back focus, xrefs: 6B14BFE3
0, xrefs: 6B14C035
WM_ACTIVATEAPP: Focus stealer's windows WAS visible, NOT taking back focus, xrefs: 6B14BFFF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$ForegroundMenu$H_prolog3InfoItemLongMessagePostSystemVisible_memset
String ID: 0$WM_ACTIVATEAPP: Focus stealer's windows WAS visible, NOT taking back focus$WM_ACTIVATEAPP: Focus stealer's windows was NOT visible, taking back focus
API String ID: 105400089-2282623533
Opcode ID: f40c30461fe5e301e1726b89c77fb46b991aaa5b43fd54cdac60056e7b4a9f88
Instruction ID: 775b6637e5aae60eef52e65396ca3ae2a7caa0186b1d78248ccef3289eb5d3c0
Opcode Fuzzy Hash: f40c30461fe5e301e1726b89c77fb46b991aaa5b43fd54cdac60056e7b4a9f88
Instruction Fuzzy Hash: E821AE75944319FFEF205F74CC09F8E3B78AB147A5F108425FA18AA0D0E7B99564CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6B156EE2 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 369
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B156EE2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t175;
				intOrPtr* _t177;
				void* _t186;
				intOrPtr* _t189;
				void* _t200;
				intOrPtr _t201;
				intOrPtr* _t206;
				intOrPtr* _t207;
				void* _t221;
				void* _t222;
				intOrPtr* _t225;
				intOrPtr* _t226;
				void* _t240;
				void* _t241;
				intOrPtr* _t244;
				intOrPtr* _t245;
				void* _t259;
				intOrPtr* _t263;
				void* _t277;
				void* _t278;
				intOrPtr* _t281;
				intOrPtr* _t282;
				void* _t296;
				void* _t297;
				intOrPtr* _t299;
				intOrPtr* _t300;
				intOrPtr _t325;
				char* _t326;
				intOrPtr* _t365;
				intOrPtr* _t377;
				void* _t378;
				void* _t379;
				void* _t381;

				_t381 = __eflags;
				_t358 = __edx;
				_push(0x44);
				E6B16265B(0x6b167c4a, __ebx, __edi, __esi);
				_t377 =  *((intOrPtr*)(_t378 + 8));
				 *(_t378 - 4) =  *(_t378 - 4) & 0x00000000;
				_t325 =  *((intOrPtr*)(_t378 + 0x14));
				_push(_t378 - 0x10);
				 *_t377 = 0x6b13755c;
				 *((intOrPtr*)(_t377 + 4)) = _t325;
				E6B14E8E8(L"ResourceDll", _t377, _t381);
				 *(_t378 - 4) = 1;
				_t175 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t325, _t378 - 0x28, _t378 - 0x10);
				_push(_t325);
				_push(_t377 + 8);
				 *(_t378 - 4) = 2;
				E6B1431A0(_t325, _t175, __edx, L"ResourceDll", _t377, _t381); // executed
				 *(_t378 - 4) = 4;
				_t177 =  *((intOrPtr*)(_t378 - 0x28));
				_t382 = _t177;
				if(_t177 != 0) {
					 *((intOrPtr*)( *_t177 + 8))(_t177);
				}
				 *(_t378 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t378 - 0x10)) + 0xfffffff0, _t358);
				_t326 = L"Windows";
				_push(_t378 - 0x14);
				E6B14E8E8(_t326, _t377, _t382);
				 *(_t378 - 4) = 6;
				_t186 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x34, _t378 - 0x14);
				 *(_t378 - 4) = 7;
				E6B142B11(_t326, _t358, _t326, _t377, _t382, _t377 + 0x18, _t186,  *((intOrPtr*)(_t378 + 0x14))); // executed
				 *(_t378 - 4) = 9;
				_t189 =  *((intOrPtr*)(_t378 - 0x34));
				_t383 = _t189;
				if(_t189 != 0) {
					 *((intOrPtr*)( *_t189 + 8))(_t189);
				}
				 *(_t378 - 4) = 0xa;
				E6B158460( *((intOrPtr*)(_t378 - 0x14)) + 0xfffffff0, _t358);
				_push(_t378 - 0x18);
				E6B14E8E8(L"WelcomePage", _t377, _t383);
				_push(_t378 - 0x10);
				 *(_t378 - 4) = 0xb;
				E6B14E8E8(_t326, _t377, _t383);
				 *(_t378 - 4) = 0xc;
				_t200 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x40, _t378 - 0x10);
				 *(_t378 - 4) = 0xd;
				_t201 = E6B13D65F(_t200, _t326, _t378 - 0x28, _t378 - 0x18);
				 *((intOrPtr*)(_t378 - 0x1c)) = _t201;
				_push( *((intOrPtr*)(_t378 + 0x14)));
				_t365 = _t377 + 0x30;
				_push(_t201);
				_t44 = _t365 + 4; // 0x5
				 *(_t378 - 4) = 0xe;
				 *((intOrPtr*)(_t378 - 0x14)) = _t365;
				E6B143AD4(_t326, _t378 - 0x28, _t358, _t365, _t377, _t383);
				_t47 = _t365 + 0x3c; // 0x3d
				 *(_t378 - 4) = 0xf;
				E6B14396A(_t326,  *((intOrPtr*)(_t378 - 0x1c)), _t358, _t365, _t377, _t383);
				 *_t365 = 0x6b137374;
				 *(_t378 - 4) = 0x11;
				_t206 =  *((intOrPtr*)(_t378 - 0x28));
				if(_t206 != 0) {
					 *((intOrPtr*)( *_t206 + 8))(_t206);
				}
				 *(_t378 - 4) = 0x12;
				_t207 =  *((intOrPtr*)(_t378 - 0x40));
				_t385 = _t207;
				if(_t207 != 0) {
					 *((intOrPtr*)( *_t207 + 8))(_t207);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x10)) + 0xfffffff0, _t358);
				 *(_t378 - 4) = 0x14;
				E6B158460( *((intOrPtr*)(_t378 - 0x18)) + 0xfffffff0, _t358);
				_push(_t378 - 0x1c);
				E6B14E8E8(L"EulaPage", _t377, _t385);
				_push(_t378 - 0x14);
				 *(_t378 - 4) = 0x15;
				E6B14E8E8(_t326, _t377, _t385);
				 *(_t378 - 4) = 0x16;
				_t221 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x4c, _t378 - 0x14);
				 *(_t378 - 4) = 0x17;
				_t222 = E6B13D65F(_t221, _t326, _t378 - 0x34, _t378 - 0x1c);
				_push( *((intOrPtr*)(_t378 + 0x14)));
				 *(_t378 - 4) = 0x18;
				_push(_t222);
				_push(_t377 + 0xa8);
				E6B1445DE(_t326, _t378 - 0x34, _t358, _t326, _t377, _t385);
				 *(_t378 - 4) = 0x1a;
				_t225 =  *((intOrPtr*)(_t378 - 0x34));
				if(_t225 != 0) {
					 *((intOrPtr*)( *_t225 + 8))(_t225);
				}
				 *(_t378 - 4) = 0x1b;
				_t226 =  *((intOrPtr*)(_t378 - 0x4c));
				_t387 = _t226;
				if(_t226 != 0) {
					 *((intOrPtr*)( *_t226 + 8))(_t226);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x14)) + 0xfffffff0, _t358);
				 *(_t378 - 4) = 0x1d;
				E6B158460( *((intOrPtr*)(_t378 - 0x1c)) + 0xfffffff0, _t358);
				_push(_t378 - 0x10);
				E6B14E8E8(L"ProgressPage", _t377, _t387);
				_push(_t378 - 0x18);
				 *(_t378 - 4) = 0x1e;
				E6B14E8E8(_t326, _t377, _t387);
				 *(_t378 - 4) = 0x1f;
				_t240 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x28, _t378 - 0x18);
				 *(_t378 - 4) = 0x20;
				_t241 = E6B13D65F(_t240, _t326, _t378 - 0x40, _t378 - 0x10);
				_push( *((intOrPtr*)(_t378 + 0x14)));
				 *(_t378 - 4) = 0x21;
				_push(_t241);
				_push(_t377 + 0x1b8);
				E6B144E46(_t326, _t358, _t326, _t377, _t387);
				 *(_t378 - 4) = 0x23;
				_t244 =  *((intOrPtr*)(_t378 - 0x40));
				if(_t244 != 0) {
					 *((intOrPtr*)( *_t244 + 8))(_t244);
				}
				 *(_t378 - 4) = 0x24;
				_t245 =  *((intOrPtr*)(_t378 - 0x28));
				_t389 = _t245;
				if(_t245 != 0) {
					 *((intOrPtr*)( *_t245 + 8))(_t245);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x18)) + 0xfffffff0, _t358);
				 *(_t378 - 4) = 0x26;
				E6B158460( *((intOrPtr*)(_t378 - 0x10)) + 0xfffffff0, _t358);
				_push(_t378 - 0x14);
				E6B14E8E8(L"FinishPage", _t377, _t389);
				_push(_t378 - 0x1c);
				 *(_t378 - 4) = 0x27;
				E6B14E8E8(_t326, _t377, _t389);
				_push( *((intOrPtr*)(_t378 + 0x14)));
				 *(_t378 - 4) = 0x28;
				_t259 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x4c, _t378 - 0x1c);
				 *(_t378 - 4) = 0x29;
				 *((intOrPtr*)(_t378 - 0x18)) = _t379 - 0xc;
				_t359 = _t378 - 0x14;
				E6B13D65F(_t259, _t326, _t379 - 0xc, _t378 - 0x14);
				_push(_t377 + 0x348); // executed
				E6B145163(_t326, _t378 - 0x14, _t326, _t377, _t389); // executed
				 *(_t378 - 4) = 0x2b;
				_t263 =  *((intOrPtr*)(_t378 - 0x4c));
				_t390 = _t263;
				if(_t263 != 0) {
					 *((intOrPtr*)( *_t263 + 8))(_t263);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x1c)) + 0xfffffff0, _t359);
				 *(_t378 - 4) = 0x2d;
				E6B158460( *((intOrPtr*)(_t378 - 0x14)) + 0xfffffff0, _t359);
				_push(_t378 - 0x10);
				E6B14E8E8(L"MaintenanceModePage", _t377, _t390);
				_push(_t378 - 0x18);
				 *(_t378 - 4) = 0x2e;
				E6B14E8E8(_t326, _t377, _t390);
				 *(_t378 - 4) = 0x2f;
				_t277 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x34, _t378 - 0x18);
				 *(_t378 - 4) = 0x30;
				_t278 = E6B13D65F(_t277, _t326, _t378 - 0x40, _t378 - 0x10);
				_push( *((intOrPtr*)(_t378 + 0x14)));
				 *(_t378 - 4) = 0x31;
				_push(_t278);
				_push(_t377 + 0xa64);
				E6B1460C9(_t326, _t359, _t326, _t377, _t390);
				 *(_t378 - 4) = 0x33;
				_t281 =  *((intOrPtr*)(_t378 - 0x40));
				if(_t281 != 0) {
					 *((intOrPtr*)( *_t281 + 8))(_t281);
				}
				 *(_t378 - 4) = 0x34;
				_t282 =  *((intOrPtr*)(_t378 - 0x34));
				_t392 = _t282;
				if(_t282 != 0) {
					 *((intOrPtr*)( *_t282 + 8))(_t282);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x18)) + 0xfffffff0, _t359);
				 *(_t378 - 4) = 0x36;
				E6B158460( *((intOrPtr*)(_t378 - 0x10)) + 0xfffffff0, _t359);
				_push(_t378 - 0x14);
				E6B14E8E8(L"SystemRequirementsPage", _t377, _t392);
				_push(_t378 - 0x1c);
				_t375 = _t326;
				 *(_t378 - 4) = 0x37;
				E6B14E8E8(_t326, _t377, _t392);
				 *(_t378 - 4) = 0x38;
				_t296 = E6B13D65F( *((intOrPtr*)(_t378 + 0xc)), _t326, _t378 - 0x28, _t378 - 0x1c);
				 *(_t378 - 4) = 0x39;
				_t297 = E6B13D65F(_t296, _t326, _t378 - 0x4c, _t378 - 0x14);
				_push( *((intOrPtr*)(_t378 + 0x14)));
				_push(_t377 + 0xca8);
				_t327 = _t297;
				 *(_t378 - 4) = 0x3a;
				E6B144B2A(_t297, _t377 + 0xca8, _t359, _t326, _t377, _t392);
				 *(_t378 - 4) = 0x3c;
				_t299 =  *((intOrPtr*)(_t378 - 0x4c));
				if(_t299 != 0) {
					 *((intOrPtr*)( *_t299 + 8))(_t299);
				}
				 *(_t378 - 4) = 0x3d;
				_t300 =  *((intOrPtr*)(_t378 - 0x28));
				if(_t300 != 0) {
					 *((intOrPtr*)( *_t300 + 8))(_t300);
				}
				E6B158460( *((intOrPtr*)(_t378 - 0x1c)) + 0xfffffff0, _t359);
				 *(_t378 - 4) = 0x3f;
				E6B158460( *((intOrPtr*)(_t378 - 0x14)) + 0xfffffff0, _t359);
				_push( *((intOrPtr*)(_t378 + 0x10)));
				E6B146199(_t327,  *((intOrPtr*)(_t378 + 0x14)), _t359, _t375, _t377,  *((intOrPtr*)(_t378 - 0x14)) + 0xfffffff0, _t377 + 0xddc); // executed
				return E6B162709(_t377);
			}

0x6b156ee2
0x6b156ee2
0x6b156ee2
0x6b156ee9
0x6b156eee
0x6b156ef1
0x6b156ef5
0x6b156efb
0x6b156f01
0x6b156f07
0x6b156f0a
0x6b156f1a
0x6b156f1e
0x6b156f23
0x6b156f27
0x6b156f2a
0x6b156f2e
0x6b156f33
0x6b156f37
0x6b156f3a
0x6b156f3c
0x6b156f41
0x6b156f41
0x6b156f44
0x6b156f4e
0x6b156f56
0x6b156f5b
0x6b156f5e
0x6b156f6e
0x6b156f72
0x6b156f7a
0x6b156f83
0x6b156f88
0x6b156f8c
0x6b156f8f
0x6b156f91
0x6b156f96
0x6b156f96
0x6b156f99
0x6b156fa3
0x6b156fab
0x6b156fb1
0x6b156fb9
0x6b156fbc
0x6b156fc0
0x6b156fd0
0x6b156fd4
0x6b156fe1
0x6b156fe5
0x6b156fea
0x6b156fed
0x6b156ff0
0x6b156ff3
0x6b156ff4
0x6b156ff7
0x6b156ffc
0x6b156fff
0x6b157004
0x6b157007
0x6b15700f
0x6b157014
0x6b15701a
0x6b15701e
0x6b157023
0x6b157028
0x6b157028
0x6b15702b
0x6b15702f
0x6b157032
0x6b157034
0x6b157039
0x6b157039
0x6b157042
0x6b157047
0x6b157051
0x6b157059
0x6b15705f
0x6b157067
0x6b15706a
0x6b15706e
0x6b15707e
0x6b157082
0x6b15708f
0x6b157093
0x6b157098
0x6b15709b
0x6b15709f
0x6b1570a6
0x6b1570a7
0x6b1570ac
0x6b1570b0
0x6b1570b5
0x6b1570ba
0x6b1570ba
0x6b1570bd
0x6b1570c1
0x6b1570c4
0x6b1570c6
0x6b1570cb
0x6b1570cb
0x6b1570d4
0x6b1570d9
0x6b1570e3
0x6b1570eb
0x6b1570f1
0x6b1570f9
0x6b1570fc
0x6b157100
0x6b157110
0x6b157114
0x6b157121
0x6b157125
0x6b15712a
0x6b15712d
0x6b157131
0x6b157138
0x6b157139
0x6b15713e
0x6b157142
0x6b157147
0x6b15714c
0x6b15714c
0x6b15714f
0x6b157153
0x6b157156
0x6b157158
0x6b15715d
0x6b15715d
0x6b157166
0x6b15716b
0x6b157175
0x6b15717d
0x6b157183
0x6b15718b
0x6b15718e
0x6b157192
0x6b157197
0x6b1571a5
0x6b1571a9
0x6b1571b1
0x6b1571b7
0x6b1571ba
0x6b1571bf
0x6b1571ca
0x6b1571cb
0x6b1571d0
0x6b1571d4
0x6b1571d7
0x6b1571d9
0x6b1571de
0x6b1571de
0x6b1571e7
0x6b1571ec
0x6b1571f6
0x6b1571fe
0x6b157204
0x6b15720c
0x6b15720f
0x6b157213
0x6b157223
0x6b157227
0x6b157234
0x6b157238
0x6b15723d
0x6b157240
0x6b157244
0x6b15724b
0x6b15724c
0x6b157251
0x6b157255
0x6b15725a
0x6b15725f
0x6b15725f
0x6b157262
0x6b157266
0x6b157269
0x6b15726b
0x6b157270
0x6b157270
0x6b157279
0x6b15727e
0x6b157288
0x6b157290
0x6b157296
0x6b15729e
0x6b15729f
0x6b1572a1
0x6b1572a5
0x6b1572b5
0x6b1572b9
0x6b1572c6
0x6b1572ca
0x6b1572cf
0x6b1572d8
0x6b1572d9
0x6b1572db
0x6b1572df
0x6b1572e4
0x6b1572e8
0x6b1572ed
0x6b1572f2
0x6b1572f2
0x6b1572f5
0x6b1572f9
0x6b1572fe
0x6b157303
0x6b157303
0x6b15730c
0x6b157311
0x6b15731b
0x6b157320
0x6b15732d
0x6b157339

APIs

__EH_prolog3.LIBCMT ref: 6B156EE9

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B1431A0: __EH_prolog3.LIBCMT ref: 6B1431A7
Part of subcall function 6B1431A0: _wcschr.LIBCMT ref: 6B1431E8
Part of subcall function 6B1431A0: __CxxThrowException@8.LIBCMT ref: 6B1432A2
Part of subcall function 6B1431A0: PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6B156F33,?,?,00000000,00000044,6B15668B,?,00000000,00000000,?,?,succeeded), ref: 6B1432B9
Part of subcall function 6B1431A0: PathFileExistsW.SHLWAPI(00000000,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B1432C6

Part of subcall function 6B1445DE: __EH_prolog3.LIBCMT ref: 6B1445E5

Part of subcall function 6B1460C9: __EH_prolog3.LIBCMT ref: 6B1460D0

Strings

?, xrefs: 6B157311
MaintenanceModePage, xrefs: 6B1571FF
ProgressPage, xrefs: 6B1570EC
ResourceDll, xrefs: 6B156EFC
WelcomePage, xrefs: 6B156FAC
EulaPage, xrefs: 6B15705A
SystemRequirementsPage, xrefs: 6B157291
Windows, xrefs: 6B156F56
FinishPage, xrefs: 6B15717E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$Exception@8ExistsFileRelativeThrow_wcschr
String ID: ?$EulaPage$FinishPage$MaintenanceModePage$ProgressPage$ResourceDll$SystemRequirementsPage$WelcomePage$Windows
API String ID: 1182493169-944454811
Opcode ID: faa53c880db6d95439ef49aa1673c7bbd779036f23a2caba1bad2e2b9de1bdd2
Instruction ID: 0ce14d0fad8d5a4746dfd2bbdf3404500284113b15a98dfc7fc1bab7b7b3301b
Opcode Fuzzy Hash: faa53c880db6d95439ef49aa1673c7bbd779036f23a2caba1bad2e2b9de1bdd2
Instruction Fuzzy Hash: B3F13CB290014DEFDF01CBF8C945BEEBBB8AF09318F144199E564E7281DB389A45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B1431A0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6B1431A0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				char** _t78;
				int _t96;
				signed int _t99;
				intOrPtr* _t104;
				void* _t112;
				void* _t132;
				intOrPtr _t135;
				intOrPtr* _t150;
				intOrPtr* _t176;
				void* _t178;
				void* _t179;
				void* _t181;

				_t181 = __eflags;
				_t170 = __edx;
				_push(0x28);
				E6B16265B(0x6b1665ae, __ebx, __edi, __esi);
				 *(_t178 - 0x1c) =  *(_t178 - 0x1c) & 0x00000000;
				_t159 = _t178 - 0x1c;
				_t78 = E6B13D76F(_t178 - 0x1c, __edi, __ecx, _t181);
				_t175 = 0;
				_t162 = _t178 - 0x10;
				 *((intOrPtr*)(_t178 - 4)) = 0;
				_t172 =  *_t78;
				_push(_t178 - 0x10);
				E6B14E8E8( *_t78, 0, _t181);
				 *((char*)(_t178 - 4)) = 2;
				E6B158460( *(_t178 - 0x1c) + 0xfffffff0, _t170);
				_t83 =  *(_t178 - 0x10);
				if( *((intOrPtr*)( *(_t178 - 0x10) - 0xc)) > 0) {
					_t132 = E6B15975E(_t83, 0x5c);
					_pop(_t162);
					if(_t132 != 0) {
						_t184 = _t132 -  *(_t178 - 0x10) >> 1 - 0xffffffff;
						if(_t132 -  *(_t178 - 0x10) >> 1 != 0xffffffff) {
							_t135 =  *0x6b16fe10; // 0x6b1333ec
							 *((intOrPtr*)(_t178 + 8)) =  *((intOrPtr*)(_t135 + 0xc))() + 0x10;
							 *((char*)(_t178 - 4)) = 3;
							E6B1580BA(_t178 + 8, L"UiInfo.xml has INVALID ResourceDLLName %s",  *(_t178 - 0x10));
							_t179 = _t179 + 0xc;
							_t172 = L"UIInfo.xml";
							E6B14E8E8(L"UIInfo.xml", 0, _t184);
							 *((char*)(_t178 - 4)) = 4;
							E6B13CA39(_t159, 0x6b16fe10, _t170, L"UIInfo.xml", 0, _t184);
							 *((char*)(_t178 - 4)) = 6;
							E6B158460( &(( *(_t178 - 0x14))[0xfffffffffffffff8]), _t170);
							_t150 = E6B13CAC2(_t159, _t178 - 0x34, _t170, L"UIInfo.xml", 0, _t184);
							 *((char*)(_t178 - 4)) = 7;
							_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc))));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))) + 4))(0,  *_t150, _t178 - 0x1c, _t178 - 0x34, _t178 + 8, _t178 - 0x14, _t178 - 0x14);
							 *((char*)(_t178 - 4)) = 6;
							_t185 =  *(_t178 - 0x1c) + 0xfffffff0;
							E6B158460( *(_t178 - 0x1c) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))));
							_push(_t178 - 0x34);
							_t162 = _t178 - 0x28;
							E6B13D170(_t159, _t178 - 0x28, _t172, 0,  *(_t178 - 0x1c) + 0xfffffff0);
							_push(0x6b1682a0);
							_t112 = _t178 - 0x28;
							L4:
							_push(_t112);
							E6B15DBDB();
						}
					}
				}
				_push(_t178 - 0x24);
				_t176 = E6B141E75(_t159, _t162, _t170, _t172, _t175, _t185);
				 *((char*)(_t178 - 4)) = 8;
				if(PathIsRelativeW( *(_t178 - 0x10)) != 0) {
					 *(_t178 - 0x14) = E6B1583FD( *_t176 - 0x10) + 0x10;
					 *((char*)(_t178 - 4)) = 9;
					E6B14F21D(_t178 - 0x14,  *((intOrPtr*)(_t176 + 4)));
					E6B14F21D(_t178 - 0x14,  *(_t178 - 0x10));
					_t159 =  *(_t178 - 0x14);
					_t176 = PathFileExistsW;
					PathFileExistsW(_t159); // executed
					_t96 = PathFileExistsW(_t159); // executed
					__eflags = _t96;
					if(_t96 == 0) {
						 *((char*)(_t178 - 4)) = 8;
						E6B158460(_t159 - 0x10, _t170);
						_t99 = 0;
						__eflags = 0;
						goto L10;
					} else {
						_t172 = _t178 - 0x10;
						E6B14EA8D(_t178 - 0x14, _t178 - 0x10);
						 *((char*)(_t178 - 4)) = 8;
						E6B158460(_t159 - 0x10, _t170);
					}
				} else {
					_t99 = PathFileExistsW( *(_t178 - 0x10)) & 0xffffff00 | _t131 != 0x00000000;
					L10:
					_t188 = _t99;
					if(_t99 == 0) {
						E6B13C9BB(_t159, _t162, _t172, _t176, __eflags);
						_t175 = 0x6b136e38;
						 *((intOrPtr*)(_t178 - 0x18)) = 0x6b136e38;
						 *((char*)(_t178 - 4)) = 0xa;
						_t104 = E6B13CB96(_t159, _t178 - 0x18, _t170, _t172, 0x6b136e38, __eflags);
						 *((char*)(_t178 - 4)) = 0xb;
						_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc))));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))) + 4))(0,  *_t104, _t178 + 8, _t178 - 0x18, _t178 - 0x10);
						 *((char*)(_t178 - 4)) = 0xa;
						E6B158460( *((intOrPtr*)(_t178 + 8)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xc)))));
						_push(_t178 - 0x18);
						_t162 = _t178 - 0x30;
						E6B13D1B4(_t159, _t178 - 0x30, _t172, 0x6b136e38, __eflags);
						 *((intOrPtr*)(_t178 - 0x30)) = 0x6b136e38;
						_push(0x6b168364);
						_t112 = _t178 - 0x30;
						goto L4;
					}
				}
				_push( *(_t178 - 0x10));
				_t177 =  *((intOrPtr*)(_t178 + 0xc));
				_push(L"Successfuly found file %s ");
				_push(4); // executed
				E6B13B93E(_t159, _t170, _t172,  *((intOrPtr*)(_t178 + 0xc)), _t188); // executed
				 *((char*)(_t178 - 4)) = 2;
				E6B158460( *((intOrPtr*)(_t178 - 0x20)) + 0xfffffff0, _t170);
				E6B158460( *((intOrPtr*)(_t178 - 0x24)) + 0xfffffff0, _t170);
				_push( *((intOrPtr*)(_t178 + 8)));
				E6B1433F3(_t178 - 0x10,  *((intOrPtr*)(_t178 + 0xc)), _t170, _t172, _t177, _t188); // executed
				E6B158460( &(( *(_t178 - 0x10))[0xfffffffffffffff8]), _t170);
				return E6B162709( *((intOrPtr*)(_t178 + 8)));
			}

0x6b1431a0
0x6b1431a0
0x6b1431a0
0x6b1431a7
0x6b1431ac
0x6b1431b0
0x6b1431b5
0x6b1431ba
0x6b1431bc
0x6b1431bf
0x6b1431c2
0x6b1431c4
0x6b1431c5
0x6b1431ca
0x6b1431d4
0x6b1431d9
0x6b1431df
0x6b1431e8
0x6b1431ee
0x6b1431f1
0x6b1431fc
0x6b1431ff
0x6b143205
0x6b143215
0x6b143218
0x6b143228
0x6b14322d
0x6b143234
0x6b143239
0x6b14324a
0x6b14324e
0x6b143253
0x6b14325d
0x6b143269
0x6b143271
0x6b143277
0x6b14327b
0x6b14327e
0x6b143285
0x6b143288
0x6b143290
0x6b143291
0x6b143294
0x6b143299
0x6b14329e
0x6b1432a1
0x6b1432a1
0x6b1432a2
0x6b1432a2
0x6b1431ff
0x6b1431f1
0x6b1432aa
0x6b1432b0
0x6b1432b2
0x6b1432c1
0x6b1432e0
0x6b1432e3
0x6b1432ed
0x6b1432f8
0x6b1432fd
0x6b143300
0x6b143307
0x6b14330a
0x6b14330c
0x6b14330e
0x6b14332c
0x6b143330
0x6b143335
0x6b143335
0x00000000
0x6b143310
0x6b143313
0x6b143316
0x6b14331e
0x6b143322
0x6b143322
0x6b1432c3
0x6b1432ce
0x6b143337
0x6b143337
0x6b143339
0x6b143395
0x6b14339a
0x6b14339f
0x6b1433a9
0x6b1433ad
0x6b1433b5
0x6b1433bb
0x6b1433c0
0x6b1433c3
0x6b1433cd
0x6b1433d5
0x6b1433d6
0x6b1433d9
0x6b1433de
0x6b1433e1
0x6b1433e6
0x00000000
0x6b1433e6
0x6b143339
0x6b14333b
0x6b14333e
0x6b143341
0x6b143346
0x6b143348
0x6b14334d
0x6b14335a
0x6b143365
0x6b14336a
0x6b143372
0x6b14337d
0x6b14338a

APIs

__EH_prolog3.LIBCMT ref: 6B1431A7

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

_wcschr.LIBCMT ref: 6B1431E8
__CxxThrowException@8.LIBCMT ref: 6B1432A2

Part of subcall function 6B15DBDB: RaiseException.KERNEL32(?,?,6B159236,?,?,?,?,?,6B159236,?,6B167F54,6B1722B4), ref: 6B15DC1D

PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6B156F33,?,?,00000000,00000044,6B15668B,?,00000000,00000000,?,?,succeeded), ref: 6B1432B9
PathFileExistsW.SHLWAPI(00000000,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B1432C6
PathFileExistsW.KERNELBASE(?,00000000,?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6B143307
PathFileExistsW.KERNELBASE(?,?,?,?,6B152A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6B14E271,00000000), ref: 6B14330A

Part of subcall function 6B13CA39: __EH_prolog3.LIBCMT ref: 6B13CA40

Part of subcall function 6B13CAC2: __EH_prolog3.LIBCMT ref: 6B13CAC9

Part of subcall function 6B13D170: __EH_prolog3.LIBCMT ref: 6B13D177

Strings

Successfuly found file %s , xrefs: 6B143341
UiInfo.xml has INVALID ResourceDLLName %s, xrefs: 6B143222
UIInfo.xml, xrefs: 6B143234

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$ExistsFile$ExceptionException@8RaiseRelativeThrow_wcschr
String ID: Successfuly found file %s $UIInfo.xml$UiInfo.xml has INVALID ResourceDLLName %s
API String ID: 1926448744-2896109536
Opcode ID: 51aa714d33d06fc9ac52a4726c8d290c4928af23c00add0f827e8aedadec29dc
Instruction ID: 8d79339ab8dd2028ef4ef294f29744d16d7d1aa527f68b8bdd1783487189ae63
Opcode Fuzzy Hash: 51aa714d33d06fc9ac52a4726c8d290c4928af23c00add0f827e8aedadec29dc
Instruction Fuzzy Hash: 0B7140B2900159FFCF00DBF8C985AEEBBB8BF05318F144555E424B7281EB38AA15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B148A1A Relevance: 16.7, APIs: 11, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B148A1A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t70;
				struct HWND__* _t78;
				void* _t104;
				intOrPtr* _t113;
				intOrPtr* _t119;
				void* _t122;
				void* _t126;
				void* _t137;
				intOrPtr* _t141;
				void* _t171;
				struct HWND__** _t176;
				void* _t178;
				void* _t181;
				struct HWND__* _t182;
				void* _t183;

				_t183 = __eflags;
				E6B16265B(0x6b16598d, __ebx, __edi, __esi);
				_t178 = __ecx;
				 *( *((intOrPtr*)(__ecx + 0x68)) + 4) = 0x67;
				 *(_t181 - 0x10) = GetTickCount();
				E6B148C2A(GetTickCount, _t171, __edi, _t178, _t183); // executed
				_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x12c)))) + 0x14))(0x2c);
				 *(_t181 - 0x14) = _t70;
				 *((intOrPtr*)(_t70->i + 0x10))(GetTickCount() -  *(_t181 - 0x10));
				if( *((char*)(_t178 + 0x128)) == 0) {
					_t141 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0x20))();
					_t176 = _t178 + 4;
					 *(_t181 - 0x10) =  *_t176;
					_t78 =  *((intOrPtr*)( *_t141 + 0x20))();
					 *(_t181 - 0x14) = _t78;
					SetWindowTextW( *(_t178 + 0x104),  *( *(_t78->i)()));
					E6B13EDE8( *(_t181 - 0x14) + 4, _t181 - 0x10,  *(_t178 + 0x104));
					 *(_t181 - 0x14) =  *((intOrPtr*)( *_t141 + 0x24))();
					E6B13EDE8( *(_t181 - 0x14), _t181 - 0x10, GetDlgItem( *(_t181 - 0x10), 0x6f));
					 *(_t181 - 0x14) =  *((intOrPtr*)( *_t141 + 0x28))();
					E6B13EDE8( *(_t181 - 0x14), _t181 - 0x10, GetDlgItem( *(_t181 - 0x10), 0x70));
					 *(_t181 - 0x14) =  *(_t178 + 0x9c);
					E6B13EDE8( *((intOrPtr*)( *_t141 + 0x2c))(), _t181 - 0x10,  *(_t181 - 0x14));
					 *(_t181 - 0x14) =  *(_t178 + 0xd0);
					E6B13EDE8( *((intOrPtr*)( *_t141 + 0x30))(), _t181 - 0x10,  *(_t181 - 0x14));
					 *(_t181 - 0x14) =  *_t176;
					_t104 =  *((intOrPtr*)( *_t141 + 0x38))();
					_t173 =  *((intOrPtr*)( *_t141 + 0x34))();
					E6B151601(_t178 + 0x148, _t106, __eflags,  *(_t181 - 0x14), _t104);
					__eflags =  *((char*)(_t178 + 0x128));
					if( *((char*)(_t178 + 0x128)) != 0) {
						_push(3);
						_pop(1);
					}
					E6B13E389(_t176, 1);
					_t113 =  *((intOrPtr*)( *_t141 + 0x18))();
					 *(_t181 - 0x10) = _t182;
					 *(_t181 - 0x14) = _t182;
					_t182->i = E6B1583FD( *_t113 - 0x10) + 0x10;
					 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
					_t119 =  *((intOrPtr*)( *_t141 + 0x14))(_t141);
					 *(_t181 - 0x14) = _t182;
					 *(_t181 - 0x14) = _t182;
					_t122 = E6B1583FD( *_t119 - 0x10);
					 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
					_t182->i = _t122 + 0x10;
					E6B14FB4F(_t141, _t173, _t176, _t178, __eflags);
					_t126 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 4))(_t141);
					_push(_t141);
					_push(_t181 - 0x38);
					E6B13F2BE(_t126, _t173, _t176, _t178, __eflags);
					 *(_t181 - 4) = 1;
					E6B13F415(_t181 - 0x38, GetParent( *_t176));
					SetWindowLongW( *_t176, 0xfffffff4, 0x67);
					SetWindowTextW(GetParent( *_t176),  *(_t178 + 0x58));
					PostMessageW( *_t176, 0x6f5, 0, 0);
					E6B140913(_t173, _t181 - 0x38);
					_t137 = 1;
					__eflags = 1;
				} else {
					_t137 = 0;
				}
				return E6B162709(_t137);
			}

0x6b148a1a
0x6b148a21
0x6b148a26
0x6b148a31
0x6b148a3a
0x6b148a3d
0x6b148a4a
0x6b148a4f
0x6b148a5b
0x6b148a65
0x6b148a76
0x6b148a78
0x6b148a7d
0x6b148a84
0x6b148a8b
0x6b148a99
0x6b148aaf
0x6b148ac0
0x6b148ad1
0x6b148ae2
0x6b148af3
0x6b148afe
0x6b148b11
0x6b148b1c
0x6b148b2f
0x6b148b36
0x6b148b3d
0x6b148b51
0x6b148b53
0x6b148b5b
0x6b148b62
0x6b148b64
0x6b148b66
0x6b148b66
0x6b148b6a
0x6b148b73
0x6b148b7c
0x6b148b7f
0x6b148b8c
0x6b148b8e
0x6b148b96
0x6b148b9c
0x6b148ba2
0x6b148ba5
0x6b148baa
0x6b148bb3
0x6b148bb5
0x6b148bbf
0x6b148bc2
0x6b148bc6
0x6b148bc9
0x6b148bce
0x6b148be3
0x6b148bee
0x6b148bfd
0x6b148c0e
0x6b148c17
0x6b148c1e
0x6b148c1e
0x6b148a67
0x6b148a67
0x6b148a67
0x6b148c24

APIs

__EH_prolog3.LIBCMT ref: 6B148A21
GetTickCount.KERNEL32 ref: 6B148A38

Part of subcall function 6B148C2A: __EH_prolog3.LIBCMT ref: 6B148C31

GetTickCount.KERNEL32 ref: 6B148A52
SetWindowTextW.USER32(?,?), ref: 6B148A99
GetDlgItem.USER32 ref: 6B148AC3
GetDlgItem.USER32 ref: 6B148AE5

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CountH_prolog3ItemTick$TextWindow
String ID:
API String ID: 3171788341-0
Opcode ID: 7a1340b474ee728e1b467fcdce0b839d3f584b5bd7245149e456f4f1ebe4e92f
Instruction ID: 5b9d86173dff49b95fefb5fd0665e30b67f31b7f3d500c0106e5cde4898a9739
Opcode Fuzzy Hash: 7a1340b474ee728e1b467fcdce0b839d3f584b5bd7245149e456f4f1ebe4e92f
Instruction Fuzzy Hash: 74612B75A00215EFCB04DFB4C998AAEBBB5FF49304F100868E156E73A1DB34EA14CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B13C78F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E6B13C78F(signed int __ecx, intOrPtr __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v16;
				char _v24;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t43;
				char _t46;
				void* _t50;
				void* _t51;
				char* _t52;
				intOrPtr* _t60;
				void* _t70;
				void* _t71;
				void* _t73;
				void* _t83;
				void* _t84;
				signed int _t94;
				intOrPtr _t96;
				void* _t98;
				void* _t105;
				signed int _t106;
				signed int _t108;
				void* _t117;

				_t96 = __edx;
				_t43 =  *0x6b16f0a0; // 0xf69ff218
				 *[fs:0x0] =  &_v16;
				_t106 = __ecx;
				_t46 =  *0x6b16fe10; // 0x6b1333ec
				_t89 = 0x6b16fe10;
				_v40 =  *((intOrPtr*)(_t46 + 0xc))(_t43 ^ (_t108 & 0xfffffff8) - 0x00000018, _t98, _t105, _t84,  *[fs:0x0], 0x6b16618f, 0xffffffff) + 0x10;
				_t85 = 0;
				_v8 = 0;
				_t50 = E6B13C4A9(__edx);
				_t114 = _t50;
				if(_t50 == 0) {
					__eflags = __edx - 0x80004004;
					if(__eflags != 0) {
						_v36 = 0;
						_t89 =  &_v36;
						_v8 = 2;
						_t51 = E6B13C280(0,  &_v36, __edx, __edx, __ecx, __eflags);
						__imp__#7(_v40, __edx);
						__eflags = _t51;
						_t52 =  &_v48;
						if(__eflags != 0) {
							_push(_v44);
							_push(__edx);
							_push(L"Final Result: Installation failed with error code: (0x%08lX), \"%s\"");
							goto L10;
						} else {
							_push(__edx);
							_push(L"Final Result: Installation failed with error code: (0x%08lX)");
							goto L8;
						}
						goto L11;
					} else {
						E6B15811C( &_v40, E6B158199(L"Final Result: Installation aborted"), 0x6b16fe10, L"Final Result: Installation aborted");
						_t85 = 0;
					}
				} else {
					_v36 = 0;
					_t89 =  &_v36;
					_v8 = 1;
					_t83 = E6B13C280(0,  &_v36, __edx, __edx, __ecx, _t114); // executed
					__imp__#7(_v40, __edx);
					_t115 = _t83;
					_t52 =  &_v48;
					if(_t83 != 0) {
						_push(_v44);
						_push(__edx);
						_push(L"Final Result: Installation completed successfully with success code: (0x%08lX), \"%s\"");
						L10:
						_push(_t52);
						E6B1580BA();
					} else {
						_push(__edx);
						_push(L"Final Result: Installation completed successfully with success code: (0x%08lX)");
						L8:
						_push(_t52);
						E6B1580BA();
					}
					L11:
					_v16 = _t85;
					__imp__#6(_v44);
				}
				_push( &_v44);
				E6B14E8E8(".", _t106, _t115);
				_v24 = 3;
				_t116 =  *_t106 |  *(_t106 + 4);
				if(( *_t106 |  *(_t106 + 4)) != 0) {
					_t71 = E6B158C72(_t89, _t96, _t116, _t85);
					_t94 =  *_t106;
					_t106 =  *(_t106 + 4);
					asm("sbb edx, esi");
					_t85 =  &_v44;
					_v44 = _t71 - _t94;
					_v40 = _t96;
					_t73 = E6B13C4DC( &_v44,  &_v52, ".", _t106, _t116);
					_v24 = 4;
					E6B14EA8D(_t73,  &_v48);
					_v24 = 3;
					_t117 = _v52 + 0xfffffff0;
					E6B158460(_v52 + 0xfffffff0, _t96);
				}
				_t60 = E6B14F092(_t85,  &_v56, _t106, _t117);
				_v32 = 5;
				_t97 =  *_a4; // executed
				 *((intOrPtr*)( *_a4 + 0x4c))( *_t60,  &_v52,  &_v48);
				E6B158460(_v64 + 0xfffffff0,  *_a4);
				E6B158460(_v60 + 0xfffffff0,  *_a4);
				_t70 = E6B158460(_v68 + 0xfffffff0, _t97);
				 *[fs:0x0] = _v44;
				return _t70;
			}

0x6b13c78f
0x6b13c7ab
0x6b13c7b7
0x6b13c7bd
0x6b13c7c1
0x6b13c7c6
0x6b13c7d1
0x6b13c7d5
0x6b13c7d9
0x6b13c7dd
0x6b13c7e2
0x6b13c7e4
0x6b13c81f
0x6b13c825
0x6b13c843
0x6b13c848
0x6b13c84c
0x6b13c851
0x6b13c85a
0x6b13c860
0x6b13c862
0x6b13c866
0x6b13c879
0x6b13c87d
0x6b13c87e
0x00000000
0x6b13c868
0x6b13c868
0x6b13c869
0x00000000
0x6b13c869
0x00000000
0x6b13c827
0x6b13c83a
0x6b13c83f
0x6b13c83f
0x6b13c7e6
0x6b13c7e6
0x6b13c7eb
0x6b13c7ef
0x6b13c7f4
0x6b13c7fd
0x6b13c803
0x6b13c805
0x6b13c809
0x6b13c813
0x6b13c817
0x6b13c818
0x6b13c883
0x6b13c883
0x6b13c884
0x6b13c80b
0x6b13c80b
0x6b13c80c
0x6b13c86e
0x6b13c86e
0x6b13c86f
0x6b13c874
0x6b13c88c
0x6b13c88c
0x6b13c894
0x6b13c894
0x6b13c89e
0x6b13c8a4
0x6b13c8a9
0x6b13c8b0
0x6b13c8b3
0x6b13c8b6
0x6b13c8bc
0x6b13c8be
0x6b13c8c3
0x6b13c8c9
0x6b13c8cd
0x6b13c8d1
0x6b13c8d5
0x6b13c8de
0x6b13c8e3
0x6b13c8e8
0x6b13c8f1
0x6b13c8f4
0x6b13c8f4
0x6b13c907
0x6b13c90f
0x6b13c916
0x6b13c918
0x6b13c922
0x6b13c92e
0x6b13c93a
0x6b13c943
0x6b13c951

APIs

SysStringLen.OLEAUT32(?), ref: 6B13C7FD
__time64.LIBCMT ref: 6B13C8B6

Part of subcall function 6B13C280: __EH_prolog3.LIBCMT ref: 6B13C287
Part of subcall function 6B13C280: OutputDebugStringW.KERNEL32(?,?,?,00000008,6B13C856), ref: 6B13C2A8

SysFreeString.OLEAUT32(?), ref: 6B13C894

Strings

Final Result: Installation aborted, xrefs: 6B13C827, 6B13C835
Final Result: Installation failed with error code: (0x%08lX), xrefs: 6B13C869
Final Result: Installation completed successfully with success code: (0x%08lX), "%s", xrefs: 6B13C818
Final Result: Installation completed successfully with success code: (0x%08lX), xrefs: 6B13C80C
Final Result: Installation failed with error code: (0x%08lX), "%s", xrefs: 6B13C87E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: String$DebugFreeH_prolog3Output__time64
String ID: Final Result: Installation aborted$Final Result: Installation completed successfully with success code: (0x%08lX)$Final Result: Installation completed successfully with success code: (0x%08lX), "%s"$Final Result: Installation failed with error code: (0x%08lX)$Final Result: Installation failed with error code: (0x%08lX), "%s"
API String ID: 1943088043-1330816492
Opcode ID: 4ed8da9adb8f784122d2cdeddf0567ac69878a6d7fbd5194b3fa1c4fab61c747
Instruction ID: 136824c511c9913765dbdc20147aa873a404622b735db10b38b1e46bca66b2b2
Opcode Fuzzy Hash: 4ed8da9adb8f784122d2cdeddf0567ac69878a6d7fbd5194b3fa1c4fab61c747
Instruction Fuzzy Hash: 9A518E72508351BFC310DF78D885A5BBBE5AF95728F000A6DF49193291E738D9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B14795B Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B14795B(intOrPtr* __ebx, signed int __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t95;
				signed int _t99;
				signed int _t113;
				signed int _t114;
				signed int _t120;
				signed int _t127;
				signed int _t136;
				intOrPtr* _t144;
				intOrPtr _t145;
				intOrPtr _t149;
				signed int _t152;
				signed int _t159;
				intOrPtr* _t163;
				signed int _t164;
				void* _t166;
				void* _t167;

				_t167 = __eflags;
				_t163 = __esi;
				_t152 = __edx;
				_t144 = __ebx;
				_push(0x2c);
				E6B16265B(0x6b1663e6, __ebx, __edi, __esi);
				_push(_t166 - 0x10);
				E6B14E8E8(L" complete", __esi, _t167);
				 *(_t166 - 4) =  *(_t166 - 4) & 0x00000000;
				_push(_t166 - 0x1c);
				E6B14E8E8(L"Action", __esi, _t167);
				 *(_t166 - 4) = 1;
				 *((intOrPtr*)(_t166 - 0x18)) = _t166 - 0x10;
				 *((intOrPtr*)(_t166 - 0x14)) = __esi;
				 *((intOrPtr*)( *__esi + 8))();
				E6B1510A6(__ebx);
				 *(_t166 - 0x38) = 0;
				 *((intOrPtr*)(_t166 - 0x34)) = 0;
				 *((intOrPtr*)(_t166 - 0x30)) = 0;
				 *((intOrPtr*)(_t166 - 0x2c)) = __esi;
				EnumWindows(0x6b147c3f, _t166 - 0x38); // executed
				 *(_t166 - 4) = 3;
				E6B147BC5(_t166 - 0x28, __ebx, __esi, _t166 - 0x38, __esi, L"Action", L"Enumerating incompatible processes");
				_push(__ebx);
				_push( *(_t166 + 8));
				 *(_t166 - 4) = 4;
				L12();
				_t168 =  *((intOrPtr*)(__ebx + 4));
				_t95 =  *__esi;
				if( *((intOrPtr*)(__ebx + 4)) != 0) {
					 *((intOrPtr*)(_t95 + 4))(2, L"Blocking Processes");
					__eflags =  *0x6b173040 & 0x00000001;
					if(( *0x6b173040 & 0x00000001) == 0) {
						 *0x6b173040 =  *0x6b173040 | 0x00000001;
						__eflags =  *0x6b173040;
						_push(0x6b17303c);
						 *(_t166 - 4) = 5;
						E6B14E8E8(L"[ProcessID] [ImageName] [WindowTitle] [WindowVisible]", __esi, __eflags);
						E6B158907(__eflags, 0x6b167e3f);
						 *(_t166 - 4) = 4;
					}
					 *((intOrPtr*)( *_t163 + 4))(2,  *0x6b17303c);
					_t99 =  *(_t144 + 4);
					_t159 = 0;
					__eflags = _t99;
					if(_t99 <= 0) {
						goto L2;
					} else {
						_t35 = _t166 + 8;
						 *_t35 =  *(_t166 + 8) & 0;
						__eflags =  *_t35;
						while(1) {
							__eflags = _t159;
							if(_t159 < 0) {
								break;
							}
							__eflags = _t159 - _t99;
							if(_t159 >= _t99) {
								break;
							} else {
								_t152 =  *_t163;
								 *((intOrPtr*)(_t152 + 4))(2,  *((intOrPtr*)( *_t144 +  *(_t166 + 8) + 0x10)));
								_t99 =  *(_t144 + 4);
								 *(_t166 + 8) =  *(_t166 + 8) + 0x14;
								_t159 = _t159 + 1;
								__eflags = _t159 - _t99;
								if(_t159 < _t99) {
									continue;
								} else {
									goto L2;
								}
							}
							goto L30;
						}
						RaiseException(0xc000008c, 1, 0, 0);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0xc);
						E6B16265B(0x6b163f1f, _t144, _t159, _t163);
						_t111 = 0;
						 *(_t166 - 0x10) = 0;
						__eflags =  *(_t159 + 4);
						if( *(_t159 + 4) > 0) {
							 *((intOrPtr*)(_t166 - 0x14)) = 0;
							do {
								_t113 =  *(_t166 + 8);
								_t164 = 0;
								__eflags =  *(_t113 + 4);
								if( *(_t113 + 4) > 0) {
									while(1) {
										_t114 =  *(_t166 - 0x10);
										__eflags = _t114;
										if(_t114 < 0) {
											break;
										}
										__eflags = _t114 -  *(_t159 + 4);
										if(_t114 >=  *(_t159 + 4)) {
											break;
										}
										_t52 = E6B1583FD( *((intOrPtr*)( *_t159 +  *((intOrPtr*)(_t166 - 0x14)) + 4)) - 0x10) + 0x10; // 0x10
										_t145 = _t52;
										 *((intOrPtr*)(_t166 - 0x18)) = _t145;
										_t152 = 0;
										 *(_t166 - 4) = 0;
										__eflags = _t164;
										if(_t164 < 0) {
											L29:
											_push(_t152);
											_push(_t152);
											L28:
											RaiseException(0xc000008c, 1, ??, ??);
											goto L29;
										}
										_t120 =  *(_t166 + 8);
										__eflags = _t164 -  *((intOrPtr*)(_t120 + 4));
										if(_t164 >=  *((intOrPtr*)(_t120 + 4))) {
											goto L29;
										}
										_t149 =  *((intOrPtr*)( *_t120 + _t164 * 4));
										__eflags =  *(_t166 - 0x10) -  *(_t159 + 4);
										if( *(_t166 - 0x10) >=  *(_t159 + 4)) {
											goto L29;
										}
										_t127 = E6B14EB56( *_t159 +  *((intOrPtr*)(_t166 - 0x14)) + 4, _t149);
										__eflags = _t127;
										if(_t127 == 0) {
											__eflags =  *(_t166 - 0x10) -  *(_t159 + 4);
											if( *(_t166 - 0x10) >=  *(_t159 + 4)) {
												break;
											}
											_push( *_t159 +  *((intOrPtr*)(_t166 - 0x14)));
											E6B150FBC( *((intOrPtr*)(_t166 + 0xc)));
											_t71 = _t166 - 4;
											 *_t71 =  *(_t166 - 4) | 0xffffffff;
											__eflags =  *_t71;
											_t73 = _t145 - 0x10; // 0x0
											E6B158460(_t73, 0);
										} else {
											 *(_t166 - 4) =  *(_t166 - 4) | 0xffffffff;
											_t64 = _t145 - 0x10; // 0x0
											E6B158460(_t64, 0);
											_t136 =  *(_t166 + 8);
											_t164 = _t164 + 1;
											__eflags = _t164 -  *((intOrPtr*)(_t136 + 4));
											if(_t164 <  *((intOrPtr*)(_t136 + 4))) {
												continue;
											} else {
											}
										}
										goto L25;
									}
									_push(0);
									_push(0);
									goto L28;
								}
								L25:
								 *(_t166 - 0x10) =  *(_t166 - 0x10) + 1;
								_t111 =  *(_t166 - 0x10);
								 *((intOrPtr*)(_t166 - 0x14)) =  *((intOrPtr*)(_t166 - 0x14)) + 0x14;
								__eflags =  *(_t166 - 0x10) -  *(_t159 + 4);
							} while ( *(_t166 - 0x10) <  *(_t159 + 4));
						}
						return E6B162709(_t111);
					}
				} else {
					 *((intOrPtr*)(_t95 + 4))(2, L"No Blocking Processes");
					L2:
					E6B1510A6(_t166 - 0x28);
					E6B1510A6(_t166 - 0x38);
					_push(_t166 - 0x1c);
					 *(_t166 - 4) = 0;
					E6B13B8EF(_t144, _t166 - 0x38, _t163, _t168); // executed
					E6B158460( *(_t166 - 0x10) + 0xfffffff0, _t152);
					return E6B162709(0);
				}
				L30:
			}

0x6b14795b
0x6b14795b
0x6b14795b
0x6b14795b
0x6b14795b
0x6b147962
0x6b14796a
0x6b147970
0x6b147975
0x6b14797c
0x6b147982
0x6b147987
0x6b147993
0x6b147996
0x6b14799e
0x6b1479a3
0x6b1479aa
0x6b1479ad
0x6b1479b0
0x6b1479bc
0x6b1479bf
0x6b1479cb
0x6b1479cf
0x6b1479d4
0x6b1479d5
0x6b1479db
0x6b1479df
0x6b1479e4
0x6b1479e8
0x6b1479ec
0x6b147a31
0x6b147a34
0x6b147a3b
0x6b147a3d
0x6b147a3d
0x6b147a44
0x6b147a4e
0x6b147a52
0x6b147a5c
0x6b147a62
0x6b147a62
0x6b147a72
0x6b147a75
0x6b147a78
0x6b147a7a
0x6b147a7c
0x00000000
0x6b147a82
0x6b147a82
0x6b147a82
0x6b147a82
0x6b147a85
0x6b147a85
0x6b147a87
0x00000000
0x00000000
0x6b147a89
0x6b147a8b
0x00000000
0x6b147a8d
0x6b147a92
0x6b147a9c
0x6b147a9f
0x6b147aa2
0x6b147aa6
0x6b147aa7
0x6b147aa9
0x00000000
0x6b147aab
0x00000000
0x6b147aab
0x6b147aa9
0x00000000
0x6b147a8b
0x6b147abb
0x6b147ac1
0x6b147ac2
0x6b147ac3
0x6b147ac4
0x6b147ac5
0x6b147ac6
0x6b147ac7
0x6b147ace
0x6b147ad3
0x6b147ad5
0x6b147ad8
0x6b147adb
0x6b147ae1
0x6b147ae4
0x6b147ae4
0x6b147ae7
0x6b147ae9
0x6b147aec
0x6b147af2
0x6b147af2
0x6b147af5
0x6b147af7
0x00000000
0x00000000
0x6b147afd
0x6b147b00
0x00000000
0x00000000
0x6b147b16
0x6b147b16
0x6b147b19
0x6b147b1c
0x6b147b1e
0x6b147b21
0x6b147b23
0x6b147bbc
0x6b147bbc
0x6b147bbd
0x6b147baf
0x6b147bb6
0x00000000
0x6b147bb6
0x6b147b29
0x6b147b2c
0x6b147b2f
0x00000000
0x00000000
0x6b147b3a
0x6b147b3f
0x6b147b42
0x00000000
0x00000000
0x6b147b4e
0x6b147b53
0x6b147b55
0x6b147b71
0x6b147b74
0x00000000
0x00000000
0x6b147b7e
0x6b147b7f
0x6b147b84
0x6b147b84
0x6b147b84
0x6b147b88
0x6b147b8b
0x6b147b57
0x6b147b57
0x6b147b5b
0x6b147b5e
0x6b147b63
0x6b147b66
0x6b147b67
0x6b147b6a
0x00000000
0x00000000
0x6b147b6c
0x6b147b6a
0x00000000
0x6b147b55
0x6b147bab
0x6b147bad
0x00000000
0x6b147bad
0x6b147b90
0x6b147b90
0x6b147b93
0x6b147b96
0x6b147b9a
0x6b147b9a
0x6b147ae4
0x6b147ba8
0x6b147ba8
0x6b1479ee
0x6b1479f5
0x6b1479f8
0x6b1479fb
0x6b147a03
0x6b147a0b
0x6b147a0c
0x6b147a10
0x6b147a1b
0x6b147a27
0x6b147a27
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B147962

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

EnumWindows.USER32(6B147C3F,?), ref: 6B1479BF

Part of subcall function 6B147BC5: _calloc.LIBCMT ref: 6B147BE6

Part of subcall function 6B147AC7: __EH_prolog3.LIBCMT ref: 6B147ACE

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6B147ABB

Strings

No Blocking Processes, xrefs: 6B1479EE
complete, xrefs: 6B14796B
Blocking Processes, xrefs: 6B147A2A
[ProcessID] [ImageName] [WindowTitle] [WindowVisible], xrefs: 6B147A49
Enumerating incompatible processes, xrefs: 6B14798E
Action, xrefs: 6B14797D, 6B14799B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$EnumExceptionRaiseWindows_calloc
String ID: complete$Action$Blocking Processes$Enumerating incompatible processes$No Blocking Processes$[ProcessID] [ImageName] [WindowTitle] [WindowVisible]
API String ID: 3326300193-1989790735
Opcode ID: ca0b6db040a546de4ebb7070d4b727e4056140b69fb6a452fd520b03ab97e0ec
Instruction ID: 62f28a7b14294092c284a25855b2563f101066286fb5f0ca92f22bcf3dbd6c6b
Opcode Fuzzy Hash: ca0b6db040a546de4ebb7070d4b727e4056140b69fb6a452fd520b03ab97e0ec
Instruction Fuzzy Hash: E0418E72900219FFDB00DFA8C889F9DBBB5AF48758F248059E544BB241D778D646CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14FC53 Relevance: 15.5, APIs: 10, Instructions: 458
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6B14FC53(intOrPtr __ecx, intOrPtr* __edx, void* __eflags, struct HWND__* _a4, int _a8) {
				signed int _v12;
				long _v16;
				signed int _v24;
				signed int _v32;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v56;
				struct tagRECT _v72;
				char _v76;
				int _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v100;
				signed int _v104;
				int _v108;
				intOrPtr _v112;
				int _v116;
				intOrPtr* _v120;
				void* _v124;
				int _v128;
				int _v132;
				void* _v136;
				int _v140;
				char _v144;
				void* _v148;
				int _v152;
				int _v156;
				struct HWND__* _v160;
				char _v164;
				struct HWND__* _v168;
				intOrPtr _v172;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t173;
				signed int _t175;
				void* _t191;
				void* _t197;
				intOrPtr* _t209;
				intOrPtr* _t215;
				void* _t219;
				intOrPtr* _t226;
				intOrPtr* _t227;
				char _t240;
				char _t243;
				intOrPtr* _t245;
				void* _t249;
				intOrPtr* _t251;
				void* _t255;
				void* _t264;
				intOrPtr _t265;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr* _t270;
				intOrPtr* _t276;
				void* _t279;
				intOrPtr* _t286;
				void* _t289;
				intOrPtr* _t307;
				int _t314;
				intOrPtr* _t316;
				void* _t319;
				intOrPtr* _t321;
				intOrPtr* _t328;
				int _t329;
				void* _t330;
				intOrPtr* _t382;
				intOrPtr* _t384;
				intOrPtr _t410;
				void* _t412;
				intOrPtr _t418;
				int _t427;
				void* _t428;
				signed int _t431;
				int _t433;
				void* _t434;

				_t434 = __eflags;
				_t396 = __edx;
				_push(0xffffffff);
				_push(0x6b165487);
				_push( *[fs:0x0]);
				_t433 = (_t431 & 0xfffffff8) - 0x50;
				_t173 =  *0x6b16f0a0; // 0xf69ff218
				_v24 = _t173 ^ _t433;
				_t175 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t175 ^ _t433);
				 *[fs:0x0] =  &_v16;
				_t427 = _a8;
				_t410 = __ecx;
				_v72.top = __ecx;
				_t328 = __edx;
				_v80 = _t427;
				_v76 = SendMessageW(_a4, 0x31, 0, 0);
				_v72.bottom =  *((intOrPtr*)(_t410 + 8));
				_push( &_v56);
				E6B14E8E8(L"$$", _t427, _t434);
				_v12 = _v12 & 0x00000000;
				_v56 =  *((intOrPtr*)(_v72.bottom - 0xc));
				_push( &_v52);
				E6B14E8E8(L"$$", _t427, _t434);
				_v52 =  *((intOrPtr*)(_v56 - 0xc));
				_v104 = _v104 & 0x00000000;
				_v16 = 1;
				if( *((intOrPtr*)( *_t328))() <= 0) {
					L12:
					_t329 = 0;
					_v100 = 0;
					_t191 =  *((intOrPtr*)( *_t427))();
					_t440 = _t191;
					if(_t191 <= 0) {
						L19:
						E6B158460(_v56 + 0xfffffff0, _t396);
						_t197 = E6B158460(_v72.right + 0xfffffff0, _t396);
						 *[fs:0x0] = _v24;
						_pop(_t412);
						_pop(_t428);
						_pop(_t330);
						return E6B1587C1(_t197, _t330, _v32 ^ _t433, _t396, _t412, _t428);
					}
					_v92 = _v76 + 0xc;
					while(1) {
						_v48 = _v48 & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t427 + 4))()))))(_t329);
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t427 + 4))())) + 4))(_t329);
						_t209 =  *((intOrPtr*)( *_t427 + 4))(_t329);
						_v112 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t427 + 4))())) + 8))(_t329);
						_v56 = _v112 +  *((intOrPtr*)( *_t209))();
						_t215 =  *((intOrPtr*)( *_t427 + 4))(_t329);
						_v120 =  *((intOrPtr*)( *_t427 + 4))(_t329);
						_t219 =  *((intOrPtr*)( *_t215 + 4))();
						_v72.bottom = _t219 +  *((intOrPtr*)( *_v120 + 0xc))();
						MapDialogRect(_a4,  &_v72);
						if(E6B1591B7(_t219 +  *((intOrPtr*)( *_v120 + 0xc))(), _t427, _t440, 0x28) == 0) {
							_t418 = 0;
							__eflags = 0;
						} else {
							_t418 = E6B154371(_t224,  *((intOrPtr*)(_v100 + 4)));
						}
						_v120 = _t418;
						_t226 =  *((intOrPtr*)( *_t427 + 4))(_t329);
						 *_t433 =  *_t433 & 0x00000000;
						_t396 =  *_t226;
						_v108 = _t433;
						_t227 =  *((intOrPtr*)( *_t226 + 0x14))();
						 *_t433 =  &_v76;
						_v108 = _t433;
						E6B154454(_t418, _a4, _t226,  *_t227, _t427);
						SendMessageW( *(_t418 + 4), 0x30, _v128, 1);
						ShowWindow( *(_t418 + 4), 1);
						E6B154800( &_v140, _v136);
						_v144 = _v144 + 1;
						if(_v144 >=  *((intOrPtr*)( *_v132))()) {
							goto L19;
						}
						_t329 = _v128;
						_t427 = _v116;
					}
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					_v48 = _v48 & 0x00000000;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t240 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t328 + 4))()))))(_v104);
					_v52 = _t240;
					_t243 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t328 + 4))())) + 4))(_v108);
					_v52 = _t243;
					_t245 =  *((intOrPtr*)( *_t328 + 4))(_v112);
					_v116 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t328 + 4))())) + 8))(_v116);
					_t249 =  *((intOrPtr*)( *_t245))();
					_v56 = _v116 + _t249;
					_t251 =  *((intOrPtr*)( *_t328 + 4))(_v120);
					_v124 =  *((intOrPtr*)( *_t328 + 4))(_v124);
					_t255 =  *((intOrPtr*)( *_t251 + 4))();
					_v72.bottom = _t255 +  *((intOrPtr*)( *_v124 + 0xc))();
					MapDialogRect(_a4,  &_v72);
					_v124 = 0;
					_t264 = E6B158199( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t328 + 4))())) + 0x14))(_v128))));
					_push(_v132);
					_t265 =  *_t328;
					if(_t264 <= 0) {
						_t268 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t265 + 4))())) + 0x18))()));
						__eflags =  *(_t268 - 0xc);
						_push(_v136);
						_t269 =  *_t328;
						if( *(_t268 - 0xc) <= 0) {
							_t270 =  *((intOrPtr*)(_t269 + 4))();
							_t396 =  *_t270;
							__eflags =  *( *((intOrPtr*)( *((intOrPtr*)( *_t270 + 0x1c))())) - 0xc);
							if(__eflags > 0) {
								_t276 =  *((intOrPtr*)( *_t328 + 4))(_v140);
								_t396 =  *_t276;
								_t382 = _t276;
								_t279 = LoadImageW(0,  *( *((intOrPtr*)( *_t276 + 0x1c))()), 0, 0, 0, 0x10);
								_v136 = _t279;
								__eflags = _t279;
								if(__eflags != 0) {
									_v132 = _t433;
									 *_t433 = 0;
									_v132 = _t433;
									 *_t433 =  &_v88;
									E6B14F8DE( &_v140, _a4, _t382, 0x6b1379e4, 0x5000020e, _t382);
									E6B14F933( &_v164,  &_v144, _v160);
									_t427 = _v156;
								}
							}
						} else {
							_t286 =  *((intOrPtr*)(_t269 + 4))();
							_t396 =  *_t286;
							_t384 = _t286;
							_t289 = LoadImageW(0,  *( *((intOrPtr*)( *_t286 + 0x18))()), 1, 0, 0, 0x10);
							_v132 = _t289;
							__eflags = _t289;
							if(__eflags != 0) {
								_v128 = _t433;
								 *_t433 = 0;
								_v128 = _t433;
								 *_t433 =  &_v84;
								E6B14F8DE( &_v136, _a4, _t384, 0x6b1379e4, 0x50000203, _t384);
								SendMessageW(_v160, 0x170, _v156, 0);
							}
						}
					} else {
						E6B154755(_t295,  &_v100,  &_v104,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t265 + 4))())) + 0x14))());
						_v72.bottom = 2;
						_v140 = _t433;
						 *_t433 = 0;
						_v140 = _t433;
						 *_t433 =  &_v92;
						E6B14F8DE( &_v144, _a4, _t295, _v116, 0x40000000, _t295); // executed
						ShowWindow(_v168, 1); // executed
						SendMessageW(_v168, 0x30, _v152, 1);
						_t307 =  *((intOrPtr*)( *_t328 + 4))(_v172);
						_t396 =  *_t307;
						if( *((intOrPtr*)( *_t307 + 0x20))() != 0) {
							_t314 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t328 + 4))())) + 0x24))(_v140);
							_v132 = _t314;
							_t316 =  *((intOrPtr*)( *_t328 + 4))(_v144);
							_t396 =  *_t316;
							_v140 =  *((intOrPtr*)( *_t316 + 0x24))();
							_t319 =  *((intOrPtr*)( *_v136 + 4))();
							_t321 =  *((intOrPtr*)( *_v140))();
							_v140 = _t433;
							 *_t433 = E6B1583FD( *_t321 - 0x10) + 0x10;
							E6B13F589(_t328,  *_t316, E6B1583FD( *_t321 - 0x10) + 0x10, _v144, _v140, _t319, 0, 0);
						}
						_v52 = 1;
						E6B158460(_v108 + 0xfffffff0, _t396);
					}
					_v140 = _v140 + 1;
				} while (_v140 <  *((intOrPtr*)( *_t328))());
				goto L12;
			}

0x6b14fc53
0x6b14fc53
0x6b14fc5b
0x6b14fc5d
0x6b14fc68
0x6b14fc69
0x6b14fc6c
0x6b14fc73
0x6b14fc7a
0x6b14fc81
0x6b14fc86
0x6b14fc8c
0x6b14fc98
0x6b14fc9a
0x6b14fc9e
0x6b14fca0
0x6b14fcaa
0x6b14fcb1
0x6b14fcb9
0x6b14fcbf
0x6b14fcc4
0x6b14fcd0
0x6b14fcd8
0x6b14fcd9
0x6b14fce5
0x6b14fce9
0x6b14fcee
0x6b14fcfe
0x6b14ffe7
0x6b14ffe9
0x6b14ffed
0x6b14fff1
0x6b14fff3
0x6b14fff5
0x6b15013f
0x6b150146
0x6b150152
0x6b15015b
0x6b150163
0x6b150164
0x6b150165
0x6b150174
0x6b150174
0x6b150002
0x6b150010
0x6b150010
0x6b15001b
0x6b15001c
0x6b15001d
0x6b15002c
0x6b15003f
0x6b150048
0x6b150060
0x6b15006e
0x6b150075
0x6b150082
0x6b15008a
0x6b1500a2
0x6b1500a6
0x6b1500b6
0x6b1500c8
0x6b1500c8
0x6b1500b8
0x6b1500c4
0x6b1500c4
0x6b1500cf
0x6b1500d3
0x6b1500d9
0x6b1500dc
0x6b1500e0
0x6b1500e4
0x6b1500f0
0x6b1500f2
0x6b1500fb
0x6b15010b
0x6b150116
0x6b150124
0x6b15012f
0x6b150139
0x00000000
0x00000000
0x6b150008
0x6b15000c
0x6b15000c
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14fd04
0x6b14fd04
0x6b14fd04
0x6b14fd13
0x6b14fd14
0x6b14fd15
0x6b14fd21
0x6b14fd27
0x6b14fd36
0x6b14fd3d
0x6b14fd45
0x6b14fd60
0x6b14fd64
0x6b14fd72
0x6b14fd78
0x6b14fd88
0x6b14fd90
0x6b14fda8
0x6b14fdac
0x6b14fdbc
0x6b14fdcc
0x6b14fdd1
0x6b14fdd7
0x6b14fddb
0x6b14fedf
0x6b14fee1
0x6b14fee4
0x6b14fee8
0x6b14feec
0x6b14ff57
0x6b14ff5a
0x6b14ff63
0x6b14ff66
0x6b14ff70
0x6b14ff73
0x6b14ff75
0x6b14ff83
0x6b14ff89
0x6b14ff8d
0x6b14ff8f
0x6b14ff94
0x6b14ffa3
0x6b14ffab
0x6b14ffaf
0x6b14ffb9
0x6b14ffca
0x6b14ffcf
0x6b14ffcf
0x6b14ff8f
0x6b14feee
0x6b14feee
0x6b14fef1
0x6b14fef3
0x6b14ff02
0x6b14ff08
0x6b14ff0c
0x6b14ff0e
0x6b14ff17
0x6b14ff26
0x6b14ff2e
0x6b14ff32
0x6b14ff3c
0x6b14ff4f
0x6b14ff4f
0x6b14ff0e
0x6b14fde1
0x6b14fdf6
0x6b14fdfe
0x6b14fe03
0x6b14fe07
0x6b14fe19
0x6b14fe1d
0x6b14fe27
0x6b14fe32
0x6b14fe44
0x6b14fe52
0x6b14fe55
0x6b14fe5e
0x6b14fe6f
0x6b14fe76
0x6b14fe7e
0x6b14fe81
0x6b14fe8d
0x6b14fe94
0x6b14fe9e
0x6b14fea6
0x6b14feb8
0x6b14feba
0x6b14feba
0x6b14febf
0x6b14fecb
0x6b14fecb
0x6b14ffd5
0x6b14ffdd
0x00000000

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B14FCA4

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

MapDialogRect.USER32(?,00000000), ref: 6B14FDAC
ShowWindow.USER32(?,00000001,?,?,?,?,40000000,?,?,?,00000000), ref: 6B14FE32
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B14FE44

Part of subcall function 6B13F589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B13F5AC
Part of subcall function 6B13F589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6B13F5B5
Part of subcall function 6B13F589: CreateFontIndirectW.GDI32(?), ref: 6B13F600
Part of subcall function 6B13F589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B13F610

LoadImageW.USER32 ref: 6B14FF02
SendMessageW.USER32(?,00000170,?,00000000), ref: 6B14FF4F
LoadImageW.USER32 ref: 6B14FF83

Part of subcall function 6B14F933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6B14F944

MapDialogRect.USER32(?,00000000), ref: 6B1500A6
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B15010B
ShowWindow.USER32(?,00000001,?,00000000), ref: 6B150116

Part of subcall function 6B14F8DE: CreateWindowExW.USER32 ref: 6B14F91E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 56c614158e6a18113837e9b2413a3d475c5da69816303781583937e8c515f3e2
Instruction ID: b3d3ba2626adbcac7c488ab9a69199a389f58dcc38d18137d9ee9284ffbbae6a
Opcode Fuzzy Hash: 56c614158e6a18113837e9b2413a3d475c5da69816303781583937e8c515f3e2
Instruction Fuzzy Hash: 6702F175604301AFCB04DF68C898A1ABBE6FF89314F00496DF59A8B361DB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B15210E Relevance: 15.5, APIs: 10, Instructions: 457
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6B15210E(intOrPtr __ecx, intOrPtr* __edx, void* __eflags, struct HWND__* _a4, int _a8) {
				signed int _v12;
				long _v16;
				signed int _v24;
				signed int _v32;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v56;
				struct tagRECT _v72;
				char _v76;
				int _v80;
				char _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				long _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				int _v116;
				int _v120;
				long _v124;
				intOrPtr _v128;
				void* _v132;
				int _v136;
				int _v140;
				int _v144;
				void* _v148;
				void* _v152;
				int _v156;
				struct HWND__* _v160;
				struct HWND__* _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t171;
				signed int _t173;
				void* _t189;
				void* _t195;
				intOrPtr* _t207;
				intOrPtr* _t213;
				void* _t217;
				intOrPtr* _t224;
				intOrPtr* _t225;
				char _t238;
				char _t241;
				intOrPtr* _t243;
				void* _t247;
				intOrPtr* _t249;
				void* _t253;
				void* _t262;
				intOrPtr _t263;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr* _t268;
				intOrPtr* _t274;
				void* _t277;
				intOrPtr* _t284;
				void* _t287;
				intOrPtr* _t304;
				intOrPtr* _t311;
				intOrPtr* _t313;
				void* _t316;
				intOrPtr* _t318;
				intOrPtr* _t325;
				long _t326;
				void* _t327;
				intOrPtr* _t379;
				intOrPtr* _t381;
				intOrPtr _t407;
				void* _t409;
				int _t415;
				int _t426;
				void* _t427;
				signed int _t430;
				int _t432;
				void* _t433;

				_t433 = __eflags;
				_t393 = __edx;
				_push(0xffffffff);
				_push(0x6b16531c);
				_push( *[fs:0x0]);
				_t432 = (_t430 & 0xfffffff8) - 0x50;
				_t171 =  *0x6b16f0a0; // 0xf69ff218
				_v24 = _t171 ^ _t432;
				_t173 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t173 ^ _t432);
				 *[fs:0x0] =  &_v16;
				_t426 = _a8;
				_t407 = __ecx;
				_v72.right = __ecx;
				_t325 = __edx;
				_v80 = _t426;
				_v72.left = SendMessageW(_a4, 0x31, 0, 0);
				_v72.bottom =  *((intOrPtr*)(_t407 + 8));
				_push( &_v56);
				E6B14E8E8(L"$$", _t426, _t433);
				_v12 = _v12 & 0x00000000;
				_v56 =  *((intOrPtr*)(_v72.bottom - 0xc));
				_push( &_v52);
				E6B14E8E8(L"$$", _t426, _t433);
				_v52 =  *((intOrPtr*)(_v56 - 0xc));
				_v104 = _v104 & 0x00000000;
				_v16 = 1;
				if( *((intOrPtr*)( *_t325))() <= 0) {
					L12:
					_t326 = 0;
					_v100 = 0;
					_t189 =  *((intOrPtr*)( *_t426))();
					_t439 = _t189;
					if(_t189 <= 0) {
						L19:
						E6B158460(_v56 + 0xfffffff0, _t393);
						_t195 = E6B158460(_v72.right + 0xfffffff0, _t393);
						 *[fs:0x0] = _v24;
						_pop(_t409);
						_pop(_t427);
						_pop(_t327);
						return E6B1587C1(_t195, _t327, _v32 ^ _t432, _t393, _t409, _t427);
					}
					_v92 = _v72.left + 0xc;
					while(1) {
						_v48 = _v48 & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))()))))(_t326);
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 4))(_t326);
						_t207 =  *((intOrPtr*)( *_t426 + 4))(_t326);
						_v112 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 8))(_t326);
						_v56 = _v112 +  *((intOrPtr*)( *_t207))();
						_t213 =  *((intOrPtr*)( *_t426 + 4))(_t326);
						_v120 =  *((intOrPtr*)( *_t426 + 4))(_t326);
						_t217 =  *((intOrPtr*)( *_t213 + 4))();
						_v72.bottom = _t217 +  *((intOrPtr*)( *_v120 + 0xc))();
						MapDialogRect(_a4,  &_v72);
						if(E6B1591B7(_t217 +  *((intOrPtr*)( *_v120 + 0xc))(), _t426, _t439, 0x28) == 0) {
							_t415 = 0;
							__eflags = 0;
						} else {
							_t415 = E6B154371(_t222,  *((intOrPtr*)(_v96 + 4)));
						}
						_v120 = _t415;
						_t224 =  *((intOrPtr*)( *_t426 + 4))(_t326);
						 *_t432 =  *_t432 & 0x00000000;
						_t393 =  *_t224;
						_v104 = _t432;
						_t225 =  *((intOrPtr*)( *_t224 + 0x14))();
						 *_t432 =  &_v76;
						_v104 = _t432;
						E6B154454(_t415, _a4, _t224,  *_t225, _t426); // executed
						SendMessageW( *(_t415 + 4), 0x30, _v124, 1);
						ShowWindow( *(_t415 + 4), 1); // executed
						E6B154800( &_v140, _v136);
						_v144 = _v144 + 1;
						if(_v144 >=  *( *_v132)()) {
							goto L19;
						}
						_t326 = _v128;
						_t426 = _v116;
					}
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					_v48 = _v48 & 0x00000000;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t238 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))()))))(_v104);
					_v52 = _t238;
					_t241 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 4))(_v108);
					_v52 = _t241;
					_t243 =  *((intOrPtr*)( *_t325 + 4))(_v112);
					_v116 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 8))(_v116);
					_t247 =  *((intOrPtr*)( *_t243))();
					_v56 = _v116 + _t247;
					_t249 =  *((intOrPtr*)( *_t325 + 4))(_v120);
					_v124 =  *((intOrPtr*)( *_t325 + 4))(_v124);
					_t253 =  *((intOrPtr*)( *_t249 + 4))();
					_v72.bottom = _t253 +  *((intOrPtr*)( *_v124 + 0xc))();
					MapDialogRect(_a4,  &_v72);
					_v124 = 0;
					_t262 = E6B158199( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 0x14))(_v128))));
					_push(_v132);
					_t263 =  *_t325;
					if(_t262 <= 0) {
						_t266 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t263 + 4))())) + 0x18))()));
						__eflags =  *(_t266 - 0xc);
						_push(_v136);
						_t267 =  *_t325;
						if( *(_t266 - 0xc) <= 0) {
							_t268 =  *((intOrPtr*)(_t267 + 4))();
							_t393 =  *_t268;
							__eflags =  *( *((intOrPtr*)( *((intOrPtr*)( *_t268 + 0x1c))())) - 0xc);
							if(__eflags > 0) {
								_t274 =  *((intOrPtr*)( *_t325 + 4))(_v140);
								_t393 =  *_t274;
								_t379 = _t274;
								_t277 = LoadImageW(0,  *( *((intOrPtr*)( *_t274 + 0x1c))()), 0, 0, 0, 0x10);
								_v136 = _t277;
								__eflags = _t277;
								if(__eflags != 0) {
									_v124 = _t432;
									 *_t432 = 0;
									_v124 = _t432;
									 *_t432 =  &_v88;
									E6B14F8DE( &_v140, _a4, _t379, 0x6b1379e4, 0x5000020e, _t379);
									E6B14F933( &_v164,  &_v140, _v160);
									_t426 = _v156;
								}
							}
						} else {
							_t284 =  *((intOrPtr*)(_t267 + 4))();
							_t393 =  *_t284;
							_t381 = _t284;
							_t287 = LoadImageW(0,  *( *((intOrPtr*)( *_t284 + 0x18))()), 1, 0, 0, 0x10);
							_v132 = _t287;
							__eflags = _t287;
							if(__eflags != 0) {
								_v120 = _t432;
								 *_t432 = 0;
								_v120 = _t432;
								 *_t432 =  &_v84;
								E6B14F8DE( &_v136, _a4, _t381, 0x6b1379e4, 0x50000203, _t381);
								SendMessageW(_v160, 0x170, _v156, 0);
							}
						}
					} else {
						E6B1547D6(_t293,  &_v124,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t263 + 4))())) + 0x14))());
						_v56 = 2;
						 *_t432 =  *_t432 & 0x00000000;
						_v136 = _t432;
						_v136 = _t432;
						 *_t432 =  &_v88;
						E6B14F8DE( &_v140, _a4, _t293, _v132, 0x40000000, _t293); // executed
						ShowWindow(_v164, 1); // executed
						SendMessageW(_v164, 0x30, _v144, 1);
						_t304 =  *((intOrPtr*)( *_t325 + 4))(_v168);
						_t393 =  *_t304;
						if( *((intOrPtr*)( *_t304 + 0x20))() != 0) {
							_t311 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 0x24))(_v140);
							_t313 =  *((intOrPtr*)( *_t325 + 4))(_v144);
							_t393 =  *_t313;
							_v140 =  *((intOrPtr*)( *_t313 + 0x24))();
							_t316 =  *((intOrPtr*)( *_t311 + 4))();
							_t318 =  *((intOrPtr*)( *_v140))();
							_v140 = _t432;
							 *_t432 = E6B1583FD( *_t318 - 0x10) + 0x10;
							E6B13F589(_t325,  *_t313, E6B1583FD( *_t318 - 0x10) + 0x10, _v144, _v140, _t316, 0, 0);
						}
						_v52 = 1;
						E6B158460(_v128 + 0xfffffff0, _t393);
					}
					_v140 = _v140 + 1;
				} while (_v140 <  *((intOrPtr*)( *_t325))());
				goto L12;
			}

0x6b15210e
0x6b15210e
0x6b152116
0x6b152118
0x6b152123
0x6b152124
0x6b152127
0x6b15212e
0x6b152135
0x6b15213c
0x6b152141
0x6b152147
0x6b152153
0x6b152155
0x6b152159
0x6b15215b
0x6b152165
0x6b15216c
0x6b152174
0x6b15217a
0x6b15217f
0x6b15218b
0x6b152193
0x6b152194
0x6b1521a0
0x6b1521a4
0x6b1521a9
0x6b1521b9
0x6b1524a0
0x6b1524a2
0x6b1524a6
0x6b1524aa
0x6b1524ac
0x6b1524ae
0x6b1525f8
0x6b1525ff
0x6b15260b
0x6b152614
0x6b15261c
0x6b15261d
0x6b15261e
0x6b15262d
0x6b15262d
0x6b1524bb
0x6b1524c9
0x6b1524c9
0x6b1524d4
0x6b1524d5
0x6b1524d6
0x6b1524e5
0x6b1524f8
0x6b152501
0x6b152519
0x6b152527
0x6b15252e
0x6b15253b
0x6b152543
0x6b15255b
0x6b15255f
0x6b15256f
0x6b152581
0x6b152581
0x6b152571
0x6b15257d
0x6b15257d
0x6b152588
0x6b15258c
0x6b152592
0x6b152595
0x6b152599
0x6b15259d
0x6b1525a9
0x6b1525ab
0x6b1525b4
0x6b1525c4
0x6b1525cf
0x6b1525dd
0x6b1525e8
0x6b1525f2
0x00000000
0x00000000
0x6b1524c1
0x6b1524c5
0x6b1524c5
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1521bf
0x6b1521bf
0x6b1521bf
0x6b1521ce
0x6b1521cf
0x6b1521d0
0x6b1521dc
0x6b1521e2
0x6b1521f1
0x6b1521f8
0x6b152200
0x6b15221b
0x6b15221f
0x6b15222d
0x6b152233
0x6b152243
0x6b15224b
0x6b152263
0x6b152267
0x6b152277
0x6b152287
0x6b15228c
0x6b152292
0x6b152296
0x6b152398
0x6b15239a
0x6b15239d
0x6b1523a1
0x6b1523a5
0x6b152410
0x6b152413
0x6b15241c
0x6b15241f
0x6b152429
0x6b15242c
0x6b15242e
0x6b15243c
0x6b152442
0x6b152446
0x6b152448
0x6b15244d
0x6b15245c
0x6b152464
0x6b152468
0x6b152472
0x6b152483
0x6b152488
0x6b152488
0x6b152448
0x6b1523a7
0x6b1523a7
0x6b1523aa
0x6b1523ac
0x6b1523bb
0x6b1523c1
0x6b1523c5
0x6b1523c7
0x6b1523d0
0x6b1523df
0x6b1523e7
0x6b1523eb
0x6b1523f5
0x6b152408
0x6b152408
0x6b1523c7
0x6b15229c
0x6b1522b0
0x6b1522b8
0x6b1522bd
0x6b1522c0
0x6b1522d4
0x6b1522d8
0x6b1522e2
0x6b1522ed
0x6b1522ff
0x6b15230d
0x6b152310
0x6b152319
0x6b15232a
0x6b152337
0x6b15233a
0x6b152343
0x6b15234d
0x6b152357
0x6b15235f
0x6b152371
0x6b152373
0x6b152373
0x6b152378
0x6b152384
0x6b152384
0x6b15248e
0x6b152496
0x00000000

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B15215F

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

MapDialogRect.USER32(?,00000000), ref: 6B152267
ShowWindow.USER32(?,00000001,?,?,?,?,40000000,?,?,00000000), ref: 6B1522ED
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B1522FF

Part of subcall function 6B13F589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B13F5AC
Part of subcall function 6B13F589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6B13F5B5
Part of subcall function 6B13F589: CreateFontIndirectW.GDI32(?), ref: 6B13F600
Part of subcall function 6B13F589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B13F610

LoadImageW.USER32 ref: 6B1523BB
SendMessageW.USER32(?,00000170,?,00000000), ref: 6B152408
LoadImageW.USER32 ref: 6B15243C

Part of subcall function 6B14F933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6B14F944

MapDialogRect.USER32(?,00000000), ref: 6B15255F
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B1525C4
ShowWindow.USER32(?,00000001,?,00000000), ref: 6B1525CF

Part of subcall function 6B14F8DE: CreateWindowExW.USER32 ref: 6B14F91E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 9b24406694f9aefbce413aa6d430e69af9653a453c88c9690582dfd3ee34e7db
Instruction ID: b8a3ab810211734cb18548f5c021483a0a6abc8b38e6f57034c0fc80b417e24d
Opcode Fuzzy Hash: 9b24406694f9aefbce413aa6d430e69af9653a453c88c9690582dfd3ee34e7db
Instruction Fuzzy Hash: B6020276604301AFCB04DF68C888A1ABBF6FF89314F10496DF5968B361DB34E955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B148FA4 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B148FA4(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				char _v24;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v92;
				char _v100;
				char _v108;
				char _v112;
				char _v116;
				int _v128;
				char _v132;
				char _v136;
				char _v144;
				char _v148;
				void* _v152;
				char _v156;
				char _v164;
				int _v168;
				void* _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v204;
				intOrPtr* _v220;
				signed int _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				intOrPtr* _v248;
				intOrPtr _v252;
				signed int _v268;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr* _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t108;
				void* _t112;
				void* _t114;
				void* _t122;
				void* _t124;
				void* _t133;
				void* _t134;
				intOrPtr* _t135;
				void* _t138;
				intOrPtr* _t165;
				intOrPtr* _t174;
				void* _t178;
				void* _t185;
				intOrPtr* _t188;
				void* _t196;
				void* _t199;
				void* _t221;
				struct HWND__* _t222;
				struct HWND__* _t225;
				struct HWND__* _t226;
				void* _t232;
				void* _t234;
				intOrPtr _t235;
				intOrPtr _t238;
				struct HWND__* _t240;
				void* _t241;
				intOrPtr* _t242;
				intOrPtr* _t244;
				intOrPtr* _t250;
				intOrPtr* _t256;
				void* _t264;
				void* _t267;
				void* _t275;
				intOrPtr* _t283;
				int _t284;
				signed int _t289;
				signed int _t291;

				_t292 = __eflags;
				_t264 = __edx;
				_t291 = (_t289 & 0xfffffff8) - 0x78;
				_t108 =  *0x6b16f0a0; // 0xf69ff218
				 *[fs:0x0] =  &_v16;
				_t112 = E6B151169(_t234, _t241, _t267, _t275, __eflags);
				_v12 = _v12 & 0x00000000;
				_t235 = _a4;
				_t242 =  *((intOrPtr*)(_t235 + 0x12c));
				_t114 =  *((intOrPtr*)( *_t242))( &_v132, _t108 ^ _t291, _t267, _t275, _t234,  *[fs:0x0], 0x6b166350, 0xffffffff);
				E6B147FA9(_t112, _t242,  &_v40, __eflags,  *((intOrPtr*)( *_t242 + 0x30))(), _t264, _t114);
				_v24 = 2;
				E6B158460(_v148 + 0xfffffff0, _t264);
				_t122 = E6B1510EB(_t235, _t242, _t112,  &_v144, _t292);
				_v24 = 3;
				_t244 =  *((intOrPtr*)(_t235 + 0x12c));
				_t124 =  *((intOrPtr*)( *_t244))();
				E6B147FA9(_t122, _t244,  &_v68, _t292,  *((intOrPtr*)( *_t244 + 0x24))(), _t264, _t124);
				_v36 = 5;
				E6B158460(_v156 + 0xfffffff0, _t264);
				_t133 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 + 0x12c)))) + 0x34))();
				_t265 =  &_v148;
				_t134 = E6B14E98E(_t235, _t133,  &_v148, _t122,  &_v68, _t292);
				_v36 = 6;
				_t135 = E6B14F0E8(_t235, _t134,  &_v68, _t292);
				_v44 = 7;
				E6B14E8E8( *_t135,  &_v68, _t292);
				_v48 = 8;
				_t250 =  *((intOrPtr*)(_t235 + 0x12c));
				_t138 =  *((intOrPtr*)( *_t250))( &_v172,  &_v152, ":");
				E6B147FA9( &_v176, _t250,  &_v108, _t292,  *((intOrPtr*)( *_t250 + 0x2c))(),  &_v148, _t138);
				E6B158460(_v188 + 0xfffffff0,  &_v148);
				E6B158460(_v176 + 0xfffffff0,  &_v148);
				_v60 = 0xc;
				E6B158460(_v172 + 0xfffffff0,  &_v148);
				_t272 = 0x6b1379e4;
				E6B14E8E8(0x6b1379e4,  &_v108, _t292);
				_v132 = 0;
				_v128 = 0;
				_v64 = 0xd;
				E6B14E8E8(0x6b1379e4, 0, _t292);
				_v152 = 0;
				_v148 = 0;
				_v68 = 0xe;
				E6B14E8E8(0x6b1379e4, 0, _t292);
				_v172 = 0;
				_v168 = 0;
				_v72 = 0xf;
				E6B147FE0( &_v148, _t265, 0x6b1379e4, 0, _t292);
				_t238 = _a4;
				_t165 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x70)))) + 0x20))( &_v100,  &_v116,  &_v132,  &_v164,  &_v180,  &_v176,  &_v156,  &_v136);
				_t266 =  *_t165;
				_t283 =  *((intOrPtr*)( *_t165 + 0x1c))();
				_v220 = _t283;
				_v204 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *_t283))())) - 0x10) + 0x10;
				_v92 = 0x10;
				_t174 =  *((intOrPtr*)( *_t283 + 4))();
				_push(0x67);
				_push(0x65);
				_push(_t238);
				_t256 = _t174; // executed
				E6B148ECA(_t238, _t256, 0x6b1379e4, _t283, _t292); // executed
				_push(_t238 + 0x74);
				_push(_v168);
				_push(_v172);
				_push( &_v180);
				_push(_t238); // executed
				_t178 = E6B148CD7(_t238,  *_t165, 0x6b1379e4, _t283, _t292); // executed
				_t293 = _t178;
				if(_t178 == 0) {
					_v204 = _t291;
					_t272 = L"System Drive";
					E6B14E8E8(L"System Drive", _t283, _t293);
					_v92 = 0x11;
					_t256 =  *((intOrPtr*)(_t238 + 0x12c));
					_t232 =  *((intOrPtr*)( *_t256 + 0x14))(5, _t291, _t256);
					_v92 = 0x10;
					E6B14F42A(_t238, _t256, _t266, L"System Drive", _t232, _t293);
				}
				_t284 = 0;
				if(_v168 > 0) {
					L4:
					E6B148CD7(_t238, _t266, _t272, _t284, _t295);
					_v224 = _t291;
					_t272 = L"Download Drive";
					E6B14E8E8(L"Download Drive", _t284, _t295);
					_v112 = 0x12;
					_t185 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x12c)))) + 0x14))(5, _t291, _t256, _t238,  &_v180, _v172, _v168, _t238 + 0x80);
					_v112 = 0x10;
					E6B14F42A(_t238,  *((intOrPtr*)(_t238 + 0x12c)), _t266, L"Download Drive", _t185, _t295);
					_t188 =  *((intOrPtr*)( *_v248 + 8))();
					_push(0x68);
					_push(0x66);
					_push(_t238);
					_t256 = _t188;
					E6B148ECA(_t238, _t256, L"Download Drive", _t185, _t295);
					_t284 = 0;
					L9:
					if(_v228 > _t284) {
						L11:
						E6B148CD7(_t238, _t266, _t272, _t284, _t297);
						_v268 = _t291;
						E6B14E8E8(L"Product Drive", _t284, _t297);
						_v156 = 0x13;
						_t196 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x12c)))) + 0x14))(5, _t291, _t256, _t238,  &_v240, _v232, _v228, _t238 + 0x8c);
						_v156 = 0x10;
						E6B14F42A(_t238,  *((intOrPtr*)(_t238 + 0x12c)), _t266, L"Product Drive", _t196, _t297);
						_t199 =  *((intOrPtr*)( *_v292 + 0xc))();
						_push(0x6b);
						_push(0x69);
						_push(_t238);
						E6B148ECA(_t238, _t199, L"Product Drive", _t196, _t297);
						L16:
						E6B158460(_v288 + 0xfffffff0, _t266);
						E6B158460(_v284 + 0xfffffff0, _t266);
						E6B158460(_v268 + 0xfffffff0, _t266);
						E6B158460(_v252 + 0xfffffff0, _t266);
						E6B158460(_v236 + 0xfffffff0, _t266);
						E6B158460(_v220 + 0xfffffff0, _t266);
						_t221 = E6B158460(_v204 + 0xfffffff0, _t266);
						 *[fs:0x0] = _v184;
						return _t221;
					}
					_t297 = _v232 - _t284;
					if(_v232 <= _t284) {
						_t222 =  *(_t238 + 0x90);
						__eflags = _t222 - _t284;
						if(_t222 != _t284) {
							ShowWindow(_t222, _t284); // executed
						}
						_t240 =  *(_t238 + 0x94);
						__eflags = _t240 - _t284;
						if(_t240 != _t284) {
							ShowWindow(_t240, _t284); // executed
						}
						goto L16;
					}
					goto L11;
				}
				_t295 = _v172;
				if(_v172 <= 0) {
					_t225 =  *(_t238 + 0x84);
					__eflags = _t225;
					if(_t225 != 0) {
						ShowWindow(_t225, 0); // executed
					}
					_t226 =  *(_t238 + 0x88);
					__eflags = _t226 - _t284;
					if(__eflags != 0) {
						ShowWindow(_t226, _t284); // executed
					}
					goto L9;
				}
				goto L4;
			}

0x6b148fa4
0x6b148fa4
0x6b148fba
0x6b148fc0
0x6b148fcf
0x6b148fda
0x6b148fe1
0x6b148fe9
0x6b148fec
0x6b148ff6
0x6b14900b
0x6b149010
0x6b14901f
0x6b149028
0x6b14902f
0x6b149037
0x6b149041
0x6b149053
0x6b149058
0x6b149067
0x6b149074
0x6b149077
0x6b14907d
0x6b14908e
0x6b149096
0x6b14909f
0x6b1490aa
0x6b1490af
0x6b1490b7
0x6b1490c1
0x6b1490d5
0x6b1490e1
0x6b1490ed
0x6b1490f2
0x6b149101
0x6b14910b
0x6b149110
0x6b149117
0x6b14911b
0x6b149124
0x6b14912c
0x6b149131
0x6b149135
0x6b14913e
0x6b149146
0x6b14914b
0x6b14914f
0x6b149173
0x6b14917b
0x6b149180
0x6b149188
0x6b14918b
0x6b149192
0x6b149198
0x6b1491ab
0x6b1491af
0x6b1491bb
0x6b1491be
0x6b1491c0
0x6b1491c2
0x6b1491c3
0x6b1491c5
0x6b1491cd
0x6b1491ce
0x6b1491d6
0x6b1491da
0x6b1491db
0x6b1491dc
0x6b1491e1
0x6b1491e3
0x6b1491e8
0x6b1491ed
0x6b1491f2
0x6b1491f7
0x6b1491ff
0x6b149209
0x6b14920e
0x6b149216
0x6b149216
0x6b14921b
0x6b149221
0x6b149229
0x6b14923e
0x6b149246
0x6b14924b
0x6b149250
0x6b149255
0x6b149267
0x6b14926c
0x6b149274
0x6b14927f
0x6b149282
0x6b149284
0x6b149286
0x6b149287
0x6b149289
0x6b14928e
0x6b1492b6
0x6b1492ba
0x6b1492c2
0x6b1492d7
0x6b1492df
0x6b1492e9
0x6b1492ee
0x6b149300
0x6b149305
0x6b14930d
0x6b149318
0x6b14931b
0x6b14931d
0x6b14931f
0x6b149322
0x6b14934d
0x6b149354
0x6b149360
0x6b14936c
0x6b149378
0x6b149384
0x6b149390
0x6b14939c
0x6b1493a8
0x6b1493b6
0x6b1493b6
0x6b1492bc
0x6b1492c0
0x6b149329
0x6b14932f
0x6b149331
0x6b149335
0x6b149335
0x6b14933b
0x6b149341
0x6b149343
0x6b149347
0x6b149347
0x00000000
0x6b149343
0x00000000
0x6b1492c0
0x6b149223
0x6b149227
0x6b149292
0x6b149298
0x6b14929a
0x6b14929e
0x6b14929e
0x6b1492a4
0x6b1492aa
0x6b1492ac
0x6b1492b0
0x6b1492b0
0x00000000
0x6b1492ac
0x00000000

APIs

Part of subcall function 6B151169: __EH_prolog3.LIBCMT ref: 6B151170
Part of subcall function 6B151169: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6B1511B1

Part of subcall function 6B1510EB: __EH_prolog3_GS.LIBCMT ref: 6B1510F5
Part of subcall function 6B1510EB: _memset.LIBCMT ref: 6B151121
Part of subcall function 6B1510EB: GetTempPathW.KERNEL32(00000104,?,Action,?,00000000), ref: 6B151135

Part of subcall function 6B14E98E: __EH_prolog3_GS.LIBCMT ref: 6B14E995
Part of subcall function 6B14E98E: _wmemcpy_s.LIBCMT ref: 6B14EA2A

Part of subcall function 6B14F0E8: __EH_prolog3.LIBCMT ref: 6B14F0EF

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B147FE0: __EH_prolog3.LIBCMT ref: 6B147FE7
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(?,?,?,00000014,6B149180,?,?,?,?,?,?,?,?), ref: 6B148015
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6B14801C
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(?,?,?,?), ref: 6B148064
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6B14806B
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(00000001,00000001,?,?), ref: 6B1480B3
Part of subcall function 6B147FE0: PathGetDriveNumberW.SHLWAPI(?), ref: 6B1480BA

Part of subcall function 6B148ECA: __EH_prolog3.LIBCMT ref: 6B148ED1
Part of subcall function 6B148ECA: GetDlgItem.USER32 ref: 6B148F73
Part of subcall function 6B148ECA: GetDlgItem.USER32 ref: 6B148F88
Part of subcall function 6B148ECA: KiUserCallbackDispatcher.NTDLL ref: 6B148F97

Part of subcall function 6B148CD7: __EH_prolog3.LIBCMT ref: 6B148CDE

Part of subcall function 6B14F42A: __EH_prolog3.LIBCMT ref: 6B14F431

ShowWindow.USER32(?,00000000,?,?,?,?,?,?,00000065,00000067), ref: 6B14929E
ShowWindow.USER32(F69FF218,00000000,?,?,?,?,?,?,00000065,00000067), ref: 6B1492B0
ShowWindow.USER32(?,00000000,?,00000066,00000068,?,?,?,?,?,?,?,?,?,?,?), ref: 6B149335
ShowWindow.USER32(00000012,00000000,?,00000066,00000068,?,?,?,?,?,?,?,?,?,?,?), ref: 6B149347

Strings

Download Drive, xrefs: 6B14924B
Product Drive, xrefs: 6B1492E4
System Drive, xrefs: 6B1491ED
Action, xrefs: 6B148FBF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Path$DriveNumber$ShowWindow$H_prolog3_Item$CallbackDirectoryDispatcherSystemTempUser_memset_wmemcpy_s
String ID: Action$Download Drive$Product Drive$System Drive
API String ID: 4172065825-2973646315
Opcode ID: 844ff539bfd7723e5f5bc62faa682dbe8f6a9d3a9f3a15c9953d92034719a16e
Instruction ID: 1811a28fb6d5e36fe471c0be4245b41951c61fa32271a8eb042a81fba76aa1ac
Opcode Fuzzy Hash: 844ff539bfd7723e5f5bc62faa682dbe8f6a9d3a9f3a15c9953d92034719a16e
Instruction Fuzzy Hash: 8FC13D72508240AFC720DB78C885B5EB7E8FF89718F044A59F999DB391DB39D904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6B149584 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B149584(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t72;
				intOrPtr _t76;
				void* _t77;
				void* _t78;
				long _t79;
				char _t84;
				intOrPtr _t92;
				intOrPtr _t99;
				void* _t102;
				intOrPtr* _t105;
				intOrPtr _t107;
				void* _t113;
				intOrPtr* _t116;
				int _t119;
				intOrPtr _t124;
				void* _t131;
				intOrPtr* _t133;
				intOrPtr _t136;
				void* _t141;
				intOrPtr _t142;
				void* _t143;

				_t143 = __eflags;
				_t131 = __edi;
				E6B16265B(0x6b165e70, __ebx, __edi, __esi);
				_t72 =  *0x6b16fe10; // 0x6b1333ec
				 *((char*)(_t141 - 0xd)) = 0;
				 *(_t141 - 0x1c) =  *((intOrPtr*)(_t72 + 0xc))(0x2c) + 0x10;
				_t119 = 0;
				 *((intOrPtr*)(_t141 - 4)) = 0;
				 *((intOrPtr*)(_t141 - 0x38)) = 0;
				 *((intOrPtr*)(_t141 - 0x34)) = 0;
				 *((intOrPtr*)(_t141 - 0x30)) = 0;
				 *((char*)(_t141 - 4)) = 1;
				_t133 =  *((intOrPtr*)(__edi + 0x12c));
				_t76 =  *((intOrPtr*)( *_t133 + 0x10))();
				_t130 =  *_t133;
				 *((intOrPtr*)(_t141 - 0x18)) = _t76;
				_t77 =  *((intOrPtr*)( *_t133 + 0x20))(_t141 - 0x38);
				_t124 =  *((intOrPtr*)(_t141 - 0x18));
				_push(_t77); // executed
				_t78 = E6B147F0A(0, _t124,  *_t133, __edi, _t133, _t143); // executed
				if(_t78 < 0 ||  *((intOrPtr*)(_t141 - 0x34)) <= 0) {
					L11:
					_t79 =  *(_t131 + 0x130);
				} else {
					 *((intOrPtr*)(_t141 - 0x18)) = 0;
					 *((intOrPtr*)(_t141 - 0x14)) =  *((intOrPtr*)(_t141 - 0x38));
					_t119 = L"%s\r\n";
					while(1) {
						_t92 =  *((intOrPtr*)(_t141 - 0x18));
						if(_t92 < 0) {
							break;
						}
						_t147 = _t92 -  *((intOrPtr*)(_t141 - 0x34));
						if(_t92 >=  *((intOrPtr*)(_t141 - 0x34))) {
							break;
						} else {
							 *((char*)(_t141 - 0xd)) =  *((intOrPtr*)( *((intOrPtr*)(E6B147E47( *((intOrPtr*)(_t141 - 0x14)), _t124, _t141 - 0x20, _t147))) - 0xc)) == 0;
							E6B158460( *((intOrPtr*)(_t141 - 0x20)) + 0xfffffff0, _t130);
							_t149 =  *((char*)(_t141 - 0xd));
							_t99 =  *((intOrPtr*)(_t141 - 0x14));
							_push(_t124);
							 *((intOrPtr*)(_t141 - 0x2c)) = _t142;
							_t136 = _t142;
							if( *((char*)(_t141 - 0xd)) == 0) {
								E6B147E47(_t99, _t124, _t136, __eflags);
								 *((char*)(_t141 - 4)) = 4;
								_t102 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x14))(4);
								 *((char*)(_t141 - 4)) = 1;
								E6B14F42A(_t119,  *((intOrPtr*)(_t131 + 0x12c)), _t130, _t131, _t102, __eflags);
								_t105 = E6B147E47( *((intOrPtr*)(_t141 - 0x14)),  *((intOrPtr*)(_t131 + 0x12c)), _t141 - 0x28, __eflags);
								 *((char*)(_t141 - 4)) = 5;
								E6B155002(_t141 - 0x1c, _t119,  *_t105);
								 *((char*)(_t141 - 4)) = 1;
								_t107 =  *((intOrPtr*)(_t141 - 0x28));
							} else {
								E6B147E25(_t99, _t124, _t136, _t149);
								 *((char*)(_t141 - 4)) = 2;
								_t113 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x14))(4);
								 *((char*)(_t141 - 4)) = 1;
								E6B14F42A(_t119,  *((intOrPtr*)(_t131 + 0x12c)), _t130, _t131, _t113, _t149);
								_t116 = E6B147E25( *((intOrPtr*)(_t141 - 0x14)),  *((intOrPtr*)(_t131 + 0x12c)), _t141 - 0x24, _t149);
								 *((char*)(_t141 - 4)) = 3;
								E6B155002(_t141 - 0x1c, _t119,  *_t116);
								 *((char*)(_t141 - 4)) = 1;
								_t107 =  *((intOrPtr*)(_t141 - 0x24));
							}
							_pop(_t124);
							E6B158460(_t107 + 0xfffffff0, _t130);
							 *((intOrPtr*)(_t141 - 0x18)) =  *((intOrPtr*)(_t141 - 0x18)) + 1;
							 *((intOrPtr*)(_t141 - 0x14)) =  *((intOrPtr*)(_t141 - 0x14)) + 8;
							if( *((intOrPtr*)(_t141 - 0x18)) <  *((intOrPtr*)(_t141 - 0x34))) {
								continue;
							} else {
								_t79 =  *(_t131 + 0x134);
								_t119 = 0;
								 *((char*)(_t141 - 0xd)) = 1;
							}
						}
						goto L12;
					}
					RaiseException(0xc000008c, 1, 0, 0);
					goto L11;
				}
				L12:
				SendDlgItemMessageW( *(_t131 + 4), 0x70, 0x172, 1, _t79);
				SetWindowTextW( *(_t131 + 0xd0),  *(_t141 - 0x1c));
				if( *((char*)(_t141 - 0xd)) == 0) {
					EnableWindow( *(_t131 + 0xd0), _t119); // executed
					_push(_t119);
				} else {
					EnableWindow( *(_t131 + 0xd0), 1);
					_push(5);
				}
				ShowWindow( *(_t131 + 0xd0), ??); // executed
				if( *((char*)(_t141 - 0xd)) == 0) {
					_t84 =  *((intOrPtr*)(_t131 + 0x128));
				} else {
					_t84 = 0;
				}
				 *((char*)(_t131 + 0x128)) = _t84;
				E6B156931(_t141 - 0x38);
				return E6B162709(E6B158460( &(( *(_t141 - 0x1c))[0xfffffffffffffff8]), _t130));
			}

0x6b149584
0x6b149584
0x6b14958b
0x6b149590
0x6b14959a
0x6b1495a4
0x6b1495a7
0x6b1495a9
0x6b1495ac
0x6b1495af
0x6b1495b2
0x6b1495b5
0x6b1495b9
0x6b1495c3
0x6b1495c6
0x6b1495ce
0x6b1495d1
0x6b1495d4
0x6b1495d7
0x6b1495d8
0x6b1495df
0x6b149701
0x6b149701
0x6b1495ee
0x6b1495f1
0x6b1495f4
0x6b1495f7
0x6b1495fc
0x6b1495fc
0x6b149601
0x00000000
0x00000000
0x6b149607
0x6b14960a
0x00000000
0x6b149610
0x6b149624
0x6b14962b
0x6b149630
0x6b149634
0x6b149637
0x6b149638
0x6b14963b
0x6b14963d
0x6b149683
0x6b149688
0x6b149696
0x6b14969b
0x6b14969f
0x6b1496aa
0x6b1496af
0x6b1496b9
0x6b1496be
0x6b1496c2
0x6b14963f
0x6b14963f
0x6b149644
0x6b149652
0x6b149657
0x6b14965b
0x6b149666
0x6b14966b
0x6b149675
0x6b14967a
0x6b14967e
0x6b14967e
0x6b1496c6
0x6b1496ca
0x6b1496cf
0x6b1496d5
0x6b1496dc
0x00000000
0x6b1496e2
0x6b1496e2
0x6b1496e8
0x6b1496ea
0x6b1496ea
0x6b1496dc
0x00000000
0x6b14960a
0x6b1496fb
0x00000000
0x6b1496fb
0x6b149707
0x6b149714
0x6b149723
0x6b14972d
0x6b149748
0x6b14974e
0x6b14972f
0x6b149737
0x6b14973d
0x6b14973d
0x6b149755
0x6b14975f
0x6b149765
0x6b149761
0x6b149761
0x6b149761
0x6b14976e
0x6b149774
0x6b149789

APIs

__EH_prolog3.LIBCMT ref: 6B14958B

Part of subcall function 6B147F0A: __EH_prolog3.LIBCMT ref: 6B147F11

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6B1496FB

Part of subcall function 6B14F42A: __EH_prolog3.LIBCMT ref: 6B14F431

Part of subcall function 6B155002: _vwprintf.LIBCMT ref: 6B15502C
Part of subcall function 6B155002: _vswprintf_s.LIBCMT ref: 6B155059

SendDlgItemMessageW.USER32 ref: 6B149714
SetWindowTextW.USER32(?,00000001), ref: 6B149723
EnableWindow.USER32(?,00000001), ref: 6B149737
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6B149748
ShowWindow.USER32(?,00000000), ref: 6B149755

Strings

%s, xrefs: 6B1495F7, 6B149674, 6B1496B8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Window$CallbackDispatcherEnableExceptionItemMessageRaiseSendShowTextUser_vswprintf_s_vwprintf
String ID: %s
API String ID: 845793909-3043279178
Opcode ID: 00d07721cd86afdb426df9a876754ffde4c07a0dc98bfe2f257751c770a5c142
Instruction ID: b063fb3e7e6f3c6ca1be71428a0b6ff28879f20fb931dcf4df2eabea41b12ac4
Opcode Fuzzy Hash: 00d07721cd86afdb426df9a876754ffde4c07a0dc98bfe2f257751c770a5c142
Instruction Fuzzy Hash: 37514971A0424AFFDB10DFB8C985BDDBBB0BF09308F104195E654B7292C7796A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B1493BE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B1493BE(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t58;
				void* _t61;
				long _t62;
				char _t67;
				intOrPtr _t74;
				intOrPtr _t79;
				void* _t81;
				void* _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t100;
				void* _t107;
				int _t111;
				void* _t116;
				intOrPtr* _t117;
				void* _t118;

				_t118 = __eflags;
				_t105 = __edx;
				E6B16265B(0x6b16674e, __ebx, __edi, __esi);
				_t107 = __ecx;
				_t54 =  *0x6b16fe10; // 0x6b1333ec
				 *((char*)(_t116 - 0xd)) = 0;
				 *(_t116 - 0x18) =  *((intOrPtr*)(_t54 + 0xc))() + 0x10;
				 *((intOrPtr*)(_t116 - 4)) = 0;
				 *((intOrPtr*)(_t116 - 0x28)) = 0;
				 *((intOrPtr*)(_t116 - 0x24)) = 0;
				 *((intOrPtr*)(_t116 - 0x20)) = 0;
				 *((char*)(_t116 - 4)) = 1;
				_t93 =  *((intOrPtr*)(__ecx + 0x12c));
				_t58 =  *((intOrPtr*)( *_t93 + 0x10))();
				_t100 = _t93;
				_t61 = E6B14795B(_t116 - 0x28, __edx, __ecx, _t58, _t118,  *((intOrPtr*)( *_t93 + 0x1c))(), 0x1c); // executed
				_t111 = 0;
				if(_t61 < 0 ||  *((intOrPtr*)(_t116 - 0x24)) <= 0) {
					L12:
					_t62 =  *(_t107 + 0x130);
				} else {
					 *((intOrPtr*)(_t116 - 0x14)) = 0;
					_t96 =  *((intOrPtr*)(_t116 - 0x28)) + 8;
					while(1) {
						_t74 =  *((intOrPtr*)(_t116 - 0x14));
						if(_t74 < _t111 || _t74 >=  *((intOrPtr*)(_t116 - 0x24))) {
							break;
						}
						_t75 =  *_t96;
						if( *((intOrPtr*)( *_t96 - 0xc)) == _t111) {
							L8:
							 *((intOrPtr*)(_t116 - 0x1c)) = _t117;
							_t79 = E6B1583FD( *((intOrPtr*)(_t96 - 4)) - 0x10) + 0x10;
							__eflags = _t79;
							 *_t117 = _t79;
							 *((char*)(_t116 - 4)) = 2;
							_t81 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x12c)))) + 0x14))(3, _t100);
							 *((char*)(_t116 - 4)) = 1;
							E6B14F42A(_t96,  *((intOrPtr*)(_t107 + 0x12c)), _t105, _t107, _t81, _t79);
							_push( *((intOrPtr*)(_t96 - 4)));
						} else {
							_t125 =  *((char*)(_t96 + 4));
							if( *((char*)(_t96 + 4)) == 0) {
								goto L8;
							} else {
								 *((intOrPtr*)(_t116 - 0x1c)) = _t117;
								 *_t117 = E6B1583FD(_t75 + 0xfffffff0) + 0x10;
								 *((char*)(_t116 - 4)) = 3;
								_t89 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x12c)))) + 0x14))(3, _t100);
								 *((char*)(_t116 - 4)) = 1;
								E6B14F42A(_t96,  *((intOrPtr*)(_t107 + 0x12c)), _t105, _t107, _t89, _t125);
								_push( *_t96);
							}
						}
						_push(L"%s\r\n");
						E6B155002(_t116 - 0x18);
						 *((intOrPtr*)(_t116 - 0x14)) =  *((intOrPtr*)(_t116 - 0x14)) + 1;
						_t96 = _t96 + 0x14;
						_t111 = 0;
						_pop(_t100);
						if( *((intOrPtr*)(_t116 - 0x14)) <  *((intOrPtr*)(_t116 - 0x24))) {
							continue;
						} else {
							_t62 =  *(_t107 + 0x134);
							 *((char*)(_t116 - 0xd)) = 1;
						}
						goto L13;
					}
					RaiseException(0xc000008c, 1, _t111, _t111);
					goto L12;
				}
				L13:
				SendDlgItemMessageW( *(_t107 + 4), 0x6f, 0x172, 1, _t62);
				SetWindowTextW( *(_t107 + 0x9c),  *(_t116 - 0x18));
				if( *((char*)(_t116 - 0xd)) == 0) {
					EnableWindow( *(_t107 + 0x9c), _t111); // executed
					_push(_t111);
				} else {
					EnableWindow( *(_t107 + 0x9c), 1);
					_push(5);
				}
				ShowWindow( *(_t107 + 0x9c), ??); // executed
				if( *((char*)(_t116 - 0xd)) == 0) {
					_t67 =  *((intOrPtr*)(_t107 + 0x128));
				} else {
					_t67 = 0;
				}
				 *((char*)(_t107 + 0x128)) = _t67;
				E6B1510A6(_t116 - 0x28);
				return E6B162709(E6B158460( &(( *(_t116 - 0x18))[0xfffffffffffffff8]), _t105));
			}

0x6b1493be
0x6b1493be
0x6b1493c5
0x6b1493ca
0x6b1493cc
0x6b1493d8
0x6b1493e1
0x6b1493e4
0x6b1493e7
0x6b1493ea
0x6b1493ed
0x6b1493f0
0x6b1493f4
0x6b1493fe
0x6b149405
0x6b14940e
0x6b149413
0x6b149417
0x6b1494f6
0x6b1494f6
0x6b149426
0x6b149429
0x6b14942c
0x6b14942f
0x6b14942f
0x6b149434
0x00000000
0x00000000
0x6b149443
0x6b149448
0x6b149483
0x6b14948a
0x6b149494
0x6b149494
0x6b149497
0x6b149499
0x6b1494a7
0x6b1494ac
0x6b1494b0
0x6b1494b5
0x6b14944a
0x6b14944a
0x6b14944e
0x00000000
0x6b149450
0x6b149454
0x6b149461
0x6b149463
0x6b149471
0x6b149476
0x6b14947a
0x6b14947f
0x6b14947f
0x6b14944e
0x6b1494b8
0x6b1494c0
0x6b1494c5
0x6b1494cc
0x6b1494cf
0x6b1494d1
0x6b1494d5
0x00000000
0x6b1494db
0x6b1494db
0x6b1494e1
0x6b1494e1
0x00000000
0x6b1494d5
0x6b1494f0
0x00000000
0x6b1494f0
0x6b1494fc
0x6b149509
0x6b149518
0x6b149522
0x6b14953d
0x6b149543
0x6b149524
0x6b14952c
0x6b149532
0x6b149532
0x6b14954a
0x6b149554
0x6b14955a
0x6b149556
0x6b149556
0x6b149556
0x6b149560
0x6b149569
0x6b14957e

APIs

__EH_prolog3.LIBCMT ref: 6B1493C5

Part of subcall function 6B14795B: __EH_prolog3.LIBCMT ref: 6B147962
Part of subcall function 6B14795B: EnumWindows.USER32(6B147C3F,?), ref: 6B1479BF

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6B1494F0

Part of subcall function 6B14F42A: __EH_prolog3.LIBCMT ref: 6B14F431

SendDlgItemMessageW.USER32 ref: 6B149509
SetWindowTextW.USER32(?,?), ref: 6B149518
EnableWindow.USER32(?,00000001), ref: 6B14952C
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6B14953D
ShowWindow.USER32(?,00000000), ref: 6B14954A

Strings

%s, xrefs: 6B1494B8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Window$CallbackDispatcherEnableEnumExceptionItemMessageRaiseSendShowTextUserWindows
String ID: %s
API String ID: 1961699382-3043279178
Opcode ID: a40c84874e0f1ec259868bdd8ba4c4c60d352a7a5500c181bfd8cab975f2786a
Instruction ID: f72659eadd343dde0fec96755a8ff902d5cceba45808888007fad6f9a11794e4
Opcode Fuzzy Hash: a40c84874e0f1ec259868bdd8ba4c4c60d352a7a5500c181bfd8cab975f2786a
Instruction Fuzzy Hash: 1951A031900215FFDB11DFB8C989BDDBFB1BF09754F144198E558AB282D7389A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F4D6 Relevance: 12.0, APIs: 8, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13F4D6(int* __ebx, struct HWND__* _a4) {

				EnableWindow(GetDlgItem(_a4,  *__ebx), 0); // executed
				EnableWindow(GetDlgItem(_a4, __ebx[2]), 0); // executed
				EnableWindow(GetDlgItem(_a4, __ebx[4]), 0); // executed
				return EnableWindow(GetDlgItem(_a4, __ebx[6]), 0);
			}

0x6b13f4f3
0x6b13f500
0x6b13f50d
0x6b13f51f

APIs

GetDlgItem.USER32 ref: 6B13F4E8
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6B13F4F3
GetDlgItem.USER32 ref: 6B13F4FB
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6B13F500
GetDlgItem.USER32 ref: 6B13F508
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6B13F50D
GetDlgItem.USER32 ref: 6B13F515
EnableWindow.USER32(00000000,00000000), ref: 6B13F51A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Item$CallbackDispatcherUser$EnableWindow
String ID:
API String ID: 2551263484-0
Opcode ID: a1aa18585a41274cb307fd6277accac61860e4119804ad00cd0fcce416d5fb6f
Instruction ID: 7363c5e17370ded47bf1a73844ec4939590bcf96cad8734cc51d2f0fbeb63b3f
Opcode Fuzzy Hash: a1aa18585a41274cb307fd6277accac61860e4119804ad00cd0fcce416d5fb6f
Instruction Fuzzy Hash: A8F09E7254025877CF213FA6CC49F4B3E29EFC5760F154461F6049A060C675D961DFE4

Uniqueness

Uniqueness Score: -1.00%

Function 6B1430B1 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E6B1430B1(void* __ebx, intOrPtr* __ecx, void* __eflags, char _a4) {
				void* __edi;
				void* __esi;
				void* _t12;
				void* _t13;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				void* _t37;
				char* _t38;
				signed int _t39;
				intOrPtr* _t40;
				intOrPtr* _t44;
				void* _t45;

				_t35 = __ecx;
				_push(_t37);
				_push(_a4);
				_t44 = __ecx; // executed
				_t12 = E6B156041(__ebx, _t36, _t37, __ecx, __eflags); // executed
				_t13 = _t12 - 1;
				if(_t13 == 0) {
					L9:
					_t38 = L"Install";
				} else {
					_t30 = _t13 - 1;
					if(_t30 == 0) {
						_t38 = L"Uninstall";
					} else {
						_t31 = _t30 - 1;
						if(_t31 == 0) {
							_t38 = L"Repair";
						} else {
							_t32 = _t31 - 1;
							if(_t32 == 0) {
								_t38 = L"CreateLayout";
							} else {
								_t58 = _t32 != 3;
								if(_t32 != 3) {
									goto L9;
								} else {
									_t38 = L"UninstallPatch";
								}
							}
						}
					}
				}
				_push( &_a4);
				E6B14E8E8(_t38, _t44, _t58);
				_t45 = _t44 + 0xc;
				_t39 = E6B14F693(_t45,  &_a4);
				E6B158460(_a4 + 0xfffffff0, _t36);
				if(_t39 < 0 || _t39 >=  *((intOrPtr*)(_t45 + 8))) {
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t45);
					_push(_t39);
					_t40 = _t35;
					 *_t40 = 0x6b13731c;
					E6B14F5A3(_t40 + 0xc);
					E6B158460( *((intOrPtr*)(_t40 + 8)) - 0x10, _t36);
					__eflags =  *((intOrPtr*)(_t40 + 4)) - 0x10;
					_t27 = E6B158460( *((intOrPtr*)(_t40 + 4)) - 0x10, _t36);
					 *_t40 = 0x6b136ffc;
					return _t27;
				} else {
					return  *((intOrPtr*)(_t45 + 4)) + _t39 * 4;
				}
			}

0x6b1430b1
0x6b1430b7
0x6b1430b8
0x6b1430bb
0x6b1430bd
0x6b1430c2
0x6b1430c3
0x6b1430ef
0x6b1430ef
0x6b1430c5
0x6b1430c5
0x6b1430c6
0x6b1430e8
0x6b1430c8
0x6b1430c8
0x6b1430c9
0x6b1430e1
0x6b1430cb
0x6b1430cb
0x6b1430cc
0x6b1430da
0x6b1430ce
0x6b1430ce
0x6b1430d1
0x00000000
0x6b1430d3
0x6b1430d3
0x6b1430d3
0x6b1430d1
0x6b1430cc
0x6b1430c9
0x6b1430c6
0x6b1430f7
0x6b1430f8
0x6b143100
0x6b143109
0x6b143111
0x6b143118
0x6b143136
0x6b14313c
0x6b14313d
0x6b14313e
0x6b14313f
0x6b143140
0x6b143141
0x6b143144
0x6b143145
0x6b143146
0x6b14314b
0x6b143151
0x6b14315c
0x6b143164
0x6b143167
0x6b14316c
0x6b143174
0x6b14311f
0x6b143128
0x6b143128

APIs

Part of subcall function 6B156041: __EH_prolog3.LIBCMT ref: 6B156048
Part of subcall function 6B156041: GetCommandLineW.KERNEL32(0000001C,6B1430C2,?), ref: 6B15604D

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?), ref: 6B143136

Strings

CreateLayout, xrefs: 6B1430DA
Repair, xrefs: 6B1430E1
UninstallPatch, xrefs: 6B1430D3
Install, xrefs: 6B1430EF
Uninstall, xrefs: 6B1430E8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CommandExceptionH_prolog3LineRaise
String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
API String ID: 683617612-791770018
Opcode ID: 44320022164d9b4d1cf81732e904298b3f9254f5b27efdb70599b6146345f23f
Instruction ID: 04a08b5285790ca21f017d4253561c819da4d19898b08a8708ee7c7265c826fa
Opcode Fuzzy Hash: 44320022164d9b4d1cf81732e904298b3f9254f5b27efdb70599b6146345f23f
Instruction Fuzzy Hash: C201F572104559B3DF30D72CE812F45B6559B856B4F164271EA24EB240DA3EE4438260

Uniqueness

Uniqueness Score: -1.00%

Function 6B14B6A5 Relevance: 10.5, APIs: 7, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14B6A5(void* __eax) {
				void* _t21;
				struct HWND__** _t23;

				_t21 = __eax;
				 *( *((intOrPtr*)(__eax + 0x68)) + 4) = 0x69;
				_t23 = __eax + 4;
				E6B13E389(_t23, 4); // executed
				E6B13E36B(_t23);
				EnableMenuItem(GetSystemMenu(GetParent( *_t23), 0), 0xf060, 0);
				SetWindowLongW( *_t23, 0xfffffff4, 0x69);
				SetWindowTextW(GetParent( *_t23),  *(_t21 + 0x58)); // executed
				PostMessageW( *_t23, 0x6f5, 0, 0); // executed
				return 1;
			}

0x6b14b6aa
0x6b14b6af
0x6b14b6b6
0x6b14b6bd
0x6b14b6c4
0x6b14b6e4
0x6b14b6f0
0x6b14b6ff
0x6b14b710
0x6b14b71c

APIs

Part of subcall function 6B13E389: GetParent.USER32 ref: 6B13E390
Part of subcall function 6B13E389: PostMessageW.USER32(00000000,00000470,00000000,?), ref: 6B13E3A1

Part of subcall function 6B13E36B: GetParent.USER32(?), ref: 6B13E36D
Part of subcall function 6B13E36B: SendMessageW.USER32(00000000,0000046B,00000000,00000000), ref: 6B13E37D

GetParent.USER32(00000069), ref: 6B14B6D1
GetSystemMenu.USER32(00000000,00000000,0000F060,00000000,?,?,00000000,6B1520A8,00000001,?,6B152023,?,000006F5,?,?,?), ref: 6B14B6DD
EnableMenuItem.USER32 ref: 6B14B6E4
SetWindowLongW.USER32 ref: 6B14B6F0
GetParent.USER32(00000069), ref: 6B14B6FB
SetWindowTextW.USER32(00000000,?), ref: 6B14B6FF
PostMessageW.USER32(00000069,000006F5,00000000,00000000), ref: 6B14B710

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Parent$Message$MenuPostWindow$EnableItemLongSendSystemText
String ID:
API String ID: 2729316450-0
Opcode ID: ac1048834c6f8417dbbdbfdb7f12d1e480e50a3aabda8c2251dbab0f612b85b1
Instruction ID: 0f12492453beedf9be61aea997f2247935b7df2defc4780e88cd6cb9d2ae5d7c
Opcode Fuzzy Hash: ac1048834c6f8417dbbdbfdb7f12d1e480e50a3aabda8c2251dbab0f612b85b1
Instruction Fuzzy Hash: 38016D76240220FFEB206BA9CC49F597B69EB45B64F200410F241D7590DB71E9318B94

Uniqueness

Uniqueness Score: -1.00%

Function 6B1433F3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6B1433F3(WCHAR** __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t17;
				signed int _t22;
				void* _t27;
				intOrPtr* _t29;
				intOrPtr _t31;
				void* _t32;

				_t27 = __edx;
				_push(8);
				E6B16265B(0x6b164b1f, __ebx, __edi, __esi);
				_t31 = __ecx;
				_t29 =  *((intOrPtr*)(_t32 + 8));
				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
				 *_t29 = 0x6b137330;
				 *((intOrPtr*)(_t29 + 4)) = E6B1583FD( *__ebx - 0x10) + 0x10;
				 *(_t32 - 4) = 1;
				 *((intOrPtr*)(_t29 + 8)) = _t31;
				_t17 = LoadLibraryW( *__ebx); // executed
				_t36 = _t17;
				if(_t17 == 0) {
					_t29 = GetLastError;
					_push(GetLastError());
					_push( *__ebx);
					_push(L"::LoadLibrary(%s) failed with error %d");
					_push(0);
					E6B13B93E(__ebx, _t27, GetLastError, _t31, _t36);
					_t22 = GetLastError();
					if(_t22 > 0) {
						_t22 = _t22 & 0x0000ffff | 0x80070000;
					}
					 *(_t32 - 0x10) = _t22;
					 *((intOrPtr*)(_t32 - 0x14)) = 0x6b136e14;
					_t17 = E6B15DBDB(_t32 - 0x14, 0x6b1682d8);
				}
				 *(_t29 + 0xc) = _t17;
				return E6B162709(_t29);
			}

0x6b1433f3
0x6b1433f3
0x6b1433fa
0x6b1433ff
0x6b143401
0x6b143404
0x6b143408
0x6b14341b
0x6b14341e
0x6b143422
0x6b143427
0x6b14342d
0x6b14342f
0x6b143431
0x6b143439
0x6b14343a
0x6b14343c
0x6b143441
0x6b143443
0x6b14344b
0x6b14344f
0x6b143456
0x6b143456
0x6b14345b
0x6b143467
0x6b14346e
0x6b14346e
0x6b143473
0x6b14347d

APIs

__EH_prolog3.LIBCMT ref: 6B1433FA
LoadLibraryW.KERNELBASE(?,00000008,6B143377,?), ref: 6B143427
GetLastError.KERNEL32 ref: 6B143437

Part of subcall function 6B13B93E: __EH_prolog3.LIBCMT ref: 6B13B945

GetLastError.KERNEL32 ref: 6B14344B
__CxxThrowException@8.LIBCMT ref: 6B14346E

Strings

::LoadLibrary(%s) failed with error %d, xrefs: 6B14343C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8LibraryLoadThrow
String ID: ::LoadLibrary(%s) failed with error %d
API String ID: 3804648058-20907036
Opcode ID: 84547d2161161932403ae659fe4735382dc5a4fb946c26660c3414cd1cb353af
Instruction ID: b6465ae887164a8edc3abd5d341f2b0a9e4506537705e2b2526f98d8895f02a9
Opcode Fuzzy Hash: 84547d2161161932403ae659fe4735382dc5a4fb946c26660c3414cd1cb353af
Instruction Fuzzy Hash: 69017CB290051AFFDB00DF78C846B6EBAA1FF11344F148574E418EB244E77DD9218BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B147C58 Relevance: 9.1, APIs: 6, Instructions: 140
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E6B147C58(void* __ebx, signed int* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t73;
				signed int _t79;
				signed int _t90;
				intOrPtr* _t101;
				signed int _t104;
				WCHAR* _t113;
				struct HWND__* _t119;
				signed int _t124;
				signed int* _t129;
				int _t132;
				signed int _t133;
				intOrPtr* _t137;
				void* _t139;

				_push(0x20);
				E6B16265B(0x6b16638e, __ebx, __edi, __esi);
				_t129 = __ecx;
				 *(_t139 - 0x14) =  *(_t139 - 0x14) & 0x00000000;
				GetWindowThreadProcessId( *(_t139 + 8), _t139 - 0x14);
				if(GetCurrentProcessId() ==  *(_t139 - 0x14)) {
					L15:
					return E6B162709(1);
				} else {
					_t73 =  *0x6b16fe10; // 0x6b1333ec
					_t7 =  *((intOrPtr*)(_t73 + 0xc))() + 0x10; // 0x10
					_t113 = _t7;
					 *(_t139 - 0x10) = _t113;
					 *(_t139 - 4) =  *(_t139 - 4) & 0x00000000;
					_t118 = 1 -  *((intOrPtr*)(_t113 - 4));
					if(( *(_t113 - 8) - 0x00000200 | 1) < 0) {
						_t118 = _t139 - 0x10;
						E6B15827A(0x200, _t139 - 0x10);
						_t113 =  *(_t139 - 0x10);
					}
					if( *(_t113 - 8) < 0x200) {
						E6B1583CE(_t118, 0x80070057);
					}
					 *((intOrPtr*)(_t113 - 0xc)) = 0x200;
					_t113[0x200] = 0;
					_t132 =  *(_t113 - 8);
					if( *((intOrPtr*)(_t113 - 4)) > 1) {
						E6B1581DE(_t118, _t139 - 0x10,  *((intOrPtr*)(_t113 - 0xc)));
						_t113 =  *(_t139 - 0x10);
					}
					_t79 = GetWindowTextW( *(_t139 + 8), _t113, _t132);
					_t133 = _t139 - 0x10;
					L6B14F1A2(_t79 | 0xffffffff, _t113, _t133);
					E6B13F1D6(_t118, _t139 - 0x18,  *(_t139 - 0x14), _t129[3]); // executed
					 *(_t139 - 4) = 1;
					 *(_t139 + 8) = IsWindowVisible( *(_t139 + 8)) & 0xffffff00 | _t84 != 0x00000000;
					_push( *(_t139 + 8));
					_push(_t133);
					_push(_t139 - 0x18);
					_push( *(_t139 - 0x14));
					_push(_t139 - 0x2c);
					E6B1478D5(_t113, _t118, _t129, _t133, _t84);
					 *(_t139 - 4) = 2;
					_t90 = _t129[1];
					_t119 = 0;
					 *(_t139 + 8) = 0;
					if(_t90 <= 0) {
						L13:
						_push(_t139 - 0x2c);
						E6B150FBC(_t129);
						goto L14;
					} else {
						_t124 =  *(_t139 - 0x2c);
						while( *(_t139 + 8) >= 0 &&  *(_t139 + 8) < _t90) {
							_t133 =  *_t129;
							if(_t124 ==  *((intOrPtr*)(_t119 + _t133))) {
								_t133 =  *(_t139 + 8);
								__eflags = _t133 - _t90;
								if(_t133 >= _t90) {
									break;
								} else {
									_t137 = _t133 * 0x14 +  *_t129;
									_t104 =  *_t137 - _t124;
									__eflags = _t104;
									if(_t104 == 0) {
										 *((intOrPtr*)(_t137 + 0xc)) - _t104 =  *((intOrPtr*)(_t139 - 0x20));
										_t104 = (_t104 & 0xffffff00 |  *((intOrPtr*)(_t137 + 0xc)) != _t104) - (0 |  *((intOrPtr*)(_t139 - 0x20)) != 0x00000000);
										__eflags = _t104;
										if(_t104 == 0) {
											__eflags = _t137 + 8;
											_t104 = E6B14EB56(_t137 + 8,  *((intOrPtr*)(_t139 - 0x24)));
										}
									}
									__eflags = _t104;
									if(_t104 >= 0) {
										L14:
										L23();
										L24();
										L24();
										goto L15;
									} else {
										E6B15104D(_t129,  *(_t139 + 8));
										goto L13;
									}
								}
							} else {
								 *(_t139 + 8) =  &( *(_t139 + 8)->i);
								_t119 = _t119 + 0x14;
								if( *(_t139 + 8) < _t90) {
									continue;
								} else {
									goto L13;
								}
							}
							goto L27;
						}
						RaiseException(0xc000008c, 1, 0, 0);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						L24();
						L24();
						_t101 =  *((intOrPtr*)(_t133 + 4)) - 0x10;
						asm("lock xadd [ecx], edx");
						__eflags = (_t124 | 0xffffffff) - 1;
						if((_t124 | 0xffffffff) - 1 <= 0) {
							return  *((intOrPtr*)( *((intOrPtr*)( *_t101)) + 4))(_t101);
						}
						return _t101;
					}
				}
				L27:
			}

0x6b147c58
0x6b147c5f
0x6b147c64
0x6b147c66
0x6b147c71
0x6b147c80
0x6b147d9f
0x6b147da7
0x6b147c86
0x6b147c86
0x6b147c93
0x6b147c93
0x6b147c96
0x6b147c99
0x6b147ca3
0x6b147caf
0x6b147cb3
0x6b147cb6
0x6b147cbb
0x6b147cbb
0x6b147cc1
0x6b147cc8
0x6b147cc8
0x6b147ccd
0x6b147cd2
0x6b147cdd
0x6b147ce0
0x6b147ce9
0x6b147cee
0x6b147cee
0x6b147cf6
0x6b147cff
0x6b147d02
0x6b147d11
0x6b147d19
0x6b147d28
0x6b147d2b
0x6b147d30
0x6b147d34
0x6b147d35
0x6b147d3b
0x6b147d3c
0x6b147d41
0x6b147d45
0x6b147d48
0x6b147d4a
0x6b147d4f
0x6b147d79
0x6b147d7c
0x6b147d7f
0x00000000
0x6b147d51
0x6b147d51
0x6b147d54
0x6b147d67
0x6b147d6c
0x6b147daa
0x6b147dad
0x6b147daf
0x00000000
0x6b147db1
0x6b147db4
0x6b147db8
0x6b147db8
0x6b147dba
0x6b147dc4
0x6b147dca
0x6b147dca
0x6b147dcc
0x6b147dd1
0x6b147dd5
0x6b147dd5
0x6b147dcc
0x6b147dda
0x6b147ddc
0x6b147d84
0x6b147d87
0x6b147d92
0x6b147d9a
0x00000000
0x6b147dde
0x6b147de1
0x00000000
0x6b147de1
0x6b147ddc
0x6b147d6e
0x6b147d6e
0x6b147d71
0x6b147d77
0x00000000
0x00000000
0x00000000
0x00000000
0x6b147d77
0x00000000
0x6b147d6c
0x6b147df3
0x6b147df9
0x6b147dfa
0x6b147dfb
0x6b147dfc
0x6b147dfd
0x6b147dfe
0x6b147e05
0x6b147e10
0x6b147e18
0x6b158466
0x6b15846b
0x6b15846d
0x00000000
0x6b158474
0x6b158477
0x6b158477
0x6b147d4f
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B147C5F
GetWindowThreadProcessId.USER32(?,00000000), ref: 6B147C71
GetCurrentProcessId.KERNEL32 ref: 6B147C77
GetWindowTextW.USER32 ref: 6B147CF6
IsWindowVisible.USER32(?), ref: 6B147D1D
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,?,?), ref: 6B147DF3

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Process$CurrentExceptionH_prolog3RaiseTextThreadVisible
String ID:
API String ID: 905677211-0
Opcode ID: 8d6fdfd7a7e2c20d65018abbd9e8c35896d856fae5c6da14e532248e3180e1e4
Instruction ID: 258b162346ee272f8a30655192a9b4a83ab25a3a4c4a5216287c85ca5dea881d
Opcode Fuzzy Hash: 8d6fdfd7a7e2c20d65018abbd9e8c35896d856fae5c6da14e532248e3180e1e4
Instruction Fuzzy Hash: 52517971D1011AFBCF00DFB4C885AAEBB75FF04359F11806AE925EB140E7389A65CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B15424A Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B15424A(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x69);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x69) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow());
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b15424a
0x6b15424a
0x6b154251
0x6b15425a
0x6b154265
0x6b154270
0x6b154273
0x6b154276
0x6b154279
0x6b15427c
0x6b154282
0x6b154285
0x6b15428d
0x6b154292
0x6b154297
0x6b1542b4
0x6b1542bb
0x6b1542c9
0x6b1542c9
0x6b1542d4
0x6b1542db

APIs

__EH_prolog3.LIBCMT ref: 6B154251
SetWindowLongW.USER32 ref: 6B154265

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B1542A1
SendMessageW.USER32(00000000,00000485,00000000,00000069), ref: 6B1542AC
GetParent.USER32(?), ref: 6B1542B9
GetDesktopWindow.USER32 ref: 6B1542BE

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 43a9d6fec287761f1d07be5a03a15008576ea194427be9e188519eb69595fb3d
Instruction ID: 634d30aee095e9c83fee55fdc1a85bd58c0f9781c69f13c05686487fd71243f4
Opcode Fuzzy Hash: 43a9d6fec287761f1d07be5a03a15008576ea194427be9e188519eb69595fb3d
Instruction Fuzzy Hash: A7115AB5900218EFCB109FB8C88599EFBF4FF59740B10451AE426E7290EB399A20CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B153A76 Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B153A76(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x6b);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x6b) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow()); // executed
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b153a76
0x6b153a76
0x6b153a7d
0x6b153a86
0x6b153a91
0x6b153a9c
0x6b153a9f
0x6b153aa2
0x6b153aa5
0x6b153aa8
0x6b153aae
0x6b153ab1
0x6b153ab9
0x6b153abe
0x6b153ac3
0x6b153ae0
0x6b153ae7
0x6b153af5
0x6b153af5
0x6b153b00
0x6b153b07

APIs

__EH_prolog3.LIBCMT ref: 6B153A7D
SetWindowLongW.USER32 ref: 6B153A91

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B153ACD
SendMessageW.USER32(00000000,00000485,00000000,0000006B), ref: 6B153AD8
GetParent.USER32(?), ref: 6B153AE5
GetDesktopWindow.USER32 ref: 6B153AEA

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: b40f71150ddeeff3a47aa71e881cbe0e3f82b5d6f487892f1942b18af6311de5
Instruction ID: 2df0f97b4f2be6b5534081aa9b919fcc28d6aca8616ed5e668086c5fa9cebfd0
Opcode Fuzzy Hash: b40f71150ddeeff3a47aa71e881cbe0e3f82b5d6f487892f1942b18af6311de5
Instruction Fuzzy Hash: 7F119AB1900614EFCB20DFB8C88599EFBF4FF59700B10451AE026E7290EB389A20CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B154100 Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B154100(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x6a);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x6a) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow());
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b154100
0x6b154100
0x6b154107
0x6b154110
0x6b15411b
0x6b154126
0x6b154129
0x6b15412c
0x6b15412f
0x6b154132
0x6b154138
0x6b15413b
0x6b154143
0x6b154148
0x6b15414d
0x6b15416a
0x6b154171
0x6b15417f
0x6b15417f
0x6b15418a
0x6b154191

APIs

__EH_prolog3.LIBCMT ref: 6B154107
SetWindowLongW.USER32 ref: 6B15411B

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B154157
SendMessageW.USER32(00000000,00000485,00000000,0000006A), ref: 6B154162
GetParent.USER32(?), ref: 6B15416F
GetDesktopWindow.USER32 ref: 6B154174

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 6e86c1f386d4541b720e22ae16ce0430105895511f0a7b1ef782b961dd39b177
Instruction ID: 48bcf8d98fc6b86e98dac3b9d5faf549666204b944674308c629c5dee99c37cc
Opcode Fuzzy Hash: 6e86c1f386d4541b720e22ae16ce0430105895511f0a7b1ef782b961dd39b177
Instruction Fuzzy Hash: CB115EB1A00214EBCB109F78C88599EFBF4FF69744B10451AE426E7290EB399920CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B148CD7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 154
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6B148CD7(void* __ebx, unsigned int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t73;
				intOrPtr _t76;
				void* _t83;
				char _t84;
				signed int _t93;
				intOrPtr _t97;
				unsigned int _t100;
				unsigned int _t101;
				intOrPtr _t104;
				intOrPtr* _t112;
				struct HWND__* _t118;
				struct HWND__* _t119;
				signed int _t152;
				unsigned int _t154;
				unsigned int _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				int _t164;
				WCHAR* _t165;
				void* _t166;
				void* _t167;
				void* _t170;

				_t170 = __eflags;
				_t154 = __edx;
				E6B16265B(0x6b165ec8, __ebx, __edi, __esi);
				_t73 =  *0x6b16fe10; // 0x6b1333ec
				 *((intOrPtr*)(_t166 - 0x24)) =  *((intOrPtr*)(_t73 + 0xc))(0x18) + 0x10;
				 *(_t166 - 4) =  *(_t166 - 4) & 0x00000000;
				_t76 =  *0x6b16fe10; // 0x6b1333ec
				 *(_t166 - 0x18) =  *((intOrPtr*)(_t76 + 0xc))() + 0x10;
				 *(_t166 - 4) = 1;
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0xc)))), 0x6b16fe10, _t170);
				 *(_t166 - 4) = 2;
				_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 8)) + 0x12c)))) + 0x10))(_t166 - 0x14);
				_t84 = E6B15127A( *((intOrPtr*)(_t166 + 0xc)), _t83, __edx,  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0xc)))), 0x6b16fe10, _t170); // executed
				 *((char*)(_t166 - 0xd)) = _t84;
				 *(_t166 - 4) = 1;
				E6B158460( *((intOrPtr*)(_t166 - 0x14)) + 0xfffffff0, __edx);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t166 + 0xc)))), 0x6b16fe10, _t170);
				 *(_t166 - 4) = 3;
				_t140 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 8)) + 0x12c)))) + 0x10))(_t166 - 0x14, _t166 - 0x14,  *(_t166 + 0x10),  *(_t166 + 0x14)); // executed
				_t93 = E6B151360(__edx, _t166 - 0x14); // executed
				 *(_t166 - 0x20) = _t93;
				 *(_t166 - 4) = 1;
				_t158 = _t154;
				E6B158460( *((intOrPtr*)(_t166 - 0x14)) + 0xfffffff0, _t154);
				_t97 =  *0x6b16fe10; // 0x6b1333ec
				 *((intOrPtr*)(_t166 - 0x14)) =  *((intOrPtr*)(_t97 + 0xc))() + 0x10;
				 *(_t166 - 4) = 4;
				_t100 =  *(_t166 + 0x14);
				_t152 = (_t100 << 0x00000020 |  *(_t166 + 0x10)) >> 0x14;
				_t101 = _t100 >> 0x14;
				if(_t101 != 0) {
					L2:
					_push(_t101);
					E6B155075(_t152, _t166 - 0x14, L"%1!I64u!", _t152);
					_t167 = _t167 + 0x10;
				} else {
					_t172 = _t152;
					if(_t152 == 0) {
						_t140 = E6B158199(L"< 1");
						E6B15811C(_t166 - 0x14, _t135, _t152, L"< 1");
					} else {
						goto L2;
					}
				}
				_t104 =  *0x6b16fe10; // 0x6b1333ec
				 *(_t166 + 0x14) =  *((intOrPtr*)(_t104 + 0xc))() + 0x10;
				_push(_t158 >> 0x14);
				 *(_t166 - 4) = 5;
				E6B155075(0x6b16fe10, _t166 + 0x14, L"%1!I64u!", (_t158 << 0x00000020 |  *(_t166 - 0x20)) >> 0x14);
				_push( *((intOrPtr*)(_t166 + 0xc)));
				_push(_t166 + 0xc);
				_t112 = E6B1511E8(_t140, 0x6b16fe10, _t154, _t158 >> 0x14, 0x6b16fe10, _t172);
				_t163 =  *((intOrPtr*)(_t166 + 8));
				 *(_t166 - 4) = 6;
				_t141 =  *(_t166 + 0x14);
				_push( *(_t166 + 0x14));
				_push( *((intOrPtr*)(_t166 - 0x14)));
				E6B155075(0x6b16fe10, _t166 - 0x18,  *((intOrPtr*)(_t163 + 0x13c)),  *_t112);
				E6B158460( *((intOrPtr*)(_t166 + 0xc)) + 0xfffffff0, _t154);
				if( *((char*)(_t166 - 0xd)) == 0) {
					 *((char*)(_t163 + 0x128)) = 0;
					_t164 =  *(_t163 + 0x134);
				} else {
					_t164 =  *(_t163 + 0x130);
				}
				_t160 =  *((intOrPtr*)(_t166 + 0x18));
				_t118 =  *(_t160 + 4);
				if(_t118 != 0) {
					SendMessageW(_t118, 0x170, _t164, 0);
				}
				_t119 =  *(_t160 + 8);
				_t165 =  *(_t166 - 0x18);
				if(_t119 != 0) {
					SetWindowTextW(_t119, _t165); // executed
				}
				E6B158460(_t141 - 0x10, _t154);
				E6B158460( *((intOrPtr*)(_t166 - 0x14)) + 0xfffffff0, _t154);
				E6B158460(_t165 - 0x10, _t154);
				E6B158460( *((intOrPtr*)(_t166 - 0x24)) + 0xfffffff0, _t154);
				return E6B162709( *((intOrPtr*)(_t166 - 0xd)));
			}

0x6b148cd7
0x6b148cd7
0x6b148cde
0x6b148ce3
0x6b148cf5
0x6b148cf8
0x6b148cfc
0x6b148d09
0x6b148d0c
0x6b148d19
0x6b148d21
0x6b148d2d
0x6b148d3c
0x6b148d41
0x6b148d44
0x6b148d4e
0x6b148d59
0x6b148d61
0x6b148d74
0x6b148d76
0x6b148d7b
0x6b148d7e
0x6b148d88
0x6b148d8a
0x6b148d8f
0x6b148d9c
0x6b148d9f
0x6b148da3
0x6b148da9
0x6b148dad
0x6b148db2
0x6b148db8
0x6b148db8
0x6b148dc3
0x6b148dc8
0x6b148db4
0x6b148db4
0x6b148db6
0x6b148dda
0x6b148ddf
0x00000000
0x00000000
0x00000000
0x6b148db6
0x6b148de4
0x6b148df1
0x6b148dfe
0x6b148e09
0x6b148e0d
0x6b148e15
0x6b148e1b
0x6b148e1c
0x6b148e21
0x6b148e24
0x6b148e28
0x6b148e2b
0x6b148e2c
0x6b148e3b
0x6b148e49
0x6b148e52
0x6b148e5c
0x6b148e63
0x6b148e54
0x6b148e54
0x6b148e54
0x6b148e69
0x6b148e6c
0x6b148e71
0x6b148e7c
0x6b148e7c
0x6b148e82
0x6b148e85
0x6b148e8a
0x6b148e8e
0x6b148e8e
0x6b148e97
0x6b148ea2
0x6b148eaa
0x6b148eb5
0x6b148ec2

APIs

__EH_prolog3.LIBCMT ref: 6B148CDE

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B15127A: __EH_prolog3.LIBCMT ref: 6B151281

Part of subcall function 6B151360: GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,Action,6B16FE10,?,?,?,F69FF218,Action,?,00000000), ref: 6B151395
Part of subcall function 6B151360: GetLastError.KERNEL32(?,?,?,F69FF218,Action,?,00000000), ref: 6B1513A5

SendMessageW.USER32(00000006,00000170,?,00000000), ref: 6B148E7C
SetWindowTextW.USER32(?,?), ref: 6B148E8E

Strings

%1!I64u!, xrefs: 6B148DBD, 6B148E03
< 1, xrefs: 6B148DCD, 6B148DD9

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$DiskErrorFreeLastMessageSendSpaceTextWindow
String ID: %1!I64u!$< 1
API String ID: 3840077912-3199623825
Opcode ID: 831f45bf57fadaba2859fad4afe1f23c344653fa1e808584ac8df63a819be64d
Instruction ID: d0d297346291b00c7e0e648433d5ea8e68cec6e93d11d34374ea85d4e6745db1
Opcode Fuzzy Hash: 831f45bf57fadaba2859fad4afe1f23c344653fa1e808584ac8df63a819be64d
Instruction Fuzzy Hash: FC513072900249EFDF01DFB8C945BEE7BB4AF05318F144554E925BB292D738EA24CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B15127A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B15127A(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				intOrPtr _t37;
				intOrPtr* _t56;
				signed int _t57;
				void* _t62;
				char* _t65;
				void* _t66;
				void* _t67;
				void* _t69;
				void* _t70;
				void* _t73;
				void* _t74;

				_t73 = __eflags;
				_t62 = __edx;
				E6B16265B(0x6b1653bc, __ebx, __edi, __esi);
				_t56 = __ecx;
				E6B14E8E8(L" complete", __esi, _t73);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 = L"Action";
				E6B14E8E8(_t65, __esi, _t73);
				 *(_t70 - 4) = 1;
				 *((intOrPtr*)(_t70 - 0x1c)) = _t70 - 0x14;
				 *((intOrPtr*)(_t70 - 0x18)) = _t56;
				 *((intOrPtr*)( *_t56 + 8))(_t65, L"Disk space check for items being downloaded", _t70 - 0x20, _t70 - 0x14, 0x18);
				 *(_t70 - 4) = 2;
				_t36 = E6B151360(__edx,  *((intOrPtr*)(_t70 + 8))); // executed
				_t66 = _t36;
				_t37 =  *0x6b16fe10; // 0x6b1333ec
				_t69 = _t62;
				 *((intOrPtr*)(_t70 - 0x10)) =  *((intOrPtr*)(_t37 + 0xc))() + 0x10;
				 *(_t70 - 4) = 3;
				E6B1580BA(_t70 - 0x10, L"Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u]",  *((intOrPtr*)( *((intOrPtr*)(_t70 + 8)))));
				 *((intOrPtr*)( *_t56 + 4))(2,  *((intOrPtr*)(_t70 - 0x10)),  *((intOrPtr*)(_t70 + 0xc)),  *((intOrPtr*)(_t70 + 0x10)), _t66, _t69);
				_t67 = _t66 + 0xfffff;
				asm("adc esi, 0x0");
				_t74 = _t69 -  *((intOrPtr*)(_t70 + 0x10));
				if(_t74 < 0) {
					L4:
					_t57 = 0;
					__eflags = 0;
				} else {
					if(_t74 > 0) {
						L3:
						_t57 = 1;
					} else {
						_t75 = _t67 -  *((intOrPtr*)(_t70 + 0xc));
						if(_t67 <  *((intOrPtr*)(_t70 + 0xc))) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				E6B158460( *((intOrPtr*)(_t70 - 0x10)) + 0xfffffff0, _t62);
				_push(_t70 - 0x20);
				 *(_t70 - 4) = 0;
				E6B13B8EF(_t57, _t67, _t69, _t75); // executed
				E6B158460( *((intOrPtr*)(_t70 - 0x14)) + 0xfffffff0, _t62);
				return E6B162709(_t57);
			}

0x6b15127a
0x6b15127a
0x6b151281
0x6b151286
0x6b151291
0x6b151296
0x6b15129e
0x6b1512a3
0x6b1512a8
0x6b1512b4
0x6b1512b7
0x6b1512bf
0x6b1512c5
0x6b1512c9
0x6b1512ce
0x6b1512d0
0x6b1512da
0x6b1512e2
0x6b1512ed
0x6b1512ff
0x6b151310
0x6b151313
0x6b151319
0x6b15131c
0x6b15131f
0x6b15132c
0x6b15132c
0x6b15132c
0x6b151321
0x6b151321
0x6b151328
0x6b151328
0x6b151323
0x6b151323
0x6b151326
0x00000000
0x00000000
0x00000000
0x00000000
0x6b151326
0x6b151321
0x6b151334
0x6b15133c
0x6b15133d
0x6b151341
0x6b15134c
0x6b151358

APIs

__EH_prolog3.LIBCMT ref: 6B151281

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B151360: GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,Action,6B16FE10,?,?,?,F69FF218,Action,?,00000000), ref: 6B151395
Part of subcall function 6B151360: GetLastError.KERNEL32(?,?,?,F69FF218,Action,?,00000000), ref: 6B1513A5

Strings

complete, xrefs: 6B15128C
Disk space check for items being downloaded, xrefs: 6B1512AF
Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u], xrefs: 6B1512F9
Action, xrefs: 6B15129E, 6B1512BC

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$DiskErrorFreeLastSpace
String ID: complete$Action$Disk space check for items being downloaded$Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u]
API String ID: 2933164920-3673225344
Opcode ID: 1c915e7f3cd8521f2012fc9cdb662d1f80cbb087f9ef60cd8b9ef2b12050ee3d
Instruction ID: 25a5c5be4c6217e218fd516fee8296ab150c33b4b68ad6f00908ed1727f99a61
Opcode Fuzzy Hash: 1c915e7f3cd8521f2012fc9cdb662d1f80cbb087f9ef60cd8b9ef2b12050ee3d
Instruction Fuzzy Hash: 60219F7290012DFFCF01DFA8C845BEEBBB5BF19314F544468E528AB241D7389A24DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6B155EC4 Relevance: 7.6, APIs: 5, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B155EC4(void* __eflags, long _a4, int _a8, int _a12, long _a16) {
				long _v8;
				char _v44;
				void* _t53;
				signed int _t54;
				long _t65;
				long _t67;
				int _t77;
				intOrPtr* _t79;

				_t79 = _a4;
				_t77 = _a8;
				E6B13E118( &_v44,  *(_t79 + 4), _t77, _a12, _a16);
				_a4 = _a4 & 0x00000000;
				_a8 =  *(_t79 + 0x18);
				 *(_t79 + 0x18) =  &_v44;
				_t53 =  *((intOrPtr*)( *_t79))( *(_t79 + 4), _t77, _a12, _a16,  &_a4, 0); // executed
				if(_t53 == 0) {
					if(_t77 == 0x82) {
						_v8 = GetWindowLongW( *(_t79 + 4), 0xfffffffc);
						_a4 = CallWindowProcW( *(_t79 + 0x20),  *(_t79 + 4), 0x82, _a12, _a16);
						__eflags =  *(_t79 + 0x20) - __imp__DefWindowProcW; // 0x740ba930
						if(__eflags != 0) {
							_t65 = GetWindowLongW( *(_t79 + 4), 0xfffffffc);
							__eflags = _t65 - _v8;
							if(_t65 == _v8) {
								SetWindowLongW( *(_t79 + 4), 0xfffffffc,  *(_t79 + 0x20));
							}
						}
						_t34 = _t79 + 0x1c;
						 *_t34 =  *(_t79 + 0x1c) | 0x00000001;
						__eflags =  *_t34;
					} else {
						_t67 = CallWindowProcW( *(_t79 + 0x20),  *(_t79 + 4), _t77, _a12, _a16); // executed
						_a4 = _t67;
					}
				}
				_t54 =  *(_t79 + 0x1c);
				if((_t54 & 0x00000001) == 0 || _a8 != 0) {
					 *(_t79 + 0x18) = _a8;
				} else {
					 *(_t79 + 0x1c) = _t54 & 0xfffffffe;
					 *(_t79 + 4) = 0;
					 *(_t79 + 0x18) = 0;
					 *((intOrPtr*)( *_t79 + 0xc))( *(_t79 + 4));
				}
				return _a4;
			}

0x6b155ecd
0x6b155ed7
0x6b155ee1
0x6b155ee9
0x6b155ef6
0x6b155f03
0x6b155f0a
0x6b155f0e
0x6b155f18
0x6b155f43
0x6b155f56
0x6b155f5c
0x6b155f62
0x6b155f6a
0x6b155f6c
0x6b155f6f
0x6b155f79
0x6b155f79
0x6b155f6f
0x6b155f7f
0x6b155f7f
0x6b155f7f
0x6b155f1a
0x6b155f27
0x6b155f2d
0x6b155f2d
0x6b155f83
0x6b155f84
0x6b155f89
0x6b155fae
0x6b155f92
0x6b155f98
0x6b155fa0
0x6b155fa3
0x6b155fa6
0x6b155fa6
0x6b155fb7

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 6B155F27
GetWindowLongW.USER32(?,000000FC), ref: 6B155F3E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 6B155F50
GetWindowLongW.USER32(?,000000FC), ref: 6B155F6A
SetWindowLongW.USER32 ref: 6B155F79

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: 6360d9cd3f014c66c526c6789a9059a23013b1f5d8d005045fd9e6db17ae3385
Instruction ID: 3b823844772c9757cd105d0801773e24ac6bf1998252d24e44ee1723c9dbec80
Opcode Fuzzy Hash: 6360d9cd3f014c66c526c6789a9059a23013b1f5d8d005045fd9e6db17ae3385
Instruction Fuzzy Hash: C2311776500609FFCB21DF69CC8499ABBF5FF48720B108619F9AA97260D734E960DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F24C Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6B13F24C(int* __edi, intOrPtr* __esi, struct HWND__* _a4) {
				int _t10;
				WCHAR** _t14;
				struct HWND__* _t21;
				intOrPtr* _t27;

				_t27 = __esi;
				_t21 = GetDlgItem(_a4,  *__edi);
				if( *((intOrPtr*)( *__esi + 4))() == 0) {
					ShowWindow(_t21, 0); // executed
					_push(0);
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *__esi))())) - 0xc)) == 0) {
						_t14 =  &(__edi[1]);
					} else {
						_t14 =  *((intOrPtr*)( *__esi))();
					}
					SetWindowTextW(_t21,  *_t14); // executed
					ShowWindow(_t21, 5); // executed
					_push( *((intOrPtr*)( *_t27 + 8))() & 0x000000ff);
				}
				_t10 = EnableWindow(_t21, ??); // executed
				return _t10;
			}

0x6b13f24c
0x6b13f25d
0x6b13f268
0x6b13f2a5
0x6b13f2ab
0x6b13f26a
0x6b13f276
0x6b13f280
0x6b13f278
0x6b13f27c
0x6b13f27c
0x6b13f286
0x6b13f28f
0x6b13f29f
0x6b13f29f
0x6b13f2ae
0x6b13f2b6

APIs

GetDlgItem.USER32 ref: 6B13F257
SetWindowTextW.USER32(00000000,?), ref: 6B13F286
ShowWindow.USER32(00000000,00000005), ref: 6B13F28F
ShowWindow.USER32(00000000,00000000), ref: 6B13F2A5
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6B13F2AE

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Show$CallbackDispatcherItemTextUser
String ID:
API String ID: 3009180066-0
Opcode ID: 891263f971d6dae7d5ecd7fd0f33d542b0c1680cd329d3bef26ff44dcd5cad3d
Instruction ID: 016101a5d41162f9d955132d6dd86ea33350e3befada505205adc9a3859f35f1
Opcode Fuzzy Hash: 891263f971d6dae7d5ecd7fd0f33d542b0c1680cd329d3bef26ff44dcd5cad3d
Instruction Fuzzy Hash: 7D012C38200210FFDB10AF68C88CF59BBA9EF4D712F104454F556872A1EB39D921CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6B13C280 Relevance: 7.5, APIs: 5, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B13C280(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				WCHAR* _t29;
				void* _t31;
				void* _t35;
				void* _t36;

				_t36 = __eflags;
				_t31 = __edx;
				_push(8);
				E6B16265B(0x6b165ad0, __ebx, __edi, __esi);
				_t34 = __ecx;
				_push( *(_t35 + 8));
				_push(_t35 - 0x14);
				E6B13C224(__ebx, __ecx, __edi, __ecx, _t36);
				 *((intOrPtr*)(_t35 - 4)) = 0;
				_t29 =  *(_t35 - 0x14);
				if( *((intOrPtr*)(_t29 - 0xc)) == 0) {
					 *(_t35 - 0x10) = 0;
					_t19 = FormatMessageW(0x1100, 0,  *(_t35 + 8), 0x400, _t35 - 0x10, 0, 0);
					__eflags = _t19;
					if(_t19 != 0) {
						OutputDebugStringW( *(_t35 - 0x10)); // executed
						E6B15807A(_t34,  *(_t35 - 0x10));
						LocalFree( *(_t35 - 0x10));
					}
				} else {
					OutputDebugStringW(_t29);
					E6B15807A(_t34,  *(_t35 - 0x14));
				}
				return E6B162709(E6B158460( &(( *(_t35 - 0x14))[0xfffffffffffffff8]), _t31));
			}

0x6b13c280
0x6b13c280
0x6b13c280
0x6b13c287
0x6b13c28c
0x6b13c28e
0x6b13c294
0x6b13c295
0x6b13c29c
0x6b13c29f
0x6b13c2a5
0x6b13c2c6
0x6b13c2cf
0x6b13c2d5
0x6b13c2d7
0x6b13c2dc
0x6b13c2e5
0x6b13c2ed
0x6b13c2ed
0x6b13c2a7
0x6b13c2a8
0x6b13c2b1
0x6b13c2b1
0x6b13c303

APIs

__EH_prolog3.LIBCMT ref: 6B13C287

Part of subcall function 6B13C224: __EH_prolog3.LIBCMT ref: 6B13C22B

OutputDebugStringW.KERNEL32(?,?,?,00000008,6B13C856), ref: 6B13C2A8

Part of subcall function 6B15807A: SysFreeString.OLEAUT32(00000000), ref: 6B158087
Part of subcall function 6B15807A: SysAllocString.OLEAUT32(00000000), ref: 6B158096

FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,00000008,6B13C856), ref: 6B13C2CF
OutputDebugStringW.KERNELBASE(?), ref: 6B13C2DC
LocalFree.KERNEL32(?,?), ref: 6B13C2ED

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: String$DebugFreeH_prolog3Output$AllocFormatLocalMessage
String ID:
API String ID: 3239379132-0
Opcode ID: 7f7133a8a83d714b99c1e3fe55f680d1a619311ad9d2ce38817b5c630982ec68
Instruction ID: 447535fc66bc3380607ff2aeecefb22ee4e395c3e4a97d599e6110db00740f67
Opcode Fuzzy Hash: 7f7133a8a83d714b99c1e3fe55f680d1a619311ad9d2ce38817b5c630982ec68
Instruction Fuzzy Hash: 5B012C7191012AFFDF11ABF8CC45EBEBA75BF15346B104515F921F5190EB758920CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B1560A8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6B1560A8(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t106;
				intOrPtr* _t109;
				signed int _t115;
				intOrPtr* _t120;
				signed int _t132;
				intOrPtr _t135;
				signed int _t140;
				intOrPtr* _t172;
				signed int _t173;
				intOrPtr* _t179;
				signed int _t180;
				void* _t181;
				intOrPtr* _t187;
				signed int _t196;
				signed int _t198;
				signed int _t202;
				intOrPtr* _t205;
				signed int _t206;
				intOrPtr* _t209;
				intOrPtr* _t212;
				void* _t214;
				intOrPtr* _t215;

				_push(0x28);
				E6B16265B(0x6b164fd2, __ebx, __edi, __esi);
				_t205 = __ecx;
				_t179 =  *((intOrPtr*)(_t214 + 8));
				 *(_t214 - 0x10) =  *(_t214 - 0x10) & 0x00000000;
				E6B156931(_t179);
				_t209 =  *((intOrPtr*)(_t214 + 0xc));
				_t217 =  *((intOrPtr*)(_t205 + 4));
				if( *((intOrPtr*)(_t205 + 4)) == 0) {
					L24:
					_t106 =  *_t209;
					_t187 = _t209;
					if( *(_t179 + 4) != 0) {
						 *((intOrPtr*)(_t106 + 4))(2, L"Blocking Services");
						_t109 = E6B147E6A(_t187, _t214 + 8);
						 *(_t214 - 4) = 5;
						_t201 =  *_t209;
						 *((intOrPtr*)( *_t209 + 4))(2,  *_t109);
						 *(_t214 - 4) =  *(_t214 - 4) | 0xffffffff;
						E6B158460( *((intOrPtr*)(_t214 + 8)) + 0xfffffff0,  *_t209);
						_t115 =  *(_t179 + 4);
						_t206 = 0;
						__eflags = _t115;
						if(_t115 <= 0) {
							L36:
							return E6B162709( *(_t214 - 0x10));
						} else {
							goto L33;
						}
						while(1) {
							L33:
							__eflags = _t206;
							if(_t206 < 0) {
								break;
							}
							__eflags = _t206 - _t115;
							if(__eflags >= 0) {
								break;
							}
							_t120 = E6B147E8F(_t179, _t214 + 0xc, _t201, _t206, _t209, __eflags);
							 *(_t214 - 4) = 6;
							_t201 =  *_t209;
							 *((intOrPtr*)( *_t209 + 4))(2,  *_t120,  *_t179 + _t206 * 8, _t214 + 0xc);
							 *(_t214 - 4) =  *(_t214 - 4) | 0xffffffff;
							E6B158460( *((intOrPtr*)(_t214 + 0xc)) + 0xfffffff0,  *_t209);
							_t115 =  *(_t179 + 4);
							_t206 = _t206 + 1;
							__eflags = _t206 - _t115;
							if(_t206 < _t115) {
								continue;
							}
							goto L36;
						}
						L29:
						_push(0);
						_push(0);
						L27:
						_push(1);
						L28:
						RaiseException(0xc000008c, ??, ??, ??);
						goto L29;
					}
					 *((intOrPtr*)(_t106 + 4))(2, L"No Blocking Services");
					goto L36;
				}
				 *(_t214 - 0x20) =  *(_t214 - 0x20) & 0x00000000;
				 *(_t214 - 0x34) =  *(_t214 + 0x10);
				 *(_t214 - 0x30) =  *(_t214 + 0x14);
				 *((intOrPtr*)(_t214 - 0x2c)) =  *((intOrPtr*)(_t214 + 0x18));
				 *((intOrPtr*)(_t214 - 0x28)) =  *((intOrPtr*)(_t214 + 0x1c));
				 *((intOrPtr*)(_t214 - 0x24)) =  *((intOrPtr*)(_t214 + 0x20));
				 *((intOrPtr*)(_t214 - 0x1c)) = _t209;
				 *(_t214 - 4) =  *(_t214 - 4) & 0x00000000;
				_t132 = E6B157341(_t179, _t214 - 0x34, __edx, _t205, _t209, _t217);
				 *(_t214 - 0x10) = _t132;
				if(_t132 < 0) {
					L22:
					 *(_t214 - 4) =  *(_t214 - 4) | 0xffffffff;
					if( *(_t214 - 0x20) != 0) {
						 *(_t214 - 0x30)( *(_t214 - 0x20));
					}
					goto L24;
				}
				_t180 = 0;
				 *(_t214 + 0x10) = 0;
				if( *((intOrPtr*)(_t205 + 4)) <= 0) {
					L21:
					_t179 =  *((intOrPtr*)(_t214 + 8));
					goto L22;
				} else {
					goto L3;
				}
				do {
					L3:
					_t135 =  *((intOrPtr*)( *((intOrPtr*)(_t214 + 8)) + 4));
					_t202 = 0;
					 *(_t214 + 0x14) = 0;
					if(_t135 <= 0) {
						L11:
						 *(_t214 + 0x14) = 1;
						if(_t180 < _t202) {
							L31:
							_push(_t202);
							_push(_t202);
							_push(1);
							goto L28;
						}
						_t228 = _t180 -  *((intOrPtr*)(_t205 + 4));
						if(_t180 >=  *((intOrPtr*)(_t205 + 4))) {
							goto L31;
						}
						_t203 = _t214 + 0x14;
						_t140 = E6B1573D5(_t180, _t214 - 0x34, _t214 + 0x14, _t205, _t209, _t228,  *_t205 + (_t180 << 2));
						 *(_t214 - 0x10) = _t140;
						if(_t140 < 0) {
							goto L21;
						}
						if( *(_t214 - 0x10) == 0 &&  *(_t214 + 0x14) != 1) {
							_t232 = _t180 -  *((intOrPtr*)(_t205 + 4));
							if(_t180 >=  *((intOrPtr*)(_t205 + 4))) {
								_push(0);
								_push(0);
								goto L27;
							}
							_t198 = _t180 << 2;
							_push(_t198);
							 *(_t214 + 0x14) = _t198;
							 *((intOrPtr*)(_t214 + 0x20)) = _t215;
							 *_t215 = E6B1583FD( *((intOrPtr*)( *_t205 + _t198)) - 0x10) + 0x10;
							_push(_t214 + 0x1c);
							_t212 = E6B1574DC(_t180, _t214 - 0x34, _t203, _t205, _t215, _t232);
							 *(_t214 - 4) = 2;
							_t233 = _t180 -  *((intOrPtr*)(_t205 + 4));
							if(_t180 >=  *((intOrPtr*)(_t205 + 4))) {
								goto L29;
							}
							 *((intOrPtr*)(_t214 - 0x18)) = E6B1583FD( *((intOrPtr*)( *_t205 +  *(_t214 + 0x14))) - 0x10) + 0x10;
							 *(_t214 - 4) = 3;
							 *((intOrPtr*)(_t214 - 0x14)) = E6B1583FD( *_t212 - 0x10) + 0x10;
							 *(_t214 - 4) = 4;
							E6B15688B(_t214 - 0x18, _t205,  *((intOrPtr*)(_t214 + 8)), _t233);
							E6B158460( *((intOrPtr*)(_t214 - 0x14)) + 0xfffffff0, _t203);
							E6B158460( *((intOrPtr*)(_t214 - 0x18)) + 0xfffffff0, _t203);
							 *(_t214 - 4) = 0;
							E6B158460( *((intOrPtr*)(_t214 + 0x1c)) + 0xfffffff0, _t203);
							L19:
							_t180 =  *(_t214 + 0x10);
							_t209 =  *((intOrPtr*)(_t214 + 0xc));
						}
						goto L20;
					}
					while(_t180 >= _t202 && _t180 <  *((intOrPtr*)(_t205 + 4))) {
						_t181 =  *_t205 + _t180 * 4;
						_t196 =  *(_t214 + 0x14);
						if(_t196 < _t202) {
							break;
						}
						_t224 = _t196 - _t135;
						if(_t196 >= _t135) {
							break;
						}
						_t172 = E6B147E25( *((intOrPtr*)( *((intOrPtr*)(_t214 + 8)))) + _t196 * 8, _t196, _t214 + 0x18, _t224);
						 *(_t214 - 4) = 1;
						_t173 = E6B14EB56(_t181,  *_t172);
						 *(_t214 - 4) = 0;
						asm("sbb bl, bl");
						E6B158460( *((intOrPtr*)(_t214 + 0x18)) + 0xfffffff0, _t202);
						if( ~_t173 + 1 != 0) {
							goto L19;
						}
						_t135 =  *((intOrPtr*)( *((intOrPtr*)(_t214 + 8)) + 4));
						 *(_t214 + 0x14) =  *(_t214 + 0x14) + 1;
						_t180 =  *(_t214 + 0x10);
						_t202 = 0;
						if( *(_t214 + 0x14) < _t135) {
							continue;
						}
						_t209 =  *((intOrPtr*)(_t214 + 0xc));
						goto L11;
					}
					_push(_t202);
					_push(_t202);
					goto L27;
					L20:
					_t180 = _t180 + 1;
					 *(_t214 + 0x10) = _t180;
				} while (_t180 <  *((intOrPtr*)(_t205 + 4)));
				goto L21;
			}

0x6b1560a8
0x6b1560af
0x6b1560b4
0x6b1560b6
0x6b1560b9
0x6b1560bf
0x6b1560c7
0x6b1560ca
0x6b1560cc
0x6b1562b6
0x6b1562ba
0x6b1562bc
0x6b1562be
0x6b1562f4
0x6b1562fb
0x6b156300
0x6b156309
0x6b156310
0x6b156313
0x6b15631d
0x6b156322
0x6b156325
0x6b156327
0x6b156329
0x6b15636c
0x6b156374
0x00000000
0x00000000
0x00000000
0x6b15632b
0x6b15632b
0x6b15632b
0x6b15632d
0x00000000
0x00000000
0x6b15632f
0x6b156331
0x00000000
0x00000000
0x6b15633d
0x6b156342
0x6b15634b
0x6b156352
0x6b156355
0x6b15635f
0x6b156364
0x6b156367
0x6b156368
0x6b15636a
0x00000000
0x00000000
0x00000000
0x6b15636a
0x6b1562de
0x6b1562de
0x6b1562e0
0x6b1562d1
0x6b1562d1
0x6b1562d3
0x6b1562d8
0x00000000
0x6b1562d8
0x6b1562c7
0x00000000
0x6b1562c7
0x6b1560d5
0x6b1560d9
0x6b1560df
0x6b1560e5
0x6b1560eb
0x6b1560f1
0x6b1560f4
0x6b1560f7
0x6b1560fe
0x6b156103
0x6b156108
0x6b1562a6
0x6b1562a6
0x6b1562ae
0x6b1562b3
0x6b1562b3
0x00000000
0x6b1562ae
0x6b15610e
0x6b156110
0x6b156116
0x6b1562a3
0x6b1562a3
0x00000000
0x00000000
0x00000000
0x00000000
0x6b15611c
0x6b15611c
0x6b15611f
0x6b156122
0x6b156124
0x6b156129
0x6b1561a3
0x6b1561a6
0x6b1561ab
0x6b1562e8
0x6b1562e8
0x6b1562e9
0x6b1562ea
0x00000000
0x6b1562ea
0x6b1561b1
0x6b1561b4
0x00000000
0x00000000
0x6b1561c4
0x6b1561ca
0x6b1561cf
0x6b1561d4
0x00000000
0x00000000
0x6b1561df
0x6b1561ef
0x6b1561f2
0x6b1562e4
0x6b1562e5
0x00000000
0x6b1562e5
0x6b1561fc
0x6b156202
0x6b156206
0x6b156209
0x6b156216
0x6b15621b
0x6b156224
0x6b156226
0x6b15622a
0x6b15622d
0x00000000
0x00000000
0x6b156245
0x6b156248
0x6b156259
0x6b15625c
0x6b156266
0x6b156271
0x6b15627c
0x6b156281
0x6b15628b
0x6b156290
0x6b156290
0x6b156293
0x6b156293
0x00000000
0x6b1561df
0x6b15612b
0x6b15613e
0x6b156141
0x6b156146
0x00000000
0x00000000
0x6b15614c
0x6b15614e
0x00000000
0x00000000
0x6b15615f
0x6b156164
0x6b15616b
0x6b156172
0x6b15617b
0x6b156180
0x6b156187
0x00000000
0x00000000
0x6b156190
0x6b156193
0x6b156196
0x6b156199
0x6b15619e
0x00000000
0x00000000
0x6b1561a0
0x00000000
0x6b1561a0
0x6b1562cf
0x6b1562d0
0x00000000
0x6b156296
0x6b156296
0x6b156297
0x6b15629a
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B1560AF

Part of subcall function 6B157341: __EH_prolog3.LIBCMT ref: 6B157348
Part of subcall function 6B157341: GetLastError.KERNEL32 ref: 6B157364

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6B1562D8

Part of subcall function 6B14EB56: __wcsicoll.LIBCMT ref: 6B14EB74

Strings

No Blocking Services, xrefs: 6B1562C0
Blocking Services, xrefs: 6B1562ED

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorExceptionLastRaise__wcsicoll
String ID: Blocking Services$No Blocking Services
API String ID: 1137283054-2473106011
Opcode ID: 9cb9657b17fcbdf6045313da013da7461046af1197ec77918b99aa973803d83a
Instruction ID: 53e41a9897015e82df660a39b396892fe0b0926fcd939ee4647bec11a6b1189f
Opcode Fuzzy Hash: 9cb9657b17fcbdf6045313da013da7461046af1197ec77918b99aa973803d83a
Instruction Fuzzy Hash: 2D9143B290020EEFDF00CF68C985B9D77B0FF14354F148259E865AB291D778EA65CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B13EDE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B13EDE8(intOrPtr* __ecx, struct HWND__** _a4, struct HWND__* _a8) {
				signed int _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				struct _WINDOWPLACEMENT _v52;
				struct HWND__* _v56;
				intOrPtr _v60;
				struct HWND__** _v64;
				intOrPtr _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr _t48;
				signed int _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				long _t62;
				signed int _t63;

				_t27 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t27 ^ _t63;
				_v64 = _a4;
				_v56 = _a8;
				_v60 =  *((intOrPtr*)( *__ecx + 0xc))();
				_v68 =  *((intOrPtr*)( *__ecx + 8))();
				_t48 =  *((intOrPtr*)( *__ecx + 4))();
				_t62 =  *((intOrPtr*)( *__ecx))();
				if(_t62 != 0xffffffff) {
					_t55 = 0xa;
					memset( &(_v52.flags), 0, _t55 << 2);
					_v52.length = 0x2c;
					GetWindowPlacement(_v56,  &_v52); // executed
					_v52.rcNormalPosition.left = _t62;
					_t62 = _t62 + _v68;
					_v20 = _t48;
					_t48 = _t48 + _v60;
					_v16 = _t62;
					_v12 = _t48;
					MapDialogRect( *_v64,  &(_v52.rcNormalPosition));
					_t38 = SetWindowPlacement(_v56,  &_v52); // executed
					_t58 = _t58;
				}
				return E6B1587C1(_t38, _t48, _v8 ^ _t63, _t57, _t58, _t62);
			}

0x6b13edf0
0x6b13edf7
0x6b13edfe
0x6b13ee07
0x6b13ee0f
0x6b13ee19
0x6b13ee23
0x6b13ee2b
0x6b13ee30
0x6b13ee35
0x6b13ee3b
0x6b13ee44
0x6b13ee4b
0x6b13ee5a
0x6b13ee5d
0x6b13ee60
0x6b13ee63
0x6b13ee66
0x6b13ee69
0x6b13ee6c
0x6b13ee79
0x6b13ee7f
0x6b13ee7f
0x6b13ee8d

APIs

GetWindowPlacement.USER32(?,?), ref: 6B13EE4B
MapDialogRect.USER32(?,?), ref: 6B13EE6C
SetWindowPlacement.USER32(?,0000002C), ref: 6B13EE79

Strings

,, xrefs: 6B13EE44

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: PlacementWindow$DialogRect
String ID: ,
API String ID: 3865709247-3772416878
Opcode ID: ac90fcd282bdc8e6d58e6c04bf2617d9067c047d0495f51f49dd405c19882b72
Instruction ID: bb65b0ef04a64cf505e364edf5fd4c9c29d5b499097737e89e79b4f7410b7477
Opcode Fuzzy Hash: ac90fcd282bdc8e6d58e6c04bf2617d9067c047d0495f51f49dd405c19882b72
Instruction Fuzzy Hash: 0021D575A00218EFCB10EFA8D88899DBBF5FF48310B10456AF955E3360D7309A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B148C2A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6B148C2A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t44;
				char* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t55 = __eflags;
				_t53 = __esi;
				_t48 = __edx;
				E6B16265B(0x6b16580f, __ebx, __edi, __esi);
				E6B14E8E8(L" complete", __esi, _t55);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12c)))) + 0x10))();
				_t51 = L"Action";
				E6B14E8E8(_t51, __esi, _t55);
				 *(_t54 - 4) = 1;
				 *((intOrPtr*)(_t54 - 0x18)) = _t54 - 0x10;
				 *((intOrPtr*)(_t54 - 0x14)) = _t44;
				 *((intOrPtr*)( *_t44 + 8))(_t51, L"System Requirement Checks", _t54 - 0x1c, _t54 - 0x10, 0x10);
				 *(_t54 - 4) = 2;
				 *((char*)(__esi + 0x128)) = 1;
				E6B148FA4(__edx, _t55, __esi); // executed
				E6B1493BE(_t44, __esi, __edx, _t51, __esi, _t55); // executed
				_t52 = __esi; // executed
				E6B149584(_t44, __esi, __esi, _t55); // executed
				_t56 =  *((char*)(__esi + 0x128));
				if( *((char*)(__esi + 0x128)) != 0) {
					_push(3);
					_pop(1);
				}
				E6B13E389(_t53 + 4, 1); // executed
				_push(_t54 - 0x1c);
				 *(_t54 - 4) = 0;
				E6B13B8EF(_t44, _t52, _t53, _t56); // executed
				return E6B162709(E6B158460( *((intOrPtr*)(_t54 - 0x10)) + 0xfffffff0, _t48));
			}

0x6b148c2a
0x6b148c2a
0x6b148c2a
0x6b148c31
0x6b148c3f
0x6b148c44
0x6b148c53
0x6b148c59
0x6b148c5e
0x6b148c63
0x6b148c6f
0x6b148c72
0x6b148c7a
0x6b148c7d
0x6b148c82
0x6b148c89
0x6b148c90
0x6b148c95
0x6b148c97
0x6b148c9f
0x6b148ca6
0x6b148ca8
0x6b148caa
0x6b148caa
0x6b148caf
0x6b148cb7
0x6b148cb8
0x6b148cbc
0x6b148cd1

APIs

__EH_prolog3.LIBCMT ref: 6B148C31

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B1493BE: __EH_prolog3.LIBCMT ref: 6B1493C5
Part of subcall function 6B1493BE: SendDlgItemMessageW.USER32 ref: 6B149509
Part of subcall function 6B1493BE: SetWindowTextW.USER32(?,?), ref: 6B149518
Part of subcall function 6B1493BE: EnableWindow.USER32(?,00000001), ref: 6B14952C
Part of subcall function 6B1493BE: ShowWindow.USER32(?,00000000), ref: 6B14954A

Part of subcall function 6B149584: __EH_prolog3.LIBCMT ref: 6B14958B
Part of subcall function 6B149584: SendDlgItemMessageW.USER32 ref: 6B149714
Part of subcall function 6B149584: SetWindowTextW.USER32(?,00000001), ref: 6B149723

Strings

complete, xrefs: 6B148C3A
System Requirement Checks, xrefs: 6B148C6A
Action, xrefs: 6B148C59, 6B148C77

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Window$ItemMessageSendText$EnableShow
String ID: complete$Action$System Requirement Checks
API String ID: 1922407589-3507766184
Opcode ID: d738cd3ceeae3b1cb52fa31510cb55217afa4c4fa09720ac3dbd1cc951c62ffb
Instruction ID: 921627f9f89449527cc80b7c9b0e889058468ccf0d15e180731356b17908bad7
Opcode Fuzzy Hash: d738cd3ceeae3b1cb52fa31510cb55217afa4c4fa09720ac3dbd1cc951c62ffb
Instruction Fuzzy Hash: 4C11E571900258BFDB00DBB8C845BEEF7E8AF09318F244459D165EB281EB7C9A05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6B147F0A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B147F0A(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t25;
				char* _t40;
				intOrPtr* _t42;
				void* _t44;
				void* _t45;

				_t45 = __eflags;
				_t37 = __edx;
				E6B16265B(0x6b16580f, __ebx, __edi, __esi);
				_t42 = __ecx;
				E6B14E8E8(L" complete", __ecx, _t45);
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				_t40 = L"Action";
				E6B14E8E8(_t40, _t42, _t45);
				 *(_t44 - 4) = 1;
				 *((intOrPtr*)(_t44 - 0x18)) = _t44 - 0x10;
				 *((intOrPtr*)(_t44 - 0x14)) = _t42;
				 *((intOrPtr*)( *_t42 + 8))(_t40, L"Enumerating incompatible services", _t44 - 0x1c, _t44 - 0x10, 0x10);
				 *(_t44 - 4) = 2;
				_t25 = E6B1560A8(__ebx,  *((intOrPtr*)(_t44 + 8)), __edx, _t40, _t42, _t45,  *((intOrPtr*)(_t44 + 0xc)), _t42, __imp__OpenSCManagerW, __imp__CloseServiceHandle, __imp__OpenServiceW, __imp__QueryServiceStatus, __imp__GetServiceDisplayNameW); // executed
				_push(_t44 - 0x1c);
				 *(_t44 - 4) = 0;
				E6B13B8EF(__ebx, _t40, _t25, _t45); // executed
				E6B158460( *((intOrPtr*)(_t44 - 0x10)) + 0xfffffff0, _t37);
				return E6B162709(_t25);
			}

0x6b147f0a
0x6b147f0a
0x6b147f11
0x6b147f16
0x6b147f21
0x6b147f26
0x6b147f2e
0x6b147f33
0x6b147f38
0x6b147f44
0x6b147f47
0x6b147f4f
0x6b147f55
0x6b147f7b
0x6b147f85
0x6b147f86
0x6b147f8a
0x6b147f95
0x6b147fa1

APIs

__EH_prolog3.LIBCMT ref: 6B147F11

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B1560A8: __EH_prolog3.LIBCMT ref: 6B1560AF

Part of subcall function 6B13B8EF: __EH_prolog3.LIBCMT ref: 6B13B8F6

Strings

complete, xrefs: 6B147F1C
Enumerating incompatible services, xrefs: 6B147F3F
Action, xrefs: 6B147F2E, 6B147F4C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: complete$Action$Enumerating incompatible services
API String ID: 431132790-2452571594
Opcode ID: 3e296ab1c17a2c970c3f0d31f597bb82f9567ba4f7ca7c9537a441170227efca
Instruction ID: a83570af86276e381ac796c69cfd215d54bcb82dd6509b78b2b053f05cec9904
Opcode Fuzzy Hash: 3e296ab1c17a2c970c3f0d31f597bb82f9567ba4f7ca7c9537a441170227efca
Instruction Fuzzy Hash: 67118076800068FFCF11EBE8C842B9EBBB5AF19754F148055E154E7250E7788A25EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B151360 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6B151360(void* __edx, WCHAR** _a4) {
				intOrPtr _v12;
				union _ULARGE_INTEGER _v16;
				char _v20;
				union _ULARGE_INTEGER _v24;
				void* _v28;
				union _ULARGE_INTEGER _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t18;
				long _t20;
				void* _t22;
				void* _t27;

				_t27 = __edx;
				_v32.LowPart = 0;
				asm("stosd");
				_v16.LowPart = 0;
				asm("stosd");
				_v24.LowPart = 0;
				asm("stosd");
				_t18 = GetDiskFreeSpaceExW( *_a4,  &_v16,  &_v32,  &_v24); // executed
				_t33 = _t18;
				if(_t18 == 0) {
					_v16.LowPart = 0;
					_v12 = 0;
					_t20 = GetLastError();
					_push(L"GetDiskFreeSpaceEx");
					_push(0);
					E6B13C71B(_t22, _t20, _t27,  &_v20, 0, _t33);
				}
				return _v16.LowPart;
			}

0x6b151360
0x6b15136e
0x6b151374
0x6b151379
0x6b15137f
0x6b151384
0x6b15138a
0x6b151395
0x6b15139b
0x6b15139d
0x6b15139f
0x6b1513a2
0x6b1513a5
0x6b1513ab
0x6b1513b0
0x6b1513b3
0x6b1513b3
0x6b1513c1

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,Action,6B16FE10,?,?,?,F69FF218,Action,?,00000000), ref: 6B151395
GetLastError.KERNEL32(?,?,?,F69FF218,Action,?,00000000), ref: 6B1513A5

Part of subcall function 6B13C71B: __EH_prolog3.LIBCMT ref: 6B13C722

Strings

GetDiskFreeSpaceEx, xrefs: 6B1513AB
Action, xrefs: 6B151369

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: DiskErrorFreeH_prolog3LastSpace
String ID: Action$GetDiskFreeSpaceEx
API String ID: 3776785849-3943406023
Opcode ID: 67e0a1f6f80b0cc80c792b00848c6f126eafa05fd91e84215e4874d9b706e9f0
Instruction ID: 7d8b228e7443a053bbc0cacac8aa8e190028d1ccff635c67e9c0f04d39a6675b
Opcode Fuzzy Hash: 67e0a1f6f80b0cc80c792b00848c6f126eafa05fd91e84215e4874d9b706e9f0
Instruction Fuzzy Hash: 8F01FFB6D04229BB8B00DF99D8458DFBBB9EB99710B004459E511F7214E774A709CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6B15017C Relevance: 6.1, APIs: 4, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6B15017C(void* __ecx, intOrPtr* __edx, struct HWND__* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				signed int* _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t36;
				void* _t40;
				void* _t45;
				intOrPtr* _t48;
				void* _t58;
				void* _t67;
				char _t78;
				intOrPtr* _t79;
				signed int _t82;
				signed int* _t83;
				void* _t84;

				_t72 = __edx;
				_t28 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t28 ^ _t82;
				_v24.left = _v24.left & 0x00000000;
				asm("stosd");
				asm("stosd");
				_t79 = __edx;
				_t58 = __ecx;
				asm("stosd");
				_v24.left =  *((intOrPtr*)( *__edx))();
				_v24.top =  *((intOrPtr*)( *__edx + 4))();
				_t36 =  *((intOrPtr*)( *__edx + 8))();
				_v24.right = _t36 +  *((intOrPtr*)( *__edx))();
				_t40 =  *((intOrPtr*)( *__edx + 0xc))();
				_v24.bottom = _t40 +  *((intOrPtr*)( *__edx + 4))();
				MapDialogRect(_a4,  &_v24);
				_t45 = E6B1591B7(_t40 +  *((intOrPtr*)( *__edx + 4))(), _t79, _t84, 0x28);
				_pop(_t67);
				if(_t45 == 0) {
					_t78 = 0;
					__eflags = 0;
				} else {
					_t78 = E6B154371(_t45,  *((intOrPtr*)(_t58 + 4)));
				}
				 *_t83 =  *_t83 & 0x00000000;
				_v32 = _t78;
				_v28 = _t83;
				_t48 =  *((intOrPtr*)( *_t79 + 0x14))();
				 *_t83 =  &_v24;
				_v28 = _t83;
				E6B154454(_t78, _a4, _t79,  *_t48, _t67); // executed
				SendMessageW( *(_t78 + 4), 0x30, SendMessageW(_a4, 0x31, 0, 0), 1);
				ShowWindow( *(_t78 + 4), 1); // executed
				return E6B1587C1(E6B154800( &_v32, _t58 + 0xc),  &_v32, _v8 ^ _t82, _t72, _t78, _t58 + 0xc);
			}

0x6b15017c
0x6b150184
0x6b15018b
0x6b15018e
0x6b15019a
0x6b15019b
0x6b15019c
0x6b15019e
0x6b1501a0
0x6b1501a7
0x6b1501b1
0x6b1501b8
0x6b1501c9
0x6b1501cc
0x6b1501e1
0x6b1501e4
0x6b1501ec
0x6b1501f1
0x6b1501f4
0x6b150202
0x6b150202
0x6b1501f6
0x6b1501fe
0x6b1501fe
0x6b150207
0x6b15020e
0x6b150211
0x6b150214
0x6b15021f
0x6b150221
0x6b150229
0x6b150247
0x6b15024e
0x6b15026d

APIs

MapDialogRect.USER32(?,00000000), ref: 6B1501E4

Part of subcall function 6B1591B7: _malloc.LIBCMT ref: 6B1591D1

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B15023D
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B150247
ShowWindow.USER32(?,00000001,?,00000000,?,00000000), ref: 6B15024E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$DialogRectShowWindow_malloc
String ID:
API String ID: 929715566-0
Opcode ID: 2ef7ed4ea46da2fc6a90a1a7de9d06113c0679e2191647344d0cc9ce51dbb17d
Instruction ID: 320a8891e86e265be72f28234be6dff5d5654b195a4894412124487173614241
Opcode Fuzzy Hash: 2ef7ed4ea46da2fc6a90a1a7de9d06113c0679e2191647344d0cc9ce51dbb17d
Instruction Fuzzy Hash: CE318076A00219AFCB11DF68C849AAEBBF6FF48350F104059F515EB350DB359E11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B148ECA Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6B148ECA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t50;
				void* _t51;
				void* _t65;
				intOrPtr _t84;
				intOrPtr* _t86;
				void* _t88;

				_push(0x30);
				E6B16265B(0x6b1635f3, __ebx, __edi, __esi);
				_t86 = __ecx;
				 *(_t88 + 8) =  *( *(_t88 + 8) + 4);
				_t42 =  *((intOrPtr*)( *__ecx + 0xc))();
				_t84 = 0x10;
				if(_t42 <= _t84) {
					_t84 =  *((intOrPtr*)( *__ecx + 0xc))();
				}
				_t44 =  *((intOrPtr*)( *_t86 + 4))();
				_t46 =  *((intOrPtr*)( *_t86))();
				 *((intOrPtr*)(_t88 - 0x28)) = 0x6b1376d4;
				 *((intOrPtr*)(_t88 - 0x24)) = _t46;
				 *((intOrPtr*)(_t88 - 0x20)) = _t44;
				 *((intOrPtr*)(_t88 - 0x1c)) = _t84;
				 *((intOrPtr*)(_t88 - 0x18)) = _t84;
				 *(_t88 - 4) =  *(_t88 - 4) & 0x00000000;
				 *((intOrPtr*)(_t88 - 0x14)) =  *((intOrPtr*)( *_t86 + 0xc))();
				_t50 =  *((intOrPtr*)( *_t86 + 8))();
				_t51 = 0xfffffffd;
				 *((intOrPtr*)(_t88 - 0x10)) =  *((intOrPtr*)( *_t86 + 4))();
				 *((intOrPtr*)(_t88 - 0x38)) =  *((intOrPtr*)( *_t86))() + _t84 + 3;
				 *((intOrPtr*)(_t88 - 0x34)) =  *((intOrPtr*)(_t88 - 0x10));
				 *((intOrPtr*)(_t88 - 0x3c)) = 0x6b1376d4;
				 *((intOrPtr*)(_t88 - 0x30)) = _t50 + _t51 - _t84;
				 *((intOrPtr*)(_t88 - 0x2c)) =  *((intOrPtr*)(_t88 - 0x14));
				 *(_t88 - 4) = 1;
				E6B13EDE8(_t88 - 0x28, _t88 + 8, GetDlgItem( *(_t88 + 8),  *(_t88 + 0xc))); // executed
				_t65 = E6B13EDE8(_t88 - 0x3c, _t88 + 8, GetDlgItem( *(_t88 + 8),  *(_t88 + 0x10))); // executed
				return E6B162709(_t65);
			}

0x6b148eca
0x6b148ed1
0x6b148ed6
0x6b148ede
0x6b148ee3
0x6b148ee8
0x6b148eeb
0x6b148ef4
0x6b148ef4
0x6b148efa
0x6b148f03
0x6b148f05
0x6b148f0c
0x6b148f0f
0x6b148f12
0x6b148f15
0x6b148f18
0x6b148f23
0x6b148f2a
0x6b148f31
0x6b148f3d
0x6b148f4a
0x6b148f50
0x6b148f56
0x6b148f5d
0x6b148f60
0x6b148f66
0x6b148f7d
0x6b148f92
0x6b148f9c

APIs

__EH_prolog3.LIBCMT ref: 6B148ED1
GetDlgItem.USER32 ref: 6B148F73
GetDlgItem.USER32 ref: 6B148F88
KiUserCallbackDispatcher.NTDLL ref: 6B148F97

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Item$CallbackDispatcherH_prolog3User
String ID:
API String ID: 4090980997-0
Opcode ID: 980aa5a52278afdab092a6d74a186c60cb2bd17ace70937973f91930e4374a72
Instruction ID: 26f205927b78b30b10f9999acd07c55eb0855a327d6b140bf60b6c0cbf6e9e0b
Opcode Fuzzy Hash: 980aa5a52278afdab092a6d74a186c60cb2bd17ace70937973f91930e4374a72
Instruction Fuzzy Hash: D531C879A00118EFCB11DFA8C898A9DBBF1FF5C350B14845AE949EB350DB359A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6B15D763 Relevance: 6.1, APIs: 4, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E6B15D763(void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t6;
				long _t7;
				intOrPtr* _t8;
				intOrPtr* _t12;
				void* _t18;
				long _t26;
				long _t29;

				if(_a4 != 0) {
					_push(__esi);
					_t29 = _a8;
					__eflags = _t29;
					if(_t29 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t29 - 0xffffffe0;
							if(_t29 > 0xffffffe0) {
								break;
							}
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = _t29 + 1;
								__eflags = _t29;
							}
							_t6 = HeapReAlloc( *0x6b172418, 0, _a4, _t29); // executed
							_t26 = _t6;
							__eflags = _t26;
							if(_t26 != 0) {
								L17:
								_t7 = _t26;
							} else {
								__eflags =  *0x6b172d84 - _t6;
								if(__eflags == 0) {
									_t8 = E6B15B570(__eflags);
									 *_t8 = E6B15B529(GetLastError());
									goto L17;
								} else {
									__eflags = E6B15DA46(_t29);
									if(__eflags == 0) {
										_t12 = E6B15B570(__eflags);
										 *_t12 = E6B15B529(GetLastError());
										L12:
										_t7 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E6B15DA46(_t29);
						 *((intOrPtr*)(E6B15B570(__eflags))) = 0xc;
						goto L12;
					} else {
						E6B158E26(_a4);
						_t7 = 0;
					}
					L14:
					return _t7;
				} else {
					_t18 = E6B158FCB(__edi, __esi, _a8); // executed
					return _t18;
				}
			}

0x6b15d76c
0x6b15d779
0x6b15d77a
0x6b15d77d
0x6b15d77f
0x6b15d78e
0x6b15d7c1
0x6b15d7c1
0x6b15d7c4
0x00000000
0x00000000
0x6b15d791
0x6b15d793
0x6b15d795
0x6b15d795
0x6b15d795
0x6b15d7a2
0x6b15d7a8
0x6b15d7aa
0x6b15d7ac
0x6b15d80c
0x6b15d80c
0x6b15d7ae
0x6b15d7ae
0x6b15d7b4
0x6b15d7f6
0x6b15d80a
0x00000000
0x6b15d7b6
0x6b15d7bd
0x6b15d7bf
0x6b15d7de
0x6b15d7f2
0x6b15d7d8
0x6b15d7d8
0x6b15d7d8
0x00000000
0x00000000
0x00000000
0x6b15d7bf
0x6b15d7b4
0x00000000
0x6b15d7da
0x6b15d7c7
0x6b15d7d2
0x00000000
0x6b15d781
0x6b15d784
0x6b15d78a
0x6b15d78a
0x6b15d7db
0x6b15d7dd
0x6b15d76e
0x6b15d771
0x6b15d778
0x6b15d778

APIs

_malloc.LIBCMT ref: 6B15D771

Part of subcall function 6B158FCB: __FF_MSGBANNER.LIBCMT ref: 6B158FE4
Part of subcall function 6B158FCB: __NMSG_WRITE.LIBCMT ref: 6B158FEB
Part of subcall function 6B158FCB: HeapAlloc.KERNEL32(00000000,00000001,00000000,?,?,?,6B1591D6,?), ref: 6B159010

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AllocHeap_malloc
String ID:
API String ID: 3293231637-0
Opcode ID: e8afb638dddb33b8640abd10faaa5b1290db2d0d81698bad6808e7e76ed33b57
Instruction ID: 2484c0b406ef18edf26541d022e9029de6b850715307d8fbbc96daeb2e3ae37d
Opcode Fuzzy Hash: e8afb638dddb33b8640abd10faaa5b1290db2d0d81698bad6808e7e76ed33b57
Instruction Fuzzy Hash: 4111EBB3985115FBCB252F389804E8B37A89B423B9F210475F97897250EB3CC8708790

Uniqueness

Uniqueness Score: -1.00%

Function 6B1591B7 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B1591B7(void* __edi, void* __esi, void* __eflags, signed short* _a4, char _a8) {
				signed short* _v0;
				char* _v8;
				void* _v12;
				char _v20;
				void* _t15;
				signed int _t16;
				signed int _t21;
				signed int _t22;
				signed short* _t30;
				signed short* _t34;
				void* _t35;
				void* _t37;

				_t37 = __esi;
				_t35 = __edi;
				while(1) {
					_t15 = E6B158FCB(_t35, _t37, _a4); // executed
					if(_t15 != 0) {
						break;
					}
					_t16 = E6B15DA46(_a4);
					__eflags = _t16;
					if(_t16 == 0) {
						__eflags =  *0x6b1722c0 & 0x00000001;
						if(( *0x6b1722c0 & 0x00000001) == 0) {
							 *0x6b1722c0 =  *0x6b1722c0 | 0x00000001;
							__eflags =  *0x6b1722c0;
							_push(1);
							_v8 = "bad allocation";
							E6B15DA73(0x6b1722b4,  &_v8);
							 *0x6b1722b4 = 0x6b131418;
							E6B158907( *0x6b1722c0, E6B167E51);
						}
						E6B15DBB1( &_v20, 0x6b1722b4);
						_v20 = 0x6b131418;
						E6B15DBDB( &_v20, 0x6b167f54);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						__eflags = _v8;
						if(_v8 != 0) {
							_t34 = _a4;
							_t30 = _v0;
							while(1) {
								_t13 =  &_a8;
								 *_t13 = _a8 - 1;
								__eflags =  *_t13;
								if( *_t13 == 0) {
									break;
								}
								_t22 =  *_t30 & 0x0000ffff;
								__eflags = _t22;
								if(_t22 != 0) {
									__eflags = _t22 -  *_t34;
									if(_t22 ==  *_t34) {
										_t30 =  &(_t30[1]);
										_t34 =  &(_t34[1]);
										continue;
									}
								}
								break;
							}
							_t21 = ( *_t30 & 0x0000ffff) - ( *_t34 & 0x0000ffff);
							__eflags = _t21;
							return _t21;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						continue;
					}
					L15:
				}
				return _t15;
				goto L15;
			}

0x6b1591b7
0x6b1591b7
0x6b1591ce
0x6b1591d1
0x6b1591d9
0x00000000
0x00000000
0x6b1591c4
0x6b1591ca
0x6b1591cc
0x6b1591dd
0x6b1591ee
0x6b1591f0
0x6b1591f0
0x6b1591f7
0x6b1591ff
0x6b159206
0x6b159210
0x6b159216
0x6b15921b
0x6b159220
0x6b15922e
0x6b159231
0x6b159236
0x6b159237
0x6b159238
0x6b159239
0x6b15923a
0x6b15923b
0x6b159241
0x6b159245
0x6b15924b
0x6b15924e
0x6b159251
0x6b159251
0x6b159251
0x6b159251
0x6b159254
0x00000000
0x00000000
0x6b159256
0x6b159259
0x6b15925c
0x6b15925e
0x6b159261
0x6b159263
0x6b159266
0x00000000
0x6b159266
0x6b159261
0x00000000
0x6b15925c
0x6b159271
0x6b159271
0x6b159274
0x6b159247
0x6b159247
0x6b15924a
0x6b15924a
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1591cc
0x6b1591dc
0x00000000

APIs

_malloc.LIBCMT ref: 6B1591D1

Part of subcall function 6B158FCB: __FF_MSGBANNER.LIBCMT ref: 6B158FE4
Part of subcall function 6B158FCB: __NMSG_WRITE.LIBCMT ref: 6B158FEB
Part of subcall function 6B158FCB: HeapAlloc.KERNEL32(00000000,00000001,00000000,?,?,?,6B1591D6,?), ref: 6B159010

std::exception::exception.LIBCMT ref: 6B159206
std::exception::exception.LIBCMT ref: 6B159220
__CxxThrowException@8.LIBCMT ref: 6B159231

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID:
API String ID: 1414122017-0
Opcode ID: 4f31a1a0f3fc49bbbc6689e744a0682b44f147661d5b0f38a3ab2359d30388ce
Instruction ID: fdb3483df3980368cb7b3af757b2229b3a1b84a4a796bf2079c0c4397ea8ac3a
Opcode Fuzzy Hash: 4f31a1a0f3fc49bbbc6689e744a0682b44f147661d5b0f38a3ab2359d30388ce
Instruction Fuzzy Hash: EAF028F7444129BBEF04DB64C856E9D7BB5AB42398F000065E830A3180EB3CCA72C392

Uniqueness

Uniqueness Score: -1.00%

Function 00D735E5 Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D735E5() {
				WCHAR* _t2;
				void* _t4;
				void* _t15;
				WCHAR* _t17;

				_t2 = GetEnvironmentStringsW();
				_t17 = _t2;
				if(_t17 != 0) {
					if( *_t17 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t2 =  &(_t2[1]);
							} while ( *_t2 != 0);
							_t2 =  &(_t2[1]);
						} while ( *_t2 != 0);
					}
					_t1 = _t2 - _t17 + 2; // -2
					_t10 = _t1;
					_t4 = E00D74F38(_t1); // executed
					_t15 = _t4;
					if(_t15 != 0) {
						E00D75030(_t15, _t17, _t10);
					}
					FreeEnvironmentStringsW(_t17);
					return _t15;
				} else {
					return 0;
				}
			}

0x00d735e8
0x00d735ee
0x00d735f4
0x00d735fd
0x00000000
0x00d735ff
0x00d735ff
0x00d735ff
0x00d735ff
0x00d73602
0x00d73607
0x00d7360a
0x00d735ff
0x00d73612
0x00d73612
0x00d73617
0x00d7361c
0x00d73621
0x00d73633
0x00d73638
0x00d73624
0x00d7362f
0x00d735f6
0x00d735f9
0x00d735f9

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00D72AE3), ref: 00D735E8
__malloc_crt.LIBCMT ref: 00D73617
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D73624

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 599fb53773fae69ee02f996cc7c825df59d0a5e19b46967e85d338bbd4328b7e
Instruction ID: 5a53fd296eca4d848a32988eb8d532d1acfd5e84cc87e63aa1ecb1f13b209b31
Opcode Fuzzy Hash: 599fb53773fae69ee02f996cc7c825df59d0a5e19b46967e85d338bbd4328b7e
Instruction Fuzzy Hash: F6F0A77B5121116ACB317738BC5A85B6738DAD236031FC55AF40EC7740FA208FC596B1

Uniqueness

Uniqueness Score: -1.00%

Function 6B14E1AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E6B14E1AD(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t34;
				signed int _t37;
				signed int _t45;
				signed int _t46;
				long _t50;
				long _t53;
				intOrPtr* _t61;
				intOrPtr _t64;
				void* _t71;
				signed int _t72;
				void* _t76;
				intOrPtr* _t80;
				void* _t83;
				signed int _t85;
				signed int _t87;

				_t76 = __edx;
				_push(0xffffffff);
				_push(0x6b167d5d);
				_push( *[fs:0x0]);
				_t87 = (_t85 & 0xfffffff8) - 0x10;
				_t34 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t34 ^ _t87);
				 *[fs:0x0] =  &_v16;
				_t83 = __ecx;
				_v32 = _v32 & 0x00000000;
				if( *((char*)(__ecx + 0x1c)) == 0) {
					L11:
					_t37 = 0;
					__eflags = 0;
				} else {
					_t64 = _a8;
					_t80 = _a4;
					 *((intOrPtr*)(__ecx + 0x18)) = _t64;
					SetThreadLocale( *((intOrPtr*)( *_t80 + 8))());
					if( *((intOrPtr*)( *_t80 + 4))() != 0) {
						 *((intOrPtr*)(_t83 + 0x14)) =  *((intOrPtr*)( *_t80))();
						_t45 = E6B1591B7(_t80, _t83, __eflags, 0xdf0); // executed
						_pop(_t71);
						_v28 = _t45;
						_v8 = _v8 & 0x00000000;
						__eflags = _t45;
						if(__eflags == 0) {
							_t46 = 0;
							__eflags = 0;
						} else {
							_push(_t64);
							_push( *((intOrPtr*)(_t83 + 0x14)));
							_push(_t71);
							_v32 = _t87;
							_push(_t87);
							E6B14E8E8(L"UiInfo.xml", _t83, __eflags);
							_push( &_v28);
							_t61 = E6B1550FB(_t64, _t71, _t76, L"UiInfo.xml", _t83, __eflags);
							_v20 = 1;
							_push(_v40);
							_t80 =  *_t61;
							_v44 = 1;
							_t46 = E6B1529EF(_t64, _t71, _t76, __eflags); // executed
						}
						_v8 = _v8 | 0xffffffff;
						__eflags = _v32 & 0x00000001;
						 *(_t83 + 0x10) = _t46;
						if((_v32 & 0x00000001) != 0) {
							__eflags = _v24 + 0xfffffff0;
							E6B158460(_v24 + 0xfffffff0, _t76);
						}
						_t72 =  *(_t83 + 0x10);
						__eflags = _t72;
						if(__eflags != 0) {
							E6B13EB87(_t64,  *((intOrPtr*)( *_t72))(), _t80, _t83, __eflags);
							_t50 =  *0x6b172f94; // 0x3070000
							 *(_t83 + 0xc) = _t50;
							_t53 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *( *(_t83 + 0x10))))()))))();
							 *(_t83 + 8) = _t53;
							InterlockedExchange(0x6b172f94, _t53);
							 *((char*)(_t83 + 0x1c)) = 0;
							goto L11;
						} else {
							_t37 = 0x8007000e;
						}
					} else {
						_t37 = 0x80004005;
					}
				}
				 *[fs:0x0] = _v16;
				return _t37;
			}

0x6b14e1ad
0x6b14e1b5
0x6b14e1b7
0x6b14e1c2
0x6b14e1c3
0x6b14e1c9
0x6b14e1d0
0x6b14e1d5
0x6b14e1db
0x6b14e1dd
0x6b14e1e6
0x6b14e2d1
0x6b14e2d1
0x6b14e2d1
0x6b14e1ec
0x6b14e1ec
0x6b14e1ef
0x6b14e1f2
0x6b14e1fd
0x6b14e20c
0x6b14e223
0x6b14e226
0x6b14e22b
0x6b14e22c
0x6b14e230
0x6b14e235
0x6b14e237
0x6b14e273
0x6b14e273
0x6b14e239
0x6b14e239
0x6b14e23a
0x6b14e242
0x6b14e245
0x6b14e249
0x6b14e24a
0x6b14e253
0x6b14e254
0x6b14e259
0x6b14e25e
0x6b14e262
0x6b14e264
0x6b14e26c
0x6b14e26c
0x6b14e275
0x6b14e27a
0x6b14e27f
0x6b14e282
0x6b14e288
0x6b14e28b
0x6b14e28b
0x6b14e290
0x6b14e293
0x6b14e295
0x6b14e2a4
0x6b14e2a9
0x6b14e2b1
0x6b14e2bc
0x6b14e2c4
0x6b14e2c7
0x6b14e2cd
0x00000000
0x6b14e297
0x6b14e297
0x6b14e297
0x6b14e20e
0x6b14e20e
0x6b14e20e
0x6b14e20c
0x6b14e2d7
0x6b14e2e5

APIs

SetThreadLocale.KERNEL32(00000000), ref: 6B14E1FD

Strings

UiInfo.xml, xrefs: 6B14E23D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: LocaleThread
String ID: UiInfo.xml
API String ID: 635194068-3938134364
Opcode ID: 012f3e8ce1e808a777266b930c95441728c1fe96e5df56eefb016ae120e41ba7
Instruction ID: 56e9e29481f1e6a73fc5a8ca36c96175a007d86bc8dc9218736f83b0d33f0c2e
Opcode Fuzzy Hash: 012f3e8ce1e808a777266b930c95441728c1fe96e5df56eefb016ae120e41ba7
Instruction Fuzzy Hash: 06416D72608741AFD714DF68C449B1ABBE4EB49324F104A5DF866C7390D738E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F527 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B13F527(intOrPtr __ebx, struct HWND__* __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				struct _WINDOWPLACEMENT _v52;
				void* __edi;
				signed int _t12;
				int _t19;
				signed int _t22;
				intOrPtr _t26;
				signed int _t30;

				_t12 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t12 ^ _t30;
				_t22 = 0xa;
				memset( &(_v52.flags), 0, _t22 << 2);
				_v52.length = 0x2c;
				GetWindowPlacement(__esi,  &_v52); // executed
				_v12 = _v12 + __ebx;
				_v20 = _v20 + __ebx;
				_t19 = SetWindowPlacement(__esi,  &_v52); // executed
				return E6B1587C1(_t19, __ebx, _v8 ^ _t30, _t26,  &(_v52.flags) + _t22, __esi);
			}

0x6b13f52f
0x6b13f536
0x6b13f53c
0x6b13f542
0x6b13f549
0x6b13f550
0x6b13f556
0x6b13f559
0x6b13f561
0x6b13f573

APIs

GetWindowPlacement.USER32(00000000,?,00000000), ref: 6B13F550
SetWindowPlacement.USER32(00000000,0000002C), ref: 6B13F561

Strings

,, xrefs: 6B13F549

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: PlacementWindow
String ID: ,
API String ID: 2154376794-3772416878
Opcode ID: 8a7b0af001daef21a40db596a4ab4da9d4ec65738dc8709c9430bbaae6ccec6a
Instruction ID: cf06088c620ea46a922da5aa2793725940eb648f73ec1f322cd8415a8fd3713c
Opcode Fuzzy Hash: 8a7b0af001daef21a40db596a4ab4da9d4ec65738dc8709c9430bbaae6ccec6a
Instruction Fuzzy Hash: 67F05E32910218BBDB00EFA8C844DFEB7B8FB45314F10052AE801A2140DB709A158A55

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F415 Relevance: 4.6, APIs: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6B13F415(int* __eax, struct HWND__* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t36;
				int* _t39;
				void* _t49;
				long _t54;
				void* _t56;
				struct HWND__* _t61;

				_t39 = __eax;
				E6B13F24C(__eax,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x20))))))(), _a4); // executed
				E6B13F24C(_t39 + 8,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x20)))) + 4))(_t49, _t56), _a4); // executed
				E6B13F24C(_t39 + 0x10,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x20)))) + 8))(), _a4); // executed
				E6B13F24C(_t39 + 0x18,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x20)))) + 0xc))(), _a4); // executed
				_t61 = GetDlgItem(_a4, 0x3024);
				_t54 = GetWindowLongW(_t61, 0xffffffeb);
				_t36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x20)))) + 4))())) + 4))();
				if(_t36 == 0) {
					if(_t54 == 0) {
						E6B13F527(0xc8, _t61); // executed
						_push("true");
						goto L5;
					}
				} else {
					if(_t54 != 0) {
						E6B13F527(0xffffff38, _t61); // executed
						_push("true");
						L5:
						_t36 = SetWindowLongW(_t61, 0xffffffeb, ??);
					}
				}
				return _t36;
			}

0x6b13f41b
0x6b13f42d
0x6b13f442
0x6b13f457
0x6b13f46c
0x6b13f47f
0x6b13f48d
0x6b13f498
0x6b13f49d
0x6b13f4b3
0x6b13f4ba
0x6b13f4bf
0x00000000
0x6b13f4bf
0x6b13f49f
0x6b13f4a1
0x6b13f4a8
0x6b13f4ad
0x6b13f4c1
0x6b13f4c4
0x6b13f4c4
0x6b13f4a1
0x6b13f4ce

APIs

Part of subcall function 6B13F24C: GetDlgItem.USER32 ref: 6B13F257
Part of subcall function 6B13F24C: SetWindowTextW.USER32(00000000,?), ref: 6B13F286
Part of subcall function 6B13F24C: ShowWindow.USER32(00000000,00000005), ref: 6B13F28F
Part of subcall function 6B13F24C: KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6B13F2AE

Part of subcall function 6B13F24C: ShowWindow.USER32(00000000,00000000), ref: 6B13F2A5

GetDlgItem.USER32 ref: 6B13F479
GetWindowLongW.USER32(00000000,000000EB), ref: 6B13F484
SetWindowLongW.USER32 ref: 6B13F4C4

Part of subcall function 6B13F527: GetWindowPlacement.USER32(00000000,?,00000000), ref: 6B13F550
Part of subcall function 6B13F527: SetWindowPlacement.USER32(00000000,0000002C), ref: 6B13F561

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$ItemLongPlacementShow$CallbackDispatcherTextUser
String ID:
API String ID: 3090988947-0
Opcode ID: 1b034f4a7480193efdd99a297b344e3f36b2b0de4e13b794dcf809ddbdc58984
Instruction ID: 59054a621f5af6838149579baa61fe4020ede7ca6e3297846797be96ad5e9316
Opcode Fuzzy Hash: 1b034f4a7480193efdd99a297b344e3f36b2b0de4e13b794dcf809ddbdc58984
Instruction Fuzzy Hash: 9C212C39200224BFCB009F78C4D8D597BA1EF89369B164294FD19AF3A1EB35DC15CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A5F8 Relevance: 4.6, APIs: 3, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B14A5F8(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* __ebx;
				void* __esi;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;
				void* _t31;
				char _t41;

				_push(__ecx);
				_push(_t31);
				_v8 = __ecx;
				if(_a24 != 0) {
					L10:
					_t19 = 0;
					__eflags = 0;
				} else {
					if(_a8 != 0x690) {
						__eflags = _a8 - 0x691;
						if(__eflags != 0) {
							_t33 = _a12;
							_t46 = _a16;
							_t20 = E6B151CED(__ecx, _a4, _a8, _a12, _a16, _a20, 0); // executed
							__eflags = _t20;
							if(_t20 == 0) {
								_t41 = 1;
								_a12 = 1;
								_t23 = E6B155CD1(_a8, _t33, _v8, _t46,  &_a12);
								__eflags = _a12;
								 *_a20 = _t23;
								if(_a12 != 0) {
									goto L4;
								} else {
									goto L10;
								}
							} else {
								_t19 = 1;
							}
						} else {
							E6B14B167(__ecx, _t31, __ecx, __edx, __eflags, _a12);
							goto L3;
						}
					} else {
						EnableWindow(GetDlgItem(GetParent( *(__ecx + 4)), 2), 0); // executed
						L3:
						_t41 = 1;
						 *_a20 = 1;
						L4:
						_t19 = _t41;
					}
				}
				return _t19;
			}

0x6b14a5fd
0x6b14a5fe
0x6b14a603
0x6b14a609
0x6b14a693
0x6b14a693
0x6b14a693
0x6b14a60f
0x6b14a616
0x6b14a63e
0x6b14a645
0x6b14a653
0x6b14a65a
0x6b14a665
0x6b14a66a
0x6b14a66c
0x6b14a67f
0x6b14a680
0x6b14a683
0x6b14a688
0x6b14a68f
0x6b14a691
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14a66e
0x6b14a670
0x6b14a670
0x6b14a647
0x6b14a64c
0x00000000
0x6b14a64c
0x6b14a618
0x6b14a62c
0x6b14a632
0x6b14a637
0x6b14a638
0x6b14a63a
0x6b14a63a
0x6b14a63a
0x6b14a616
0x6b14a699

APIs

GetParent.USER32(?), ref: 6B14A61B
GetDlgItem.USER32 ref: 6B14A625
KiUserCallbackDispatcher.NTDLL(00000000), ref: 6B14A62C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CallbackDispatcherItemParentUser
String ID:
API String ID: 2271384307-0
Opcode ID: 050be3962a9c1f91d8218cc0da8c0b105e4175b6c49289bee889b3dbe881cfbb
Instruction ID: 12fc8c7398e85fff2f28d58f8bdb60b04332d41f5abfabf1d141646157826f21
Opcode Fuzzy Hash: 050be3962a9c1f91d8218cc0da8c0b105e4175b6c49289bee889b3dbe881cfbb
Instruction Fuzzy Hash: 36117C71510219BFCB119F6AC84498B7BADFF953A9F024025F81586110D779C921CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F5FD Relevance: 4.6, APIs: 3, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6B14F5FD(void* __ebx, void* __ecx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t35;
				intOrPtr _t36;
				intOrPtr* _t40;
				intOrPtr* _t42;
				intOrPtr* _t43;
				void* _t44;

				_t43 = __esi;
				_push(0);
				E6B16265B(0x6b163d6f, __ebx, __edi, __esi);
				_t17 = E6B158EAA( *__esi,  *(__esi + 8) + 1, 4);
				if(_t17 != 0) {
					 *__esi = _t17;
					_t20 = E6B158EAA( *((intOrPtr*)(__esi + 4)),  *(__esi + 8) + 1, 4); // executed
					if(_t20 == 0) {
						goto L1;
					} else {
						_t35 =  *(__esi + 8) << 2;
						 *((intOrPtr*)(__esi + 4)) = _t20;
						_t40 =  *__esi + _t35;
						 *((intOrPtr*)(_t44 - 4)) = 0;
						if(_t40 != 0) {
							 *_t40 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)))) - 0x10) + 0x10;
						}
						_t42 =  *((intOrPtr*)(_t43 + 4)) + _t35;
						_t36 = 1;
						 *((intOrPtr*)(_t44 - 4)) = _t36;
						if(_t42 != 0) {
							 *_t42 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0xc)))) - 0x10) + 0x10;
						}
						 *((intOrPtr*)(_t43 + 8)) =  *((intOrPtr*)(_t43 + 8)) + 1;
						_t21 = _t36;
					}
				} else {
					L1:
					_t21 = 0;
				}
				return E6B162709(_t21);
			}

0x6b14f5fd
0x6b14f5fd
0x6b14f604
0x6b14f612
0x6b14f61c
0x6b14f622
0x6b14f62e
0x6b14f638
0x00000000
0x6b14f63a
0x6b14f63f
0x6b14f642
0x6b14f645
0x6b14f647
0x6b14f64e
0x6b14f660
0x6b14f660
0x6b14f665
0x6b14f669
0x6b14f66a
0x6b14f66d
0x6b14f67f
0x6b14f67f
0x6b14f681
0x6b14f684
0x6b14f684
0x6b14f61e
0x6b14f61e
0x6b14f61e
0x6b14f61e
0x6b14f68b

APIs

__EH_prolog3.LIBCMT ref: 6B14F604
__recalloc.LIBCMT ref: 6B14F612
__recalloc.LIBCMT ref: 6B14F62E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __recalloc$H_prolog3
String ID:
API String ID: 59120599-0
Opcode ID: 442301dc637cea525047263fef48b8063f45fb7371545b99b582132daed5a9b1
Instruction ID: d073ce0339b1c8066057131ae8ac2499478ac59bb9dd39d118adaaf1791806c9
Opcode Fuzzy Hash: 442301dc637cea525047263fef48b8063f45fb7371545b99b582132daed5a9b1
Instruction Fuzzy Hash: F9111EB6600202AFE7108F68C982B15B7E1FB24754F108868E9F9CB355EB79E9518B50

Uniqueness

Uniqueness Score: -1.00%

Function 6B15430C Relevance: 4.5, APIs: 3, Instructions: 34
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B15430C(int __edi, void* __esi, int _a4, long _a8) {
				long _t10;
				long _t16;
				void* _t18;

				_t18 = __esi;
				_t10 = CallWindowProcW( *(__esi + 0x20),  *(__esi + 4), _a4, __edi, _a8); // executed
				_t16 = _t10;
				if(__edi >> 0x10 == 0 && (__edi == 1 || __edi == 2) && ( *(_t18 + 0x28) & 0x00000400) != 0 && SendMessageW( *(_t18 + 4), 0x476, 0, 0) == 0) {
					DestroyWindow( *(_t18 + 4));
				}
				return _t16;
			}

0x6b15430c
0x6b15431f
0x6b154325
0x6b15432f
0x6b15435f
0x6b15435f
0x6b154369

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 6B15431F
SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6B154352
DestroyWindow.USER32(?,?,?,?,?,?,6B15278A,00000111,?), ref: 6B15435F

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$CallDestroyMessageProcSend
String ID:
API String ID: 1681470762-0
Opcode ID: 9364078ebf83c782daab54fa4226283ad0e85f18f07c7c820e38d6120e2f73f3
Instruction ID: e49f51c5f5139c9a0c65c474631d5f51e6548755a359a2d6e484d9f2bd781e26
Opcode Fuzzy Hash: 9364078ebf83c782daab54fa4226283ad0e85f18f07c7c820e38d6120e2f73f3
Instruction Fuzzy Hash: 00F0E272204714BBEB311A14DC49B427BB6FB84B65F104024FAA981574E736D570DA00

Uniqueness

Uniqueness Score: -1.00%

Function 6B13FF39 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B13FF39(struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				struct HWND__* _v20;
				struct _WINDOWPLACEMENT _v52;
				struct HWND__* _v56;
				struct HWND__* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t22;
				struct HWND__* _t38;
				signed int _t39;
				intOrPtr _t43;
				signed int _t46;
				struct HWND__** _t48;
				intOrPtr _t49;
				intOrPtr* _t50;
				signed int _t51;

				_t22 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t22 ^ _t51;
				_t38 = _a4;
				_t49 = _a8;
				_t39 = 0xa;
				memset( &(_v52.flags), 0, _t39 << 2);
				_v52.length = 0x2c;
				GetWindowPlacement(_t38,  &_v52); // executed
				_t46 =  *(_t49 + 8);
				_t50 = _t49 + 4;
				_v60 = _v52.rcNormalPosition;
				_v56 = _v20;
				if(_t46 >=  *((intOrPtr*)(_t50 + 8)) && E6B1576EE(_t46 + 1, _t50) == 0) {
					E6B1583CE(0, 0x8007000e);
				}
				_t48 = _t46 * 0xc +  *_t50;
				if(_t48 != 0) {
					_t48[1] = _v60;
					 *_t48 = _t38;
					_t48[2] = _v56;
				}
				 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) + 1;
				return E6B1587C1(1, _t38, _v8 ^ _t51, _t43, _t48, _t50);
			}

0x6b13ff41
0x6b13ff48
0x6b13ff4c
0x6b13ff50
0x6b13ff56
0x6b13ff5c
0x6b13ff63
0x6b13ff6a
0x6b13ff73
0x6b13ff76
0x6b13ff79
0x6b13ff7f
0x6b13ff85
0x6b13ff98
0x6b13ff98
0x6b13ffa0
0x6b13ffa2
0x6b13ffa7
0x6b13ffad
0x6b13ffaf
0x6b13ffaf
0x6b13ffb2
0x6b13ffc6

APIs

GetWindowPlacement.USER32(?,?), ref: 6B13FF6A

Part of subcall function 6B1576EE: _calloc.LIBCMT ref: 6B15770F

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

Strings

,, xrefs: 6B13FF63

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8PlacementThrowWindow_calloc
String ID: ,
API String ID: 1982324250-3772416878
Opcode ID: 6862b73f3baa525900ed8bf4c9a5340a1f4b0a65d91f2d290b21bf96d1fec0f3
Instruction ID: 78bcf6d5e4f2a587fd4f6360d56edba802fb0a8c1bcb17086058d7e751eec5b3
Opcode Fuzzy Hash: 6862b73f3baa525900ed8bf4c9a5340a1f4b0a65d91f2d290b21bf96d1fec0f3
Instruction Fuzzy Hash: 77111CB3910219BFDB00DFA9D98199EF7F9FF49314B21442AE869A7200D730F955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F8DE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14F8DE(struct HWND__** _a4, struct HWND__* _a8, int* _a12, WCHAR* _a16, long _a20, struct HMENU__* _a24) {
				int* _t10;
				struct HWND__* _t13;

				_t10 = _a12;
				if(_t10 == 0) {
					_t10 = 0x6b172198;
				}
				_t2 =  &(_t10[1]); // 0x80000000
				_t3 =  &(_t10[3]); // 0x0
				_t4 =  &(_t10[2]); // 0x0
				_t13 = CreateWindowExW(0, L"STATIC", _a16, _a20,  *_t10,  *_t2,  *_t4 -  *_t10,  *_t3 -  *_t2, _a8, _a24,  *0x6b172f90, 0); // executed
				 *_a4 = _t13;
				return _t13;
			}

0x6b14f8e3
0x6b14f8e9
0x6b14f8eb
0x6b14f8eb
0x6b14f8f0
0x6b14f8f3
0x6b14f8f8
0x6b14f91e
0x6b14f927
0x6b14f92b

APIs

CreateWindowExW.USER32 ref: 6B14F91E

Strings

STATIC, xrefs: 6B14F917

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CreateWindow
String ID: STATIC
API String ID: 716092398-1882779555
Opcode ID: 90f846bea84673a07249cb153405e0c43d9e187f8de5388e5dfdafbcec397b35
Instruction ID: b835573972d1e27e72a3a7d5e855097301e380c1460be3338cac238300e9a353
Opcode Fuzzy Hash: 90f846bea84673a07249cb153405e0c43d9e187f8de5388e5dfdafbcec397b35
Instruction Fuzzy Hash: D2F05E36200219BFDB008F98CC08EAB7B6AEB89750F158054FE089B220D631EC21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B1409A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B1409A7(intOrPtr* __esi) {
				struct HINSTANCE__* _t10;

				 *((intOrPtr*)(__esi + 4)) = 0;
				 *((intOrPtr*)(__esi + 0x14)) = 0;
				 *((intOrPtr*)(__esi + 0x18)) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 0x20)) = DefWindowProcW;
				 *__esi = 0x6b1371ec; // executed
				_t10 = LoadLibraryW(L"RICHED20.DLL"); // executed
				 *(__esi + 0x24) = _t10;
				 *((intOrPtr*)(__esi + 0x28)) = 0;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				return __esi;
			}

0x6b1409af
0x6b1409b2
0x6b1409ba
0x6b1409bd
0x6b1409c0
0x6b1409c3
0x6b1409c9
0x6b1409cf
0x6b1409d2
0x6b1409d5
0x6b1409db

APIs

LoadLibraryW.KERNELBASE(RICHED20.DLL,?,6B14CA98,00000000,00000001,?,80070057,6B135D9C,?,00000030,80070057), ref: 6B1409C9

Strings

RICHED20.DLL, xrefs: 6B1409B5

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: LibraryLoad
String ID: RICHED20.DLL
API String ID: 1029625771-992299850
Opcode ID: 629581175e065b4f5a4e96aa7421d5ee3c527baa16c7437e4b0c429585f92d76
Instruction ID: cd4b563dc7c1e4656ce41c6bfd371e2f7d6943bab507f279644ef82dcb3fd4f0
Opcode Fuzzy Hash: 629581175e065b4f5a4e96aa7421d5ee3c527baa16c7437e4b0c429585f92d76
Instruction Fuzzy Hash: C2E0F6B1901B60EF87709F6FA944542FAF8BFA96503104A1FE09AC2A24E2B0A1458F94

Uniqueness

Uniqueness Score: -1.00%

Function 6B142996 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6B142996(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a8, long _a12, long _a16) {
				signed int _v0;
				char _v4;
				signed int _v8;
				long _v16;
				intOrPtr* _v20;
				intOrPtr _t59;
				signed int _t60;
				void* _t63;
				signed int _t66;
				intOrPtr _t71;
				intOrPtr _t76;
				intOrPtr* _t83;
				intOrPtr* _t85;
				long _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;

				_t83 = __ecx;
				_push(8);
				E6B16265B(0x6b16464f, __ebx, __edi, __esi);
				_t85 = __ecx;
				_v4 = 0;
				_t89 = _a8;
				 *_t89 = 0x6b13730c;
				_t90 = _t89 + 4;
				 *_t90 = 0;
				 *((intOrPtr*)(_t90 + 4)) = 0;
				 *((intOrPtr*)(_t90 + 8)) = 0;
				_v4 = 1;
				_v16 = 0;
				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
					L5:
					_t86 = _a12;
					_v16 = 0;
					if( *((intOrPtr*)(_t86 + 8)) <= 0) {
						L10:
						_t86 = _a16;
						_a12 = 0;
						if( *((intOrPtr*)(_t86 + 8)) <= 0) {
							L15:
							return E6B162709(_a8);
						} else {
							_a16 = 0;
							while(1) {
								_t59 = _a12;
								if(_t59 < 0) {
									goto L16;
								}
								_t107 = _t59 -  *((intOrPtr*)(_t86 + 8));
								if(_t59 >=  *((intOrPtr*)(_t86 + 8))) {
									goto L16;
								} else {
									_push( *((intOrPtr*)(_t86 + 4)) + _a16);
									E6B150717(_t86, _t90, _t107);
									_a12 = _a12 + 1;
									_a16 = _a16 + 0x1c;
									if(_a12 <  *((intOrPtr*)(_t86 + 8))) {
										continue;
									} else {
										goto L15;
									}
								}
								goto L22;
							}
							goto L16;
						}
					} else {
						_a12 = 0;
						while(1) {
							_t71 = _v16;
							if(_t71 < 0) {
								goto L16;
							}
							_t103 = _t71 -  *((intOrPtr*)(_t86 + 8));
							if(_t71 >=  *((intOrPtr*)(_t86 + 8))) {
								goto L16;
							} else {
								_push( *((intOrPtr*)(_t86 + 4)) + _a12);
								E6B150717(_t86, _t90, _t103);
								_v16 = _v16 + 1;
								_a12 = _a12 + 0x1c;
								if(_v16 <  *((intOrPtr*)(_t86 + 8))) {
									continue;
								} else {
									goto L10;
								}
							}
							goto L22;
						}
						goto L16;
					}
				} else {
					_v20 = 0;
					while(1) {
						_t76 = _v16;
						if(_t76 < 0) {
							break;
						}
						_t99 = _t76 -  *((intOrPtr*)(_t85 + 8));
						if(_t76 >=  *((intOrPtr*)(_t85 + 8))) {
							break;
						} else {
							_push( *((intOrPtr*)(_t85 + 4)) + _v20); // executed
							E6B150717(_t85, _t90, _t99); // executed
							_v16 = _v16 + 1;
							_v20 = _v20 + 0x1c;
							if(_v16 <  *((intOrPtr*)(_t85 + 8))) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L22;
					}
					L16:
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t60 = _v0;
					__eflags = _t60;
					if(_t60 < 0) {
						L20:
						RaiseException(0xc000008c, 1, 0, 0);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(4);
						E6B16265B(0x6b16361b, 0, _t86, _t90);
						_t87 = _t83;
						_v20 = _t87;
						 *_t87 = 0x6b13730c;
						_t52 =  &_v8;
						 *_t52 = _v8 & 0x00000000;
						__eflags =  *_t52;
						_t63 = E6B156000(_t87 + 4);
						 *_t87 = 0x6b136fec;
						return E6B162709(_t63);
					} else {
						__eflags = _t60 -  *((intOrPtr*)(_t83 + 8));
						if(_t60 >=  *((intOrPtr*)(_t83 + 8))) {
							goto L20;
						} else {
							_t66 = _t60 * 0x1c +  *((intOrPtr*)(_t83 + 4));
							__eflags = _t66;
							return _t66;
						}
					}
				}
				L22:
			}

0x6b142996
0x6b142996
0x6b14299d
0x6b1429a2
0x6b1429a6
0x6b1429a9
0x6b1429ac
0x6b1429b2
0x6b1429b5
0x6b1429b7
0x6b1429ba
0x6b1429bd
0x6b1429c1
0x6b1429c7
0x6b1429fb
0x6b1429fb
0x6b1429fe
0x6b142a04
0x6b142a30
0x6b142a30
0x6b142a33
0x6b142a39
0x6b142a65
0x6b142a6d
0x6b142a3b
0x6b142a3b
0x6b142a3e
0x6b142a3e
0x6b142a43
0x00000000
0x00000000
0x6b142a45
0x6b142a48
0x00000000
0x6b142a4a
0x6b142a50
0x6b142a51
0x6b142a56
0x6b142a5c
0x6b142a63
0x00000000
0x00000000
0x00000000
0x00000000
0x6b142a63
0x00000000
0x6b142a48
0x00000000
0x6b142a3e
0x6b142a06
0x6b142a06
0x6b142a09
0x6b142a09
0x6b142a0e
0x00000000
0x00000000
0x6b142a10
0x6b142a13
0x00000000
0x6b142a15
0x6b142a1b
0x6b142a1c
0x6b142a21
0x6b142a27
0x6b142a2e
0x00000000
0x00000000
0x00000000
0x00000000
0x6b142a2e
0x00000000
0x6b142a13
0x00000000
0x6b142a09
0x6b1429c9
0x6b1429c9
0x6b1429cc
0x6b1429cc
0x6b1429d1
0x00000000
0x00000000
0x6b1429d7
0x6b1429da
0x00000000
0x6b1429e0
0x6b1429e6
0x6b1429e7
0x6b1429ec
0x6b1429f2
0x6b1429f9
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1429f9
0x00000000
0x6b1429da
0x6b142a70
0x6b142a79
0x6b142a7f
0x6b142a80
0x6b142a81
0x6b142a82
0x6b142a83
0x6b142a84
0x6b142a8a
0x6b142a8d
0x6b142a8f
0x6b142aa0
0x6b142aab
0x6b142ab1
0x6b142ab2
0x6b142ab3
0x6b142ab4
0x6b142ab5
0x6b142ab6
0x6b142ab7
0x6b142abe
0x6b142ac3
0x6b142ac5
0x6b142ac8
0x6b142ace
0x6b142ace
0x6b142ace
0x6b142ad5
0x6b142ada
0x6b142ae5
0x6b142a91
0x6b142a91
0x6b142a94
0x00000000
0x6b142a96
0x6b142a99
0x6b142a99
0x6b142a9d
0x6b142a9d
0x6b142a94
0x6b142a8f
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B14299D
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000008,6B1450CF,6B1571D0,?,6B1571D0,?,?,?,00000000,6B145C04,?,?), ref: 6B142A79

Part of subcall function 6B150717: __EH_prolog3.LIBCMT ref: 6B15071E
Part of subcall function 6B150717: __recalloc.LIBCMT ref: 6B150766

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise__recalloc
String ID:
API String ID: 3369754026-0
Opcode ID: 2fe2054d87b460d782569f8af43cbafe2bd4228bb7cac48ee9a4b953c749692e
Instruction ID: 284e7d8b3a6c2c569fb49c1f242c9495c2fcb5c70f9b3c241df1bebe122f0b09
Opcode Fuzzy Hash: 2fe2054d87b460d782569f8af43cbafe2bd4228bb7cac48ee9a4b953c749692e
Instruction Fuzzy Hash: C231F8B191060AEBCB10CF99C9C195EF7B4FF04354B64C92AE96AD7601C338E9A5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6B147BC5 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E6B147BC5(intOrPtr* __eax, void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebp;
				intOrPtr _t19;
				intOrPtr _t21;
				void* _t22;
				signed int _t27;
				intOrPtr* _t33;
				intOrPtr* _t35;

				_t33 = __edi;
				_push(__ecx);
				_push(__ebx);
				_t27 = 0;
				_push(__esi);
				_t35 = __eax;
				 *__eax = 0;
				 *((intOrPtr*)(__eax + 4)) = 0;
				 *((intOrPtr*)(__eax + 8)) = 0;
				_t17 =  *((intOrPtr*)(__edi + 4));
				_v8 = 0;
				if( *((intOrPtr*)(__edi + 4)) == 0) {
					L7:
					return _t35;
				} else {
					_t19 = E6B158E65(__ecx, _t17, 0x14);
					 *_t35 = _t19;
					if(_t19 == 0) {
						goto L7;
					} else {
						 *((intOrPtr*)(_t35 + 8)) =  *((intOrPtr*)(__edi + 4));
						_t21 =  *((intOrPtr*)(__edi + 4));
						if(_t21 <= 0) {
							goto L7;
						} else {
							_v8 = _v8 & 0;
							while(_t27 >= 0 && _t27 < _t21) {
								_push( *_t33 + _v8);
								E6B150FBC(_t35);
								_t21 =  *((intOrPtr*)(_t33 + 4));
								_v8 = _v8 + 0x14;
								_t27 = _t27 + 1;
								if(_t27 < _t21) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							RaiseException(0xc000008c, 1, 0, 0);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t22 = E6B147C58(_t27, _v8, _t33, _t35, __eflags, _v12); // executed
							return _t22;
						}
					}
				}
				L9:
			}

0x6b147bc5
0x6b147bca
0x6b147bcb
0x6b147bcc
0x6b147bce
0x6b147bcf
0x6b147bd1
0x6b147bd3
0x6b147bd6
0x6b147bd9
0x6b147bdc
0x6b147be1
0x6b147c22
0x6b147c27
0x6b147be3
0x6b147be6
0x6b147bed
0x6b147bf1
0x00000000
0x6b147bf3
0x6b147bf6
0x6b147bf9
0x6b147bfe
0x00000000
0x6b147c00
0x6b147c00
0x6b147c03
0x6b147c10
0x6b147c11
0x6b147c16
0x6b147c19
0x6b147c1d
0x6b147c20
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6b147c20
0x6b147c33
0x6b147c39
0x6b147c3a
0x6b147c3b
0x6b147c3c
0x6b147c3d
0x6b147c3e
0x6b147c4a
0x6b147c50
0x6b147c50
0x6b147bfe
0x6b147bf1
0x00000000

APIs

_calloc.LIBCMT ref: 6B147BE6
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6B147C33

Part of subcall function 6B150FBC: __EH_prolog3.LIBCMT ref: 6B150FC3
Part of subcall function 6B150FBC: __recalloc.LIBCMT ref: 6B15100B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ExceptionH_prolog3Raise__recalloc_calloc
String ID:
API String ID: 1592213269-0
Opcode ID: 3c74213e86287e57192922b56f7dc7d63a949bf933bd0b08b1111cd93ec8fe57
Instruction ID: 03e1fd4c6a1a41043edd8a77bdc1f79cc713bf3a361488aa0c9f4b8f943a09f1
Opcode Fuzzy Hash: 3c74213e86287e57192922b56f7dc7d63a949bf933bd0b08b1111cd93ec8fe57
Instruction Fuzzy Hash: 8B115EB2A00706BBD710DFA9D9C1A4AF7E8FB44758F20883EE659D7640D775EC508B90

Uniqueness

Uniqueness Score: -1.00%

Function 6B1563D4 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B1563D4(struct HMENU__* __ebx, void* __eflags, struct HWND__* _a4, int* _a8, WCHAR* _a12, signed int _a16, long _a20, struct HMENU__* _a24, signed short _a28) {
				void* __edi;
				void* __esi;
				int* _t24;
				struct HWND__* _t28;

				_t1 = __ebx + 8; // 0x8
				_t34 = _t1;
				if(E6B13E2E1(0, _t1, 0) != 0) {
					if(_a28 == 0) {
						L2:
						return 0;
					}
					E6B157DD2(__ebx, _t34);
					if(_a24 == 0 && (_a16 & 0x40000000) != 0) {
						_a24 = __ebx;
					}
					_t24 = _a8;
					if(_t24 == 0) {
						_t24 = 0x6b172198;
						_a8 = 0x6b172198;
					}
					_t10 =  &(_t24[1]); // 0x80000000
					_t11 =  &(_t24[3]); // 0x0
					_t12 =  &(_t24[2]); // 0x0
					_t28 = CreateWindowExW(_a20, _a28 & 0x0000ffff, _a12, _a16,  *_t24,  *_t10,  *_t12 -  *_t24,  *_t11 -  *_t10, _a4, _a24,  *0x6b172f90, 0); // executed
					return _t28;
				}
				SetLastError(0xe);
				goto L2;
			}

0x6b1563db
0x6b1563db
0x6b1563eb
0x6b1563ff
0x6b1563f5
0x00000000
0x6b1563f5
0x6b156403
0x6b15640b
0x6b156416
0x6b156416
0x6b156419
0x6b15641e
0x6b156420
0x6b156425
0x6b156425
0x6b156428
0x6b15642b
0x6b156430
0x6b156456
0x00000000
0x6b156456
0x6b1563ef
0x00000000

APIs

Part of subcall function 6B13E2E1: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 6B13E319
Part of subcall function 6B13E2E1: FlushInstructionCache.KERNEL32(00000000), ref: 6B13E320

SetLastError.KERNEL32(0000000E,00000000,?,?,6B1544A7,?,?,00000000,50010000,00000000,?,?,6B1721D0,00000020,?,00000000), ref: 6B1563EF
CreateWindowExW.USER32 ref: 6B156456

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CacheCreateCurrentErrorFlushInstructionLastProcessWindow
String ID:
API String ID: 852167079-0
Opcode ID: 28ab1ff32fb5e5663b30f995caa1c297328718a2dafade107f9709b3c05bfb5c
Instruction ID: 2e07b4c76b3c7c2702a6bc47fe8959205163d5af8a5ccc50cd41d000d69fc639
Opcode Fuzzy Hash: 28ab1ff32fb5e5663b30f995caa1c297328718a2dafade107f9709b3c05bfb5c
Instruction Fuzzy Hash: 5C117CB2200119FFCB118F69CC05EAB7BA5EB89351F058029F928D7110E738EC31DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B149CD5 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B149CD5(void* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed int _t26;
				signed int _t29;
				void* _t30;
				void* _t33;
				void* _t37;
				void* _t38;
				long _t39;

				_t38 = __eax;
				_t39 = GetTickCount();
				_t25 =  *((intOrPtr*)(_t38 + 8));
				_t40 = _t25;
				if(_t25 != 0) {
					__eflags = _t39 -  *((intOrPtr*)(_t38 + 0x14)) -  *((intOrPtr*)(_t38 + 0x18));
					if(_t39 -  *((intOrPtr*)(_t38 + 0x14)) >=  *((intOrPtr*)(_t38 + 0x18))) {
						 *((intOrPtr*)(_t38 + 0x14)) = _t39;
						__eflags =  *(_t38 + 0x1c);
						if( *(_t38 + 0x1c) == 0) {
							_t15 = _t38 + 0x10;
							 *_t15 =  *(_t38 + 0x10) - 1;
							__eflags =  *_t15;
							if( *_t15 < 0) {
								_t29 = _t25 - 1;
								__eflags = _t29;
								 *(_t38 + 0x10) = _t29;
							}
						} else {
							 *(_t38 + 0x10) =  *(_t38 + 0x10) + 1;
							__eflags =  *(_t38 + 0x10) - _t25;
							if( *(_t38 + 0x10) >= _t25) {
								 *(_t38 + 0x10) = 0;
							}
						}
					}
					_t26 =  *(_t38 + 0x10);
					__eflags = _t26;
					if(_t26 < 0) {
						L4:
						RaiseException(0xc000008c, 1, 0, 0);
						L5:
						return _t38 + 0x24;
					} else {
						__eflags = _t26 -  *((intOrPtr*)(_t38 + 8));
						if(_t26 >=  *((intOrPtr*)(_t38 + 8))) {
							goto L4;
						}
						return  *((intOrPtr*)(_t38 + 4)) + _t26 * 4;
					}
				}
				_t30 = E6B149D5D(0, _t33, _t37, _t38, _t39, _t40); // executed
				if(_t30 == 0) {
					goto L5;
				} else {
					 *((intOrPtr*)(_t38 + 0x14)) = _t39;
					 *(_t38 + 0x10) = 0;
					if( *((intOrPtr*)(_t38 + 8)) <= 0) {
						goto L4;
					} else {
						return  *((intOrPtr*)(_t38 + 4));
					}
				}
			}

0x6b149cda
0x6b149ce2
0x6b149ce4
0x6b149ce9
0x6b149ceb
0x6b149d1f
0x6b149d22
0x6b149d24
0x6b149d27
0x6b149d2a
0x6b149d39
0x6b149d39
0x6b149d39
0x6b149d3c
0x6b149d3e
0x6b149d3e
0x6b149d3f
0x6b149d3f
0x6b149d2c
0x6b149d2c
0x6b149d2f
0x6b149d32
0x6b149d34
0x6b149d34
0x6b149d32
0x6b149d2a
0x6b149d42
0x6b149d45
0x6b149d47
0x6b149d06
0x6b149d0f
0x6b149d15
0x00000000
0x6b149d49
0x6b149d49
0x6b149d4c
0x00000000
0x00000000
0x00000000
0x6b149d51
0x6b149d47
0x6b149ced
0x6b149cf4
0x00000000
0x6b149cf6
0x6b149cf6
0x6b149cf9
0x6b149cff
0x00000000
0x6b149d01
0x00000000
0x6b149d01
0x6b149cff

APIs

GetTickCount.KERNEL32 ref: 6B149CDC

Part of subcall function 6B149D5D: __EH_prolog3.LIBCMT ref: 6B149D64
Part of subcall function 6B149D5D: LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010,6B135524,graphics,?,?,?,?,?,?,?,0000002C), ref: 6B149DDF
Part of subcall function 6B149D5D: __recalloc.LIBCMT ref: 6B149E26

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,?,6B14A073), ref: 6B149D0F

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CountExceptionH_prolog3ImageLoadRaiseTick__recalloc
String ID:
API String ID: 4195099341-0
Opcode ID: fa686c8fa12569e721b730b6fb6a6b0ad540eca214c63940411a417118985545
Instruction ID: e08e26f8fa698bc79f28af294fbea04675ebb9780f7901eeef602e209c77ee8a
Opcode Fuzzy Hash: fa686c8fa12569e721b730b6fb6a6b0ad540eca214c63940411a417118985545
Instruction Fuzzy Hash: F11175B0600A12FFC704CF29C6A0950B7B5FB013893500B3AE226CB902C334F9A1CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F35E Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E6B14F35E(intOrPtr* __ebx, intOrPtr* __esi) {
				signed int _t16;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				intOrPtr _t32;
				intOrPtr* _t35;
				void* _t36;

				_t35 = __esi;
				_t26 = __ebx;
				_push(0);
				E6B16265B(0x6b163d45, __ebx, _t30, __esi);
				_t27 =  *((intOrPtr*)(__esi + 4));
				_t16 =  *(__esi + 8);
				if(_t27 != _t16) {
					L10:
					_t31 =  *_t35 +  *(_t35 + 4) * 4;
					 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
					if(_t31 != 0) {
						 *_t31 = E6B1583FD( *_t26 - 0x10) + 0x10;
					}
					 *(_t35 + 4) =  *(_t35 + 4) + 1;
					_t19 = 1;
				} else {
					_t29 =  *__esi;
					if(__ebx >= _t29 && __ebx < _t29 + _t16 * 4) {
						_t16 = E6B1583CE(_t27, 0x80004005);
					}
					if(_t16 != 0) {
						_t32 = _t27 + _t27;
						if(_t32 < 0 || _t32 > 0x1fffffff) {
							goto L14;
						} else {
							goto L8;
						}
					} else {
						_t32 = 1;
						L8:
						_t25 = E6B158EAA(_t29, _t32, 4); // executed
						if(_t25 == 0) {
							L14:
							_t19 = 0;
						} else {
							 *((intOrPtr*)(_t35 + 8)) = _t32;
							 *_t35 = _t25;
							goto L10;
						}
					}
				}
				return E6B162709(_t19);
			}

0x6b14f35e
0x6b14f35e
0x6b14f35e
0x6b14f365
0x6b14f36a
0x6b14f36d
0x6b14f372
0x6b14f3b8
0x6b14f3bd
0x6b14f3c0
0x6b14f3c6
0x6b14f3d5
0x6b14f3d5
0x6b14f3d7
0x6b14f3dc
0x6b14f374
0x6b14f374
0x6b14f378
0x6b14f386
0x6b14f386
0x6b14f38d
0x6b14f394
0x6b14f399
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14f38f
0x6b14f391
0x6b14f3a3
0x6b14f3a7
0x6b14f3b1
0x6b14f3e3
0x6b14f3e3
0x6b14f3b3
0x6b14f3b3
0x6b14f3b6
0x00000000
0x6b14f3b6
0x6b14f3b1
0x6b14f38d
0x6b14f3e2

APIs

__EH_prolog3.LIBCMT ref: 6B14F365
__recalloc.LIBCMT ref: 6B14F3A7

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__recalloc
String ID:
API String ID: 2968967773-0
Opcode ID: 685b5e8b5e5186468292730c08e78ce7a77105c10c9dc9f6e54a016b40bdac8f
Instruction ID: 5eff8d0f7ca319d1c8a160781825a17a1581b2ba810da63509e6c270e5568ec4
Opcode Fuzzy Hash: 685b5e8b5e5186468292730c08e78ce7a77105c10c9dc9f6e54a016b40bdac8f
Instruction Fuzzy Hash: 0E018472600701A7D3108F38C481B9AB3E2EF91B59F61496CD5BD9B344EBBDEA12C740

Uniqueness

Uniqueness Score: -1.00%

Function 6B150717 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B150717(intOrPtr __edi, intOrPtr* __esi, void* __eflags) {
				signed int _t14;
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr* _t32;
				void* _t33;

				_t32 = __esi;
				_t27 = __edi;
				_push(0);
				E6B16265B(0x6b163d45, _t23, __edi, __esi);
				_t24 =  *((intOrPtr*)(__esi + 4));
				_t14 =  *(__esi + 8);
				if(_t24 != _t14) {
					L10:
					_t17 =  *(_t32 + 4) * 0x1c +  *_t32;
					_t42 = _t17;
					 *((intOrPtr*)(_t33 - 4)) = 0;
					if(_t17 != 0) {
						_push(_t17);
						E6B154DFA(_t23,  *((intOrPtr*)(_t33 + 8)), _t27, _t32, _t42);
					}
					 *(_t32 + 4) =  *(_t32 + 4) + 1;
					_t19 = 1;
				} else {
					_t26 =  *__esi;
					if( *((intOrPtr*)(_t33 + 8)) >= _t26 &&  *((intOrPtr*)(_t33 + 8)) < _t14 * 0x1c + _t26) {
						_t14 = E6B1583CE(_t24, 0x80004005);
					}
					if(_t14 != 0) {
						_t27 = _t24 + _t24;
						__eflags = _t27;
						if(_t27 < 0) {
							goto L14;
						} else {
							__eflags = _t27 - 0x4924924;
							if(_t27 > 0x4924924) {
								goto L14;
							} else {
								goto L8;
							}
						}
					} else {
						_t27 = 1;
						L8:
						_t22 = E6B158EAA(_t26, _t27, 0x1c); // executed
						if(_t22 == 0) {
							L14:
							_t19 = 0;
						} else {
							 *((intOrPtr*)(_t32 + 8)) = _t27;
							 *_t32 = _t22;
							goto L10;
						}
					}
				}
				return E6B162709(_t19);
			}

0x6b150717
0x6b150717
0x6b150717
0x6b15071e
0x6b150723
0x6b150726
0x6b15072b
0x6b150777
0x6b15077d
0x6b15077d
0x6b15077f
0x6b150786
0x6b15078b
0x6b15078c
0x6b15078c
0x6b150791
0x6b150796
0x6b15072d
0x6b15072d
0x6b150732
0x6b150745
0x6b150745
0x6b15074c
0x6b150753
0x6b150756
0x6b150758
0x00000000
0x6b15075a
0x6b15075a
0x6b150760
0x00000000
0x00000000
0x00000000
0x00000000
0x6b150760
0x6b15074e
0x6b150750
0x6b150762
0x6b150766
0x6b150770
0x6b15079f
0x6b15079f
0x6b150772
0x6b150772
0x6b150775
0x00000000
0x6b150775
0x6b150770
0x6b15074c
0x6b15079c

APIs

__EH_prolog3.LIBCMT ref: 6B15071E
__recalloc.LIBCMT ref: 6B150766

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__recalloc
String ID:
API String ID: 2968967773-0
Opcode ID: c91b3d802d02aa7b917a5a64e76b2c1d553dcdf84d474bf4ee59dbfca89154ff
Instruction ID: 0586c377df44bce195cb8fb1458694322ae213494dd90adf4a2a6ab79c77012a
Opcode Fuzzy Hash: c91b3d802d02aa7b917a5a64e76b2c1d553dcdf84d474bf4ee59dbfca89154ff
Instruction Fuzzy Hash: 4201C8B7500600BBD310CF74C94AA5677EAAFA0B89F21882CD5FA8B140EB38D461CE40

Uniqueness

Uniqueness Score: -1.00%

Function 6B13D76F Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6B13D76F(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t14;
				void* _t17;
				void* _t25;
				void* _t35;

				_t25 = __ebx;
				_push(8);
				E6B16265B(0x6b164d42, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t35 - 0x14)) = 0;
				_t14 =  *((intOrPtr*)(__esi));
				_t37 = _t14;
				if(_t14 != 0) {
					 *((intOrPtr*)(_t35 - 0x10)) = 0;
					 *((intOrPtr*)(_t35 - 4)) = 0;
					 *((intOrPtr*)( *_t14 + 0x68))(_t14, _t35 - 0x10);
					_t17 = E6B14E8E8( *((intOrPtr*)(_t35 - 0x10)), __esi, __eflags);
					 *((char*)(_t35 - 4)) = 1;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 8))))))(); // executed
					__eflags =  *((intOrPtr*)(_t35 - 0x14)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t35 - 0x14)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(__esi + 8)))));
					__imp__#6( *((intOrPtr*)(_t35 - 0x10)), __ebx, _t17, _t35 - 0x14);
				} else {
					_push(__ebx);
					E6B14E8E8(0x6b1379e4, __esi, _t37);
				}
				return E6B162709(_t25);
			}

0x6b13d76f
0x6b13d76f
0x6b13d776
0x6b13d77d
0x6b13d780
0x6b13d782
0x6b13d784
0x6b13d793
0x6b13d79a
0x6b13d7a0
0x6b13d7aa
0x6b13d7af
0x6b13d7ba
0x6b13d7bf
0x6b13d7c2
0x6b13d7ca
0x6b13d786
0x6b13d786
0x6b13d78c
0x6b13d78c
0x6b13d7d7

APIs

__EH_prolog3.LIBCMT ref: 6B13D776
SysFreeString.OLEAUT32(00000000), ref: 6B13D7CA

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$FreeString
String ID:
API String ID: 2872891630-0
Opcode ID: dc73ba37eb445b00a99fa0147b8376225630161f8bef200ace3add22f904d8f9
Instruction ID: 903337ebf4e1e500db0588273ddd6be300e47f40d44f1bb11fd32df131acac97
Opcode Fuzzy Hash: dc73ba37eb445b00a99fa0147b8376225630161f8bef200ace3add22f904d8f9
Instruction Fuzzy Hash: 17016D7190020AEBCF04DFB8C8459AEB779BF59318B204559F025E7350D738AA51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B14B167 Relevance: 3.0, APIs: 2, Instructions: 33
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E6B14B167(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t10;
				void* _t17;

				_t17 = __eax;
				if(E6B151DCD(__ebx, __edx, 1, __eax, __eflags) != 0) {
					_t20 = _a4;
					if(_a4 == 0 || E6B151E15(__ebx, __edx, 1, _t17, _t20) == 0) {
						_push(2);
						 *((char*)(_t17 + 0x1b5)) = 1;
						_pop(1);
					}
				}
				E6B13E389(_t17 + 4, 1); // executed
				_t10 = SendMessageW(GetParent( *(_t17 + 4)), 0x471, 1, 0); // executed
				return _t10;
			}

0x6b14b170
0x6b14b17a
0x6b14b17c
0x6b14b180
0x6b14b18b
0x6b14b18d
0x6b14b194
0x6b14b194
0x6b14b180
0x6b14b199
0x6b14b1b0
0x6b14b1b9

APIs

Part of subcall function 6B151DCD: __EH_prolog3.LIBCMT ref: 6B151DD4
Part of subcall function 6B151DCD: GetCommandLineW.KERNEL32(00000018,6B14B178,00000000,?,?,6B14AC46,?), ref: 6B151DD9

GetParent.USER32(?), ref: 6B14B1A1
SendMessageW.USER32(00000000,00000471,00000001,00000000), ref: 6B14B1B0

Part of subcall function 6B151E15: __EH_prolog3.LIBCMT ref: 6B151E1C
Part of subcall function 6B151E15: GetCommandLineW.KERNEL32(00000018,6B14B187,00000000,?,?,6B14AC46,?), ref: 6B151E21

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CommandH_prolog3Line$MessageParentSend
String ID:
API String ID: 1052027613-0
Opcode ID: 9ef6fc96cd4f8322aecfc223ffc94d464b2524822eb2eff315a6c24e8bb43ee1
Instruction ID: 84bd05dca8d32cf86c52f308a6f8faf354ddfa270b96c988eca37371ec57c368
Opcode Fuzzy Hash: 9ef6fc96cd4f8322aecfc223ffc94d464b2524822eb2eff315a6c24e8bb43ee1
Instruction Fuzzy Hash: E9F0EC73100350B6DB311A79DC4EFDB7F9CEFD3B69F000065F56A96050D7655455C160

Uniqueness

Uniqueness Score: -1.00%

Function 6B156041 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B156041(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t27;
				intOrPtr _t30;
				void* _t31;
				void* _t32;

				_t32 = __eflags;
				_t27 = __edx;
				_push(0x1c);
				E6B16265B(0x6b1661b7, __ebx, __edi, __esi);
				E6B13BE03(__ebx, GetCommandLineW(), _t27, __edi, __esi, _t32, _t31 - 0x28); // executed
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				E6B13C1D8(_t31 - 0x28, _t31 - 0x10);
				_t16 =  *((intOrPtr*)(_t31 - 0x10));
				if( *((intOrPtr*)( *((intOrPtr*)(_t31 - 0x10)) - 0xc)) != 0) {
					_t30 = 7;
				} else {
					_t30 =  *((intOrPtr*)(_t31 + 8));
				}
				E6B158460(_t16 + 0xfffffff0, _t27);
				E6B13C137(_t31 - 0x28, _t27);
				return E6B162709(_t30);
			}

0x6b156041
0x6b156041
0x6b156041
0x6b156048
0x6b156059
0x6b15605e
0x6b156069
0x6b15606e
0x6b156075
0x6b156096
0x6b156077
0x6b156077
0x6b156077
0x6b15607d
0x6b156085
0x6b156091

APIs

__EH_prolog3.LIBCMT ref: 6B156048
GetCommandLineW.KERNEL32(0000001C,6B1430C2,?), ref: 6B15604D

Part of subcall function 6B13BE03: __EH_prolog3.LIBCMT ref: 6B13BE0A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID:
API String ID: 1384747822-0
Opcode ID: 68f000f3f9d4128b54b77a5285ac2dde060dc4a76991ead0b9518c4dda96de30
Instruction ID: aff1bc08171a0713ebfa9f98cb3e63c44f8b7e3cffbc70ce9eace24b85ac27d4
Opcode Fuzzy Hash: 68f000f3f9d4128b54b77a5285ac2dde060dc4a76991ead0b9518c4dda96de30
Instruction Fuzzy Hash: 48F0F872940129EBDB04EBB8C805BEDB774AF2476CF444125E521AB1C0EB7CA955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B1529EF Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B1529EF(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				void* _t25;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;

				_t31 = __eflags;
				_t25 = __ecx;
				E6B16265B(0x6b167d1a, __ebx, _t27, _t28);
				 *(_t29 - 0x10) =  *(_t29 - 0x10) & 0x00000000;
				 *((intOrPtr*)(_t29 - 0x14)) = _t30;
				E6B14E8E8(_t27, _t28, _t31);
				E6B13D923(__ebx, __edx, _t27, _t28, _t31, _t29 - 0x10, _t30, _t25); // executed
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				E6B1544B2(_t25,  *((intOrPtr*)(_t29 + 8)), _t29 - 0x10,  *((intOrPtr*)(_t29 + 0xc)),  *((intOrPtr*)(_t29 + 0x10))); // executed
				__imp__#6( *(_t29 - 0x10), E6B13B852(), 8); // executed
				return E6B162709( *((intOrPtr*)(_t29 + 8)));
			}

0x6b1529ef
0x6b1529ef
0x6b1529f6
0x6b1529fb
0x6b152a08
0x6b152a0c
0x6b152a15
0x6b152a1d
0x6b152a2b
0x6b152a33
0x6b152a41

APIs

__EH_prolog3.LIBCMT ref: 6B1529F6

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D923: __EH_prolog3.LIBCMT ref: 6B13D92A
Part of subcall function 6B13D923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D960
Part of subcall function 6B13D923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13D9BA
Part of subcall function 6B13D923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6B14E271,00000000,?,?,00000DF0,?,?), ref: 6B13DA0D

SysFreeString.OLEAUT32(00000000), ref: 6B152A33

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$CombineFileFreeModuleNameRelativeString
String ID:
API String ID: 2530041087-0
Opcode ID: 33b85b724ed7e00f5e269682d360afff7369ce5157d67cb8d331f936992d2ccf
Instruction ID: f7d59e16e08b6c9ac2321530c28f3e683e28bc382e52fa39edb41b52083ba6f6
Opcode Fuzzy Hash: 33b85b724ed7e00f5e269682d360afff7369ce5157d67cb8d331f936992d2ccf
Instruction Fuzzy Hash: 0BF01C7181021AFBDF00DFB4CC06EAE7B78FF14359F108819F810A6150E7399A25DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B1499B6 Relevance: 3.0, APIs: 2, Instructions: 22
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B1499B6(void* __ecx, signed char _a4) {
				int _t8;
				long _t12;
				void* _t16;

				_t16 = __ecx;
				_t8 = IsWindow( *(__ecx - 0x20)); // executed
				if(_t8 != 0) {
					asm("cdq");
					_t12 = SendMessageW( *(_t16 - 0x20), 0x402, (_a4 & 0x000000ff) * 0x3e8 / 0xff, 0); // executed
					return _t12;
				}
				return _t8;
			}

0x6b1499bc
0x6b1499c1
0x6b1499c9
0x6b1499d5
0x6b1499e8
0x00000000
0x6b1499e8
0x6b1499f0

APIs

IsWindow.USER32(?), ref: 6B1499C1
SendMessageW.USER32(?,00000402,?,00000000), ref: 6B1499E8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSendWindow
String ID:
API String ID: 701072176-0
Opcode ID: 69c2f93b767dc87f04c499adb44dca840b78c15105f28fbe8ed5a034786b1532
Instruction ID: 4ab9e6bc261a34ec35025a272be8141aebcf01838dcde8511c61c8365810d487
Opcode Fuzzy Hash: 69c2f93b767dc87f04c499adb44dca840b78c15105f28fbe8ed5a034786b1532
Instruction Fuzzy Hash: 40E0C272204165BBFF201615CD4BF76BEADFB953A1F004436B640C50E1EAE0DD109674

Uniqueness

Uniqueness Score: -1.00%

Function 6B13E389 Relevance: 3.0, APIs: 2, Instructions: 12
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13E389(struct HWND__** __eax, long _a4) {
				int _t4;

				_t4 = PostMessageW(GetParent( *__eax), 0x470, 0, _a4); // executed
				return _t4;
			}

0x6b13e3a1
0x6b13e3a8

APIs

GetParent.USER32 ref: 6B13E390
PostMessageW.USER32(00000000,00000470,00000000,?), ref: 6B13E3A1

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageParentPost
String ID:
API String ID: 3400216365-0
Opcode ID: ef825bd6e267df116d9c9cdd397936141839b7378a49b546e792092f882186e9
Instruction ID: dade1cf71ff217e76a83d6f8eaccb68267b498b3179126139aea4c5ce35291d5
Opcode Fuzzy Hash: ef825bd6e267df116d9c9cdd397936141839b7378a49b546e792092f882186e9
Instruction Fuzzy Hash: E9C01276040208FBCB202AA5CC09F967FADEB86BA1F048010F3094A4A19A72A5209A58

Uniqueness

Uniqueness Score: -1.00%

Function 6B13E36B Relevance: 3.0, APIs: 2, Instructions: 8
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13E36B(struct HWND__** __eax) {
				long _t3;

				_t3 = SendMessageW(GetParent( *__eax), 0x46b, 0, 0); // executed
				return _t3;
			}

0x6b13e37d
0x6b13e383

APIs

GetParent.USER32(?), ref: 6B13E36D
SendMessageW.USER32(00000000,0000046B,00000000,00000000), ref: 6B13E37D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 5a43bdabe25ba31ab2b62b4e82b6c48d071ded3f2defaf9373d3c661479b065a
Instruction ID: 5d88b9c46b5c559df87e1322637c32d77d7b8b0a6f3ec1a1349a147d0bf8dfa6
Opcode Fuzzy Hash: 5a43bdabe25ba31ab2b62b4e82b6c48d071ded3f2defaf9373d3c661479b065a
Instruction Fuzzy Hash: E4B09270680210BBEE206B648C0EF443A64BB02BA2F200840B302AA4E0ABA191208A09

Uniqueness

Uniqueness Score: -1.00%

Function 00D72915 Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D7291C
Run.SETUPENGINE ref: 00D72922

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: HeapInformation
String ID:
API String ID: 3918721486-0
Opcode ID: 2e59df65dbf38107032cd39acf40646cfee7206d6253f02195bb5d165b35a624
Instruction ID: 693aca3f3a2c3568cdf36c192df554d086ef0f4cbe3032b4c907321612fb38ec
Opcode Fuzzy Hash: 2e59df65dbf38107032cd39acf40646cfee7206d6253f02195bb5d165b35a624
Instruction Fuzzy Hash: D9B092B45202406EEA0057249C0DF36261CE700342F000911B84AC01A4E6A048C08530

Uniqueness

Uniqueness Score: -1.00%

Function 6B155DEE Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6B155DEE(void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, long _a16) {
				char _v40;
				long _t40;
				signed int _t41;
				intOrPtr _t48;
				intOrPtr* _t56;

				_t48 = _a8;
				_t56 = _a4;
				E6B13E118( &_v40,  *(_t56 + 4), _t48, _a12, _a16);
				_a4 = _a4 & 0x00000000;
				 *((intOrPtr*)(_t56 + 0x18)) =  &_v40;
				_t40 =  *((intOrPtr*)( *_t56))( *(_t56 + 4), _t48, _a12, _a16,  &_a4, 0); // executed
				_a16 = _t40;
				if(_t40 == 0) {
					if(_t48 == 0x82) {
						 *(_t56 + 0x1c) =  *(_t56 + 0x1c) | 0x00000001;
					}
				} else {
					if(_t48 < 0x2e || _t48 > 0x2f && _t48 != 0x37 && _t48 != 0x39 && _t48 != 0x110 && (_t48 <= 0x131 || _t48 > 0x138)) {
						if(( *(_t56 + 0x1c) & 0x00000001) == 0) {
							SetWindowLongW( *(_t56 + 4), 0, _a4);
						}
					} else {
						_a16 = _a4;
					}
				}
				_t41 =  *(_t56 + 0x1c);
				if((_t41 & 0x00000001) != 0 &&  *((intOrPtr*)(_t56 + 0x18)) == 0) {
					 *(_t56 + 0x1c) = _t41 & 0xfffffffe;
					 *(_t56 + 4) = 0;
					 *((intOrPtr*)( *_t56 + 0xc))( *(_t56 + 4));
				}
				return _a16;
			}

0x6b155df7
0x6b155dfb
0x6b155e0c
0x6b155e14
0x6b155e27
0x6b155e32
0x6b155e39
0x6b155e3e
0x6b155e8f
0x6b155e91
0x6b155e91
0x6b155e40
0x6b155e43
0x6b155e78
0x6b155e81
0x6b155e81
0x6b155e6c
0x6b155e6f
0x6b155e6f
0x6b155e43
0x6b155e95
0x6b155e9a
0x6b155ea7
0x6b155eaf
0x6b155eb2
0x6b155eb2
0x6b155ebc

APIs

SetWindowLongW.USER32 ref: 6B155E81

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 13b77541345ed0b15b9f39d606bc8697ba67fbb8d96e7dce4f5c3981e4eb056a
Instruction ID: b7b98dc55ef709a977686a9fd4376dd498424ab1cf88d43ad8204c433c9f108a
Opcode Fuzzy Hash: 13b77541345ed0b15b9f39d606bc8697ba67fbb8d96e7dce4f5c3981e4eb056a
Instruction Fuzzy Hash: 1A217CB6500704AFCB21CF15C884B8EBBF5FF58311F10452AEA6A97250D339E9A1CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B1464C2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B1464C2() {
				intOrPtr* _t29;
				intOrPtr _t33;
				void* _t34;
				void* _t36;
				intOrPtr* _t45;
				void* _t48;
				void* _t52;
				void* _t53;
				intOrPtr* _t54;
				void* _t56;
				void* _t61;
				void* _t62;
				intOrPtr _t64;

				_push(0x20);
				E6B16265B(0x6b16653e, _t48, _t53, _t56);
				_t29 = E6B13D349(_t48, _t51, _t53, _t56, _t62, _t61 - 0x20);
				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
				_t54 =  *((intOrPtr*)(_t61 - 0x20));
				if(_t54 != 0) {
					_t33 =  *((intOrPtr*)(_t61 + 8)) + 4;
					_t64 = _t33;
					 *((intOrPtr*)(_t61 + 8)) = _t33;
					do {
						_t34 = E6B13D76F(_t61 - 0x14, _t54, _t61 - 0x20, _t64); // executed
						_push(_t61 - 0x20);
						 *(_t61 - 4) = 1;
						_t36 = E6B13D2B6(_t61 - 0x10, _t51, _t52, _t54, _t34, _t64);
						 *(_t61 - 4) = 2;
						E6B14F5FD(_t61 - 0x10, _t51, _t54,  *((intOrPtr*)(_t61 + 8)), _t64, _t36, _t34);
						E6B158460( *((intOrPtr*)(_t61 - 0x10)) + 0xfffffff0, _t52);
						 *(_t61 - 4) = 0;
						E6B158460( *((intOrPtr*)(_t61 - 0x14)) + 0xfffffff0, _t52);
						_t51 = _t61 - 0x20;
						_t45 = E6B13D4C5(_t61 - 0x10, _t61 - 0x20, _t54,  *((intOrPtr*)(_t61 + 8)), _t64, _t61 - 0x2c);
						_t46 =  *_t45;
						if(_t54 !=  *_t45) {
							E6B157D2D(_t46, _t61 - 0x20);
							_t54 =  *((intOrPtr*)(_t61 - 0x20));
						}
						_t29 =  *((intOrPtr*)(_t61 - 0x2c));
						if(_t29 != 0) {
							_t51 =  *_t29;
							_t29 =  *((intOrPtr*)( *_t29 + 8))(_t29);
						}
					} while (_t54 != 0);
				}
				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
				if(_t54 != 0) {
					_t29 =  *((intOrPtr*)( *_t54 + 8))(_t54);
				}
				return E6B162709(_t29);
			}

0x6b1464c2
0x6b1464c9
0x6b1464d2
0x6b1464d7
0x6b1464db
0x6b1464e0
0x6b1464e5
0x6b1464e5
0x6b1464e8
0x6b1464eb
0x6b1464f1
0x6b1464fb
0x6b1464ff
0x6b146503
0x6b14650d
0x6b146511
0x6b14651c
0x6b146521
0x6b14652b
0x6b146534
0x6b146537
0x6b14653c
0x6b146540
0x6b146547
0x6b14654c
0x6b14654c
0x6b14654f
0x6b146554
0x6b146556
0x6b146559
0x6b146559
0x6b14655c
0x6b1464eb
0x6b146560
0x6b146566
0x6b14656b
0x6b14656b
0x6b146573

APIs

__EH_prolog3.LIBCMT ref: 6B1464C9

Part of subcall function 6B13D349: __EH_prolog3.LIBCMT ref: 6B13D350

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B13D2B6: __EH_prolog3.LIBCMT ref: 6B13D2BD

Part of subcall function 6B14F5FD: __EH_prolog3.LIBCMT ref: 6B14F604
Part of subcall function 6B14F5FD: __recalloc.LIBCMT ref: 6B14F612

Part of subcall function 6B13D4C5: __EH_prolog3.LIBCMT ref: 6B13D4CC

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID:
API String ID: 1900422986-0
Opcode ID: c93bee56fe46005c4c5071aaaa9380484120c80ff5c428a3aaa09cb16ce7d6d0
Instruction ID: 049b35ee9444f7cc5482d22e39f77e9188c174576fbe008902da913894bc5793
Opcode Fuzzy Hash: c93bee56fe46005c4c5071aaaa9380484120c80ff5c428a3aaa09cb16ce7d6d0
Instruction Fuzzy Hash: 96212C7290011CABCF01DFB8C985BEEB7B4AF55758F144195E424BB294EB38EA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D761AE Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00D761AE(signed int _a4, signed int _a8, intOrPtr* _a12) {
				void* _t10;
				intOrPtr* _t12;
				signed int _t13;
				signed int _t17;
				intOrPtr* _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0xd793a4, 8, _t24); // executed
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					if( *0xd79880 == 0) {
						_t19 = _a12;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						if(E00D74771(_t24) != 0) {
							L5:
							_t10 = 0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00D747E5())) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00d761b3
0x00d761b8
0x00d761d5
0x00d761da
0x00d761de
0x00d761e0
0x00d761e0
0x00000000
0x00d761e8
0x00d761f1
0x00d761f9
0x00000000
0x00000000
0x00d7622d
0x00d7622f
0x00000000
0x00d761fb
0x00d76202
0x00d76220
0x00d76225
0x00d76227
0x00d76227
0x00d76204
0x00d7620d
0x00d761e1
0x00d761e1
0x00d761e6
0x00000000
0x00000000
0x00000000
0x00000000
0x00d7620f
0x00d7620f
0x00d76214
0x00d76216
0x00d76216
0x00d7621c
0x00d7621c
0x00d7620d
0x00000000
0x00d761ba
0x00d761be
0x00d761c4
0x00000000
0x00d761c6
0x00d761cb
0x00d761d4
0x00d761d4
0x00d761c4
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D74F98,?,?,00000000,00000000,00000000,?,00D73A5D,00000001,00000214,?,00D72FA5), ref: 00D761F1

Part of subcall function 00D747E5: __getptd_noexit.LIBCMT ref: 00D747E5

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 907bb110ae25ca738ec155c9aaaa791c5f200bc8056fa4162a4a653d5b1148da
Instruction ID: 207d98d8562cda1f12ed14467ada9a5d7ccc61c46ce9027cd563506ea76aad3c
Opcode Fuzzy Hash: 907bb110ae25ca738ec155c9aaaa791c5f200bc8056fa4162a4a653d5b1148da
Instruction Fuzzy Hash: 1A01B5363017155EEB299F64DC18BA63794EB81760F49C629EC1DCB1D1FB30D840C674

Uniqueness

Uniqueness Score: -1.00%

Function 6B14BC2B Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14BC2B(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t19;
				signed int _t20;
				long _t23;
				intOrPtr _t25;
				void* _t26;
				intOrPtr* _t29;
				void* _t31;
				void* _t32;
				void* _t35;
				intOrPtr* _t36;

				if(_a8 != 2) {
					L6:
					__eflags = _a8 - 1;
					if(_a8 == 1) {
						_t9 = E6B157D78() + 4; // 0x4
						_t36 = _t9;
						_t29 = _t36;
						_t19 =  *((intOrPtr*)( *_t36 + 8))(_t32, _t35, _t26);
						_t11 = _t36 + 8; // 0x400008, executed
						_t33 = _t11;
						_t20 = E6B13E2E1(_t19, _t11, _t36); // executed
						__eflags = _t20;
						if(_t20 != 0) {
							_t33 = _a4;
							_t23 = SetWindowLongW(_t33, 0xfffffffc,  *(_t36 + 0x14));
							__eflags = _t23;
							if(_t23 != 0) {
								 *(_t36 + 0x20) = _t23;
								 *(_t36 + 4) = _t33;
							}
						}
						E6B1542E3(_t36);
						E6B14BCBB(_t27, _t29, _t31, _t33, _t27, __eflags); // executed
					}
					L11:
					return 0;
				}
				if(E6B13E7D4() != 1) {
					goto L11;
				}
				_t25 = _a12;
				if(_t25 == 0) {
					goto L11;
				}
				if( *((intOrPtr*)(_t25 + 2)) != 0xffff) {
					_t6 = _t25 + 4;
					 *_t6 =  *(_t25 + 4) | 0x00400000;
					__eflags =  *_t6;
					goto L6;
				} else {
					 *(_t25 + 8) =  *(_t25 + 8) | 0x00400000;
					goto L11;
				}
			}

0x6b14bc34
0x6b14bc61
0x6b14bc61
0x6b14bc65
0x6b14bc71
0x6b14bc71
0x6b14bc77
0x6b14bc79
0x6b14bc7c
0x6b14bc7c
0x6b14bc7f
0x6b14bc84
0x6b14bc86
0x6b14bc8b
0x6b14bc91
0x6b14bc97
0x6b14bc99
0x6b14bc9b
0x6b14bc9e
0x6b14bc9e
0x6b14bc99
0x6b14bca1
0x6b14bca8
0x6b14bcaf
0x6b14bcb0
0x6b14bcb3
0x6b14bcb3
0x6b14bc3d
0x00000000
0x00000000
0x6b14bc3f
0x6b14bc44
0x00000000
0x00000000
0x6b14bc4f
0x6b14bc5a
0x6b14bc5a
0x6b14bc5a
0x00000000
0x6b14bc51
0x6b14bc51
0x00000000
0x6b14bc51

APIs

SetWindowLongW.USER32 ref: 6B14BC91

Part of subcall function 6B13E7D4: GetThreadLocale.KERNEL32(?,?,6B13EB27), ref: 6B13E7DE
Part of subcall function 6B13E7D4: GetThreadLocale.KERNEL32(?,?,6B13EB27), ref: 6B13E7ED

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: LocaleThread$LongWindow
String ID:
API String ID: 2581572359-0
Opcode ID: a87fc964cc8fae157e519cfea58265c69b87cfc6b4ccda5cfd02411299f46f30
Instruction ID: 966e8b8b7b11b5250b49515f6db6136f640aae9bbbfe34deb6c3b5bb2dc03238
Opcode Fuzzy Hash: a87fc964cc8fae157e519cfea58265c69b87cfc6b4ccda5cfd02411299f46f30
Instruction Fuzzy Hash: 1D01D632604214BBCB209F35D5C5A6FB7F8EF45315B01C069E81997250DF38E955DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B153B0F Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B153B0F(intOrPtr* __eax, intOrPtr* __ebx, void* __ecx, void* __edx) {
				intOrPtr* __edi;
				signed int _t72;
				intOrPtr* _t133;
				void* _t140;
				signed int _t142;
				void* _t160;
				intOrPtr* _t164;
				void* _t175;

				_t160 = __edx;
				_t140 = __ecx;
				_t133 = __ebx;
				_t164 = __eax;
				_t175 = __ecx;
				if( *__eax ==  *((intOrPtr*)(__ecx + 4))) {
					L22:
					_t142 =  *((intOrPtr*)(_t164 + 8)) + 0xd5;
					_t72 = 0;
					__eflags = _t142 - 0xd;
					if(__eflags > 0) {
						L30:
						 *_t133 = _t72;
						goto L31;
					} else {
						switch( *((intOrPtr*)(_t142 * 4 +  &M6B153B83))) {
							case 0:
								goto L31;
							case 1:
								goto L30;
							case 2:
								__eflags =  *((intOrPtr*)(__esi + 0x128)) - __al;
								if(__eflags != 0) {
									__eax = 0;
									__eax = 1;
									__eflags = 1;
								} else {
									__eax = E6B154870(__ebx, __edi, __esi, __eflags);
								}
								__ecx = 0;
								__eflags = __eax;
								__ecx = 0 | __eflags == 0x00000000;
								__eax = __eflags == 0;
								goto L31;
							case 3:
								_pop(__edi);
								__ecx = __esi;
								_pop(__esi);
								_push(0x30);
								E6B16265B(0x6b16595d, _t133, _t164, _t175);
								_t177 = _t140;
								if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x3c))() == 1) {
									_t128 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x14))();
									_push(E6B13FED9(_t177 + 0xd4) & 0x000000ff);
									 *((intOrPtr*)( *_t128 + 4))();
								}
								if(( *0x6b173014 & 0x00000001) == 0) {
									 *0x6b173014 =  *0x6b173014 | 0x00000001;
									 *0x6b173010 = 0x6b136ee4;
								}
								_t161 =  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104))));
								_push( *((intOrPtr*)(_t177 + 0x100)));
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x44))();
								_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x14))();
								_t134 = _t83;
								_t146 =  *((intOrPtr*)(_t83 + 0x3c));
								_push( *((intOrPtr*)(_t177 + 0x100)));
								_push(0x1b5);
								_push( *((intOrPtr*)(_t146 + 4)));
								if( *((intOrPtr*)( *_t146 + 0x14))() != 0) {
									_t20 = _t179 - 0x14;
									 *_t20 =  *(_t179 - 0x14) & 0x00000000;
									__eflags =  *_t20;
								} else {
									_t125 = GetLastError();
									if(_t125 > 0) {
										_t125 = _t125 & 0x0000ffff | 0x80070000;
										_t186 = _t125;
									}
									 *(_t179 - 0x14) = _t125;
								}
								_push(_t179 - 0x18);
								E6B14E8E8(L"Failed to record Operation Requested", _t177, _t186);
								 *(_t179 - 4) =  *(_t179 - 4) & 0x00000000;
								E6B153942(_t134, _t161, _t179 - 0x18, _t177, _t186, _t134,  *(_t179 - 0x14));
								 *(_t179 - 4) =  *(_t179 - 4) | 0xffffffff;
								E6B158460( *((intOrPtr*)(_t179 - 0x18)) + 0xfffffff0, _t161);
								_t93 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x74)))) + 0x1c))();
								E6B13F2BE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x74)))) + 4))(), _t161, _t93, _t177, _t186, _t179 - 0x3c, _t93);
								 *(_t179 - 4) = 1;
								E6B13F4D6(_t179 - 0x3c, GetParent( *(_t177 + 4)));
								_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x58))();
								_t101 = GetParent( *(_t177 + 4));
								_t162 =  *_t100;
								_push(_t101);
								_t102 =  *((intOrPtr*)( *_t100 + 4))();
								 *(_t179 - 0x10) =  *(_t179 - 0x10) & 0x00000000;
								_t171 = _t102;
								if( *((intOrPtr*)( *_t171))() == 0) {
									_push(_t179 - 0x10);
									_t106 =  *((intOrPtr*)( *_t171 + 4))();
									__eflags = _t106;
									if(_t106 != 0) {
										goto L15;
									} else {
										__eflags =  *((intOrPtr*)( *_t171 + 8))();
										if(__eflags != 0) {
											_push(_t179 - 0x14);
											_t171 = L"Blocker";
											E6B14E8E8(_t171, _t177, __eflags);
											 *(_t179 - 4) = 2;
											E6B14F491( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x104)))) + 0x14))(), _t171, _t177, __eflags, _t179 - 0x14);
											 *(_t179 - 4) = 1;
											__eflags =  *(_t179 - 0x14) + 0xfffffff0;
											E6B158460( *(_t179 - 0x14) + 0xfffffff0, _t162);
											 *(_t179 - 0x10) = 0x642;
											goto L15;
										}
									}
								} else {
									 *(_t179 - 0x10) =  *(_t179 - 0x10) & 0x00000000;
									L15:
									 *((char*)(_t177 + 0x128)) = 1;
								}
								if( *((char*)(_t177 + 0x128)) != 1) {
									_t172 = 0;
								} else {
									_push( *(_t179 - 0x10));
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x10c)))) + 0xc))();
									SendMessageW(GetParent( *(_t177 + 4)), 0x471, 5, 0);
									_t172 = _t171 | 0xffffffff;
								}
								E6B140913(_t162, _t179 - 0x3c);
								return E6B162709(_t172);
								goto L32;
							case 4:
								_t73 = E6B1404F9(_t133, _t160, _t164, _t175, __eflags, _t175); // executed
								asm("sbb eax, eax");
								_t72 =  ~( ~_t73) - 1;
								goto L31;
						}
					}
				} else {
					__eax = GetParent(__eax);
					__eflags =  *__edi - __eax;
					if( *__edi == __eax) {
						goto L22;
					} else {
						 *__ebx =  *__ebx & 0x00000000;
						0 = 1;
						L31:
						return _t72;
					}
				}
				L32:
			}

0x6b153b0f
0x6b153b0f
0x6b153b0f
0x6b153b13
0x6b153b15
0x6b153b1c
0x6b153b31
0x6b153b34
0x6b153b3a
0x6b153b3c
0x6b153b3f
0x6b153b7d
0x6b153b7d
0x00000000
0x6b153b41
0x6b153b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6b153b57
0x6b153b5d
0x6b153b66
0x6b153b68
0x6b153b68
0x6b153b5f
0x6b153b5f
0x6b153b5f
0x6b153b69
0x6b153b6b
0x6b153b6d
0x6b153b70
0x00000000
0x00000000
0x6b153b74
0x6b153b75
0x6b153b77
0x6b1406cd
0x6b1406d4
0x6b1406d9
0x6b1406e9
0x6b1406f3
0x6b140708
0x6b14070b
0x6b14070b
0x6b140715
0x6b140717
0x6b14071e
0x6b14071e
0x6b140734
0x6b140736
0x6b140737
0x6b140748
0x6b14074b
0x6b14074d
0x6b140752
0x6b140753
0x6b140758
0x6b140760
0x6b14077b
0x6b14077b
0x6b14077b
0x6b140762
0x6b140762
0x6b14076a
0x6b140771
0x6b140771
0x6b140771
0x6b140776
0x6b140776
0x6b140782
0x6b140788
0x6b14078d
0x6b140798
0x6b14079d
0x6b1407a7
0x6b1407b1
0x6b1407c5
0x6b1407ca
0x6b1407e0
0x6b1407ed
0x6b1407f5
0x6b1407f7
0x6b1407f9
0x6b1407fc
0x6b1407ff
0x6b140803
0x6b14080d
0x6b14081a
0x6b14081d
0x6b140820
0x6b140822
0x00000000
0x6b140824
0x6b14082b
0x6b14082d
0x6b140832
0x6b140833
0x6b140838
0x6b14083d
0x6b140852
0x6b140857
0x6b14085e
0x6b140861
0x6b140866
0x00000000
0x6b140866
0x6b14082d
0x6b14080f
0x6b14080f
0x6b14086d
0x6b14086d
0x6b14086d
0x6b14087b
0x6b1408b7
0x6b14087d
0x6b140883
0x6b140888
0x6b14089e
0x6b1408a4
0x6b1408a4
0x6b1408aa
0x6b1408b6
0x00000000
0x00000000
0x6b153b49
0x6b153b50
0x6b153b54
0x00000000
0x00000000
0x6b153b41
0x6b153b1e
0x6b153b1f
0x6b153b25
0x6b153b27
0x00000000
0x6b153b29
0x6b153b29
0x6b153b2e
0x6b153b7f
0x6b153b81
0x6b153b81
0x6b153b27
0x00000000

APIs

GetParent.USER32(?), ref: 6B153B1F

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 3f06373830daf406b6f1ce22220316f51f59fe9a4f9f188a41685b2f605516d1
Instruction ID: 548c5a9a8d883e54d24167a81d05ec86fa6e210815ad4dc1006d27095447f9b5
Opcode Fuzzy Hash: 3f06373830daf406b6f1ce22220316f51f59fe9a4f9f188a41685b2f605516d1
Instruction Fuzzy Hash: 8C01F4B3658152BBD7206A7CF814A6AB3D9DB637A3705087AD0A7C3040DB2888638725

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F024 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E6B14F024(intOrPtr* __eax, struct HINSTANCE__* _a4, unsigned int _a8) {
				void* __esi;
				void* _t11;
				void* _t14;
				signed short* _t27;
				intOrPtr* _t29;

				_t29 = __eax;
				if(FindResourceW(_a4, (_a8 >> 0x00000004) + 0x00000001 & 0x0000ffff, 6) == 0) {
					L2:
					_t11 = 0;
				} else {
					_t27 = E6B157A10(_a8, _a4, _t10);
					if(_t27 != 0) {
						_t21 =  *_t27 & 0x0000ffff;
						_t14 = E6B1582D1(_t29,  *_t27 & 0x0000ffff); // executed
						E6B157A92( *_t27 & 0x0000ffff, _t14, _t21,  &(_t27[1]));
						E6B15830D(_t21, _t29);
						_t11 = 1;
					} else {
						goto L2;
					}
				}
				return _t11;
			}

0x6b14f02a
0x6b14f045
0x6b14f059
0x6b14f059
0x6b14f047
0x6b14f053
0x6b14f057
0x6b14f05e
0x6b14f062
0x6b14f072
0x6b14f07e
0x6b14f085
0x00000000
0x00000000
0x00000000
0x6b14f057
0x6b14f08a

APIs

FindResourceW.KERNEL32(?,?,00000006,6B172F8C,00000000,?,6B14F018,00000000,?,00000000,?,?,?,?,?,6B14E923), ref: 6B14F03D

Part of subcall function 6B157A10: LoadResource.KERNEL32(?,?,?,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A1E
Part of subcall function 6B157A10: LockResource.KERNEL32(00000000,6B172F8C,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A2A
Part of subcall function 6B157A10: SizeofResource.KERNEL32(?,?,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A3C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: bb40e3263ab497c063e034625b63206af80835d43fb029e6ac90fbb9b70b0242
Instruction ID: 0ade32f544f35c8ee9a25f459bec049fc85814976065f1750c0fe4ecb84efab9
Opcode Fuzzy Hash: bb40e3263ab497c063e034625b63206af80835d43fb029e6ac90fbb9b70b0242
Instruction Fuzzy Hash: CDF06D726101147BE7209A3A9C82D7B77DEDBD56A5B108122F869D7240FB39CD3182B0

Uniqueness

Uniqueness Score: -1.00%

Function 6B152764 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B152764(void* __ecx, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24) {
				void* __edi;
				void* __esi;
				intOrPtr _t21;
				void* _t27;

				if(_a24 != 0) {
					L10:
					return 0;
				}
				if(_a8 != 0x111) {
					if(_a8 != 0x112) {
						goto L10;
					}
					_t27 = 1;
					if(( *(__ecx + 0x28) & 0x00000400) == 0 || (_a12 & 0x0000fff0) != 0xf060) {
						_t27 = 0;
					} else {
						SendMessageW( *(__ecx + 4), 0x10, 0, 0);
					}
					 *_a20 = 0;
					if(_t27 != 0) {
						L3:
						return 1;
					} else {
						goto L10;
					}
				}
				_t21 = E6B15430C(_a12, __ecx, 0x111, _a16); // executed
				 *_a20 = _t21;
				goto L3;
			}

0x6b152770
0x6b1527d2
0x00000000
0x6b1527d2
0x6b15277a
0x6b15279b
0x00000000
0x00000000
0x6b15279f
0x6b1527a7
0x6b1527c7
0x6b1527b8
0x6b1527bf
0x6b1527bf
0x6b1527cc
0x6b1527d0
0x6b15278f
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1527d0
0x6b152785
0x6b15278d
0x00000000

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6B1527BF

Part of subcall function 6B15430C: CallWindowProcW.USER32(?,?,?,?,?), ref: 6B15431F
Part of subcall function 6B15430C: SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6B154352
Part of subcall function 6B15430C: DestroyWindow.USER32(?,?,?,?,?,?,6B15278A,00000111,?), ref: 6B15435F

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSendWindow$CallDestroyProc
String ID:
API String ID: 3326080945-0
Opcode ID: f3d08b8944449ef9bada3a71e9bfe311d0610603d4ed81ec1cc5b9b11ca63f4a
Instruction ID: 2eb215a754628318f3e4a33d1a0b793d83be0ca5f3ef6080bf3e441c9398af96
Opcode Fuzzy Hash: f3d08b8944449ef9bada3a71e9bfe311d0610603d4ed81ec1cc5b9b11ca63f4a
Instruction Fuzzy Hash: C1017CB3904219FBCB21CF25C8419963BB8EBA1765F114465F92497141D639C872DFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6B1581DE Relevance: 1.5, APIs: 1, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E6B1581DE(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr* _t17;
				void* _t18;
				intOrPtr* _t25;
				void* _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t35;
				void* _t36;
				void* _t38;
				intOrPtr _t39;

				_t39 =  *_a4;
				_t28 =  *((intOrPtr*)(_t39 - 0xc));
				_v8 = _t28;
				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 - 0x10)))) + 0x10))(_t35, _t38, _t27, __ecx);
				_t34 =  *_t17;
				_t18 =  *((intOrPtr*)( *_t17))(_a8, 2); // executed
				_t36 = _t18;
				if(_t36 == 0) {
					E6B1583ED();
				}
				_t19 = _a8;
				if(_t28 < _a8) {
					_t19 = _t28;
				}
				_t10 = _t36 + 0x10; // 0x10
				_t29 = _t10;
				E6B158923(_t29, _t19 + _t19 + 2, _t39, _t19 + _t19 + 2);
				 *((intOrPtr*)(_t36 + 4)) = _v8;
				E6B158460(_t39 - 0x10, _t34);
				_t25 = _a4;
				 *_t25 = _t29;
				return _t25;
			}

0x6b1581e9
0x6b1581ee
0x6b1581f4
0x6b1581f7
0x6b1581fa
0x6b158203
0x6b158205
0x6b158209
0x6b15820b
0x6b15820b
0x6b158210
0x6b158215
0x6b158217
0x6b158217
0x6b158220
0x6b158220
0x6b158224
0x6b15822c
0x6b158235
0x6b15823a
0x6b15823f
0x6b158243

APIs

_memcpy_s.LIBCMT ref: 6B158224

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: c01e1e98f9f7237cd202567e4be46cc5d813d16762386cea022bbb08782e589b
Instruction ID: eb8092debee7235ee6417f56f3857b77151e5f11c694b7f0c0e8a33e7632dbc0
Opcode Fuzzy Hash: c01e1e98f9f7237cd202567e4be46cc5d813d16762386cea022bbb08782e589b
Instruction Fuzzy Hash: F3012CBA610608BFC710DFA8C885C9AB7B8FF89354710456AF925CB311D774ED15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B154199 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B154199(intOrPtr* __eax, signed int* __ebx, void* __ecx, void* __edx) {
				struct HWND__* _t8;
				signed int _t20;
				void* _t22;
				void* _t23;
				intOrPtr* _t24;

				_t22 = __edx;
				_t17 = __ebx;
				_t24 = __eax;
				_t23 = __ecx;
				_t8 =  *(__ecx + 4);
				if( *__eax != _t8 &&  *_t24 != GetParent(_t8)) {
					 *__ebx =  *__ebx & 0x00000000;
					return 1;
				}
				_t20 =  *((intOrPtr*)(_t24 + 8)) + 0xd5;
				__eflags = _t20 - 0xd;
				if(__eflags > 0) {
					L8:
					 *_t17 = 0;
					return 0;
				}
				switch( *((intOrPtr*)(_t20 * 4 +  &M6B15420D))) {
					case 0:
						return __eax;
					case 1:
						goto L8;
					case 2:
						__eax = E6B14AA74(__edi);
						__eax =  ~__eax;
						asm("sbb eax, eax");
						return __eax;
					case 3:
						_t5 = __edi + 0x124; // 0x125
						__esi = _t5;
						__eax = E6B14A027(_t5);
						_t6 = __edi + 0x130; // 0x131
						__esi = _t6;
						E6B14A027(_t6) = 0;
						return 0;
					case 4:
						_t10 = E6B14A80E(_t17, _t23, _t22, _t23, _t24, __eflags); // executed
						asm("sbb eax, eax");
						return  ~( ~_t10) - 1;
				}
			}

0x6b154199
0x6b154199
0x6b15419d
0x6b15419f
0x6b1541a1
0x6b1541a6
0x6b1541b3
0x00000000
0x6b1541b8
0x6b1541be
0x6b1541c6
0x6b1541c9
0x6b154208
0x6b154208
0x00000000
0x6b154208
0x6b1541cb
0x00000000
0x6b15420c
0x00000000
0x00000000
0x00000000
0x6b1541fc
0x6b154201
0x6b154203
0x00000000
0x00000000
0x6b1541e2
0x6b1541e2
0x6b1541e8
0x6b1541ed
0x6b1541ed
0x6b1541f8
0x00000000
0x00000000
0x6b1541d4
0x6b1541db
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 6B1541A9

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 22a2b8a83d2d58d79ddec66e4eeb1d4815a62fb34ae2f8d568b899b0fd214753
Instruction ID: dfee0c0811e3d2fc7b03ca13c2b028a36bb62448c7901f6f8a81aa45040ba14f
Opcode Fuzzy Hash: 22a2b8a83d2d58d79ddec66e4eeb1d4815a62fb34ae2f8d568b899b0fd214753
Instruction Fuzzy Hash: 38F0C2B32A412AFBCB105F38E815A6672D2EB6A796B420978D07BC3448DB389871C650

Uniqueness

Uniqueness Score: -1.00%

Function 6B154067 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6B154067(intOrPtr* __eax, signed int* __ebx, void* __ecx) {
				struct HWND__* _t6;
				signed int _t18;
				intOrPtr* _t20;
				void* _t21;

				_t15 = __ebx;
				_t20 = __eax;
				_t21 = __ecx;
				_t6 =  *(__ecx + 4);
				if( *__eax != _t6 &&  *_t20 != GetParent(_t6)) {
					 *__ebx =  *__ebx & 0x00000000;
					return 1;
				}
				_t18 =  *((intOrPtr*)(_t20 + 8)) + 0xd5;
				__eflags = _t18 - 0xd;
				if(__eflags > 0) {
					L7:
					 *_t15 = 0;
					return 0;
				}
				switch( *((intOrPtr*)(_t18 * 4 +  &M6B1540C3))) {
					case 0:
						return __eax;
					case 1:
						goto L7;
					case 2:
						__eax = E6B154870(__ebx, __edi, __esi, __eflags);
						__eax =  ~__eax;
						asm("sbb eax, eax");
						return __eax;
					case 3:
						_t8 = E6B148A1A(_t15, _t21, _t20, _t21, __eflags); // executed
						asm("sbb eax, eax");
						return  ~( ~_t8) - 1;
				}
			}

0x6b154067
0x6b15406b
0x6b15406d
0x6b15406f
0x6b154074
0x6b154081
0x00000000
0x6b154086
0x6b15408c
0x6b154094
0x6b154097
0x6b1540bc
0x6b1540bc
0x00000000
0x6b1540bc
0x6b154099
0x00000000
0x6b1540c0
0x00000000
0x00000000
0x00000000
0x6b1540b0
0x6b1540b5
0x6b1540b7
0x00000000
0x00000000
0x6b1540a2
0x6b1540a9
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 6B154077

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: a7cb205ecb720862f5fae2fa076a20c239f1f57878c1fa23d2a1563b1df636cf
Instruction ID: b19933406e64f402babb9165d49c9bc31c815da83bb2a10b76ecfd1359cae4e7
Opcode Fuzzy Hash: a7cb205ecb720862f5fae2fa076a20c239f1f57878c1fa23d2a1563b1df636cf
Instruction Fuzzy Hash: B9F0E2B31A4022FBDB202E38D404AA973D5DB637A37210A79E037C3188DB78C430C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 6B157F22 Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B157F22(void** __edi, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20, struct _SECURITY_ATTRIBUTES* _a24) {
				void* __esi;
				void* _t14;
				void** _t17;

				_t17 = __edi;
				_t19 = __edi[1];
				if(__edi[1] == 0) {
					_t14 = CreateFileW(_a4, _a8, _a12, _a24, _a16, _a20, 0); // executed
				} else {
					_t14 = E6B157E95(_t19, _a4, _a8, _a12, _a24, _a16, _a20);
				}
				if(_t14 != 0xffffffff) {
					 *_t17 = _t14;
					return 0;
				} else {
					return E6B157F08();
				}
			}

0x6b157f22
0x6b157f28
0x6b157f2d
0x6b157f5c
0x6b157f2f
0x6b157f41
0x6b157f41
0x6b157f66
0x6b157f6f
0x00000000
0x6b157f68
0x00000000
0x6b157f68

APIs

CreateFileW.KERNELBASE(00002100,00000002,00000000,6B157BC3,C0000000,?,00000000,?,?,6B157BC3,?,C0000000,00000000,00000002,00002100,?), ref: 6B157F5C

Part of subcall function 6B157E95: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6B157F46,00002100,00000002,00000000,6B157BC3,C0000000,?,?,?,6B157BC3,?,C0000000,00000000), ref: 6B157EA6
Part of subcall function 6B157E95: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6B157EB6

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID:
API String ID: 2580138172-0
Opcode ID: f741e39111c9671540466142c0625042046fd5535b0c49aee25ce83427378c26
Instruction ID: 18bbaf3aacf1d7d99d27fcf56b1150235a0b85350b177b092aa9ade80ce13322
Opcode Fuzzy Hash: f741e39111c9671540466142c0625042046fd5535b0c49aee25ce83427378c26
Instruction Fuzzy Hash: 18F0B27340415AFBCF029FA4DC02DCA7F66EF19760F018112FA34551A0C336D871AB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B14507E Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6B14507E(intOrPtr __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t34;
				void* _t35;
				void* _t36;

				_t36 = __eflags;
				_t26 = __ebx;
				_push(0);
				E6B16265B(0x6b164aec, __ebx, __edi, __esi);
				_t34 =  *((intOrPtr*)(_t35 + 8));
				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
				 *((intOrPtr*)(_t34 + 4)) =  *((intOrPtr*)(_t35 + 0xc));
				_t9 = _t26 + 8; // 0x50
				 *_t34 = 0x6b1374fc;
				 *((intOrPtr*)(_t34 + 8)) = __ebx;
				 *((intOrPtr*)(_t34 + 0xc)) = __ecx;
				E6B142661(__ebx, _t9, __ecx, _t34, _t36, _t34 + 0x10, __ecx + 8,  *((intOrPtr*)(_t35 + 0x10)));
				_push( *((intOrPtr*)(_t35 + 0x14)));
				_t32 = __ecx + 0x18;
				_push(__ecx + 0x18);
				_t14 = _t26 + 0x18; // 0x60
				 *(_t35 - 4) = 1;
				E6B142996(__ebx, _t14, _t32, _t34, _t32, _t34 + 0x20); // executed
				return E6B162709(_t34);
			}

0x6b14507e
0x6b14507e
0x6b14507e
0x6b145085
0x6b14508c
0x6b14508f
0x6b145099
0x6b1450a3
0x6b1450a7
0x6b1450ad
0x6b1450b0
0x6b1450b3
0x6b1450b8
0x6b1450bb
0x6b1450be
0x6b1450c2
0x6b1450c6
0x6b1450ca
0x6b1450d6

APIs

__EH_prolog3.LIBCMT ref: 6B145085

Part of subcall function 6B142661: __EH_prolog3.LIBCMT ref: 6B142668

Part of subcall function 6B142996: __EH_prolog3.LIBCMT ref: 6B14299D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c474847150f9dc40b96855b75976220325753cf80cfe9c9fc0bd85f7693a4a12
Instruction ID: eea74da0497c06fa06ed42466b8ee9420078d5df6187a587bc55ac9934396749
Opcode Fuzzy Hash: c474847150f9dc40b96855b75976220325753cf80cfe9c9fc0bd85f7693a4a12
Instruction Fuzzy Hash: C7F01D76000609EFCB11CF68C881E8AB7E4BF14304F00855AE85ADB245E738E665DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A0F4 Relevance: 1.5, APIs: 1, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B14A0F4(void* __ecx, intOrPtr _a4) {
				intOrPtr _t10;
				long _t13;
				struct HWND__** _t18;

				_push(_a4);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x24))))(); // executed
				_t10 =  *((intOrPtr*)(__ecx + 0xc));
				if( *((char*)(_t10 + 0x1b5)) == 0 &&  *((char*)(__ecx + 8)) == 0) {
					_t18 = _t10 + 0x124;
					_t13 = SendMessageW( *_t18, 0x172, 1,  *(E6B149CD5(_t18[1]))); // executed
					return _t13;
				}
				return _t10;
			}

0x6b14a0fa
0x6b14a107
0x6b14a109
0x6b14a113
0x6b14a11b
0x6b14a134
0x00000000
0x6b14a134
0x6b14a13c

APIs

Part of subcall function 6B149CD5: GetTickCount.KERNEL32 ref: 6B149CDC

SendMessageW.USER32(?,00000172,00000001,00000000), ref: 6B14A134

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CountMessageSendTick
String ID:
API String ID: 3168085573-0
Opcode ID: 3e794ddff41d002493b976ba732e4905e903f7d07fc8935c0cc50d7ad19df4df
Instruction ID: 7fe4c8264a870cc5b26ae7b35aa3804d2ff97d12953b2aeed61a9c8b81dd2c76
Opcode Fuzzy Hash: 3e794ddff41d002493b976ba732e4905e903f7d07fc8935c0cc50d7ad19df4df
Instruction Fuzzy Hash: ECF0A931508248FFEB208B14C848F827BE2EF0A764F0580B9F58A9B661C772A850CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6B13B93E Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6B13B93E(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t14;
				void* _t28;
				void* _t32;

				_t28 = __edx;
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				_t14 =  *0x6b16fe10; // 0x6b1333ec
				 *((intOrPtr*)(_t32 - 0x10)) =  *((intOrPtr*)(_t14 + 0xc))(4) + 0x10;
				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
				L6B158334(_t32 - 0x10,  *((intOrPtr*)(_t32 + 0xc)), _t32 + 0x10);
				_push( *((intOrPtr*)(_t32 - 0x10)));
				_push( *((intOrPtr*)(_t32 + 8)));
				 *((intOrPtr*)( *__esi + 4))();
				return E6B162709(E6B158460( *((intOrPtr*)(_t32 - 0x10)) - 0x10, _t28));
			}

0x6b13b93e
0x6b13b945
0x6b13b94a
0x6b13b95a
0x6b13b95d
0x6b13b96b
0x6b13b975
0x6b13b976
0x6b13b97b
0x6b13b98b

APIs

__EH_prolog3.LIBCMT ref: 6B13B945

Part of subcall function 6B15830D: _vwprintf.LIBCMT ref: 6B158353
Part of subcall function 6B15830D: _vswprintf_s.LIBCMT ref: 6B158378

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3_vswprintf_s_vwprintf
String ID:
API String ID: 3682816334-0
Opcode ID: 6c27f39a8d47d11b82cf52a583d0724adfd4ffdf3a41aca1898d0f563f7102db
Instruction ID: 2044e26f29b85b3336f226bf939120ff18aa9467fc5516015aeb1b388c89597e
Opcode Fuzzy Hash: 6c27f39a8d47d11b82cf52a583d0724adfd4ffdf3a41aca1898d0f563f7102db
Instruction Fuzzy Hash: 91F01CB551010AEFCF00DFA4C845AADBBB5BF40759F418424E924AB251EB38DA25CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B157E56 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B157E56(void* __ecx, void** _a4, long _a8, long _a12, long _a16) {
				long _v8;
				long _v12;
				long _t8;
				long _t10;
				void* _t12;

				_t8 = _a8;
				_v8 = _a12;
				_v12 = _t8;
				_t10 = SetFilePointer( *_a4, _t8,  &_v8, _a16); // executed
				if(_t10 != 0xffffffff) {
					L2:
					return 0;
				}
				_t12 = E6B157F08();
				if(_t12 >= 0) {
					goto L2;
				}
				return _t12;
			}

0x6b157e63
0x6b157e66
0x6b157e6e
0x6b157e76
0x6b157e7f
0x6b157e8a
0x00000000
0x6b157e8a
0x6b157e81
0x6b157e88
0x00000000
0x00000000
0x6b157e8d

APIs

SetFilePointer.KERNELBASE(?,?,00000006,?,?,?,?,6B13DAC1,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6B157E76

Part of subcall function 6B157F08: GetLastError.KERNEL32(6B157B0B,?,?,?,00000000), ref: 6B157F08

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d4b69f4612714d8c3201b5c6e6276f46fde64a0ba942c441a38c7b8b8f3624e9
Instruction ID: 352f698c9307f6b7a2847cfc80d3bc32463ab640d3618e5ff16b6ee3bc4c24ce
Opcode Fuzzy Hash: d4b69f4612714d8c3201b5c6e6276f46fde64a0ba942c441a38c7b8b8f3624e9
Instruction Fuzzy Hash: 15E012B2500248BF8B05CFA5DC46D9E7BB9EB45314B10826AF925D3290E770DD60DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B13B8EF Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13B8EF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t13;
				intOrPtr* _t26;
				void* _t28;
				void* _t29;

				_t29 = __eflags;
				E6B16265B(0x6b164181, __ebx, __edi, __esi);
				_t26 =  *((intOrPtr*)(_t28 + 8));
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				_t13 = E6B14F092(__ebx, _t26, __esi, _t29, _t28 - 0x10,  *((intOrPtr*)(_t26 + 4)));
				 *(_t28 - 4) = 1;
				_t24 =  *((intOrPtr*)( *((intOrPtr*)(_t26 + 8)))); // executed
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 + 8)))) + 0xc))( *_t13, 4);
				E6B158460( *((intOrPtr*)(_t28 - 0x10)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t26 + 8)))));
				return E6B162709(E6B158460( *_t26 - 0x10, _t24));
			}

0x6b13b8ef
0x6b13b8f6
0x6b13b8fb
0x6b13b8fe
0x6b13b909
0x6b13b90e
0x6b13b917
0x6b13b919
0x6b13b922
0x6b13b936

APIs

__EH_prolog3.LIBCMT ref: 6B13B8F6

Part of subcall function 6B14F092: __EH_prolog3.LIBCMT ref: 6B14F099

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 1565b9d01b965d55f8324d72cf17afbcb67e90f79d263ae7a82f7b3bff44512e
Instruction ID: 5564f4d39fb5d5eec8a436a14505c90663f9073230c46ecfbac97b37e9f54043
Opcode Fuzzy Hash: 1565b9d01b965d55f8324d72cf17afbcb67e90f79d263ae7a82f7b3bff44512e
Instruction Fuzzy Hash: AAF039B250010AFFDB00DBB8C846B9DF761FF1031CF108644E524AB295EB39A924CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B1588C6 Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E6B1588C6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t17;

				_push(0xc);
				_push(0x6b167ef8);
				E6B15AA30(__ebx, __edi, __esi);
				E6B15A061();
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				_t9 = E6B1587D5( *((intOrPtr*)(_t17 + 8))); // executed
				 *((intOrPtr*)(_t17 - 0x1c)) = _t9;
				 *(_t17 - 4) = 0xfffffffe;
				E6B1588FC();
				return E6B15AA75( *((intOrPtr*)(_t17 - 0x1c)));
			}

0x6b1588c6
0x6b1588c8
0x6b1588cd
0x6b1588d2
0x6b1588d7
0x6b1588de
0x6b1588e4
0x6b1588e7
0x6b1588ee
0x6b1588fb

APIs

Part of subcall function 6B15A061: __lock.LIBCMT ref: 6B15A063

__onexit_nolock.LIBCMT ref: 6B1588DE

Part of subcall function 6B1587D5: RtlDecodePointer.NTDLL(6B1722B4,6B131418,?,?,?,6B1588E3,?,6B167EF8,0000000C,6B158914,?,?,6B15921B,6B167E51,?), ref: 6B1587EA
Part of subcall function 6B1587D5: _DecodePointerInternal@4.SETUPUI(?,?,?,6B1588E3,?,6B167EF8,0000000C,6B158914,?,?,6B15921B,6B167E51,?), ref: 6B1587F7
Part of subcall function 6B1587D5: __realloc_crt.LIBCMT ref: 6B158834
Part of subcall function 6B1587D5: __realloc_crt.LIBCMT ref: 6B15884A
Part of subcall function 6B1587D5: _EncodePointerInternal@4.SETUPUI(00000000,?,?,?,6B1588E3,?,6B167EF8,0000000C,6B158914,?,?,6B15921B,6B167E51,?), ref: 6B15885C
Part of subcall function 6B1587D5: _EncodePointerInternal@4.SETUPUI(?,?,?,?,6B1588E3,?,6B167EF8,0000000C,6B158914,?,?,6B15921B,6B167E51,?), ref: 6B158870
Part of subcall function 6B1587D5: _EncodePointerInternal@4.SETUPUI(-00000004,?,?,?,6B1588E3,?,6B167EF8,0000000C,6B158914,?,?,6B15921B,6B167E51,?), ref: 6B158878

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Pointer$Internal@4$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 2982823084-0
Opcode ID: a11ddd5b3358e4307a30f7ad7ffe7197f1057ba9f32c996a81007c8b54c4e23b
Instruction ID: 39e565a9ba9506aefcfc3b83984b880c600d561e2069493956e14f295652f1b3
Opcode Fuzzy Hash: a11ddd5b3358e4307a30f7ad7ffe7197f1057ba9f32c996a81007c8b54c4e23b
Instruction Fuzzy Hash: 77D05EB3C71205BBCF00AFB8C90278EBAB0AF40328F204115A030A74D0CB7C0A618A65

Uniqueness

Uniqueness Score: -1.00%

Function 6B13FF14 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13FF14(long __eax) {
				void* __esi;
				struct HWND__** _t5;

				_t5 = __eax;
				EnumChildWindows( *__eax, E6B13FF39, __eax); // executed
				E6B13FFCE(_t5, _t5);
				return E6B14007B(_t5);
			}

0x6b13ff17
0x6b13ff21
0x6b13ff28
0x6b13ff33

APIs

EnumChildWindows.USER32 ref: 6B13FF21

Part of subcall function 6B14007B: SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6B1400A9
Part of subcall function 6B14007B: SetWindowPos.USER32(0000000C,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6B1400E6

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$ChildEnumWindows
String ID:
API String ID: 1604351572-0
Opcode ID: a0fa63d883f55606bb50ff5de72824afe3fa85dd4f18fabb3f02f9c601ed1a90
Instruction ID: 9b79786bf5034157589e4fe7ccb84d2cff8ac40e11f02ce1c6ebfbce9f141d58
Opcode Fuzzy Hash: a0fa63d883f55606bb50ff5de72824afe3fa85dd4f18fabb3f02f9c601ed1a90
Instruction Fuzzy Hash: 04C04C37016430765A313B75680DD9B2B9DDF972A43150056B954920146A1E8C5286E5

Uniqueness

Uniqueness Score: -1.00%

Function 6B159A12 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,6B16042F,6B172758,00000314,00000000,?,?,?,?,?,6B15D97D,6B172758,Microsoft Visual C++ Runtime Library,00012010), ref: 6B159A14

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c7608ecfeaa337787b3fa290f682e531fc1835dbe941a27be7b5654804f209e8
Instruction ID: f851b1db1214233fa4c943c616c4e720e4aeecc8c03c59b5367f3adad0bd238d
Opcode Fuzzy Hash: c7608ecfeaa337787b3fa290f682e531fc1835dbe941a27be7b5654804f209e8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D738E2 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00D72DF0,?,00D72F39,000000FF,?,00D74358,00000011,?,?,00D739C3,0000000D,?,00D72FA5,00000003), ref: 00D738E4

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7203e0a8265aca2f381d98b4b06877879bb273fcc6b211f42d9e32019b585684
Instruction ID: 1a2b06ee5f2cadeea0cbad693d77633edb122fa42e0f5411ead3d3679dfcd5ea
Opcode Fuzzy Hash: 7203e0a8265aca2f381d98b4b06877879bb273fcc6b211f42d9e32019b585684
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6B15D6DC Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E6B15D6DC(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = HeapAlloc( *0x6b172418, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x6b172d84;
					if( *0x6b172d84 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E6B15DA46(_t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E6B15B570(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x6b15d6e1
0x6b15d6e6
0x6b15d703
0x6b15d708
0x6b15d70a
0x6b15d70c
0x6b15d70e
0x6b15d70e
0x6b15d70e
0x00000000
0x6b15d716
0x6b15d71f
0x6b15d725
0x6b15d727
0x00000000
0x00000000
0x6b15d75b
0x6b15d75d
0x00000000
0x6b15d729
0x6b15d729
0x6b15d730
0x6b15d74e
0x6b15d751
0x6b15d753
0x6b15d755
0x6b15d755
0x6b15d732
0x6b15d733
0x6b15d739
0x6b15d73b
0x6b15d70f
0x6b15d70f
0x6b15d711
0x6b15d714
0x00000000
0x00000000
0x00000000
0x00000000
0x6b15d73d
0x6b15d73d
0x6b15d740
0x6b15d742
0x6b15d744
0x6b15d744
0x6b15d74a
0x6b15d74a
0x6b15d73b
0x00000000
0x6b15d6e8
0x6b15d6ec
0x6b15d6ef
0x6b15d6f2
0x00000000
0x6b15d6f4
0x6b15d6f9
0x6b15d702
0x6b15d702
0x6b15d6f2
0x00000000

APIs

HeapAlloc.KERNEL32(00000008,?,00000000,?,6B159F86,6B1591D6,?,00000000,00000000,00000000,?,6B159B8D,00000001,00000214,?,6B15B575), ref: 6B15D71F

Part of subcall function 6B15B570: __getptd_noexit.LIBCMT ref: 6B15B570

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AllocHeap__getptd_noexit
String ID:
API String ID: 117620836-0
Opcode ID: ecb56225cec2b359d3880b7f5fc707fdc8d7701914679d138d588e7b713f8821
Instruction ID: 981e0f494c2b26cdeb92386686c228a7b920c46b9bb88a1462547083e02e7d2a
Opcode Fuzzy Hash: ecb56225cec2b359d3880b7f5fc707fdc8d7701914679d138d588e7b713f8821
Instruction Fuzzy Hash: E301B17B281215BBEB198E34C854F5737ACAB9276AF004569E839CB1D0D738C421C791

Uniqueness

Uniqueness Score: -1.00%

Function 6B161C56 Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B161C56(void* __ecx, long _a4) {
				void* _t3;

				_t3 = HeapAlloc( *(__ecx + 4), 0, _a4); // executed
				return _t3;
			}

0x6b161c63
0x6b161c6a

APIs

HeapAlloc.KERNEL32(?,00000000,?), ref: 6B161C63

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 057870697a2887c47b1809034978b4c21bdf242357de0c7d615b547728f8d0d2
Instruction ID: 494802db64cf4d8fb9761eb479bf22db88f8bd41fd140764190dd427654319b1
Opcode Fuzzy Hash: 057870697a2887c47b1809034978b4c21bdf242357de0c7d615b547728f8d0d2
Instruction Fuzzy Hash: 38C09B36040108F7CF111A55DC05F857F59E795750F148011F608050519773D431D694

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6B1587C1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E6B1587C1(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x6b16f0a0; // 0xf69ff218
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x6b172528 = _t6;
				 *0x6b172524 = _t22;
				 *0x6b172520 = _t25;
				 *0x6b17251c = _t21;
				 *0x6b172518 = _t27;
				 *0x6b172514 = _t26;
				 *0x6b172540 = ss;
				 *0x6b172534 = cs;
				 *0x6b172510 = ds;
				 *0x6b17250c = es;
				 *0x6b172508 = fs;
				 *0x6b172504 = gs;
				asm("pushfd");
				_pop( *0x6b172538);
				 *0x6b17252c =  *_t31;
				 *0x6b172530 = _v0;
				 *0x6b17253c =  &_a4;
				 *0x6b172478 = 0x10001;
				_t11 =  *0x6b172530; // 0x0
				 *0x6b17242c = _t11;
				 *0x6b172420 = 0xc0000409;
				 *0x6b172424 = 1;
				_t12 =  *0x6b16f0a0; // 0xf69ff218
				_v812 = _t12;
				_t13 =  *0x6b16f0a4; // 0x9600de7
				_v808 = _t13;
				 *0x6b172470 = IsDebuggerPresent();
				_push(1);
				E6B15F0B7(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x6b131540);
				if( *0x6b172470 == 0) {
					_push(1);
					E6B15F0B7(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x6b1587c1
0x6b1587c1
0x6b1587c1
0x6b1587c1
0x6b1587c1
0x6b1587c1
0x6b1587c1
0x6b1587c7
0x6b1587c9
0x6b1587c9
0x6b15ae4e
0x6b15ae53
0x6b15ae59
0x6b15ae5f
0x6b15ae65
0x6b15ae6b
0x6b15ae71
0x6b15ae78
0x6b15ae7f
0x6b15ae86
0x6b15ae8d
0x6b15ae94
0x6b15ae9b
0x6b15ae9c
0x6b15aea5
0x6b15aead
0x6b15aeb5
0x6b15aec0
0x6b15aeca
0x6b15aecf
0x6b15aed4
0x6b15aede
0x6b15aee8
0x6b15aeed
0x6b15aef3
0x6b15aef8
0x6b15af04
0x6b15af09
0x6b15af0b
0x6b15af13
0x6b15af1e
0x6b15af2b
0x6b15af2d
0x6b15af2f
0x6b15af34
0x6b15af48

APIs

IsDebuggerPresent.KERNEL32 ref: 6B15AEFE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6B15AF13
UnhandledExceptionFilter.KERNEL32(6B131540), ref: 6B15AF1E
GetCurrentProcess.KERNEL32(C0000409), ref: 6B15AF3A
TerminateProcess.KERNEL32(00000000), ref: 6B15AF41

Strings

`, xrefs: 6B15AEF3

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: `
API String ID: 2579439406-1067860262
Opcode ID: 7fa45e97e23d1c55c575d197cd9f645a73ee5441bb16de2b82c125a732828668
Instruction ID: 785318d7af3d3c3198352b0a91f218b0cf9e1d89cb2f66a6badada2a57acb4b3
Opcode Fuzzy Hash: 7fa45e97e23d1c55c575d197cd9f645a73ee5441bb16de2b82c125a732828668
Instruction Fuzzy Hash: D921CCB9815224FFDB11DF2DD4586843BE4FB0B315F20642AE81987341E7B4DA928F95

Uniqueness

Uniqueness Score: -1.00%

Function 00D72BA5 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00D72BA5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xd78050; // 0x6835a5a
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0xd794b0 = _t6;
				 *0xd794ac = _t22;
				 *0xd794a8 = _t25;
				 *0xd794a4 = _t21;
				 *0xd794a0 = _t27;
				 *0xd7949c = _t26;
				 *0xd794c8 = ss;
				 *0xd794bc = cs;
				 *0xd79498 = ds;
				 *0xd79494 = es;
				 *0xd79490 = fs;
				 *0xd7948c = gs;
				asm("pushfd");
				_pop( *0xd794c0);
				 *0xd794b4 =  *_t31;
				 *0xd794b8 = _v0;
				 *0xd794c4 =  &_a4;
				 *0xd79400 = 0x10001;
				_t11 =  *0xd794b8; // 0x0
				 *0xd793b4 = _t11;
				 *0xd793a8 = 0xc0000409;
				 *0xd793ac = 1;
				_t12 =  *0xd78050; // 0x6835a5a
				_v812 = _t12;
				_t13 =  *0xd78054; // 0xf97ca5a5
				_v808 = _t13;
				 *0xd793f8 = IsDebuggerPresent();
				_push(1);
				E00D75FD7(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xd71c60);
				if( *0xd793f8 == 0) {
					_push(1);
					E00D75FD7(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00d72ba5
0x00d72ba5
0x00d72ba5
0x00d72ba5
0x00d72ba5
0x00d72ba5
0x00d72ba5
0x00d72bab
0x00d72bad
0x00d72bad
0x00d7404f
0x00d74054
0x00d7405a
0x00d74060
0x00d74066
0x00d7406c
0x00d74072
0x00d74079
0x00d74080
0x00d74087
0x00d7408e
0x00d74095
0x00d7409c
0x00d7409d
0x00d740a6
0x00d740ae
0x00d740b6
0x00d740c1
0x00d740cb
0x00d740d0
0x00d740d5
0x00d740df
0x00d740e9
0x00d740ee
0x00d740f4
0x00d740f9
0x00d74105
0x00d7410a
0x00d7410c
0x00d74114
0x00d7411f
0x00d7412c
0x00d7412e
0x00d74130
0x00d74135
0x00d74149

APIs

IsDebuggerPresent.KERNEL32 ref: 00D740FF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D74114
UnhandledExceptionFilter.KERNEL32(00D71C60), ref: 00D7411F
GetCurrentProcess.KERNEL32(C0000409), ref: 00D7413B
TerminateProcess.KERNEL32(00000000), ref: 00D74142

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 407c7b5189db8014377b3aed5a218ff8c350bf72fda7220fc7256365b0e99467
Instruction ID: 936a4f34015826f55e81d018f2e6f8381235f6e84868ab73a56e47cb8a962729
Opcode Fuzzy Hash: 407c7b5189db8014377b3aed5a218ff8c350bf72fda7220fc7256365b0e99467
Instruction Fuzzy Hash: 74218ABA8043049FDB51DF28E9A9A94BBB4FB08319F50401AE50DC73A1F7B559C68B39

Uniqueness

Uniqueness Score: -1.00%

Function 6B13EFE2 Relevance: 7.5, APIs: 5, Instructions: 49
processCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6B13EFE2(intOrPtr __ebx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v540;
				intOrPtr _v556;
				char _v560;
				void* _v564;
				void* __edi;
				void* __esi;
				signed int _t10;
				int _t18;
				intOrPtr _t22;
				intOrPtr _t25;
				int _t26;
				void* _t27;
				signed int _t28;

				_t22 = __ebx;
				_t10 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t10 ^ _t28;
				_t26 = 0;
				_t27 = CreateToolhelp32Snapshot(2, 0);
				if(_t27 != 0xffffffff) {
					E6B15AF90( &_v560, 0, 0x228);
					_push( &_v564);
					_v564 = 0x22c;
					_t18 = Process32FirstW(_t27);
					while(_t18 == 1) {
						if(_v556 == _a4) {
							_t26 = _v540;
						} else {
							_t18 = Process32NextW(_t27,  &_v564);
							continue;
						}
						L7:
						CloseHandle(_t27);
						goto L8;
					}
					goto L7;
				}
				L8:
				return E6B1587C1(_t26, _t22, _v8 ^ _t28, _t25, _t26, _t27);
			}

0x6b13efe2
0x6b13efed
0x6b13eff4
0x6b13eff9
0x6b13f004
0x6b13f009
0x6b13f018
0x6b13f026
0x6b13f028
0x6b13f032
0x6b13f053
0x6b13f043
0x6b13f05a
0x6b13f045
0x6b13f04d
0x00000000
0x6b13f04d
0x6b13f060
0x6b13f061
0x00000000
0x6b13f061
0x00000000
0x6b13f058
0x6b13f067
0x6b13f076

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6B13EFFE
_memset.LIBCMT ref: 6B13F018
Process32FirstW.KERNEL32(00000000,?), ref: 6B13F032
Process32NextW.KERNEL32(00000000,0000022C), ref: 6B13F04D
CloseHandle.KERNEL32(00000000), ref: 6B13F061

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: baef98172ad0225897153e9e1251eaf3dc4098b50862655f2d73c536ca40cae6
Instruction ID: 0184a2c11df093e7e2d386939cc42d7d935897afbc756b6e9adf8c1f02753684
Opcode Fuzzy Hash: baef98172ad0225897153e9e1251eaf3dc4098b50862655f2d73c536ca40cae6
Instruction Fuzzy Hash: 1401F932901038BFC720EB68DC4DEAF7779EB46311F100195E824D3180E738DE45CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B157A10 Relevance: 4.5, APIs: 3, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E6B157A10(signed int __eax, struct HINSTANCE__* _a4, struct HRSRC__* _a8) {
				void* _t9;
				signed int _t11;
				void* _t13;
				signed int _t18;
				signed int _t20;
				signed int _t21;

				_t20 = __eax;
				_t9 = LoadResource(_a4, _a8);
				if(_t9 != 0) {
					_t18 = LockResource(_t9);
					if(_t18 == 0) {
						L6:
						_t11 = 0;
						L8:
						return _t11;
					}
					_t13 = SizeofResource(_a4, _a8) + _t18;
					_t21 = _t20 & 0x0000000f;
					if(_t21 <= 0) {
						L5:
						if(_t18 < _t13) {
							asm("sbb eax, eax");
							_t11 =  ~( *_t18 & 0x0000ffff) & _t18;
							goto L8;
						}
						goto L6;
					}
					while(_t18 < _t13) {
						_t21 = _t21 - 1;
						_t18 = _t18 + 2 + ( *_t18 & 0x0000ffff) * 2;
						if(_t21 != 0) {
							continue;
						}
						goto L5;
					}
					goto L6;
				}
				return _t9;
			}

0x6b157a19
0x6b157a1e
0x6b157a26
0x6b157a30
0x6b157a34
0x6b157a5b
0x6b157a5b
0x6b157a68
0x00000000
0x6b157a68
0x6b157a42
0x6b157a44
0x6b157a47
0x6b157a57
0x6b157a59
0x6b157a64
0x6b157a66
0x00000000
0x6b157a66
0x00000000
0x6b157a59
0x6b157a49
0x6b157a4d
0x6b157a51
0x6b157a55
0x00000000
0x00000000
0x00000000
0x6b157a55
0x00000000
0x6b157a49
0x6b157a6b

APIs

LoadResource.KERNEL32(?,?,?,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A1E
LockResource.KERNEL32(00000000,6B172F8C,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A2A
SizeofResource.KERNEL32(?,?,?,6B14F053,?,00000000,?,6B14F018,00000000,?,00000000,?,?), ref: 6B157A3C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 9b82e4dd1f4dc5972fdd20ca3b2381e3c90a5ec9b673eb5f7517c2f6173ce45f
Instruction ID: 86b4cbe0c48254aff8cf5267556f8281d90ebd78bd841affc829c5987a539e11
Opcode Fuzzy Hash: 9b82e4dd1f4dc5972fdd20ca3b2381e3c90a5ec9b673eb5f7517c2f6173ce45f
Instruction Fuzzy Hash: 24F0F673600026B78F111B29CC168A97BA7EBC17A2309C423F928D2110E739C674D2A0

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F665 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 473
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E6B13F665(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				signed int _v28;
				intOrPtr _v36;
				char _v44;
				char _v68;
				void* _v72;
				void* _v84;
				void* _v88;
				void* _v96;
				void* _v104;
				void* _v108;
				void* _v120;
				char _v128;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				void* _v156;
				char _v164;
				char _v168;
				char _v180;
				intOrPtr* _v184;
				char _v188;
				char _v200;
				char _v208;
				char _v220;
				char _v228;
				char _v232;
				char _v236;
				char _v244;
				char _v248;
				char _v252;
				char _v264;
				char _v272;
				char _v276;
				void* _v280;
				intOrPtr* _v284;
				signed int _v288;
				char _v292;
				intOrPtr* _v308;
				void* _v312;
				signed int _v316;
				intOrPtr _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				signed int _v340;
				signed int _v344;
				char _v348;
				void* _v352;
				char _v356;
				char _v364;
				char _v368;
				void* _v372;
				void* _v384;
				signed int _v388;
				char _v392;
				char _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr _v408;
				signed int _v412;
				intOrPtr* _v416;
				signed int _v420;
				char _v424;
				intOrPtr _v428;
				intOrPtr* _v432;
				void* _v436;
				signed int _v444;
				intOrPtr _v448;
				void* _v452;
				char _v460;
				void* _v464;
				intOrPtr _v488;
				void* _v492;
				char _v520;
				void* _v524;
				void* _v532;
				void* _v540;
				intOrPtr _v552;
				void* _v556;
				void* _v568;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t186;
				intOrPtr* _t191;
				intOrPtr* _t202;
				intOrPtr _t203;
				intOrPtr* _t211;
				intOrPtr _t213;
				intOrPtr _t214;
				intOrPtr* _t215;
				intOrPtr* _t221;
				intOrPtr* _t223;
				intOrPtr* _t225;
				intOrPtr* _t227;
				signed int _t229;
				intOrPtr* _t231;
				intOrPtr* _t233;
				intOrPtr* _t235;
				intOrPtr* _t237;
				intOrPtr* _t239;
				intOrPtr* _t241;
				intOrPtr _t242;
				intOrPtr* _t243;
				intOrPtr _t246;
				char _t247;
				intOrPtr _t249;
				char* _t252;
				intOrPtr _t253;
				intOrPtr _t255;
				intOrPtr* _t264;
				intOrPtr* _t266;
				intOrPtr _t267;
				void* _t272;
				intOrPtr* _t274;
				intOrPtr* _t275;
				void* _t276;
				void* _t304;
				intOrPtr* _t314;
				void* _t320;
				intOrPtr _t321;
				intOrPtr* _t330;
				signed int _t338;
				signed int _t340;
				void* _t344;

				_t340 = (_t338 & 0xfffffff8) - 0xa8;
				_t186 =  *0x6b16f0a0; // 0xf69ff218
				 *[fs:0x0] =  &_v16;
				_v164 = 0;
				_v8 = 0;
				_t321 =  *((intOrPtr*)( *_a4 + 4))(0x6b137940, 0, 1, 0x6b137950,  &_v164, _t186 ^ _t340, _t304, _t320, _t272,  *[fs:0x0], 0x6b163871, 0xffffffff);
				if(_t321 < 0) {
					L52:
					_v28 = _v28 | 0xffffffff;
					_t191 = _v184;
					if(_t191 != 0) {
						 *((intOrPtr*)( *_t191 + 8))(_t191);
					}
					 *[fs:0x0] = _v36;
					return _t321;
				}
				_t274 = __imp__#8;
				 *_t274( &_v152);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v140);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v128);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t274( &_v68);
				_v44 = 4;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t202 = _v200;
				asm("movsd");
				asm("movsd");
				_t281 =  *_t202;
				asm("movsd");
				asm("movsd");
				_t344 = _t340 - 0xffffffffffffffe0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t203 =  *((intOrPtr*)( *_t202 + 0x28))(_t202);
				_t275 = __imp__#9;
				_t321 = _t203;
				 *_t275( &_v140);
				 *_t275( &_v208);
				 *_t275( &_v228);
				_t211 =  *_t275( &_v248);
				if(_t321 < 0) {
					goto L52;
				}
				_v288 = _v288 & 0x00000000;
				_v128 = 5;
				_t330 = _v284;
				__imp__#2("\\");
				_t314 = _t211;
				_v284 = _t314;
				if(_t314 != 0) {
					L4:
					_t281 =  &_v292;
					_v132 = 6;
					_t213 =  *((intOrPtr*)( *_t330 + 0x1c))(_t330, _t314,  &_v292);
					_v144 = 5;
					_t314 = __imp__#6;
					_t321 = _t213;
					_t214 =  *_t314(_t314);
					if(_t321 < 0) {
						L50:
						_v148 = 0;
						_t215 = _v308;
						if(_t215 != 0) {
							 *((intOrPtr*)( *_t215 + 8))(_t215);
						}
						goto L52;
					}
					_t330 = _v308;
					if(_a8 != 0) {
						__imp__#2(_a8);
						_v320 = _t214;
						if(_t214 == 0) {
							goto L3;
						}
						goto L8;
					} else {
						_v316 = _v316 & 0x00000000;
						L8:
						_v152 = 7;
						 *((intOrPtr*)( *_t330 + 0x3c))(_t330, _v320, 0);
						 *_t314(_v332);
						_v332 = _v332 & 0x00000000;
						_v168 = 8;
						_t221 = _v324;
						_t321 =  *((intOrPtr*)( *_t221 + 0x24))(_t221, 0,  &_v332);
						if(_t321 < 0) {
							L48:
							_v180 = 5;
							_t223 = _v344;
							if(_t223 != 0) {
								 *((intOrPtr*)( *_t223 + 8))(_t223);
							}
							goto L50;
						}
						_v324 = _v324 & 0x00000000;
						_v180 = 9;
						_t225 = _v344;
						_t321 =  *((intOrPtr*)( *_t225 + 0x24))(_t225,  &_v324);
						if(_t321 < 0) {
							L46:
							_v188 = 8;
							_t227 = _v332;
							if(_t227 != 0) {
								 *((intOrPtr*)( *_t227 + 8))(_t227);
							}
							goto L48;
						}
						_v316 = _v316 & 0x00000000;
						_v188 = 0xa;
						_t229 = _v332;
						_t321 =  *((intOrPtr*)( *_t229 + 0x28))(_t229, 7,  &_v316);
						if(_t321 < 0) {
							L44:
							_v200 = 9;
							_t231 = _v328;
							if(_t231 != 0) {
								 *((intOrPtr*)( *_t231 + 8))(_t231);
							}
							goto L46;
						}
						_v340 = _v340 & 0x00000000;
						_v200 = 0xb;
						_t233 = _v364;
						_t321 =  *((intOrPtr*)( *_t233 + 0x44))(_t233,  &_v340);
						if(_t321 < 0) {
							L42:
							_v208 = 0xa;
							_t235 = _v348;
							if(_t235 != 0) {
								 *((intOrPtr*)( *_t235 + 8))(_t235);
							}
							goto L44;
						}
						_v344 = _v344 & 0x00000000;
						_v208 = 0xc;
						_t237 = _v348;
						_t321 =  *((intOrPtr*)( *_t237 + 0x30))(_t237, 0,  &_v344);
						if(_t321 < 0) {
							L40:
							_v220 = 0xb;
							_t239 = _v356;
							if(_t239 != 0) {
								 *((intOrPtr*)( *_t239 + 8))(_t239);
							}
							goto L42;
						}
						_v388 = _v388 & 0x00000000;
						_v220 = 0xd;
						_t241 = _v356;
						_t281 =  *_t241;
						_t242 =  *((intOrPtr*)( *_t241))(_t241, 0x6b137960,  &_v388);
						_t321 = _t242;
						if(_t321 < 0) {
							L38:
							_v232 = 0xc;
							_t243 = _v400;
							if(_t243 != 0) {
								 *((intOrPtr*)( *_t243 + 8))(_t243);
							}
							goto L40;
						}
						_t330 = _v400;
						if(_a12 != 0) {
							__imp__#2(_a12);
							_v408 = _t242;
							if(_t242 == 0) {
								goto L3;
							}
							goto L17;
						} else {
							_v404 = _v404 & 0x00000000;
							L17:
							_v236 = 0xe;
							_t246 =  *((intOrPtr*)( *_t330 + 0x2c))(_t330, _v408);
							_v244 = 0xd;
							_t321 = _t246;
							_t247 =  *_t314(_v416);
							if(_t321 < 0) {
								goto L38;
							}
							_t330 = _v416;
							if(_a16 != 0) {
								__imp__#2(_a16);
								_v424 = _t247;
								if(_t247 == 0) {
									goto L3;
								}
								goto L21;
							} else {
								_v420 = _v420 & 0x00000000;
								L21:
								_v252 = 0xf;
								_t249 =  *((intOrPtr*)( *_t330 + 0x34))(_t330, _v424);
								_t321 = _t249;
								 *_t314(_v432);
								if(_t321 < 0) {
									goto L38;
								}
								_v412 = _v412 & 0x00000000;
								_v264 = 0x10;
								E6B157CDC( &_v356, 0x6b1379e4);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t252 =  &_v392;
								asm("movsd");
								__imp__#8(_t252);
								_v272 = 0x12;
								_t330 =  &_v396;
								_t314 =  &_v332;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								__imp__#2(L"S-1-5-32-545");
								_v408 = _t252;
								if(_t252 == 0) {
									goto L3;
								}
								_v272 = 0x13;
								_t253 = E6B157C87( &_v404, _t344 + 0x54);
								_v272 = 0x14;
								_t314 =  &_v348;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t330 = _v432;
								_v424 = _t330;
								if(_a8 != 0) {
									__imp__#2(_a8);
									_v448 = _t253;
									if(_t253 == 0) {
										goto L3;
									}
									goto L26;
								} else {
									_v444 = _v444 & 0x00000000;
									L26:
									_v276 = 0x15;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t344 = _t344 - 0xfffffffffffffff0;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t255 =  *((intOrPtr*)( *_t330 + 0x44))(_v428, _v448,  *((intOrPtr*)(_t344 + 0x58)), 2, 4,  &_v424);
									_t314 = __imp__#6;
									_t321 = _t255;
									 *_t314(_v520);
									 *_t275( &_v460);
									 *_t314(_v488);
									 *_t275(_t344 + 0x44);
									_v364 = 0x10;
									 *_t275(_t344 + 0x64);
									if(_t321 < 0) {
										L36:
										_v368 = 0xd;
										_t264 =  *((intOrPtr*)(_t344 + 0x2c));
										if(_t264 != 0) {
											 *((intOrPtr*)( *_t264 + 8))(_t264);
										}
										goto L38;
									} else {
										_t276 = 0;
										while(1) {
											_t266 =  *((intOrPtr*)(_t344 + 0x2c));
											_t281 =  *_t266;
											_t267 =  *((intOrPtr*)( *_t266 + 0x24))(_t266,  &_v520);
											if( *((intOrPtr*)(_t344 + 0x28)) == 4) {
												break;
											}
											_t281 = _a4;
											_t267 =  *((intOrPtr*)( *_a4 + 8))(0x64);
											_t276 = _t276 + 1;
											if(_t276 < 0x64) {
												continue;
											}
											break;
										}
										if(_t276 == 0x64) {
											_t330 = 0x8004130b;
										}
										_t275 =  *((intOrPtr*)(_t344 + 0x20));
										if(_a8 != 0) {
											__imp__#2(_a8);
											_v552 = _t267;
											if(_t267 == 0) {
												goto L3;
											}
											goto L35;
										} else {
											 *(_t344 + 0x14) =  *(_t344 + 0x14) & 0x00000000;
											L35:
											 *((char*)(_t344 + 0xc4)) = 0x16;
											 *((intOrPtr*)( *_t275 + 0x3c))(_t275, _v552, 0);
											 *_t314( *(_t344 + 0x14));
											goto L36;
										}
									}
								}
							}
						}
					}
				}
				L3:
				E6B1583CE(_t281, 0x8007000e);
				goto L4;
			}

0x6b13f67b
0x6b13f684
0x6b13f693
0x6b13f69b
0x6b13f6af
0x6b13f6c0
0x6b13f6c4
0x6b13fc16
0x6b13fc16
0x6b13fc1e
0x6b13fc24
0x6b13fc29
0x6b13fc29
0x6b13fc35
0x6b13fc43
0x6b13fc43
0x6b13f6ca
0x6b13f6d5
0x6b13f6df
0x6b13f6e0
0x6b13f6e1
0x6b13f6e7
0x6b13f6e8
0x6b13f6f5
0x6b13f6f6
0x6b13f6f7
0x6b13f6fd
0x6b13f6fe
0x6b13f70b
0x6b13f70c
0x6b13f70d
0x6b13f716
0x6b13f717
0x6b13f719
0x6b13f72d
0x6b13f72e
0x6b13f72f
0x6b13f730
0x6b13f73d
0x6b13f73e
0x6b13f73f
0x6b13f740
0x6b13f746
0x6b13f751
0x6b13f752
0x6b13f753
0x6b13f755
0x6b13f756
0x6b13f757
0x6b13f763
0x6b13f764
0x6b13f765
0x6b13f767
0x6b13f768
0x6b13f76b
0x6b13f771
0x6b13f77b
0x6b13f782
0x6b13f789
0x6b13f790
0x6b13f794
0x00000000
0x00000000
0x6b13f79a
0x6b13f79f
0x6b13f7a7
0x6b13f7b0
0x6b13f7b6
0x6b13f7b8
0x6b13f7be
0x6b13f7ca
0x6b13f7ca
0x6b13f7d0
0x6b13f7db
0x6b13f7de
0x6b13f7e7
0x6b13f7ed
0x6b13f7ef
0x6b13f7f3
0x6b13fc00
0x6b13fc00
0x6b13fc08
0x6b13fc0e
0x6b13fc13
0x6b13fc13
0x00000000
0x6b13fc0e
0x6b13f7fd
0x6b13f801
0x6b13f80d
0x6b13f813
0x6b13f819
0x00000000
0x00000000
0x00000000
0x6b13f803
0x6b13f803
0x6b13f81b
0x6b13f81d
0x6b13f82c
0x6b13f833
0x6b13f835
0x6b13f83f
0x6b13f847
0x6b13f853
0x6b13f857
0x6b13fbea
0x6b13fbea
0x6b13fbf2
0x6b13fbf8
0x6b13fbfd
0x6b13fbfd
0x00000000
0x6b13fbf8
0x6b13f85d
0x6b13f862
0x6b13f86a
0x6b13f879
0x6b13f87d
0x6b13fbd4
0x6b13fbd4
0x6b13fbdc
0x6b13fbe2
0x6b13fbe7
0x6b13fbe7
0x00000000
0x6b13fbe2
0x6b13f883
0x6b13f88d
0x6b13f895
0x6b13f8a1
0x6b13f8a5
0x6b13fbbe
0x6b13fbbe
0x6b13fbc6
0x6b13fbcc
0x6b13fbd1
0x6b13fbd1
0x00000000
0x6b13fbcc
0x6b13f8ab
0x6b13f8b0
0x6b13f8b8
0x6b13f8c7
0x6b13f8cb
0x6b13fba8
0x6b13fba8
0x6b13fbb0
0x6b13fbb6
0x6b13fbbb
0x6b13fbbb
0x00000000
0x6b13fbb6
0x6b13f8d1
0x6b13f8db
0x6b13f8e3
0x6b13f8ef
0x6b13f8f3
0x6b13fb92
0x6b13fb92
0x6b13fb9a
0x6b13fba0
0x6b13fba5
0x6b13fba5
0x00000000
0x6b13fba0
0x6b13f8f9
0x6b13f903
0x6b13f90b
0x6b13f90f
0x6b13f917
0x6b13f919
0x6b13f91d
0x6b13fb7c
0x6b13fb7c
0x6b13fb84
0x6b13fb8a
0x6b13fb8f
0x6b13fb8f
0x00000000
0x6b13fb8a
0x6b13f927
0x6b13f92b
0x6b13f937
0x6b13f93d
0x6b13f943
0x00000000
0x00000000
0x00000000
0x6b13f92d
0x6b13f92d
0x6b13f949
0x6b13f949
0x6b13f958
0x6b13f95b
0x6b13f967
0x6b13f969
0x6b13f96d
0x00000000
0x00000000
0x6b13f977
0x6b13f97b
0x6b13f987
0x6b13f98d
0x6b13f993
0x00000000
0x00000000
0x00000000
0x6b13f97d
0x6b13f97d
0x6b13f999
0x6b13f999
0x6b13f9a8
0x6b13f9af
0x6b13f9b1
0x6b13f9b5
0x00000000
0x00000000
0x6b13f9bb
0x6b13f9c9
0x6b13f9d1
0x6b13f9df
0x6b13f9e0
0x6b13f9e1
0x6b13f9e2
0x6b13f9e7
0x6b13f9e8
0x6b13f9ee
0x6b13f9f6
0x6b13f9fa
0x6b13fa01
0x6b13fa02
0x6b13fa03
0x6b13fa09
0x6b13fa0a
0x6b13fa10
0x6b13fa16
0x00000000
0x00000000
0x6b13fa24
0x6b13fa2c
0x6b13fa35
0x6b13fa3f
0x6b13fa43
0x6b13fa44
0x6b13fa45
0x6b13fa46
0x6b13fa47
0x6b13fa4b
0x6b13fa4f
0x6b13fa5b
0x6b13fa61
0x6b13fa67
0x00000000
0x00000000
0x00000000
0x6b13fa51
0x6b13fa51
0x6b13fa6d
0x6b13fa6d
0x6b13fa88
0x6b13fa89
0x6b13fa8a
0x6b13fa8b
0x6b13fa9a
0x6b13fa9b
0x6b13fa9c
0x6b13fa9d
0x6b13faa0
0x6b13faaa
0x6b13fab1
0x6b13fab6
0x6b13fabb
0x6b13fabc
0x6b13fac3
0x6b13fac9
0x6b13facb
0x6b13fad2
0x6b13fad8
0x6b13fadf
0x6b13fae6
0x6b13faee
0x6b13faf2
0x6b13fb66
0x6b13fb66
0x6b13fb6e
0x6b13fb74
0x6b13fb79
0x6b13fb79
0x00000000
0x6b13faf4
0x6b13faf4
0x6b13faf6
0x6b13faf6
0x6b13fafa
0x6b13fb02
0x6b13fb0a
0x00000000
0x00000000
0x6b13fb0c
0x6b13fb13
0x6b13fb16
0x6b13fb1a
0x00000000
0x00000000
0x00000000
0x6b13fb1a
0x6b13fb1f
0x6b13fb21
0x6b13fb21
0x6b13fb2a
0x6b13fb2e
0x6b13fb3a
0x6b13fb40
0x6b13fb46
0x00000000
0x00000000
0x00000000
0x6b13fb30
0x6b13fb30
0x6b13fb4c
0x6b13fb4e
0x6b13fb5d
0x6b13fb64
0x00000000
0x6b13fb64
0x6b13fb2e
0x6b13faf2
0x6b13fa4f
0x6b13f97b
0x6b13f92b
0x6b13f801
0x6b13f7c0
0x6b13f7c5
0x00000000

APIs

VariantInit.OLEAUT32(?), ref: 6B13F6D5
VariantInit.OLEAUT32(?), ref: 6B13F6E8
VariantInit.OLEAUT32(?), ref: 6B13F6FE
VariantInit.OLEAUT32(?), ref: 6B13F717
VariantClear.OLEAUT32(?), ref: 6B13F77B
VariantClear.OLEAUT32(?), ref: 6B13F782
VariantClear.OLEAUT32(?), ref: 6B13F789
VariantClear.OLEAUT32(?), ref: 6B13F790
SysAllocString.OLEAUT32(6B13375C), ref: 6B13F7B0
SysFreeString.OLEAUT32(00000000), ref: 6B13F7EF
SysFreeString.OLEAUT32(?), ref: 6B13F833

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

SysAllocString.OLEAUT32(00000000), ref: 6B13F80D
SysAllocString.OLEAUT32(00000000), ref: 6B13F937
SysFreeString.OLEAUT32(?), ref: 6B13F969
SysAllocString.OLEAUT32(00000000), ref: 6B13F987
SysFreeString.OLEAUT32(?), ref: 6B13F9B1
VariantInit.OLEAUT32(?), ref: 6B13F9E8
SysAllocString.OLEAUT32(S-1-5-32-545), ref: 6B13FA0A
SysAllocString.OLEAUT32(00000000), ref: 6B13FA5B
SysFreeString.OLEAUT32(?), ref: 6B13FACB
VariantClear.OLEAUT32(?), ref: 6B13FAD2
SysFreeString.OLEAUT32(?), ref: 6B13FAD8
VariantClear.OLEAUT32(?), ref: 6B13FADF
VariantClear.OLEAUT32 ref: 6B13FAEE
SysAllocString.OLEAUT32(00000000), ref: 6B13FB3A
SysFreeString.OLEAUT32(?), ref: 6B13FB64

Strings

S-1-5-32-545, xrefs: 6B13FA04

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: String$Variant$AllocClearFree$Init$Exception@8Throw
String ID: S-1-5-32-545
API String ID: 3415528432-782171229
Opcode ID: 9e9393363dae1b74d27bfd921c9baeb1ea4f4ffaa7238480f117a712e0927181
Instruction ID: 8793b70d732d5d15e17a2496250b850975289494606df8fa32152a3286f39bf0
Opcode Fuzzy Hash: 9e9393363dae1b74d27bfd921c9baeb1ea4f4ffaa7238480f117a712e0927181
Instruction Fuzzy Hash: DB02CD71408751EFDB21DF68C848B4BBBE5BF96715F000A5DF894AB250E779D808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B159DA6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E6B159DA6(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x6b1722c4 = GetProcAddress(_t35, "FlsAlloc");
					 *0x6b1722c8 = GetProcAddress(_t35, "FlsGetValue");
					 *0x6b1722cc = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x6b1722c4;
					_t39 = TlsSetValue;
					 *0x6b1722d0 = _t7;
					if( *0x6b1722c4 == 0) {
						L6:
						 *0x6b1722c8 = TlsGetValue;
						 *0x6b1722c4 = 0x6b159a20;
						 *0x6b1722cc = _t39;
						 *0x6b1722d0 = TlsFree;
					} else {
						__eflags =  *0x6b1722c8;
						if( *0x6b1722c8 == 0) {
							goto L6;
						} else {
							__eflags =  *0x6b1722cc;
							if( *0x6b1722cc == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x6b16f054 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x6b1722c8);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E6B15A07D();
							_t41 =  *0x6b131404;
							_t14 =  *_t41( *0x6b1722c4);
							 *0x6b1722c4 = _t14;
							_t15 =  *_t41( *0x6b1722c8);
							 *0x6b1722c8 = _t15;
							_t16 =  *_t41( *0x6b1722cc);
							 *0x6b1722cc = _t16;
							 *0x6b1722d0 =  *_t41( *0x6b1722d0);
							_t18 = E6B15E872();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E6B159A67();
								goto L15;
							} else {
								_t36 =  *0x6b131400;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x6b1722c4, E6B159BFF);
								 *0x6b16f050 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E6B159F70(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x6b1722cc,  *0x6b16f050, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E6B159AA9(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E6B159A67();
					return 0;
				}
			}

0x6b159da6
0x6b159db4
0x6b159db8
0x6b159dd8
0x6b159de5
0x6b159df2
0x6b159df7
0x6b159df9
0x6b159e00
0x6b159e06
0x6b159e0b
0x6b159e23
0x6b159e28
0x6b159e32
0x6b159e3c
0x6b159e42
0x6b159e0d
0x6b159e0d
0x6b159e14
0x00000000
0x6b159e16
0x6b159e16
0x6b159e1d
0x00000000
0x6b159e1f
0x6b159e1f
0x6b159e21
0x00000000
0x00000000
0x6b159e21
0x6b159e1d
0x6b159e14
0x6b159e47
0x6b159e4d
0x6b159e52
0x6b159e55
0x6b159f1c
0x6b159f1c
0x6b159f1c
0x6b159e5b
0x6b159e62
0x6b159e64
0x6b159e66
0x00000000
0x6b159e6c
0x6b159e6c
0x6b159e77
0x6b159e7d
0x6b159e85
0x6b159e8a
0x6b159e92
0x6b159e97
0x6b159e9f
0x6b159ea6
0x6b159eab
0x6b159eb0
0x6b159eb2
0x6b159f17
0x6b159f17
0x00000000
0x6b159eb4
0x6b159eb4
0x6b159ec7
0x6b159ec9
0x6b159ece
0x6b159ed1
0x00000000
0x6b159ed3
0x6b159edf
0x6b159ee3
0x6b159ee5
0x00000000
0x6b159ee7
0x6b159ef8
0x6b159efa
0x00000000
0x6b159efc
0x6b159efc
0x6b159efe
0x6b159eff
0x6b159f06
0x6b159f0c
0x6b159f10
0x6b159f14
0x6b159f14
0x6b159efa
0x6b159ee5
0x6b159ed1
0x6b159eb2
0x6b159e66
0x6b159f20
0x6b159dba
0x6b159dba
0x6b159dc2
0x6b159dc2

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159DAE
__mtterm.LIBCMT ref: 6B159DBA

Part of subcall function 6B159A67: _DecodePointerInternal@4.SETUPUI(00000008,6B158611,6B1585F7,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159A78
Part of subcall function 6B159A67: TlsFree.KERNEL32(0000002A,6B158611,6B1585F7,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159A92
Part of subcall function 6B159A67: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6B158611,6B1585F7,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B15E8DE
Part of subcall function 6B159A67: DeleteCriticalSection.KERNEL32(0000002A,?,?,6B158611,6B1585F7,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B15E908

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6B159DD0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6B159DDD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6B159DEA
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6B159DF7
TlsAlloc.KERNEL32(?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159E47
TlsSetValue.KERNEL32(00000000,?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159E62
__init_pointers.LIBCMT ref: 6B159E6C
_EncodePointerInternal@4.SETUPUI(?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159E7D
_EncodePointerInternal@4.SETUPUI(?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159E8A
_EncodePointerInternal@4.SETUPUI(?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159E97
_EncodePointerInternal@4.SETUPUI(?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159EA4
_DecodePointerInternal@4.SETUPUI(Function_00029BFF,?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159EC5
__calloc_crt.LIBCMT ref: 6B159EDA
_DecodePointerInternal@4.SETUPUI(00000000,?,?,6B15854E,6B167EB8,00000008,6B1586E7,?,?,?,6B167ED8,0000000C,6B1587A7,?), ref: 6B159EF4
GetCurrentThreadId.KERNEL32 ref: 6B159F06

Strings

FlsGetValue, xrefs: 6B159DD2
FlsFree, xrefs: 6B159DEC
KERNEL32.DLL, xrefs: 6B159DA9
FlsAlloc, xrefs: 6B159DCA
FlsSetValue, xrefs: 6B159DDF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1778039572-3819984048
Opcode ID: 7f77eba08771559e4abfa951a69aea23403d645c867e58673ec1f7251172b457
Instruction ID: 049f081e760b5d6672e98c6e178eb28896b925b9c391108d3aa49da21e4f301c
Opcode Fuzzy Hash: 7f77eba08771559e4abfa951a69aea23403d645c867e58673ec1f7251172b457
Instruction Fuzzy Hash: 653123F2900231BADF116BBD9C1865A3FA5FB47395B144576D424D31A1EB38C4A2CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 00D73C03 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D73C03(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0xd79394 = GetProcAddress(_t35, "FlsAlloc");
					 *0xd79398 = GetProcAddress(_t35, "FlsGetValue");
					 *0xd7939c = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0xd79394;
					_t39 = TlsSetValue;
					 *0xd793a0 = _t7;
					if( *0xd79394 == 0) {
						L6:
						 *0xd79398 = TlsGetValue;
						 *0xd79394 = E00D738F0;
						 *0xd7939c = _t39;
						 *0xd793a0 = TlsFree;
					} else {
						__eflags =  *0xd79398;
						if( *0xd79398 == 0) {
							goto L6;
						} else {
							__eflags =  *0xd7939c;
							if( *0xd7939c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0xd7804c = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0xd79398);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00D72C7C();
							_t41 =  *0xd71144;
							_t14 =  *_t41( *0xd79394);
							 *0xd79394 = _t14;
							_t15 =  *_t41( *0xd79398);
							 *0xd79398 = _t15;
							_t16 =  *_t41( *0xd7939c);
							 *0xd7939c = _t16;
							 *0xd793a0 =  *_t41( *0xd793a0);
							_t18 = E00D741A3();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00D73937();
								goto L15;
							} else {
								_t36 =  *0xd71140;
								_t21 =  *((intOrPtr*)( *_t36()))( *0xd79394, E00D73ACF);
								 *0xd78048 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00D74F82(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0xd7939c,  *0xd78048, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00D73979(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00D73937();
					return 0;
				}
			}

0x00d73c03
0x00d73c11
0x00d73c15
0x00d73c35
0x00d73c42
0x00d73c4f
0x00d73c54
0x00d73c56
0x00d73c5d
0x00d73c63
0x00d73c68
0x00d73c80
0x00d73c85
0x00d73c8f
0x00d73c99
0x00d73c9f
0x00d73c6a
0x00d73c6a
0x00d73c71
0x00000000
0x00d73c73
0x00d73c73
0x00d73c7a
0x00000000
0x00d73c7c
0x00d73c7c
0x00d73c7e
0x00000000
0x00000000
0x00d73c7e
0x00d73c7a
0x00d73c71
0x00d73ca4
0x00d73caa
0x00d73caf
0x00d73cb2
0x00d73d79
0x00d73d79
0x00d73d79
0x00d73cb8
0x00d73cbf
0x00d73cc1
0x00d73cc3
0x00000000
0x00d73cc9
0x00d73cc9
0x00d73cd4
0x00d73cda
0x00d73ce2
0x00d73ce7
0x00d73cef
0x00d73cf4
0x00d73cfc
0x00d73d03
0x00d73d08
0x00d73d0d
0x00d73d0f
0x00d73d74
0x00d73d74
0x00000000
0x00d73d11
0x00d73d11
0x00d73d24
0x00d73d26
0x00d73d2b
0x00d73d2e
0x00000000
0x00d73d30
0x00d73d3c
0x00d73d40
0x00d73d42
0x00000000
0x00d73d44
0x00d73d55
0x00d73d57
0x00000000
0x00d73d59
0x00d73d59
0x00d73d5b
0x00d73d5c
0x00d73d63
0x00d73d69
0x00d73d6d
0x00d73d71
0x00d73d71
0x00d73d57
0x00d73d42
0x00d73d2e
0x00d73d0f
0x00d73cc3
0x00d73d7d
0x00d73c17
0x00d73c17
0x00d73c1f
0x00d73c1f

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00D72AAE), ref: 00D73C0B
__mtterm.LIBCMT ref: 00D73C17

Part of subcall function 00D73937: _DecodePointerInternal@4.SETUP(00000006,00D73D79,?,00D72AAE), ref: 00D73948
Part of subcall function 00D73937: TlsFree.KERNEL32(00000026,00D73D79,?,00D72AAE), ref: 00D73962
Part of subcall function 00D73937: DeleteCriticalSection.KERNEL32(00000000,00000000,00D72976,?,00D73D79,?,00D72AAE), ref: 00D7420F
Part of subcall function 00D73937: _free.LIBCMT ref: 00D74212
Part of subcall function 00D73937: DeleteCriticalSection.KERNEL32(00000026,00D72976,?,00D73D79,?,00D72AAE), ref: 00D74239

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D73C2D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D73C3A
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D73C47
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D73C54
TlsAlloc.KERNEL32(?,00D72AAE), ref: 00D73CA4
TlsSetValue.KERNEL32(00000000,?,00D72AAE), ref: 00D73CBF
__init_pointers.LIBCMT ref: 00D73CC9
_EncodePointerInternal@4.SETUP(?,00D72AAE), ref: 00D73CDA
_EncodePointerInternal@4.SETUP(?,00D72AAE), ref: 00D73CE7
_EncodePointerInternal@4.SETUP(?,00D72AAE), ref: 00D73CF4
_EncodePointerInternal@4.SETUP(?,00D72AAE), ref: 00D73D01
_DecodePointerInternal@4.SETUP(00D73ACF,?,00D72AAE), ref: 00D73D22
__calloc_crt.LIBCMT ref: 00D73D37
_DecodePointerInternal@4.SETUP(00000000,?,00D72AAE), ref: 00D73D51
GetCurrentThreadId.KERNEL32 ref: 00D73D63

Strings

FlsSetValue, xrefs: 00D73C3C
FlsGetValue, xrefs: 00D73C2F
KERNEL32.DLL, xrefs: 00D73C06
FlsAlloc, xrefs: 00D73C27
FlsFree, xrefs: 00D73C49

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1131704290-3819984048
Opcode ID: 9d1611a2bc4ac0081098fb9319822ea67ac42eae2a5299c488d9cfa89b18a0e3
Instruction ID: 1d208e400894ca153f4340e86e96bcc9185d9be7560d3ae89b32839e6289196a
Opcode Fuzzy Hash: 9d1611a2bc4ac0081098fb9319822ea67ac42eae2a5299c488d9cfa89b18a0e3
Instruction Fuzzy Hash: F2319F769403209EDB22AF78AC1A649BFA4EB41738B14861AE40CD23F0FB3085C5DF70

Uniqueness

Uniqueness Score: -1.00%

Function 6B14D149 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6B14D149(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t32;
				void* _t33;
				long _t39;
				char* _t42;
				int _t45;
				long _t50;
				long _t55;
				int _t66;
				void* _t72;
				void* _t73;

				_t72 = __esi;
				E6B16265B(0x6b165da0, __ebx, __edi, __esi);
				_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x24))))))();
				_t69 =  *_t32;
				_t33 =  *((intOrPtr*)( *_t32))(4);
				_t75 = _t33;
				if(_t33 != 0) {
					_push(_t73 - 0x10);
					E6B13C419(__ebx, _t69, __edi, __esi, _t75);
					 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
					E6B14F21D(_t73 - 0x10, L"graphics\\setup.ico");
					_push(0x10);
					_t66 = 0x20;
					_t39 = LoadImageW(0,  *(_t73 - 0x10), 1, _t66, _t66, ??);
					 *(__esi + 0xa0) = _t39;
					if(_t39 != 0) {
						SendMessageW( *(__esi + 4), 0x80, 1, _t39);
					}
					E6B14F25E(_t73 - 0x10);
					_t42 = L"stop.ico";
					if( *((char*)(_t72 + 0x8d)) == 0) {
						_t42 = L"warn.ico";
					}
					E6B14F21D(_t73 - 0x10, _t42);
					_t45 = LoadImageW(0,  *(_t73 - 0x10), 1, _t66, _t66, 0x10);
					 *(_t72 + 0x9c) = _t45;
					if(_t45 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x68), 0x170,  *(_t72 + 0x9c), 0);
					}
					E6B14F25E(_t73 - 0x10);
					E6B14F21D(_t73 - 0x10, L"print.ico");
					_t50 = LoadImageW(0,  *(_t73 - 0x10), 1, 0x10, 0x10, 0x10);
					 *(_t72 + 0xa4) = _t50;
					if(_t50 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x69), 0xf7, 1,  *(_t72 + 0xa4));
					}
					E6B14F25E(_t73 - 0x10);
					E6B14F21D(_t73 - 0x10, L"save.ico");
					_t55 = LoadImageW(0,  *(_t73 - 0x10), 1, 0x10, 0x10, 0x10);
					 *(_t72 + 0xa8) = _t55;
					if(_t55 != 0) {
						SendMessageW(GetDlgItem( *(_t72 + 4), 0x6a), 0xf7, 1,  *(_t72 + 0xa8));
					}
					_t33 = E6B158460( &(( *(_t73 - 0x10))[0xfffffffffffffff8]), _t69);
				}
				return E6B162709(_t33);
			}

0x6b14d149
0x6b14d150
0x6b14d15a
0x6b14d15c
0x6b14d160
0x6b14d162
0x6b14d164
0x6b14d16d
0x6b14d16e
0x6b14d173
0x6b14d17f
0x6b14d18a
0x6b14d18e
0x6b14d198
0x6b14d19a
0x6b14d1a2
0x6b14d1af
0x6b14d1af
0x6b14d1b8
0x6b14d1c4
0x6b14d1c9
0x6b14d1cb
0x6b14d1cb
0x6b14d1d4
0x6b14d1e4
0x6b14d1e6
0x6b14d1ee
0x6b14d209
0x6b14d209
0x6b14d212
0x6b14d21f
0x6b14d231
0x6b14d233
0x6b14d23b
0x6b14d256
0x6b14d256
0x6b14d25f
0x6b14d26c
0x6b14d27e
0x6b14d280
0x6b14d288
0x6b14d2a3
0x6b14d2a3
0x6b14d2af
0x6b14d2af
0x6b14d2b9

APIs

__EH_prolog3.LIBCMT ref: 6B14D150

Part of subcall function 6B13C419: __EH_prolog3.LIBCMT ref: 6B13C420
Part of subcall function 6B13C419: GetModuleFileNameW.KERNEL32(6B130000,00000010,00000104), ref: 6B13C46D

Part of subcall function 6B14F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6B13C3AE), ref: 6B14F241

LoadImageW.USER32 ref: 6B14D198
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6B14D1AF
LoadImageW.USER32 ref: 6B14D1E4
GetDlgItem.USER32 ref: 6B14D1F5
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6B14D209
LoadImageW.USER32 ref: 6B14D231
GetDlgItem.USER32 ref: 6B14D242
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6B14D256
LoadImageW.USER32 ref: 6B14D27E
GetDlgItem.USER32 ref: 6B14D28F
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6B14D2A3

Strings

save.ico, xrefs: 6B14D264
warn.ico, xrefs: 6B14D1CB, 6B14D1D0
stop.ico, xrefs: 6B14D1C4
graphics\setup.ico, xrefs: 6B14D177
print.ico, xrefs: 6B14D217

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ImageLoadMessageSend$Item$H_prolog3$AppendFileModuleNamePath
String ID: graphics\setup.ico$print.ico$save.ico$stop.ico$warn.ico
API String ID: 1194837009-3827646805
Opcode ID: 4c70550ea0afffdcf3f9aed1ece74048e1f56f43cb04a48d6e87529ca096e61b
Instruction ID: 25e8a6e4da15276f222249f966256487e9659ab6e53c6e04a0c10037e584cd90
Opcode Fuzzy Hash: 4c70550ea0afffdcf3f9aed1ece74048e1f56f43cb04a48d6e87529ca096e61b
Instruction Fuzzy Hash: EA415775680719BFEF209BB4CC46FAAB7A5FF05B45F000824F365AA1D0DBB5E8549B10

Uniqueness

Uniqueness Score: -1.00%

Function 6B13E153 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E6B13E153(struct HWND__** __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				void* _v76;
				struct tagMONITORINFO _v96;
				struct HWND__** _v100;
				signed int _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed int _t44;
				struct HMONITOR__* _t46;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t69;
				struct HWND__* _t76;
				struct HWND__* _t77;
				void* _t82;
				void* _t88;
				struct HWND__* _t89;
				int _t93;
				signed int _t99;

				_t87 = __edx;
				_t42 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t42 ^ _t99;
				_t88 = GetWindowLongW;
				_t93 = __ecx;
				_v100 = __ecx;
				_t77 = __edx;
				_t44 = GetWindowLongW( *__ecx, 0xfffffff0);
				_v104 = _t44;
				if(_t77 == 0) {
					if((_t44 & 0x40000000) == 0) {
						_t76 = GetWindow( *_t93, 4);
					} else {
						_t76 = GetParent( *_t93);
					}
					_t77 = _t76;
				}
				_t46 = GetWindowRect( *_t93,  &_v56);
				if((_v104 & 0x40000000) != 0) {
					_t89 = GetParent( *_t93);
					GetClientRect(_t89,  &_v40);
					GetClientRect(_t77,  &_v24);
					MapWindowPoints(_t77, _t89,  &_v24, 2);
					goto L20;
				} else {
					if(_t77 == 0) {
						L12:
						_push(2);
						_push( *_t93);
						L13:
						__imp__MonitorFromWindow();
						if(_t46 != 0) {
							_v96.cbSize = 0x28;
							if(GetMonitorInfoW(_t46,  &_v96) == 0) {
								goto L14;
							}
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_t77 != 0) {
								GetWindowRect(_t77,  &_v24);
							} else {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
							}
							L20:
							_t82 = _v56.right - _v56.left;
							asm("cdq");
							_t88 = _v56.bottom - _v56.top;
							asm("cdq");
							_t93 = (_v24.left + _v24.right - _t87 >> 1) - (_t82 - _t87 >> 1);
							asm("cdq");
							asm("cdq");
							_t77 = (_v24.top + _v24.bottom - _t87 >> 1) - (_t88 - _t87 >> 1);
							_t66 = _v40.right;
							_t87 = _t93 + _t82;
							if(_t93 + _t82 > _t66) {
								_t93 = _t66 - _t82;
							}
							if(_t93 < _v40.left) {
								_t93 = _v40.left;
							}
							_t67 = _v40.bottom;
							if(_t77 + _t88 > _t67) {
								_t77 = _t67 - _t88;
							}
							if(_t77 < _v40.top) {
								_t77 = _v40.top;
							}
							_t69 = SetWindowPos( *_v100, 0, _t93, _t77, 0xffffffff, 0xffffffff, 0x15);
							L29:
							return E6B1587C1(_t69, _t77, _v8 ^ _t99, _t87, _t88, _t93);
						}
						L14:
						_t69 = 0;
						goto L29;
					}
					_t46 = GetWindowLongW(_t77, 0xfffffff0);
					if((_t46 & 0x10000000) == 0 || (_t46 & 0x20000000) != 0) {
						_t77 = 0;
					}
					if(_t77 == 0) {
						goto L12;
					} else {
						_push(2);
						_push(_t77);
						goto L13;
					}
				}
			}

0x6b13e153
0x6b13e15b
0x6b13e162
0x6b13e168
0x6b13e16e
0x6b13e174
0x6b13e177
0x6b13e179
0x6b13e17b
0x6b13e180
0x6b13e187
0x6b13e197
0x6b13e189
0x6b13e18b
0x6b13e18b
0x6b13e19d
0x6b13e19d
0x6b13e1a5
0x6b13e1b2
0x6b13e236
0x6b13e23d
0x6b13e244
0x6b13e24e
0x00000000
0x6b13e1b4
0x6b13e1b6
0x6b13e1d6
0x6b13e1d6
0x6b13e1d8
0x6b13e1da
0x6b13e1da
0x6b13e1e2
0x6b13e1f0
0x6b13e1ff
0x00000000
0x00000000
0x6b13e207
0x6b13e208
0x6b13e209
0x6b13e20a
0x6b13e20d
0x6b13e220
0x6b13e20f
0x6b13e215
0x6b13e216
0x6b13e217
0x6b13e218
0x6b13e218
0x6b13e254
0x6b13e25d
0x6b13e260
0x6b13e266
0x6b13e26d
0x6b13e274
0x6b13e27c
0x6b13e283
0x6b13e28a
0x6b13e28c
0x6b13e28f
0x6b13e294
0x6b13e298
0x6b13e298
0x6b13e29d
0x6b13e29f
0x6b13e29f
0x6b13e2a2
0x6b13e2aa
0x6b13e2ae
0x6b13e2ae
0x6b13e2b3
0x6b13e2b5
0x6b13e2b5
0x6b13e2c7
0x6b13e2cd
0x6b13e2db
0x6b13e2db
0x6b13e1e4
0x6b13e1e4
0x00000000
0x6b13e1e4
0x6b13e1bb
0x6b13e1c2
0x6b13e1cb
0x6b13e1cb
0x6b13e1cf
0x00000000
0x6b13e1d1
0x6b13e1d1
0x6b13e1d3
0x00000000
0x6b13e1d3
0x6b13e1cf

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6B13E179
GetParent.USER32 ref: 6B13E18B
GetWindow.USER32(?,00000004), ref: 6B13E197
GetWindowRect.USER32 ref: 6B13E1A5
GetWindowLongW.USER32(?,000000F0), ref: 6B13E1BB
MonitorFromWindow.USER32(?,00000002), ref: 6B13E1DA
GetMonitorInfoW.USER32 ref: 6B13E1F7
GetWindowRect.USER32 ref: 6B13E220
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000000,?,00000002,?,?,?,?,?), ref: 6B13E2C7

Strings

(, xrefs: 6B13E1F0

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID: (
API String ID: 1468510684-3887548279
Opcode ID: f2d3dabbdc86a108c2365110c9b3ac699d88419ce93031ad485ce84ec3523f02
Instruction ID: c227cf8129507e1560b13362ef6ca15dd3122cf939dac2c8ca34823687baa503
Opcode Fuzzy Hash: f2d3dabbdc86a108c2365110c9b3ac699d88419ce93031ad485ce84ec3523f02
Instruction Fuzzy Hash: CF516F72A00329EFDB10DEA8CD84A9EBBB9AF49351F150164F911F7290E765EE14CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6B1470F9 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 215
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B1470F9(void* __ecx, void* __eflags) {
				char _v16;
				signed int _v32;
				signed int _v40;
				struct HWND__* _v44;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v72;
				intOrPtr _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t66;
				signed int _t78;
				intOrPtr* _t83;
				intOrPtr* _t90;
				void* _t106;
				void* _t115;
				intOrPtr* _t124;
				intOrPtr* _t125;
				struct HWND__* _t126;
				intOrPtr* _t134;
				intOrPtr* _t135;
				struct HWND__* _t136;
				void* _t140;
				intOrPtr* _t142;
				intOrPtr* _t150;
				struct HWND__** _t152;
				struct HWND__** _t196;
				void* _t207;
				signed int _t211;
				void* _t214;

				_t214 = __eflags;
				_push(0xffffffff);
				_push(0x6b16677e);
				_push( *[fs:0x0]);
				_t66 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t66 ^ (_t211 & 0xfffffff8) - 0x00000018);
				 *[fs:0x0] =  &_v16;
				_t207 = __ecx;
				_t196 = __ecx + 4;
				_push(GetDlgItem( *_t196, 0x65));
				_push(_t207 + 0x78);
				E6B14671F();
				GetDlgItem( *_t196, 0x68);
				E6B13EDAE(_t207 + 0xb0, _t214);
				GetDlgItem( *_t196, 0x69);
				_v40 = _t207 + 0xdc;
				E6B13EDAE(_t207 + 0xdc, _t214);
				_t78 = _v40;
				_t215 =  *((char*)(_t78 + 0x28));
				if( *((char*)(_t78 + 0x28)) == 0) {
					ShowWindow( *(_t78 + 4), 0);
				}
				_t150 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 0x10))();
				_v44 =  *_t196;
				_t83 =  *((intOrPtr*)( *_t150 + 0x2c))();
				_v32 = _t83;
				SetDlgItemTextW( *_t196, 0x68,  *( *((intOrPtr*)( *_t83 + 0x14))()));
				E6B13EDE8(_v32,  &_v44,  *((intOrPtr*)(_t207 + 0xb4)));
				_t90 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t150 + 0x30))()))))();
				_v40 = _t90;
				SetDlgItemTextW( *_t196, 0x69,  *( *((intOrPtr*)( *_t90 + 0x14))()));
				E6B13EDE8(_v40,  &_v52,  *(_t207 + 0xe0));
				E6B146ABD(_t207 + 0x10c, _t150,  *((intOrPtr*)( *_t150 + 0x24))(), _t215, _t196);
				E6B146ABD(_t207 + 0x13c, _t207 + 4,  *((intOrPtr*)( *_t150 + 0x28))(), _t215, _t207 + 4);
				_t106 =  *((intOrPtr*)( *_t150 + 0x34))( *((intOrPtr*)( *_t150 + 0x38))());
				_t189 = _t106;
				E6B1509E0(_t150, _t207 + 0x1a0, _t106,  *(_t207 + 4), _t207, _t215);
				asm("sbb eax, eax");
				_t200 =  *( ~_v72 & _t207 + 0x000000e0);
				SetWindowLongW(_t200, 0xfffffff0, GetWindowLongW(_t200, 0xfffffff0) | 0x00002400);
				_t115 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x108)))) + 0x3c))( *(_t207 + 4));
				_t216 = _t115 - 1;
				if(_t115 == 1) {
					_t142 =  *((intOrPtr*)( *_t150 + 0x30))();
					_t200 =  *(_t207 + 4);
					_t189 =  *((intOrPtr*)( *_t142 + 4))();
					E6B150E5C(_t207 + 0x1a0, _t143,  *(_t207 + 4));
				}
				E6B14F532( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x108)))) + 0x14))(3), _t189, _t200, _t207, _t216);
				_t152 = _t207 + 4;
				_v56 = _t207 + 0x1bc;
				E6B146615( *_t152, _t207 + 0x1bc);
				E6B14E8E8(L"IDS_PRINT", _t207, _t216);
				_v32 = _v32 & 0x00000000;
				_t124 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 4))( &_v52);
				_t125 =  *((intOrPtr*)( *_t124))( &_v56);
				_t126 = GetDlgItem( *_t152, 0x66);
				E6B146655(_t152, _t126,  *_t125,  *_t125, _t207, _t216);
				_v40 = _v40 | 0xffffffff;
				E6B158460(_v64 + 0xfffffff0,  *_t125);
				E6B14E8E8(L"IDS_SAVE", _t207, _t216);
				_v44 = 1;
				_t134 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t207 + 0x74)))) + 4))( &_v60, _v64);
				_t135 =  *((intOrPtr*)( *_t134))( &_v64);
				_t136 = GetDlgItem( *_t152, 0x67);
				_push(_v76);
				E6B146655(_t152, _t136,  *_t135, L"IDS_SAVE",  *_t135, _t216);
				_t140 = E6B158460(_v72 + 0xfffffff0,  *_t135);
				 *[fs:0x0] = _v60;
				return _t140;
			}

0x6b1470f9
0x6b147101
0x6b147103
0x6b14710e
0x6b147115
0x6b14711c
0x6b147121
0x6b147127
0x6b147131
0x6b147138
0x6b14713c
0x6b14713d
0x6b147146
0x6b147150
0x6b147159
0x6b147169
0x6b14716d
0x6b147172
0x6b147176
0x6b14717a
0x6b147181
0x6b147181
0x6b14718f
0x6b147193
0x6b14719b
0x6b1471a2
0x6b1471af
0x6b1471c4
0x6b1471d4
0x6b1471da
0x6b1471e7
0x6b1471fc
0x6b147211
0x6b147229
0x6b14723d
0x6b147241
0x6b147249
0x6b147254
0x6b14725e
0x6b147272
0x6b147280
0x6b147283
0x6b147286
0x6b14728c
0x6b147291
0x6b14729a
0x6b1472a2
0x6b1472a2
0x6b1472b6
0x6b1472bb
0x6b1472c6
0x6b1472ca
0x6b1472d9
0x6b1472de
0x6b1472e8
0x6b1472f4
0x6b1472fc
0x6b14730a
0x6b14730f
0x6b14731b
0x6b14732a
0x6b14732f
0x6b14733e
0x6b14734a
0x6b147352
0x6b147358
0x6b147360
0x6b14736c
0x6b147375
0x6b147383

APIs

GetDlgItem.USER32 ref: 6B147136

Part of subcall function 6B14671F: __EH_prolog3.LIBCMT ref: 6B146726
Part of subcall function 6B14671F: PathIsRelativeW.SHLWAPI(?,0000004C,0000004C,6B147142,?,00000000), ref: 6B146745
Part of subcall function 6B14671F: PathFileExistsW.SHLWAPI(?), ref: 6B146751
Part of subcall function 6B14671F: __CxxThrowException@8.LIBCMT ref: 6B1468B8

GetDlgItem.USER32 ref: 6B147146

Part of subcall function 6B13EDAE: SetWindowTextW.USER32(?,?), ref: 6B13EDC5

GetDlgItem.USER32 ref: 6B147159
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,6B16677E,000000FF), ref: 6B147181

Part of subcall function 6B14F532: __EH_prolog3.LIBCMT ref: 6B14F539
Part of subcall function 6B14F532: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6B16677E,000000FF), ref: 6B14F555

Part of subcall function 6B146615: CreateWindowExW.USER32 ref: 6B146636
Part of subcall function 6B146615: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,6B1472CF), ref: 6B146648

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

SetDlgItemTextW.USER32 ref: 6B1471AF
SetDlgItemTextW.USER32 ref: 6B1471E7
GetWindowLongW.USER32(?,000000F0), ref: 6B147263
SetWindowLongW.USER32 ref: 6B147272
GetDlgItem.USER32 ref: 6B1472FC

Part of subcall function 6B146655: __EH_prolog3_GS.LIBCMT ref: 6B14665C
Part of subcall function 6B146655: _memset.LIBCMT ref: 6B1466C3
Part of subcall function 6B146655: GetClientRect.USER32 ref: 6B1466E6
Part of subcall function 6B146655: SendMessageW.USER32(00000001,00000432,00000000,?), ref: 6B1466FC

GetDlgItem.USER32 ref: 6B147352

Part of subcall function 6B146655: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,6B14730F,?,?,?,?,?,?,?,?,?), ref: 6B146713

Strings

IDS_PRINT, xrefs: 6B1472D4
IDS_SAVE, xrefs: 6B147325

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Item$Window$H_prolog3Text$LongPath$ClientCreateErrorExceptionException@8ExistsFileH_prolog3_LastMessageRaiseRectRelativeSendShowThrow_memset
String ID: IDS_PRINT$IDS_SAVE
API String ID: 3758966775-3437764585
Opcode ID: 940c3bcfd743723b7834ecdfdce575a71bc8ad0bcb4a351976ee114dd6d84bea
Instruction ID: 32fe54ce9a1353766bd881983cfd639fce9d1a1f42ccfa10aaea18fc06c77c0b
Opcode Fuzzy Hash: 940c3bcfd743723b7834ecdfdce575a71bc8ad0bcb4a351976ee114dd6d84bea
Instruction Fuzzy Hash: 27816835204601AFCB10DF78C888E9ABBE6FF89314F100A68F556DB3A1DB34E919CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B14671F Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 196
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B14671F() {
				int _t88;
				signed int _t92;
				intOrPtr* _t96;
				void* _t104;
				int _t113;
				void* _t124;
				void* _t128;
				intOrPtr* _t138;
				void* _t152;
				intOrPtr _t153;
				WCHAR** _t154;
				void* _t163;
				void* _t166;
				intOrPtr* _t167;
				signed int _t171;
				void* _t176;
				intOrPtr* _t177;
				intOrPtr _t178;
				void* _t181;
				void* _t184;

				_push(0x4c);
				E6B16265B(0x6b166506, _t152, _t166, _t176);
				_push(_t181 - 0x34);
				_t167 = E6B141E75(_t152, _t157, _t163, _t166, _t176, _t184);
				 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
				_t153 =  *((intOrPtr*)(_t181 + 8));
				_t177 =  *((intOrPtr*)(_t153 + 0x34));
				_t154 = _t153 + 0x30;
				if(PathIsRelativeW( *_t154) != 0) {
					 *(_t181 - 0x14) = E6B1583FD( *_t167 - 0x10) + 0x10;
					 *(_t181 - 4) = 1;
					E6B14F21D(_t181 - 0x14,  *((intOrPtr*)(_t167 + 4)));
					E6B14F21D(_t181 - 0x14,  *_t154);
					_t167 = PathFileExistsW;
					PathFileExistsW( *(_t181 - 0x14));
					_t88 = PathFileExistsW( *(_t181 - 0x14));
					__eflags = _t88;
					if(_t88 == 0) {
						 *(_t181 - 4) = 0;
						E6B158460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
						_t92 = 0;
						__eflags = 0;
						goto L5;
					} else {
						E6B14EA8D(_t181 - 0x14, _t154);
						 *(_t181 - 4) = 0;
						E6B158460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
						goto L6;
					}
				} else {
					_t92 = PathFileExistsW( *_t154) & 0xffffff00 | _t151 != 0x00000000;
					L5:
					_t187 = _t92;
					if(_t92 == 0) {
						E6B13C9BB(_t154, _t157, _t167, _t177, __eflags);
						 *((intOrPtr*)(_t181 - 0x20)) = 0x6b136e38;
						 *(_t181 - 4) = 2;
						_t96 = E6B13CB96(_t154, _t181 - 0x20, _t163, 0x6b136e38, _t177, __eflags);
						 *(_t181 - 4) = 3;
						 *((intOrPtr*)( *_t177 + 4))(0,  *_t96, _t181 + 8, _t181 - 0x20, _t154);
						 *(_t181 - 4) = 2;
						E6B158460( *((intOrPtr*)(_t181 + 8)) + 0xfffffff0,  *_t177);
						_push(_t181 - 0x20);
						_t157 = _t181 - 0x18;
						E6B13D1B4(_t154, _t181 - 0x18, 0x6b136e38, _t177, __eflags);
						 *((intOrPtr*)(_t181 - 0x18)) = 0x6b136e38;
						_push(0x6b168364);
						_t104 = _t181 - 0x18;
						goto L8;
					} else {
						L6:
						_push( *_t154);
						_push(L"Successfuly found file %s ");
						_t171 = 4;
						_push(_t171);
						E6B13B93E(_t154, _t163, _t171, _t177, _t187);
						E6B158460( *((intOrPtr*)(_t181 - 0x30)) + 0xfffffff0, _t163);
						E6B158460( *((intOrPtr*)(_t181 - 0x34)) + 0xfffffff0, _t163);
						 *(_t181 - 0x2c) = 0;
						 *((intOrPtr*)(_t181 - 0x28)) = 0;
						 *(_t181 - 4) = _t171;
						_t124 = E6B157F22(_t181 - 0x2c,  *_t154, 0x80000000, 1, 3, 0x80, 0);
						_t188 = _t124;
						if(_t124 < 0) {
							 *((intOrPtr*)(_t181 + 0xc)) = E6B14E8E8(L"ParameterInfo.xml", 0, _t188);
							 *(_t181 - 4) = 5;
							_t128 = E6B14F143(_t154, _t154, 0, _t188);
							 *(_t181 - 4) = 6;
							E6B13CA39(_t154, _t157, _t163, _t154, 0, _t188);
							E6B158460( &(( *(_t181 - 0x14))[0xfffffffffffffff8]), _t163);
							 *(_t181 - 4) = 9;
							E6B158460( *((intOrPtr*)(_t181 - 0x1c)) + 0xfffffff0, _t163);
							_t138 = E6B13CAC2(_t154, _t181 - 0x4c, _t163, _t154, 0, _t188);
							 *(_t181 - 4) = 0xa;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t181 + 8)) + 0x34)))) + 4))(0,  *_t138, _t181 + 0xc, _t181 - 0x4c, _t128,  *((intOrPtr*)(_t181 + 0xc)), _t181 - 0x14, L"can\'t open EULA file: ", _t181 - 0x1c);
							 *(_t181 - 4) = 9;
							_t189 =  *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0;
							E6B158460( *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t181 + 8)) + 0x34)))));
							_push(_t181 - 0x4c);
							_t157 = _t181 - 0x58;
							E6B13D170(_t154, _t181 - 0x58, _t154, 0,  *((intOrPtr*)(_t181 + 0xc)) + 0xfffffff0);
							_push(0x6b1682a0);
							_t104 = _t181 - 0x58;
							L8:
							_push(_t104);
							E6B15DBDB();
						}
					}
				}
				_t178 =  *((intOrPtr*)(_t181 + 8));
				E6B140B11( *((intOrPtr*)(_t181 + 0xc)), _t178, _t189);
				 *((intOrPtr*)(_t181 - 0x24)) = _t181 - 0x2c;
				asm("stosd");
				asm("stosd");
				 *(_t181 - 0x40) = _t181 - 0x24;
				_t179 = _t178 + 4;
				 *((intOrPtr*)(_t181 - 0x38)) = E6B14698A;
				SendMessageW( *(_t178 + 4), 0x449, 2, _t181 - 0x40);
				if( *(_t181 - 0x2c) != 0) {
					CloseHandle( *(_t181 - 0x2c));
					 *(_t181 - 0x2c) = 0;
				}
				_t113 = E6B150324(0, _t157, _t179, 0);
				if( *(_t181 - 0x2c) != 0) {
					_t113 = CloseHandle( *(_t181 - 0x2c));
				}
				return E6B162709(_t113);
			}

0x6b14671f
0x6b146726
0x6b14672e
0x6b146734
0x6b146736
0x6b14673a
0x6b14673d
0x6b146740
0x6b14674d
0x6b14676b
0x6b14676e
0x6b146778
0x6b146782
0x6b14678a
0x6b146790
0x6b146795
0x6b146797
0x6b146799
0x6b1467b6
0x6b1467c0
0x6b1467c5
0x6b1467c5
0x00000000
0x6b14679b
0x6b1467a0
0x6b1467a5
0x6b1467af
0x00000000
0x6b1467af
0x6b14674f
0x6b146759
0x6b1467c7
0x6b1467c7
0x6b1467c9
0x6b14692d
0x6b146937
0x6b146941
0x6b146945
0x6b14694a
0x6b146957
0x6b14695a
0x6b146964
0x6b14696c
0x6b14696d
0x6b146970
0x6b146975
0x6b146978
0x6b14697d
0x00000000
0x6b1467cf
0x6b1467cf
0x6b1467cf
0x6b1467d1
0x6b1467d8
0x6b1467d9
0x6b1467da
0x6b1467e8
0x6b1467f3
0x6b1467fa
0x6b1467fd
0x6b14680a
0x6b146818
0x6b14681d
0x6b14681f
0x6b146833
0x6b146841
0x6b146845
0x6b14684a
0x6b146856
0x6b146861
0x6b146866
0x6b146870
0x6b14687c
0x6b146881
0x6b146891
0x6b146894
0x6b14689b
0x6b14689e
0x6b1468a6
0x6b1468a7
0x6b1468aa
0x6b1468af
0x6b1468b4
0x6b1468b7
0x6b1468b7
0x6b1468b8
0x6b1468b8
0x6b14681f
0x6b1467c9
0x6b1468c0
0x6b1468c3
0x6b1468cb
0x6b1468d3
0x6b1468d4
0x6b1468d8
0x6b1468e6
0x6b1468eb
0x6b1468f2
0x6b146903
0x6b146908
0x6b14690a
0x6b14690a
0x6b146911
0x6b146919
0x6b14691e
0x6b14691e
0x6b146925

APIs

__EH_prolog3.LIBCMT ref: 6B146726

Part of subcall function 6B141E75: __EH_prolog3.LIBCMT ref: 6B141E7C
Part of subcall function 6B141E75: GetThreadLocale.KERNEL32(?,00000004,6B146734,0000004C,0000004C,6B147142,?,00000000), ref: 6B141E8E

PathIsRelativeW.SHLWAPI(?,0000004C,0000004C,6B147142,?,00000000), ref: 6B146745
PathFileExistsW.SHLWAPI(?), ref: 6B146751
PathFileExistsW.SHLWAPI(?,?,?), ref: 6B146790
PathFileExistsW.SHLWAPI(?), ref: 6B146795
__CxxThrowException@8.LIBCMT ref: 6B1468B8
SendMessageW.USER32(?,00000449), ref: 6B1468F2
CloseHandle.KERNEL32(6B168364), ref: 6B146908
CloseHandle.KERNEL32(6B168364,?,00000000), ref: 6B14691E

Strings

Successfuly found file %s , xrefs: 6B1467D1
can't open EULA file: , xrefs: 6B146836
ParameterInfo.xml, xrefs: 6B146829

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Path$ExistsFile$CloseH_prolog3Handle$Exception@8LocaleMessageRelativeSendThreadThrow
String ID: ParameterInfo.xml$Successfuly found file %s $can't open EULA file:
API String ID: 4048475142-2926762472
Opcode ID: 86911e3571467b7b203a8d492d648b03298f14aed899f315c4305d8b3f242f96
Instruction ID: 5a4528d6d354255a5a64c78a5814347b620cb5c854cdc0f30b233b17a6838fcf
Opcode Fuzzy Hash: 86911e3571467b7b203a8d492d648b03298f14aed899f315c4305d8b3f242f96
Instruction Fuzzy Hash: 23712A7290011CFFDF01DFB8C985ADEBBB8AF05318F248155E520BB295D7789A15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14D353 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6B14D353(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v12;
				char _v16;
				signed int _v20;
				int _v24;
				intOrPtr _v32;
				struct HWND__** _v44;
				int _v48;
				void* _v52;
				struct HWND__** _v56;
				int _v60;
				struct HWND__* _v64;
				char _v68;
				intOrPtr _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t48;
				struct HWND__** _t59;
				intOrPtr* _t76;
				intOrPtr* _t77;
				struct HWND__* _t78;
				intOrPtr* _t87;
				intOrPtr* _t88;
				struct HWND__* _t89;
				struct HWND__** _t104;
				intOrPtr _t128;
				struct HWND__** _t140;
				signed int _t142;
				void* _t145;

				_t145 = __eflags;
				_push(0xffffffff);
				_push(0x6b1662b5);
				_push( *[fs:0x0]);
				_t48 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t48 ^ (_t142 & 0xfffffff8) - 0x00000028);
				 *[fs:0x0] =  &_v16;
				_t128 = _a4;
				_t104 = _t128 + 4;
				_v56 = _t104;
				E6B13E153(_t104, GetParent( *_t104));
				SetWindowTextW( *_t104,  *( *(_t128 + 0x20)));
				E6B14D149(_t104, _t128, _t128, _t145);
				E6B14D073(_t104, _t128, _t128, _t145);
				E6B140B11(GetDlgItem( *_t104, 0x66), _t128 + 0x34, _t145);
				_t59 = _t128 + 0x38;
				_v44 = _t59;
				SendMessageW( *_t59, 0x445, 0, 0x4000000);
				E6B14D86C(_t128);
				SendMessageW( *_v44, 0xcf, 1, 0);
				E6B14CFA5(_t128, _t128, SendMessageW, _t145);
				_t139 = _t128;
				E6B14D2BF(_t128, _t128, _t128, _t145);
				if( *((char*)(_t128 + 0x8c)) != 0) {
					L2:
					EnableWindow(GetDlgItem( *_v56, 0xb), 0);
				} else {
					_t147 =  *((char*)(_t128 + 0x8d));
					if( *((char*)(_t128 + 0x8d)) != 0) {
						goto L2;
					}
				}
				_v48 = _t128 + 0xac;
				E6B146615( *_v56, _t128 + 0xac);
				E6B14E8E8(L"IDS_PRINT", _t139, _t147);
				_v12 = _v12 & 0x00000000;
				_t76 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24)))) + 4))( &_v52);
				_t77 =  *((intOrPtr*)( *_t76))( &_v56);
				_t140 = _v64;
				_t78 = GetDlgItem( *_t140, 0x69);
				E6B146655(GetDlgItem, _t78,  *_t77,  *_t77, _t140, _t147);
				_v20 = _v20 | 0xffffffff;
				E6B158460(_v64 + 0xfffffff0,  *_t77);
				E6B14E8E8(L"IDS_SAVE", _t140, _t147);
				_v24 = 1;
				_t87 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x24)))) + 4))( &_v64, _v56);
				_t88 =  *((intOrPtr*)( *_t87))( &_v68);
				_t89 = GetDlgItem( *_t140, 0x6a);
				_push(_v68);
				_t118 = _t89;
				E6B146655(GetDlgItem, _t89,  *_t88,  *_t88, _t140, _t147);
				E6B158460(_v76 + 0xfffffff0,  *_t88);
				_v64 =  *_t140;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v32 = 2;
				E6B13FF14( &_v64);
				if(_v60 != 0) {
					E6B158E26(_v60);
					_pop(_t118);
				}
				E6B150324(0, _t118, _v68, 0);
				PostMessageW( *_t140, 0x6f5, 0, 0);
				 *_a8 = 1;
				 *[fs:0x0] = _v48;
				return 1;
			}

0x6b14d353
0x6b14d35b
0x6b14d35d
0x6b14d368
0x6b14d36f
0x6b14d376
0x6b14d37b
0x6b14d381
0x6b14d384
0x6b14d389
0x6b14d397
0x6b14d3a3
0x6b14d3ab
0x6b14d3b0
0x6b14d3c4
0x6b14d3d6
0x6b14d3e0
0x6b14d3e4
0x6b14d3e8
0x6b14d3fc
0x6b14d3fe
0x6b14d403
0x6b14d405
0x6b14d411
0x6b14d41c
0x6b14d42d
0x6b14d413
0x6b14d413
0x6b14d41a
0x00000000
0x00000000
0x6b14d41a
0x6b14d43f
0x6b14d443
0x6b14d452
0x6b14d457
0x6b14d464
0x6b14d470
0x6b14d472
0x6b14d482
0x6b14d48c
0x6b14d491
0x6b14d49d
0x6b14d4ac
0x6b14d4b4
0x6b14d4c1
0x6b14d4cd
0x6b14d4d5
0x6b14d4d7
0x6b14d4dd
0x6b14d4df
0x6b14d4eb
0x6b14d4f4
0x6b14d4f8
0x6b14d4fc
0x6b14d500
0x6b14d504
0x6b14d50c
0x6b14d514
0x6b14d51d
0x6b14d523
0x6b14d528
0x6b14d528
0x6b14d530
0x6b14d53e
0x6b14d54a
0x6b14d550
0x6b14d55e

APIs

GetParent.USER32(?), ref: 6B14D38D

Part of subcall function 6B13E153: GetWindowLongW.USER32(?,000000F0), ref: 6B13E179
Part of subcall function 6B13E153: GetParent.USER32 ref: 6B13E18B
Part of subcall function 6B13E153: GetWindowRect.USER32 ref: 6B13E1A5
Part of subcall function 6B13E153: GetWindowLongW.USER32(?,000000F0), ref: 6B13E1BB
Part of subcall function 6B13E153: MonitorFromWindow.USER32(?,00000002), ref: 6B13E1DA

SetWindowTextW.USER32(?,?), ref: 6B14D3A3

Part of subcall function 6B14D149: __EH_prolog3.LIBCMT ref: 6B14D150
Part of subcall function 6B14D149: LoadImageW.USER32 ref: 6B14D198
Part of subcall function 6B14D149: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6B14D1AF
Part of subcall function 6B14D149: LoadImageW.USER32 ref: 6B14D1E4
Part of subcall function 6B14D149: GetDlgItem.USER32 ref: 6B14D1F5
Part of subcall function 6B14D149: SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6B14D209
Part of subcall function 6B14D149: LoadImageW.USER32 ref: 6B14D231
Part of subcall function 6B14D149: GetDlgItem.USER32 ref: 6B14D242
Part of subcall function 6B14D149: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6B14D256
Part of subcall function 6B14D149: LoadImageW.USER32 ref: 6B14D27E

Part of subcall function 6B14D073: __EH_prolog3.LIBCMT ref: 6B14D07A
Part of subcall function 6B14D073: SetDlgItemTextW.USER32 ref: 6B14D130

GetDlgItem.USER32 ref: 6B14D3B9

Part of subcall function 6B140B11: SetWindowLongW.USER32 ref: 6B140B2D

SendMessageW.USER32(?,00000445,00000000,04000000), ref: 6B14D3E4

Part of subcall function 6B14D86C: _memset.LIBCMT ref: 6B14D8B6
Part of subcall function 6B14D86C: SendMessageW.USER32(?,0000043A,00000001,?), ref: 6B14D8D9

SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 6B14D3FC

Part of subcall function 6B14CFA5: __EH_prolog3.LIBCMT ref: 6B14CFAC
Part of subcall function 6B14CFA5: GetDlgItem.USER32 ref: 6B14D018
Part of subcall function 6B14CFA5: SetWindowLongW.USER32 ref: 6B14D041
Part of subcall function 6B14CFA5: SetDlgItemTextW.USER32 ref: 6B14D05A

Part of subcall function 6B14D2BF: __EH_prolog3.LIBCMT ref: 6B14D2C6
Part of subcall function 6B14D2BF: SetDlgItemTextW.USER32 ref: 6B14D2FC
Part of subcall function 6B14D2BF: SetDlgItemTextW.USER32 ref: 6B14D33B

GetDlgItem.USER32 ref: 6B14D424
EnableWindow.USER32(00000000,00000000), ref: 6B14D42D
GetDlgItem.USER32 ref: 6B14D482
GetDlgItem.USER32 ref: 6B14D4D5
PostMessageW.USER32(?,000006F5,00000000,00000000), ref: 6B14D53E

Strings

IDS_PRINT, xrefs: 6B14D44D
IDS_SAVE, xrefs: 6B14D4A7

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Item$Window$Message$Send$Text$H_prolog3ImageLoadLong$Parent$EnableFromMonitorPostRect_memset
String ID: IDS_PRINT$IDS_SAVE
API String ID: 2800768353-3437764585
Opcode ID: 012cda17868367c6609f6135147ca04b60dd8114a5ac1d76bc8bd9bf95e076a2
Instruction ID: e22a0d9f4705007f2d7ab9172cfb7f29e6a9bfdbffa1821e035e2702ee514bf2
Opcode Fuzzy Hash: 012cda17868367c6609f6135147ca04b60dd8114a5ac1d76bc8bd9bf95e076a2
Instruction Fuzzy Hash: DE518A71604305AFDB10DF78C885B1ABBE5FF8A328F100A69F5549B2A0DB79ED14CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6B14757C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6B14757C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				intOrPtr* _t58;
				intOrPtr* _t68;
				intOrPtr* _t74;
				void* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t88;
				intOrPtr* _t105;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t124;
				void* _t129;
				int _t137;
				void* _t143;
				WCHAR* _t144;

				_t129 = __edx;
				_push(0x18);
				E6B16265B(0x6b164a61, __ebx, __edi, __esi);
				_t117 = __ecx;
				_t136 =  *((intOrPtr*)(__ecx + 0x174));
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x174)) + 0x30)) != 0) {
					E6B1412AB(_t136);
				}
				_t119 =  *((intOrPtr*)(_t117 + 0x108));
				_t56 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108)))) + 4))();
				_t147 = _t56;
				if(_t56 == 0) {
					E6B14E8E8(L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136, _t147);
					 *(_t143 - 4) =  *(_t143 - 4) & 0x00000000;
					E6B13C9BB(_t117, _t119, L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136, _t147);
					 *(_t143 - 4) = 2;
					E6B158460( &(( *(_t143 - 0x10))[0xfffffffffffffff8]), _t129);
					_t105 = E6B13C9F6(_t143 - 0x1c, _t143 - 0x14);
					 *(_t143 - 4) = 3;
					_t117 =  *((intOrPtr*)(_t117 + 0x1b8));
					 *((intOrPtr*)( *_t117 + 4))(0,  *_t105, _t143 - 0x1c, _t143 - 0x10, _t143 - 0x10);
					 *(_t143 - 4) = 2;
					E6B158460( &(( *(_t143 - 0x14))[0xfffffffffffffff8]),  *_t117);
					_push(_t143 - 0x1c);
					E6B13D1B4(_t117, _t143 - 0x24, L"Failed to initialize items information. engineDataProvider.InitializeItems() returned false", _t136,  &(( *(_t143 - 0x14))[0xfffffffffffffff8]));
					E6B15DBDB(_t143 - 0x24, 0x6b168328);
				}
				_t58 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108)))) + 0x48))();
				_t130 =  *_t58;
				_t137 =  *((intOrPtr*)( *_t58))();
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x108))))))() == 4 || _t137 != 0) {
					E6B13F415(_t117 + 0x17c, GetParent( *(_t117 + 4)));
					 *( *((intOrPtr*)(_t117 + 0x68)) + 4) = 0x66;
					E6B1477A9(_t117);
					_t123 =  *((intOrPtr*)(_t117 + 0x178));
					_t68 =  *((intOrPtr*)( *_t123 + 0x1c))();
					 *(_t143 - 0x14) = _t144;
					 *_t144 = E6B1583FD( *_t68 - 0x10) + 0x10;
					 *(_t143 - 4) = 4;
					_t124 =  *((intOrPtr*)(_t117 + 0x178));
					_t74 =  *((intOrPtr*)( *_t124 + 0x18))(_t123);
					_push(_t124);
					 *(_t143 - 0x10) = _t144;
					_t77 = E6B1583FD( *_t74 - 0x10);
					 *(_t143 - 4) =  *(_t143 - 4) | 0xffffffff;
					 *_t144 = _t77 + 0x10;
					E6B14FB4F(_t117, _t130, GetParent, _t117, __eflags);
					_t80 = SendMessageW( *(_t117 + 0xb4), 0xf0, 0, 0);
					__eflags = _t80;
					_t81 = _t80 & 0xffffff00 | _t80 != 0x00000000;
					__eflags =  *((char*)(_t117 + 0x104));
					if( *((char*)(_t117 + 0x104)) != 0) {
						EnableWindow( *(_t117 + 0xe0), _t81 & 0x000000ff);
					}
					SetWindowLongW( *(_t117 + 4), 0xfffffff4, 0x66);
					 *(_t143 - 0x14) =  *(_t117 + 0x58);
					SetWindowTextW(GetParent( *(_t117 + 4)),  *(_t143 - 0x14));
					PostMessageW( *(_t117 + 4), 0x6f5, 0, 0);
					_t88 = 1;
					__eflags = 1;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x170)))) + 0xc))(0x77777777);
					SendMessageW(GetParent( *(_t117 + 4)), 0x472, _t137, 0x69);
					_t88 = 0;
				}
				return E6B162709(_t88);
			}

0x6b14757c
0x6b14757c
0x6b147583
0x6b147588
0x6b14758a
0x6b147595
0x6b147597
0x6b147597
0x6b14759c
0x6b1475a4
0x6b1475a7
0x6b1475a9
0x6b1475b4
0x6b1475b9
0x6b1475c5
0x6b1475ca
0x6b1475d4
0x6b1475e0
0x6b1475e5
0x6b1475eb
0x6b1475f8
0x6b1475fb
0x6b147605
0x6b14760d
0x6b147611
0x6b14761f
0x6b14761f
0x6b14762c
0x6b14762f
0x6b14763b
0x6b147644
0x6b14768b
0x6b147695
0x6b14769c
0x6b1476a1
0x6b1476a9
0x6b1476b2
0x6b1476bf
0x6b1476c1
0x6b1476c8
0x6b1476d0
0x6b1476d5
0x6b1476d9
0x6b1476de
0x6b1476e3
0x6b1476ea
0x6b1476ee
0x6b147702
0x6b147708
0x6b14770a
0x6b14770d
0x6b147714
0x6b147720
0x6b147720
0x6b14772d
0x6b147739
0x6b147742
0x6b147752
0x6b14775a
0x6b14775a
0x6b14764a
0x6b147657
0x6b14766c
0x6b147672
0x6b147672
0x6b147760

APIs

__EH_prolog3.LIBCMT ref: 6B147583
__CxxThrowException@8.LIBCMT ref: 6B14761F
GetParent.USER32(?), ref: 6B14765D
SendMessageW.USER32(00000000,00000472,00000000,00000069), ref: 6B14766C

Part of subcall function 6B1412AB: CloseHandle.KERNEL32(?,?,6B14BB96), ref: 6B1412BC

GetParent.USER32(?), ref: 6B147682

Part of subcall function 6B13F415: GetDlgItem.USER32 ref: 6B13F479
Part of subcall function 6B13F415: GetWindowLongW.USER32(00000000,000000EB), ref: 6B13F484
Part of subcall function 6B13F415: SetWindowLongW.USER32 ref: 6B13F4C4

Part of subcall function 6B1477A9: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6B1477CF

Part of subcall function 6B1583FD: _memcpy_s.LIBCMT ref: 6B15844E

Part of subcall function 6B14FB4F: __EH_prolog3.LIBCMT ref: 6B14FB56
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FB6B
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6B14FB78
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FBB5
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,0000047E,?,?), ref: 6B14FBC1
Part of subcall function 6B14FB4F: GetParent.USER32(00000001), ref: 6B14FBD3
Part of subcall function 6B14FB4F: SendMessageW.USER32(00000000,00000480,?,?), ref: 6B14FBDF

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6B147702
EnableWindow.USER32(?,?), ref: 6B147720
SetWindowLongW.USER32 ref: 6B14772D
GetParent.USER32(000000FF), ref: 6B14773C
SetWindowTextW.USER32(00000000,?), ref: 6B147742
PostMessageW.USER32(000000FF,000006F5,00000000,00000000), ref: 6B147752

Strings

Failed to initialize items information. engineDataProvider.InitializeItems() returned false, xrefs: 6B1475AF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Message$ParentSend$Window$Long$H_prolog3$CloseEnableException@8HandleItemPostTextThrow_memcpy_s
String ID: Failed to initialize items information. engineDataProvider.InitializeItems() returned false
API String ID: 3564908371-1354499266
Opcode ID: 8b2cb0687ce5b71763418949d5009eb575a8465f148fa0dd9f218f46f1663be8
Instruction ID: ae1d2a488dfe7b16cae51477f3d490d89a4ec69195f3a31c114774bb711aad96
Opcode Fuzzy Hash: 8b2cb0687ce5b71763418949d5009eb575a8465f148fa0dd9f218f46f1663be8
Instruction Fuzzy Hash: 2D516D71900215EFCB10DFB8C989A9E7BB5FF09324F1441A4E855EF2A2DB39D910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B15528B Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6B15528B(void* _a4, intOrPtr* _a8) {
				void _v52;
				void _v100;
				intOrPtr _v104;
				wchar_t* _v108;
				void* __ebx;
				void* __esi;
				signed int _t46;
				WCHAR* _t48;
				struct HINSTANCE__* _t54;
				int _t57;
				signed int _t59;
				void* _t70;
				signed int _t74;
				signed int _t80;
				wchar_t* _t98;
				signed int _t101;
				void* _t103;

				_t103 = (_t101 & 0xfffffff8) - 0x6c;
				_t70 = _a4;
				_t94 = 0;
				if(_t70 == 0 || _a8 == 0) {
					L8:
					_t46 = 0;
					goto L9;
				} else {
					if( *(_t70 + 0x40) != 0) {
						L19:
						if( *(_t70 + 0x30) != _t94) {
							 *_a8 =  *((intOrPtr*)(_t70 + 0x34));
						}
						_t46 =  *(_t70 + 0x40);
						L9:
						return _t46;
					}
					EnterCriticalSection(0x6b172fc8);
					if( *(_t70 + 0x40) != 0) {
						L18:
						LeaveCriticalSection(0x6b172fc8);
						_t94 = 0;
						goto L19;
					}
					_t48 =  *(_t70 + 0x30);
					if(_t48 == 0) {
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t70 + 0x1c)) = LoadCursorW( !( ~( *(_t70 + 0x3c))) &  *0x6b172f94,  *(_t70 + 0x38));
						L12:
						_t54 =  *0x6b172f90; // 0x6b130000
						 *(_t70 + 4) =  *(_t70 + 4) & 0xffffbfff;
						 *(_t70 + 0x14) = _t54;
						if( *(_t70 + 0x28) == 0) {
							_t98 = _t70 + 0x42;
							swprintf(_t98, 0x25, L"ATL:%p", _t70);
							_t103 = _t103 + 0x10;
							 *(_t70 + 0x28) = _t98;
						}
						_t74 = 0xc;
						_t57 = GetClassInfoExW( *(_t70 + 0x14), memcpy( &_v52, _t70, _t74 << 2),  &_v52);
						 *(_t70 + 0x40) = _t57;
						if(_t57 == 0) {
							_t59 = RegisterClassExW(_t70) & 0x0000ffff;
							_v108 = _t59;
							if(_t59 != 0) {
								E6B14E876( &_v108, 0x6b172fe4);
								_t59 = _v108;
								_t70 = _a4;
							}
							 *(_t70 + 0x40) = _t59;
						}
						goto L18;
					}
					_v108 =  *(_t70 + 0x28);
					_v104 =  *((intOrPtr*)(_t70 + 8));
					_v100 = 0x30;
					if(GetClassInfoExW(0, _t48,  &_v100) != 0 || GetClassInfoExW( *0x6b172f90,  *(_t70 + 0x30),  &_v100) != 0) {
						_t80 = 0xc;
						memcpy(_t70,  &_v100, _t80 << 2);
						_t103 = _t103 + 0xc;
						 *((intOrPtr*)(_t70 + 0x34)) =  *((intOrPtr*)(_t70 + 8));
						 *(_t70 + 0x28) = _v108;
						 *((intOrPtr*)(_t70 + 8)) = _v104;
						goto L12;
					} else {
						LeaveCriticalSection(0x6b172fc8);
						goto L8;
					}
				}
			}

0x6b155293
0x6b155297
0x6b15529b
0x6b1552a0
0x6b155313
0x6b155313
0x00000000
0x6b1552a7
0x6b1552ab
0x6b1553e7
0x6b1553ea
0x6b1553f2
0x6b1553f2
0x6b1553f4
0x6b155315
0x6b15531b
0x6b15531b
0x6b1552b7
0x6b1552c1
0x6b1553da
0x6b1553df
0x6b1553e5
0x00000000
0x6b1553e5
0x6b1552c7
0x6b1552cc
0x6b155347
0x6b155358
0x6b15535b
0x6b15535b
0x6b155360
0x6b15536b
0x6b15536e
0x6b155376
0x6b15537c
0x6b155381
0x6b155384
0x6b155384
0x6b15538c
0x6b15539f
0x6b1553a5
0x6b1553ac
0x6b1553b5
0x6b1553b8
0x6b1553bf
0x6b1553ca
0x6b1553cf
0x6b1553d3
0x6b1553d3
0x6b1553d6
0x6b1553d6
0x00000000
0x6b1553ac
0x6b1552d1
0x6b1552d8
0x6b1552e9
0x6b1552f5
0x6b155320
0x6b155327
0x6b155327
0x6b15532c
0x6b155333
0x6b15533a
0x00000000
0x6b15530c
0x6b15530d
0x00000000
0x6b15530d
0x6b1552f5

APIs

EnterCriticalSection.KERNEL32(6B172FC8,00000000,?,00000000), ref: 6B1552B7
GetClassInfoExW.USER32 ref: 6B1552F1
GetClassInfoExW.USER32 ref: 6B155306
LeaveCriticalSection.KERNEL32(6B172FC8), ref: 6B15530D
LoadCursorW.USER32(?,?), ref: 6B155352
swprintf.LIBCMT ref: 6B15537C
GetClassInfoExW.USER32 ref: 6B15539F
RegisterClassExW.USER32 ref: 6B1553AF
LeaveCriticalSection.KERNEL32(6B172FC8), ref: 6B1553DF

Strings

ATL:%p, xrefs: 6B155371
0, xrefs: 6B1552E9

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegisterswprintf
String ID: 0$ATL:%p
API String ID: 1053483253-2453800769
Opcode ID: 4d64698c184bd161baa15fe50d4ec0819fffe7abd5c7779c76d22a666a64d195
Instruction ID: 1b1b1fd3dded68824622b2e4688dd158b39430dae9602b42e1e4e608f3a78a65
Opcode Fuzzy Hash: 4d64698c184bd161baa15fe50d4ec0819fffe7abd5c7779c76d22a666a64d195
Instruction Fuzzy Hash: 2B41BCB2500311EFCB15DF28C8C0A5A7BB8FF49751F40059AFE688B245E774D955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B13C4DC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E6B13C4DC(intOrPtr* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t75;
				signed int _t77;
				signed int _t78;
				intOrPtr* _t102;
				signed int _t107;
				void* _t117;
				signed int _t124;
				signed int _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t137 = __eflags;
				_t102 = __ebx;
				_push(0x34);
				E6B1626CE(0x6b164e3c, __ebx, __edi, __esi);
				 *(_t135 - 0x38) =  *(_t135 - 0x38) & 0x00000000;
				 *((intOrPtr*)(_t135 - 0x34)) = __ecx;
				 *(_t135 - 0x2c) = L" (Elapsed time: %D %H:%M:%S).";
				E6B1583B4(__ecx);
				 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
				_t128 = L"%c";
				_push(_t135 - 0x1c);
				 *(_t135 - 0x38) = 1;
				E6B14E8E8(L"%c", L"%c", _t137);
				_push(_t135 - 0x18);
				 *(_t135 - 4) = 1;
				E6B14E8E8(L"%02ld", L"%c", _t137);
				_push(_t135 - 0x14);
				 *(_t135 - 4) = 2;
				E6B14E8E8(L"%d", _t128, _t137);
				_push(_t135 - 0x28);
				 *(_t135 - 4) = 3;
				E6B14E8E8(_t128, _t128, _t137);
				_push(_t135 - 0x24);
				 *(_t135 - 4) = 4;
				E6B14E8E8(L"%I64d", _t128, _t137);
				_push(_t135 - 0x20);
				 *(_t135 - 4) = 5;
				E6B14E8E8(L"%I64d", _t128, _t137);
				 *(_t135 - 4) = 6;
				_t129 =  *((intOrPtr*)(_t135 - 0x34));
				_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t135 - 0x34))));
				_t117 = 1 -  *((intOrPtr*)(_t75 - 4));
				if(( *((intOrPtr*)(_t75 - 8)) - 0x00000080 | 1) < 0) {
					E6B15827A(0x80, _t129);
				}
				_t107 = 0x20;
				while(1) {
					_t77 = 2;
					 *(_t135 - 0x2c) =  &(( *(_t135 - 0x2c))[_t77]);
					_t124 = 0;
					 *(_t135 - 0x30) = 0;
					if(_t107 == 0x25) {
						_t107 =  *( *(_t135 - 0x2c)) & 0x0000ffff;
						 *(_t135 - 0x2c) =  &(( *(_t135 - 0x2c))[_t77]);
						 *(_t135 - 0x30) = 1;
						if(_t107 == 0x23) {
							_t107 =  *( *(_t135 - 0x2c)) & 0x0000ffff;
							 *(_t135 - 0x2c) =  &(( *(_t135 - 0x2c))[_t77]);
							 *(_t135 - 0x30) = _t77;
						}
						_t124 =  *(_t135 - 0x30);
					}
					_t78 = _t107 & 0x0000ffff;
					if(_t78 == 0x25) {
						goto L13;
					}
					if(_t78 == 0x44) {
						__eflags = _t124;
						if(_t124 == 0) {
							asm("cdq");
						} else {
							_t78 = E6B162740( *_t102,  *(_t102 + 4), 0x15180, 0);
						}
						_t124 =  *(_t135 + _t124 * 4 - 0x28);
						_push(_t117);
						E6B155002(_t129, _t124, _t78);
						_t136 = _t136 + 0xc;
						L14:
						_t107 =  *( *(_t135 - 0x2c)) & 0x0000ffff;
						if(_t107 == 0) {
							L31:
							_push(0x6b15848c);
							_push(3);
							_push(4);
							_push(_t135 - 0x28);
							 *(_t135 - 4) = 3;
							E6B158D2B(0x6b15848c, __eflags);
							_push(0x6b15848c);
							_push(3);
							_push(4);
							_push(_t135 - 0x1c);
							 *(_t135 - 4) = 0;
							E6B158D2B(0x6b15848c, __eflags);
							return E6B162722(_t102, _t124, 0x6b15848c);
						}
						_t129 =  *((intOrPtr*)(_t135 - 0x34));
						continue;
					}
					if(_t78 == 0x48) {
						__eflags = _t124;
						if(_t124 != 0) {
							 *(_t135 - 0x3c) = E6B162740( *_t102,  *(_t102 + 4), 0x15180, 0) * 0x18;
							_t78 = E6B162740( *_t102,  *(_t102 + 4), 0xe10, 0) -  *(_t135 - 0x3c);
							__eflags = _t78;
							_t124 =  *(_t135 - 0x30);
						}
						L24:
						_push(_t78);
						L25:
						_push(_t124);
						E6B155002( *((intOrPtr*)(_t135 - 0x34)));
						goto L14;
					}
					if(_t78 == 0x4d) {
						__eflags = _t124;
						if(_t124 != 0) {
							 *(_t135 - 0x30) = E6B162740( *_t102,  *(_t102 + 4), 0xe10, 0) * 0x3c;
							_t78 = E6B162740( *_t102,  *(_t102 + 4), 0x3c, 0) -  *(_t135 - 0x30);
						}
						goto L24;
					}
					if(_t78 == 0x53) {
						__eflags = _t124;
						if(_t124 == 0) {
							_t133 = _t78;
						} else {
							_t134 =  *_t102;
							 *(_t135 - 0x3c) =  *(_t102 + 4);
							_t133 = _t134 - E6B162740(_t134,  *(_t102 + 4), 0x3c, 0) * 0x3c;
						}
						_push(_t133);
						goto L25;
					}
					if(_t124 != 0) {
						E6B1583CE(_t107, 0x80004005);
						goto L31;
					}
					L13:
					E6B14EAD3(_t129, _t107);
					goto L14;
				}
			}

0x6b13c4dc
0x6b13c4dc
0x6b13c4dc
0x6b13c4e3
0x6b13c4e8
0x6b13c4ee
0x6b13c4f1
0x6b13c4f8
0x6b13c4fd
0x6b13c504
0x6b13c509
0x6b13c50c
0x6b13c513
0x6b13c51b
0x6b13c521
0x6b13c528
0x6b13c530
0x6b13c536
0x6b13c53a
0x6b13c542
0x6b13c545
0x6b13c54c
0x6b13c554
0x6b13c55a
0x6b13c55e
0x6b13c566
0x6b13c567
0x6b13c56b
0x6b13c570
0x6b13c574
0x6b13c577
0x6b13c57f
0x6b13c58b
0x6b13c58f
0x6b13c58f
0x6b13c596
0x6b13c597
0x6b13c599
0x6b13c59a
0x6b13c59d
0x6b13c59f
0x6b13c5a6
0x6b13c5ab
0x6b13c5ae
0x6b13c5b1
0x6b13c5bb
0x6b13c5c0
0x6b13c5c3
0x6b13c5c6
0x6b13c5c6
0x6b13c5c9
0x6b13c5c9
0x6b13c5cc
0x6b13c5d2
0x00000000
0x00000000
0x6b13c5d7
0x6b13c6ac
0x6b13c6ae
0x6b13c6c3
0x6b13c6b0
0x6b13c6bc
0x6b13c6bc
0x6b13c6c4
0x6b13c6c8
0x6b13c6cd
0x6b13c6d2
0x6b13c600
0x6b13c603
0x6b13c609
0x6b13c6e4
0x6b13c6e9
0x6b13c6ea
0x6b13c6ec
0x6b13c6f1
0x6b13c6f2
0x6b13c6f6
0x6b13c6fb
0x6b13c6fc
0x6b13c6fe
0x6b13c703
0x6b13c704
0x6b13c708
0x6b13c715
0x6b13c715
0x6b13c60f
0x00000000
0x6b13c60f
0x6b13c5e0
0x6b13c666
0x6b13c668
0x6b13c689
0x6b13c691
0x6b13c691
0x6b13c694
0x6b13c694
0x6b13c697
0x6b13c697
0x6b13c698
0x6b13c69f
0x6b13c6a0
0x00000000
0x6b13c6a6
0x6b13c5e9
0x6b13c637
0x6b13c639
0x6b13c658
0x6b13c661
0x6b13c661
0x00000000
0x6b13c639
0x6b13c5ee
0x6b13c614
0x6b13c616
0x6b13c632
0x6b13c618
0x6b13c61b
0x6b13c623
0x6b13c62e
0x6b13c62e
0x6b13c634
0x00000000
0x6b13c634
0x6b13c5f2
0x6b13c6df
0x00000000
0x6b13c6df
0x6b13c5f8
0x6b13c5fb
0x00000000
0x6b13c5fb

APIs

__EH_prolog3_GS.LIBCMT ref: 6B13C4E3

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C626
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C649
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C65C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C678
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C68C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B13C6BC

Strings

(Elapsed time: %D %H:%M:%S)., xrefs: 6B13C4F1
%I64d, xrefs: 6B13C555
%02ld, xrefs: 6B13C51C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$H_prolog3H_prolog3_
String ID: (Elapsed time: %D %H:%M:%S).$%02ld$%I64d
API String ID: 1979320550-823490803
Opcode ID: 1b8bb5568e9d8784649e4ab2ad3d70acf4a30ad407c09bd4c2500dcd0f43eccf
Instruction ID: f4c8d7b316d9f6a713b1bf23c4a40291f3ad99791fa1df1e42cd6c6683dd951c
Opcode Fuzzy Hash: 1b8bb5568e9d8784649e4ab2ad3d70acf4a30ad407c09bd4c2500dcd0f43eccf
Instruction Fuzzy Hash: 5761D5B2D01238FBDF04CBA8C841FDDBBB9AF59710F144049E900FB290E778AA418B65

Uniqueness

Uniqueness Score: -1.00%

Function 6B1509E0 Relevance: 16.9, APIs: 11, Instructions: 430
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6B1509E0(void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t181;
				intOrPtr* _t199;
				intOrPtr* _t205;
				void* _t209;
				intOrPtr* _t216;
				intOrPtr* _t217;
				struct tagRECT _t230;
				intOrPtr _t233;
				intOrPtr* _t235;
				void* _t239;
				intOrPtr* _t241;
				void* _t245;
				void* _t254;
				intOrPtr _t255;
				intOrPtr _t258;
				intOrPtr _t259;
				intOrPtr* _t260;
				intOrPtr* _t266;
				int _t269;
				intOrPtr* _t276;
				int _t279;
				void* _t286;
				intOrPtr* _t296;
				intOrPtr* _t303;
				intOrPtr* _t305;
				void* _t308;
				intOrPtr* _t310;
				intOrPtr* _t317;
				intOrPtr* _t365;
				intOrPtr* _t367;
				intOrPtr _t393;
				void* _t409;
				int _t410;
				void* _t411;

				_t411 = __eflags;
				_t379 = __edx;
				_push(0x4c);
				E6B1626CE(0x6b1653f4, __ebx, __edi, __esi);
				_t407 =  *((intOrPtr*)(_t409 + 0xc));
				_t393 = __ecx;
				 *((intOrPtr*)(_t409 - 0x40)) = __ecx;
				_t317 = __edx;
				 *((intOrPtr*)(_t409 - 0x34)) = _t407;
				 *(_t409 - 0x3c) = SendMessageW( *(_t409 + 8), 0x31, 0, 0);
				 *(_t409 - 0x58) =  *((intOrPtr*)(_t393 + 8));
				_push(_t409 - 0x54);
				_t394 = L"$$";
				E6B14E8E8(L"$$", _t407, _t411);
				 *(_t409 - 4) =  *(_t409 - 4) & 0x00000000;
				 *((intOrPtr*)(_t409 - 0x50)) =  *((intOrPtr*)( *((intOrPtr*)(_t409 - 0x54)) - 0xc));
				_push(_t409 - 0x4c);
				E6B14E8E8(L"$$", _t407, _t411);
				 *((intOrPtr*)(_t409 - 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t409 - 0x4c)) - 0xc));
				 *(_t409 - 0x24) =  *(_t409 - 0x24) & 0x00000000;
				 *(_t409 - 4) = 1;
				if( *((intOrPtr*)( *_t317))() <= 0) {
					L12:
					_t318 = 0;
					 *(_t409 - 0x28) = 0;
					_t181 =  *((intOrPtr*)( *_t407))();
					_t417 = _t181;
					if(_t181 <= 0) {
						L19:
						E6B158460( *((intOrPtr*)(_t409 - 0x4c)) + 0xfffffff0, _t379);
						E6B158460( *((intOrPtr*)(_t409 - 0x54)) + 0xfffffff0, _t379);
						return E6B162722(_t318, _t394, _t407);
					}
					 *((intOrPtr*)(_t409 - 0x30)) =  *((intOrPtr*)(_t409 - 0x40)) + 0xc;
					while(1) {
						 *(_t409 - 0x20) =  *(_t409 - 0x20) & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						 *(_t409 - 0x20) =  *((intOrPtr*)( *( *((intOrPtr*)( *_t407 + 4))())))(_t318);
						 *((intOrPtr*)(_t409 - 0x1c)) =  *((intOrPtr*)( *( *((intOrPtr*)( *_t407 + 4))()) + 4))(_t318);
						_t199 =  *((intOrPtr*)( *_t407 + 4))(_t318);
						 *(_t409 - 0x2c) =  *((intOrPtr*)( *( *((intOrPtr*)( *_t407 + 4))()) + 8))(_t318);
						 *((intOrPtr*)(_t409 - 0x18)) =  *(_t409 - 0x2c) +  *((intOrPtr*)( *_t199))();
						_t205 =  *((intOrPtr*)( *_t407 + 4))(_t318);
						 *(_t409 - 0x2c) =  *((intOrPtr*)( *_t407 + 4))(_t318);
						_t209 =  *((intOrPtr*)( *_t205 + 4))();
						 *((intOrPtr*)(_t409 - 0x14)) = _t209 +  *((intOrPtr*)( *( *(_t409 - 0x2c)) + 0xc))();
						MapDialogRect( *(_t409 + 8), _t409 - 0x20);
						if(E6B1591B7(_t209 +  *((intOrPtr*)( *( *(_t409 - 0x2c)) + 0xc))(), _t407, _t417, 0x28) == 0) {
							_t394 = 0;
							__eflags = 0;
						} else {
							_t394 = E6B154371(_t214,  *((intOrPtr*)( *((intOrPtr*)(_t409 - 0x40)) + 4)));
						}
						 *(_t409 - 0x2c) = _t394;
						_t216 =  *((intOrPtr*)( *_t407 + 4))(_t318);
						 *_t410 =  *_t410 & 0x00000000;
						_t379 =  *_t216;
						 *(_t409 - 0x44) = _t410;
						_t217 =  *((intOrPtr*)( *_t216 + 0x14))();
						 *_t410 = _t409 - 0x20;
						 *(_t409 - 0x44) = _t410;
						E6B154454(_t394,  *(_t409 + 8), _t216,  *_t217, _t407);
						SendMessageW( *(_t394 + 4), 0x30,  *(_t409 - 0x3c), 1);
						ShowWindow( *(_t394 + 4), 1);
						_t407 =  *((intOrPtr*)(_t409 - 0x30));
						_t318 = _t409 - 0x2c;
						E6B154800(_t409 - 0x2c,  *((intOrPtr*)(_t409 - 0x30)));
						 *(_t409 - 0x28) =  &( *(_t409 - 0x28)->i);
						if( *(_t409 - 0x28) >=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t409 - 0x34))))))()) {
							goto L19;
						}
						_t318 =  *(_t409 - 0x28);
						_t407 =  *((intOrPtr*)(_t409 - 0x34));
					}
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					 *(_t409 - 0x20) =  *(_t409 - 0x20) & 0x00000000;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t230 =  *( *( *((intOrPtr*)( *_t317 + 4))()))( *(_t409 - 0x24));
					 *(_t409 - 0x20) = _t230;
					_t233 =  *((intOrPtr*)( *( *((intOrPtr*)( *_t317 + 4))()) + 4))( *(_t409 - 0x24));
					 *((intOrPtr*)(_t409 - 0x1c)) = _t233;
					_t235 =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
					 *(_t409 - 0x28) =  *((intOrPtr*)( *( *((intOrPtr*)( *_t317 + 4))()) + 8))( *(_t409 - 0x24));
					_t239 =  *((intOrPtr*)( *_t235))();
					 *((intOrPtr*)(_t409 - 0x18)) =  *(_t409 - 0x28) + _t239;
					_t241 =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
					 *(_t409 - 0x28) =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
					_t245 =  *((intOrPtr*)( *_t241 + 4))();
					 *((intOrPtr*)(_t409 - 0x14)) = _t245 +  *((intOrPtr*)( *( *(_t409 - 0x28)) + 0xc))();
					MapDialogRect( *(_t409 + 8), _t409 - 0x20);
					_t394 = 0;
					 *(_t409 - 0x28) = 0;
					_t254 = E6B158199( *((intOrPtr*)( *((intOrPtr*)( *( *((intOrPtr*)( *_t317 + 4))()) + 0x14))( *(_t409 - 0x24)))));
					_push( *(_t409 - 0x24));
					_t255 =  *_t317;
					if(_t254 <= 0) {
						_t258 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t255 + 4))())) + 0x18))()));
						__eflags =  *(_t258 - 0xc);
						_push( *(_t409 - 0x24));
						_t259 =  *_t317;
						if( *(_t258 - 0xc) <= 0) {
							_t260 =  *((intOrPtr*)(_t259 + 4))();
							_t379 =  *_t260;
							__eflags =  *( *((intOrPtr*)( *((intOrPtr*)( *_t260 + 0x1c))())) - 0xc);
							if(__eflags > 0) {
								_t266 =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
								_t379 =  *_t266;
								_t365 = _t266;
								_t269 = LoadImageW(0,  *( *((intOrPtr*)( *_t266 + 0x1c))()), 0, 0, 0, 0x10);
								 *(_t409 - 0x2c) = _t269;
								__eflags = _t269;
								if(__eflags != 0) {
									 *(_t409 - 0x38) = _t410;
									 *_t410 = 0;
									 *(_t409 - 0x38) = _t410;
									 *_t410 = _t409 - 0x20;
									E6B14F8DE(_t409 - 0x28,  *(_t409 + 8), _t365, 0x6b1379e4, 0x5000020e, _t365);
									E6B14F933(_t409 - 0x28, _t409 - 0x44,  *(_t409 - 0x2c));
									_t407 =  *((intOrPtr*)(_t409 - 0x34));
								}
							}
						} else {
							_t276 =  *((intOrPtr*)(_t259 + 4))();
							_t379 =  *_t276;
							_t367 = _t276;
							_t279 = LoadImageW(0,  *( *((intOrPtr*)( *_t276 + 0x18))()), 1, 0, 0, 0x10);
							 *(_t409 - 0x2c) = _t279;
							__eflags = _t279;
							if(__eflags != 0) {
								 *(_t409 - 0x38) = _t410;
								 *_t410 = 0;
								 *(_t409 - 0x38) = _t410;
								 *_t410 = _t409 - 0x20;
								E6B14F8DE(_t409 - 0x28,  *(_t409 + 8), _t367, 0x6b1379e4, 0x50000203, _t367);
								SendMessageW( *(_t409 - 0x28), 0x170,  *(_t409 - 0x2c), 0);
							}
						}
					} else {
						_t286 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t255 + 4))())) + 0x14))();
						_t394 = _t409 - 0x58;
						E6B154782(_t285, _t409 - 0x30, _t286);
						 *(_t409 - 4) = 2;
						 *_t410 =  *_t410 & 0x00000000;
						 *(_t409 - 0x2c) = _t410;
						 *(_t409 - 0x2c) = _t410;
						 *_t410 = _t409 - 0x20;
						E6B14F8DE(_t409 - 0x28,  *(_t409 + 8), _t285,  *((intOrPtr*)(_t409 - 0x30)), 0x40000000, _t285);
						ShowWindow( *(_t409 - 0x28), 1);
						SendMessageW( *(_t409 - 0x28), 0x30,  *(_t409 - 0x3c), 1);
						_t296 =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
						_t379 =  *_t296;
						if( *((intOrPtr*)( *_t296 + 0x20))() != 0) {
							_t303 =  *((intOrPtr*)( *( *((intOrPtr*)( *_t317 + 4))()) + 0x24))( *(_t409 - 0x24));
							_t305 =  *((intOrPtr*)( *_t317 + 4))( *(_t409 - 0x24));
							_t379 =  *_t305;
							 *(_t409 - 0x2c) =  *((intOrPtr*)( *_t305 + 0x24))();
							_t308 =  *((intOrPtr*)( *_t303 + 4))();
							_t310 =  *((intOrPtr*)( *( *(_t409 - 0x2c))))();
							 *(_t409 - 0x2c) = _t410;
							_t394 = _t410;
							 *_t410 = E6B1583FD( *_t310 - 0x10) + 0x10;
							E6B13F589(_t317,  *_t305, E6B1583FD( *_t310 - 0x10) + 0x10,  *(_t409 - 0x28),  *(_t409 - 0x2c), _t308, 0, 0);
						}
						 *(_t409 - 4) = 1;
						E6B158460( *((intOrPtr*)(_t409 - 0x30)) + 0xfffffff0, _t379);
					}
					 *(_t409 - 0x24) =  *(_t409 - 0x24) + 1;
				} while ( *(_t409 - 0x24) <  *((intOrPtr*)( *_t317))());
				goto L12;
			}

0x6b1509e0
0x6b1509e0
0x6b1509e0
0x6b1509e7
0x6b1509ec
0x6b1509f8
0x6b1509fa
0x6b1509fd
0x6b1509ff
0x6b150a08
0x6b150a0e
0x6b150a14
0x6b150a15
0x6b150a1a
0x6b150a1f
0x6b150a29
0x6b150a2f
0x6b150a30
0x6b150a3b
0x6b150a3e
0x6b150a42
0x6b150a51
0x6b150cfc
0x6b150cfe
0x6b150d02
0x6b150d05
0x6b150d07
0x6b150d09
0x6b150e39
0x6b150e3f
0x6b150e4a
0x6b150e54
0x6b150e54
0x6b150d15
0x6b150d20
0x6b150d20
0x6b150d29
0x6b150d2a
0x6b150d2b
0x6b150d3a
0x6b150d4c
0x6b150d54
0x6b150d6c
0x6b150d78
0x6b150d7e
0x6b150d8b
0x6b150d92
0x6b150da8
0x6b150dab
0x6b150dbb
0x6b150dcc
0x6b150dcc
0x6b150dbd
0x6b150dc8
0x6b150dc8
0x6b150dd3
0x6b150dd6
0x6b150ddc
0x6b150ddf
0x6b150de3
0x6b150de6
0x6b150df1
0x6b150df3
0x6b150dfb
0x6b150e0a
0x6b150e15
0x6b150e1b
0x6b150e1e
0x6b150e21
0x6b150e2b
0x6b150e33
0x00000000
0x00000000
0x6b150d1a
0x6b150d1d
0x6b150d1d
0x00000000
0x00000000
0x00000000
0x00000000
0x6b150a57
0x6b150a57
0x6b150a57
0x6b150a63
0x6b150a64
0x6b150a65
0x6b150a71
0x6b150a76
0x6b150a84
0x6b150a8a
0x6b150a91
0x6b150aab
0x6b150aae
0x6b150aba
0x6b150abf
0x6b150ace
0x6b150ad5
0x6b150aeb
0x6b150aee
0x6b150af9
0x6b150afd
0x6b150b0c
0x6b150b11
0x6b150b16
0x6b150b1a
0x6b150c08
0x6b150c0a
0x6b150c0d
0x6b150c10
0x6b150c14
0x6b150c78
0x6b150c7b
0x6b150c84
0x6b150c87
0x6b150c90
0x6b150c93
0x6b150c95
0x6b150ca3
0x6b150ca9
0x6b150cac
0x6b150cae
0x6b150cb3
0x6b150cc1
0x6b150cc8
0x6b150ccb
0x6b150cd4
0x6b150ce2
0x6b150ce7
0x6b150ce7
0x6b150cae
0x6b150c16
0x6b150c16
0x6b150c19
0x6b150c1b
0x6b150c2a
0x6b150c30
0x6b150c33
0x6b150c35
0x6b150c3e
0x6b150c4c
0x6b150c53
0x6b150c56
0x6b150c5f
0x6b150c70
0x6b150c70
0x6b150c35
0x6b150b20
0x6b150b27
0x6b150b2f
0x6b150b32
0x6b150b3a
0x6b150b3e
0x6b150b41
0x6b150b52
0x6b150b55
0x6b150b5e
0x6b150b68
0x6b150b78
0x6b150b85
0x6b150b88
0x6b150b91
0x6b150ba1
0x6b150bad
0x6b150bb0
0x6b150bb9
0x6b150bc2
0x6b150bcb
0x6b150bd3
0x6b150bd6
0x6b150be3
0x6b150be5
0x6b150be5
0x6b150bea
0x6b150bf4
0x6b150bf4
0x6b150cec
0x6b150cf3
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 6B1509E7
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B150A02

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

MapDialogRect.USER32(?,00000000), ref: 6B150AEE
ShowWindow.USER32(00000000,00000001,00000000,?,?,?,40000000,?,?,00000000), ref: 6B150B68
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 6B150B78

Part of subcall function 6B13F589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B13F5AC
Part of subcall function 6B13F589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6B13F5B5
Part of subcall function 6B13F589: CreateFontIndirectW.GDI32(?), ref: 6B13F600
Part of subcall function 6B13F589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B13F610

LoadImageW.USER32 ref: 6B150C2A
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6B150C70
LoadImageW.USER32 ref: 6B150CA3

Part of subcall function 6B14F933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6B14F944

MapDialogRect.USER32(?,00000000), ref: 6B150DAB
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B150E0A
ShowWindow.USER32(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,6B16677E,000000FF), ref: 6B150E15

Part of subcall function 6B14F8DE: CreateWindowExW.USER32 ref: 6B14F91E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3H_prolog3_IndirectObject
String ID:
API String ID: 2777900791-0
Opcode ID: 2b7909fe3bfaf257b745aab97e6031b0cad053a8455d29373b9112b30ef61f83
Instruction ID: f47d1f514ef24d9ea4aa5c26f54e7eecb916c8d303265f6e455eeb0f86d966ce
Opcode Fuzzy Hash: 2b7909fe3bfaf257b745aab97e6031b0cad053a8455d29373b9112b30ef61f83
Instruction Fuzzy Hash: B702F175A00208EFCB05DFA8C898A9DBBF6FF4D315B1480A9E516EB360DB35A951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B147389 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B147389(signed int* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t64;
				signed int _t70;
				signed int _t72;
				signed int _t76;
				intOrPtr _t82;
				signed int _t86;
				intOrPtr _t94;
				signed int _t96;
				intOrPtr _t97;
				signed int _t101;
				intOrPtr* _t111;
				signed int* _t121;
				unsigned int _t135;
				unsigned int _t136;
				signed int _t138;
				void* _t141;
				signed int _t143;
				signed int _t144;
				signed int _t148;
				void* _t150;

				_t133 = __edx;
				_t121 = __ebx;
				_push(0x18);
				E6B16265B(0x6b164ab9, __ebx, __edi, __esi);
				_t141 = __ecx;
				 *(_t150 - 0x18) =  *(_t150 - 0x18) & 0x00000000;
				 *(_t150 - 4) =  *(_t150 - 4) & 0x00000000;
				_t123 =  *((intOrPtr*)(__ecx + 0x108));
				_t64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x108)))) + 4))();
				_t154 = _t64;
				if(_t64 == 0) {
					E6B14E8E8(L"Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false", __ecx, _t154);
					 *(_t150 - 4) = 1;
					E6B13C9BB(__ebx, _t123, L"Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false", _t141, _t154);
					 *(_t150 - 4) = 3;
					E6B158460( *(_t150 - 0x14) + 0xfffffff0, __edx);
					_t111 = E6B13C9F6(_t150 - 0x24, _t150 - 0x18);
					 *(_t150 - 4) = 4;
					_t133 =  *( *(_t141 + 0x1b8));
					 *((intOrPtr*)(_t133 + 4))(0,  *_t111, _t150 - 0x24, _t150 - 0x14, _t150 - 0x14);
					 *(_t150 - 4) = 3;
					E6B158460( *(_t150 - 0x18) + 0xfffffff0, _t133);
					_push(_t150 - 0x24);
					E6B13D1B4(__ebx, _t150 - 0x1c, L"Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false", _t141,  *(_t150 - 0x18) + 0xfffffff0);
					E6B15DBDB(_t150 - 0x1c, 0x6b168328);
				}
				_t143 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t141 + 0x108)))) + 0x28))();
				_t135 = _t133;
				 *(_t150 - 0x1c) = _t143;
				 *(_t150 - 0x18) = _t135;
				_t144 = (_t135 << 0x00000020 | _t143) >> 0xa;
				_t136 = _t135 >> 0xa;
				if(E6B14EB56(_t150 + 8, L"$$DownloadSizeEstimate$$") != 0) {
					_t70 = E6B14EB56(_t150 + 8, L"$$DownloadTimeOverBroadband$$");
					__eflags = _t70;
					if(_t70 != 0) {
						_t72 = E6B14EB56(_t150 + 8, L"$$DownloadTimeOverDialup$$");
						__eflags = _t72;
						if(_t72 != 0) {
							_t76 = E6B1583FD( *((intOrPtr*)(_t150 + 8)) + 0xfffffff0) + 0x10;
							__eflags = _t76;
							 *_t121 = _t76;
						} else {
							_t82 =  *0x6b16fe10; // 0x6b1333ec
							 *(_t150 - 0x14) =  *((intOrPtr*)(_t82 + 0xc))() + 0x10;
							_push(0);
							 *(_t150 - 4) = 7;
							_push(0x38);
							goto L11;
						}
					} else {
						_t94 =  *0x6b16fe10; // 0x6b1333ec
						_t96 =  *((intOrPtr*)(_t94 + 0xc))() + 0x10;
						__eflags = _t96;
						 *(_t150 - 0x14) = _t96;
						_push(0);
						 *(_t150 - 4) = 6;
						_push(0x300);
						L11:
						_push((_t136 << 0x00000020 | _t144) << 3);
						_push(_t144 << 3);
						_t86 = E6B15D3E0(E6B15D3E0(), _t133, 0x3c, 0);
						__eflags = _t86 | _t133;
						if((_t86 | _t133) == 0) {
							__eflags =  *(_t150 - 0x18);
							if( *(_t150 - 0x18) > 0) {
								L14:
								_t86 = 2;
								_t133 = 0;
								__eflags = 0;
							} else {
								__eflags =  *(_t150 - 0x1c);
								if( *(_t150 - 0x1c) > 0) {
									goto L14;
								}
							}
						}
						_push(_t133);
						_push(_t86);
						_push(L"%d");
						goto L8;
					}
				} else {
					_t97 =  *0x6b16fe10; // 0x6b1333ec
					 *(_t150 - 0x14) =  *((intOrPtr*)(_t97 + 0xc))() + 0x10;
					_t148 = (_t136 << 0x00000020 | _t144) >> 0xa;
					_t138 = _t136 >> 0xa;
					_t101 = _t148 | _t138;
					 *(_t150 - 4) = 5;
					if(_t101 == 0 && ( *(_t150 - 0x18) > _t101 ||  *(_t150 - 0x1c) > _t101)) {
						_t148 = 1;
						_t138 = 0;
					}
					_push(_t138);
					_push(_t148);
					_push(L"%I64u");
					L8:
					_push(_t150 - 0x14);
					E6B1580BA();
					 *_t121 = E6B1583FD( *(_t150 - 0x14) - 0x10) + 0x10;
					E6B158460( *(_t150 - 0x14) - 0x10, _t133);
				}
				E6B158460( *((intOrPtr*)(_t150 + 8)) + 0xfffffff0, _t133);
				return E6B162709(_t121);
			}

0x6b147389
0x6b147389
0x6b147389
0x6b147390
0x6b147395
0x6b147397
0x6b14739b
0x6b14739f
0x6b1473a7
0x6b1473aa
0x6b1473ac
0x6b1473b7
0x6b1473c4
0x6b1473c8
0x6b1473cd
0x6b1473d7
0x6b1473e3
0x6b1473e8
0x6b1473f4
0x6b1473f9
0x6b1473fc
0x6b147406
0x6b14740e
0x6b147412
0x6b147420
0x6b147420
0x6b147432
0x6b147434
0x6b14743e
0x6b147441
0x6b147444
0x6b147449
0x6b147453
0x6b1474c1
0x6b1474c6
0x6b1474c8
0x6b14752c
0x6b147531
0x6b147533
0x6b14755d
0x6b14755d
0x6b147560
0x6b147535
0x6b147535
0x6b147545
0x6b147548
0x6b14754a
0x6b14754e
0x00000000
0x6b14754e
0x6b1474ca
0x6b1474ca
0x6b1474d7
0x6b1474d7
0x6b1474da
0x6b1474dd
0x6b1474df
0x6b1474e3
0x6b1474e8
0x6b1474ec
0x6b1474f0
0x6b1474fd
0x6b147504
0x6b147506
0x6b147508
0x6b14750b
0x6b147512
0x6b147514
0x6b147515
0x6b147515
0x6b14750d
0x6b14750d
0x6b147510
0x00000000
0x00000000
0x6b147510
0x6b14750b
0x6b147517
0x6b147518
0x6b147519
0x00000000
0x6b147519
0x6b147455
0x6b147455
0x6b147465
0x6b147468
0x6b14746c
0x6b147471
0x6b147473
0x6b147477
0x6b147485
0x6b147486
0x6b147486
0x6b147488
0x6b147489
0x6b14748a
0x6b14748f
0x6b147492
0x6b147493
0x6b1474a9
0x6b1474ae
0x6b1474ae
0x6b147568
0x6b147574

APIs

__EH_prolog3.LIBCMT ref: 6B147390

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13C9BB: __EH_prolog3.LIBCMT ref: 6B13C9C2

Part of subcall function 6B13D1B4: __EH_prolog3.LIBCMT ref: 6B13D1BB

__CxxThrowException@8.LIBCMT ref: 6B147420

Part of subcall function 6B15DBDB: RaiseException.KERNEL32(?,?,6B159236,?,?,?,?,?,6B159236,?,6B167F54,6B1722B4), ref: 6B15DC1D

Part of subcall function 6B14EB56: __wcsicoll.LIBCMT ref: 6B14EB74

__aulldiv.LIBCMT ref: 6B1474F1
__aulldiv.LIBCMT ref: 6B1474FD

Strings

%I64u, xrefs: 6B14748A
$$DownloadTimeOverBroadband$$, xrefs: 6B1474B8
Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false, xrefs: 6B1473B2
$$DownloadSizeEstimate$$, xrefs: 6B147436
$$DownloadTimeOverDialup$$, xrefs: 6B147523

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$__aulldiv$ExceptionException@8RaiseThrow__wcsicoll
String ID: $$DownloadSizeEstimate$$$$$DownloadTimeOverBroadband$$$$$DownloadTimeOverDialup$$$%I64u$Setup engine failed to initialize. engineDataProvider.InitializeItems() returned false
API String ID: 1088788417-581573194
Opcode ID: 1e2bb547dc18ae547563f72ba116d7a8ccd3fc371b579bb006e413f642336ecf
Instruction ID: 39c514de45f869613dcde26fb3cce71617848db28662cb11dbb7d03ad83edb70
Opcode Fuzzy Hash: 1e2bb547dc18ae547563f72ba116d7a8ccd3fc371b579bb006e413f642336ecf
Instruction Fuzzy Hash: B051F572D00218BFDB10CBB8C845BAEBBB9EF01359F154565E565EB281DB3C9A10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B14C626 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14C626(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t58;
				int _t74;
				struct HWND__** _t76;
				void* _t77;
				void* _t78;

				_t78 = __eflags;
				E6B16265B(0x6b1649a1, __ebx, __edi, __esi);
				_t58 = __ecx;
				_t76 = __ecx + 4;
				SetWindowTextW( *_t76,  *(__ecx + 0x24));
				E6B14E8E8(L"IDS_REBOOT_REQUIRED", _t76, _t78);
				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
				SetDlgItemTextW( *_t76, 0x65,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x28))))))(_t77 - 0x10, _t77 - 0x10, 8)));
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				E6B158460( *((intOrPtr*)(_t77 - 0x10)) + 0xfffffff0, _t77 - 0x10);
				E6B14E8E8(L"IDS_RESTART_NOW", _t76, _t78);
				 *(_t77 - 4) = 1;
				SetDlgItemTextW( *_t76, 0x66,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x28))))))(_t77 - 0x10, _t77 - 0x10)));
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				E6B158460( *((intOrPtr*)(_t77 - 0x10)) + 0xfffffff0, _t77 - 0x10);
				E6B14E8E8(L"IDS_RESTART_LATER", _t76, _t78);
				_t74 = 2;
				 *(_t77 - 4) = _t74;
				SetDlgItemTextW( *_t76, _t74,  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x28))))))(_t77 - 0x14, _t77 - 0x14)));
				E6B158460( *((intOrPtr*)(_t77 - 0x14)) + 0xfffffff0, _t77 - 0x10);
				E6B13E153(_t76, GetParent( *_t76));
				 *((intOrPtr*)( *((intOrPtr*)(_t77 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b14c626
0x6b14c62d
0x6b14c632
0x6b14c638
0x6b14c63d
0x6b14c64c
0x6b14c651
0x6b14c666
0x6b14c66c
0x6b14c676
0x6b14c684
0x6b14c689
0x6b14c6a1
0x6b14c6a7
0x6b14c6b1
0x6b14c6bf
0x6b14c6c6
0x6b14c6c7
0x6b14c6dc
0x6b14c6e8
0x6b14c6f9
0x6b14c704
0x6b14c70b

APIs

__EH_prolog3.LIBCMT ref: 6B14C62D
SetWindowTextW.USER32(?,?), ref: 6B14C63D

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

SetDlgItemTextW.USER32 ref: 6B14C666
SetDlgItemTextW.USER32 ref: 6B14C6A1
SetDlgItemTextW.USER32 ref: 6B14C6DC
GetParent.USER32(?), ref: 6B14C6EF

Part of subcall function 6B13E153: GetWindowLongW.USER32(?,000000F0), ref: 6B13E179
Part of subcall function 6B13E153: GetParent.USER32 ref: 6B13E18B
Part of subcall function 6B13E153: GetWindowRect.USER32 ref: 6B13E1A5
Part of subcall function 6B13E153: GetWindowLongW.USER32(?,000000F0), ref: 6B13E1BB
Part of subcall function 6B13E153: MonitorFromWindow.USER32(?,00000002), ref: 6B13E1DA

Strings

IDS_REBOOT_REQUIRED, xrefs: 6B14C647
IDS_RESTART_NOW, xrefs: 6B14C67F
IDS_RESTART_LATER, xrefs: 6B14C6BA

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Text$Item$H_prolog3LongParent$FromMonitorRect
String ID: IDS_REBOOT_REQUIRED$IDS_RESTART_LATER$IDS_RESTART_NOW
API String ID: 1194771093-931079857
Opcode ID: 874f3865ca3529bbcf050bf0a55211037fd4ce56075671bd342e1e1c1312ead9
Instruction ID: 2b318bb4177a57b69852707dcb6d390441cda8681015dc35104ea484499273af
Opcode Fuzzy Hash: 874f3865ca3529bbcf050bf0a55211037fd4ce56075671bd342e1e1c1312ead9
Instruction Fuzzy Hash: 0A319172500209EFCF10DFB8C885AADB7B5FF49328B244658F161EB2A5D7359A10DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6B151601 Relevance: 15.5, APIs: 10, Instructions: 459
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6B151601(intOrPtr __ecx, intOrPtr* __edx, void* __eflags, struct HWND__* _a4, intOrPtr* _a8) {
				signed int _v12;
				long _v16;
				signed int _v24;
				signed int _v32;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v56;
				struct tagRECT _v72;
				char _v76;
				char _v84;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v100;
				long _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr* _v120;
				int _v124;
				long _v128;
				intOrPtr _v132;
				void* _v136;
				int _v140;
				int _v144;
				int _v148;
				void* _v152;
				void* _v156;
				int _v160;
				struct HWND__* _v164;
				struct HWND__* _v168;
				intOrPtr _v172;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t171;
				signed int _t173;
				void* _t189;
				void* _t195;
				intOrPtr* _t207;
				intOrPtr* _t213;
				void* _t217;
				intOrPtr* _t224;
				intOrPtr* _t225;
				char _t238;
				char _t241;
				intOrPtr* _t243;
				void* _t247;
				intOrPtr* _t249;
				void* _t253;
				void* _t262;
				intOrPtr _t263;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr* _t268;
				intOrPtr* _t274;
				void* _t277;
				intOrPtr* _t284;
				void* _t287;
				intOrPtr* _t304;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				void* _t316;
				intOrPtr* _t318;
				intOrPtr* _t325;
				void* _t326;
				intOrPtr* _t380;
				intOrPtr* _t382;
				intOrPtr _t408;
				void* _t410;
				intOrPtr _t416;
				intOrPtr* _t426;
				long _t427;
				void* _t428;
				signed int _t431;
				int _t433;
				void* _t434;

				_t434 = __eflags;
				_t394 = __edx;
				_push(0xffffffff);
				_push(0x6b166270);
				_push( *[fs:0x0]);
				_t433 = (_t431 & 0xfffffff8) - 0x58;
				_t171 =  *0x6b16f0a0; // 0xf69ff218
				_v24 = _t171 ^ _t433;
				_t173 =  *0x6b16f0a0; // 0xf69ff218
				_push(_t173 ^ _t433);
				 *[fs:0x0] =  &_v16;
				_t325 = _a8;
				_t408 = __ecx;
				_t426 = __edx;
				_v72.right = __ecx;
				_v88 = __edx;
				_v84 = _t325;
				_v76 = SendMessageW(_a4, 0x31, 0, 0);
				_v72.bottom =  *((intOrPtr*)(_t408 + 8));
				_push( &_v56);
				E6B14E8E8(L"$$", _t426, _t434);
				_v12 = _v12 & 0x00000000;
				_v56 =  *((intOrPtr*)(_v72.bottom - 0xc));
				_push( &_v52);
				E6B14E8E8(L"$$", _t426, _t434);
				_v52 =  *((intOrPtr*)(_v56 - 0xc));
				_v108 = _v108 & 0x00000000;
				_v16 = 1;
				if( *((intOrPtr*)( *_t426))() <= 0) {
					L13:
					_t427 = 0;
					_v104 = 0;
					_t189 =  *((intOrPtr*)( *_t325))();
					_t440 = _t189;
					if(_t189 <= 0) {
						L20:
						E6B158460(_v56 + 0xfffffff0, _t394);
						_t195 = E6B158460(_v72.right + 0xfffffff0, _t394);
						 *[fs:0x0] = _v24;
						_pop(_t410);
						_pop(_t428);
						_pop(_t326);
						return E6B1587C1(_t195, _t326, _v32 ^ _t433, _t394, _t410, _t428);
					}
					_v100 = _v72.left + 0xc;
					while(1) {
						_v48 = _v48 & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))()))))(_t427);
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 4))(_t427);
						_t207 =  *((intOrPtr*)( *_t325 + 4))(_t427);
						_v112 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t325 + 4))())) + 8))(_t427);
						_v56 = _v112 +  *((intOrPtr*)( *_t207))();
						_t213 =  *((intOrPtr*)( *_t325 + 4))(_t427);
						_v120 =  *((intOrPtr*)( *_t325 + 4))(_t427);
						_t217 =  *((intOrPtr*)( *_t213 + 4))();
						_v72.bottom = _t217 +  *((intOrPtr*)( *_v120 + 0xc))();
						MapDialogRect(_a4,  &_v72);
						if(E6B1591B7(_t217 +  *((intOrPtr*)( *_v120 + 0xc))(), _t427, _t440, 0x28) == 0) {
							_t416 = 0;
							__eflags = 0;
						} else {
							_t416 = E6B154371(_t222,  *((intOrPtr*)(_v96 + 4)));
						}
						_v120 = _t416;
						_t224 =  *((intOrPtr*)( *_t325 + 4))(_t427);
						 *_t433 =  *_t433 & 0x00000000;
						_t394 =  *_t224;
						_v108 = _t433;
						_t225 =  *((intOrPtr*)( *_t224 + 0x14))();
						 *_t433 =  &_v76;
						_v108 = _t433;
						E6B154454(_t416, _a4, _t224,  *_t225, _t325);
						SendMessageW( *(_t416 + 4), 0x30, _v128, 1);
						ShowWindow( *(_t416 + 4), 1);
						E6B154800( &_v140, _v144);
						_v148 = _v148 + 1;
						if(_v148 >=  *( *_v136)()) {
							goto L20;
						}
						_t427 = _v132;
						_t325 = _v120;
					}
					goto L20;
				} else {
					goto L1;
				}
				do {
					L1:
					_v48 = _v48 & 0x00000000;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t238 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))()))))(_v108);
					_v52 = _t238;
					_t241 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 4))(_v112);
					_v52 = _t241;
					_t243 =  *((intOrPtr*)( *_t426 + 4))(_v116);
					_v120 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 8))(_v120);
					_t247 =  *((intOrPtr*)( *_t243))();
					_v56 = _v120 + _t247;
					_t249 =  *((intOrPtr*)( *_t426 + 4))(_v124);
					_v128 =  *((intOrPtr*)( *_t426 + 4))(_v128);
					_t253 =  *((intOrPtr*)( *_t249 + 4))();
					_v72.bottom = _t253 +  *((intOrPtr*)( *_v128 + 0xc))();
					MapDialogRect(_a4,  &_v72);
					_v128 = 0;
					_t262 = E6B158199( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 0x14))(_v132))));
					_push(_v136);
					_t263 =  *_t426;
					if(_t262 <= 0) {
						_t266 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t263 + 4))())) + 0x18))()));
						__eflags =  *(_t266 - 0xc);
						_push(_v140);
						_t267 =  *_t426;
						if( *(_t266 - 0xc) <= 0) {
							_t268 =  *((intOrPtr*)(_t267 + 4))();
							_t394 =  *_t268;
							__eflags =  *( *((intOrPtr*)( *((intOrPtr*)( *_t268 + 0x1c))())) - 0xc);
							if(__eflags <= 0) {
								goto L12;
							}
							_t274 =  *((intOrPtr*)( *_t426 + 4))(_v144);
							_t394 =  *_t274;
							_t380 = _t274;
							_t277 = LoadImageW(0,  *( *((intOrPtr*)( *_t274 + 0x1c))()), 0, 0, 0, 0x10);
							_v140 = _t277;
							__eflags = _t277;
							if(__eflags == 0) {
								goto L12;
							}
							_v128 = _t433;
							 *_t433 = 0;
							_v128 = _t433;
							 *_t433 =  &_v88;
							E6B14F8DE( &_v144, _a4, _t380, 0x6b1379e4, 0x5000020e, _t380);
							E6B14F933( &_v168,  &_v144, _v164);
							_t426 = _v164;
							L11:
							_t325 = _v132;
							goto L12;
						}
						_t284 =  *((intOrPtr*)(_t267 + 4))();
						_t394 =  *_t284;
						_t382 = _t284;
						_t287 = LoadImageW(0,  *( *((intOrPtr*)( *_t284 + 0x18))()), 1, 0, 0, 0x10);
						_v136 = _t287;
						__eflags = _t287;
						if(__eflags != 0) {
							_v124 = _t433;
							 *_t433 = 0;
							_v124 = _t433;
							 *_t433 =  &_v84;
							E6B14F8DE( &_v140, _a4, _t382, 0x6b1379e4, 0x50000203, _t382);
							SendMessageW(_v164, 0x170, _v160, 0);
						}
						goto L12;
					}
					E6B1547AC(_t293,  &_v108,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t263 + 4))())) + 0x14))());
					_v140 = _t433;
					_v56 = 2;
					 *_t433 =  *_t433 & 0;
					_v140 = _t433;
					 *_t433 =  &_v88;
					E6B14F8DE( &_v144, _a4, _t293, _v116, 0x40000000, _t293);
					ShowWindow(_v168, 1);
					SendMessageW(_v168, 0x30, _v148, 1);
					_t304 =  *((intOrPtr*)( *_t426 + 4))(_v172);
					_t394 =  *_t304;
					if( *((intOrPtr*)( *_t304 + 0x20))() != 0) {
						_t311 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t426 + 4))())) + 0x24))(_v144);
						_t313 =  *((intOrPtr*)( *_t426 + 4))(_v148);
						_t394 =  *_t313;
						_t314 =  *((intOrPtr*)( *_t313 + 0x24))();
						_t316 =  *((intOrPtr*)( *_t311 + 4))();
						_t318 =  *((intOrPtr*)( *_t314))();
						_v144 = _t433;
						 *_t433 = E6B1583FD( *_t318 - 0x10) + 0x10;
						E6B13F589(_t314,  *_t313, E6B1583FD( *_t318 - 0x10) + 0x10, _v148, _t314, _t316, 0, 0);
					}
					_v52 = 1;
					E6B158460(_v112 + 0xfffffff0, _t394);
					goto L11;
					L12:
					_v144 = _v144 + 1;
				} while (_v144 <  *((intOrPtr*)( *_t426))());
				goto L13;
			}

0x6b151601
0x6b151601
0x6b151609
0x6b15160b
0x6b151616
0x6b151617
0x6b15161a
0x6b151621
0x6b151628
0x6b15162f
0x6b151634
0x6b15163a
0x6b151646
0x6b151648
0x6b15164a
0x6b15164e
0x6b151652
0x6b15165c
0x6b151663
0x6b15166b
0x6b151671
0x6b151676
0x6b151682
0x6b15168a
0x6b15168b
0x6b151697
0x6b15169b
0x6b1516a0
0x6b1516b0
0x6b151999
0x6b15199b
0x6b15199f
0x6b1519a3
0x6b1519a5
0x6b1519a7
0x6b151af1
0x6b151af8
0x6b151b04
0x6b151b0d
0x6b151b15
0x6b151b16
0x6b151b17
0x6b151b26
0x6b151b26
0x6b1519b4
0x6b1519c2
0x6b1519c2
0x6b1519cd
0x6b1519ce
0x6b1519cf
0x6b1519de
0x6b1519f1
0x6b1519fa
0x6b151a12
0x6b151a20
0x6b151a27
0x6b151a34
0x6b151a3c
0x6b151a54
0x6b151a58
0x6b151a68
0x6b151a7a
0x6b151a7a
0x6b151a6a
0x6b151a76
0x6b151a76
0x6b151a81
0x6b151a85
0x6b151a8b
0x6b151a8e
0x6b151a92
0x6b151a96
0x6b151aa2
0x6b151aa4
0x6b151aad
0x6b151abd
0x6b151ac8
0x6b151ad6
0x6b151ae1
0x6b151aeb
0x00000000
0x00000000
0x6b1519ba
0x6b1519be
0x6b1519be
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1516b6
0x6b1516b6
0x6b1516b6
0x6b1516c5
0x6b1516c6
0x6b1516c7
0x6b1516d3
0x6b1516d9
0x6b1516e8
0x6b1516ef
0x6b1516f7
0x6b151712
0x6b151716
0x6b151724
0x6b15172a
0x6b15173a
0x6b151742
0x6b15175a
0x6b15175e
0x6b15176e
0x6b15177e
0x6b151783
0x6b151789
0x6b15178d
0x6b15188a
0x6b15188c
0x6b15188f
0x6b151893
0x6b151897
0x6b151905
0x6b151908
0x6b151911
0x6b151914
0x00000000
0x00000000
0x6b15191e
0x6b151921
0x6b151923
0x6b151931
0x6b151937
0x6b15193b
0x6b15193d
0x00000000
0x00000000
0x6b151942
0x6b151951
0x6b151959
0x6b15195d
0x6b151967
0x6b151978
0x6b15197d
0x6b151981
0x6b151981
0x00000000
0x6b151981
0x6b151899
0x6b15189c
0x6b15189e
0x6b1518ad
0x6b1518b3
0x6b1518b7
0x6b1518b9
0x6b1518c2
0x6b1518d1
0x6b1518d9
0x6b1518dd
0x6b1518e7
0x6b1518fa
0x6b1518fa
0x00000000
0x6b1518b9
0x6b1517a7
0x6b1517af
0x6b1517b3
0x6b1517b8
0x6b1517ca
0x6b1517ce
0x6b1517d8
0x6b1517e3
0x6b1517f5
0x6b151803
0x6b151806
0x6b15180f
0x6b151820
0x6b15182d
0x6b151830
0x6b151834
0x6b151841
0x6b151849
0x6b151851
0x6b151863
0x6b151865
0x6b151865
0x6b15186a
0x6b151876
0x00000000
0x6b151985
0x6b151987
0x6b15198f
0x00000000

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B151656

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

MapDialogRect.USER32(?,00000000), ref: 6B15175E
ShowWindow.USER32(00000001,00000001,?,?,?,?,40000000,?,?,00000000), ref: 6B1517E3
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B1517F5

Part of subcall function 6B13F589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B13F5AC
Part of subcall function 6B13F589: GetObjectW.GDI32(00000000,0000005C,?), ref: 6B13F5B5
Part of subcall function 6B13F589: CreateFontIndirectW.GDI32(?), ref: 6B13F600
Part of subcall function 6B13F589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B13F610

LoadImageW.USER32 ref: 6B1518AD
SendMessageW.USER32(?,00000170,?,00000000), ref: 6B1518FA
LoadImageW.USER32 ref: 6B151931

Part of subcall function 6B14F933: SendMessageW.USER32(?,00000172,00000000,?), ref: 6B14F944

MapDialogRect.USER32(?,00000000), ref: 6B151A58
SendMessageW.USER32(?,00000030,?,00000001), ref: 6B151ABD
ShowWindow.USER32(?,00000001,?,00000000), ref: 6B151AC8

Part of subcall function 6B14F8DE: CreateWindowExW.USER32 ref: 6B14F91E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
String ID:
API String ID: 727718542-0
Opcode ID: 2ceb487dba3c562f05d81ac4b4afea12acc4fa546e8b42bc90909e3d14fd28e5
Instruction ID: 2fc6a8b571cfd115837df5bc31476b9683ac8a11bea521f9ca8eaa50aa17c85e
Opcode Fuzzy Hash: 2ceb487dba3c562f05d81ac4b4afea12acc4fa546e8b42bc90909e3d14fd28e5
Instruction Fuzzy Hash: 80020F75608300AFCB05DF68C888A1ABBE6FF89714F10496DF596CB360DB35E915CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B1421B8 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6B1421B8(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t97;
				intOrPtr* _t99;
				void* _t108;
				intOrPtr* _t109;
				intOrPtr* _t114;
				void* _t123;
				intOrPtr* _t124;
				intOrPtr* _t129;
				intOrPtr* _t141;
				intOrPtr _t151;
				intOrPtr* _t167;
				intOrPtr* _t182;
				intOrPtr _t186;
				void* _t193;
				intOrPtr* _t210;
				void* _t211;
				void* _t212;

				_t212 = __eflags;
				_t193 = __edx;
				_t187 = __ecx;
				_push(0x30);
				E6B16265B(0x6b167178, __ebx, __edi, __esi);
				_t182 =  *((intOrPtr*)(_t211 + 8));
				_push(_t182);
				E6B141F81( *((intOrPtr*)(_t211 + 0xc)), __esi, _t212);
				 *(_t211 - 4) =  *(_t211 - 4) & 0x00000000;
				 *((intOrPtr*)(_t182 + 0x14)) = 0x6b136f94;
				 *(_t211 - 4) = 1;
				_push(_t211 - 0x10);
				 *_t182 = 0x6b137284;
				 *((intOrPtr*)(_t182 + 0x14)) = 0x6b13729c;
				E6B14E8E8(L"Text", __esi, _t212);
				 *(_t211 - 4) = 2;
				_t97 = E6B13D6C4( *((intOrPtr*)(_t211 + 0xc)), _t182, _t187, _t211 - 0x30, _t211 - 0x10);
				_t183 = _t182 + 0x18;
				_t207 = _t97;
				 *(_t211 - 4) = 3;
				 *((intOrPtr*)(_t211 - 0x20)) = _t182 + 0x18;
				E6B13D76F(_t182 + 0x18, L"Text", _t97, _t212);
				 *(_t211 - 4) = 5;
				_t99 =  *((intOrPtr*)(_t211 - 0x30));
				_t213 = _t99;
				if(_t99 != 0) {
					_t187 =  *_t99;
					 *((intOrPtr*)( *_t99 + 8))(_t99);
				}
				 *(_t211 - 4) = 6;
				E6B158460( *((intOrPtr*)(_t211 - 0x10)) + 0xfffffff0, _t193);
				_push(_t211 - 0x14);
				E6B14E8E8(L"Icon", _t207, _t213);
				 *(_t211 - 4) = 7;
				_t108 = E6B13D6C4( *((intOrPtr*)(_t211 + 0xc)), _t183, _t187, _t211 - 0x3c, _t211 - 0x14);
				_t184 = _t211 - 0x18;
				_t208 = _t108;
				 *(_t211 - 4) = 8;
				_t109 = E6B13D76F(_t211 - 0x18, L"Icon", _t108, _t213);
				 *(_t211 - 4) = 9;
				_t189 =  *((intOrPtr*)(_t211 + 8)) + 0x1c;
				_push(_t189);
				 *((intOrPtr*)(_t211 - 0x24)) = _t189;
				E6B14E8E8( *_t109, _t108, _t213);
				E6B158460( *((intOrPtr*)(_t211 - 0x18)) + 0xfffffff0, _t193);
				 *(_t211 - 4) = 0xc;
				_t114 =  *((intOrPtr*)(_t211 - 0x3c));
				_t214 = _t114;
				if(_t114 != 0) {
					_t189 =  *_t114;
					 *((intOrPtr*)( *_t114 + 8))(_t114);
				}
				 *(_t211 - 4) = 0xd;
				E6B158460( *((intOrPtr*)(_t211 - 0x14)) + 0xfffffff0, _t193);
				_push(_t211 - 0x10);
				E6B14E8E8(L"Bitmap", _t208, _t214);
				 *(_t211 - 4) = 0xe;
				_t123 = E6B13D6C4( *((intOrPtr*)(_t211 + 0xc)), _t184, _t189, _t211 - 0x30, _t211 - 0x10);
				 *(_t211 - 4) = 0xf;
				_t124 = E6B13D76F(_t211 - 0x1c, L"Bitmap", _t123, _t214);
				 *(_t211 - 4) = 0x10;
				_t186 =  *((intOrPtr*)(_t211 + 8));
				_t210 = _t186 + 0x20;
				_push(_t210);
				E6B14E8E8( *_t124, _t210, _t214);
				E6B158460( *((intOrPtr*)(_t211 - 0x1c)) + 0xfffffff0, _t193);
				 *(_t211 - 4) = 0x13;
				_t129 =  *((intOrPtr*)(_t211 - 0x30));
				_t215 = _t129;
				if(_t129 != 0) {
					_t189 =  *_t129;
					 *((intOrPtr*)( *_t129 + 8))(_t129);
				}
				 *(_t211 - 4) = 0x14;
				E6B158460( *((intOrPtr*)(_t211 - 0x10)) + 0xfffffff0, _t193);
				_push(_t211 - 0x14);
				E6B14E8E8(L"Font", _t210, _t215);
				 *(_t211 - 4) = 0x15;
				_push(E6B13D6C4( *((intOrPtr*)(_t211 + 0xc)), _t186, _t189, _t211 - 0x3c, _t211 - 0x14));
				_push(_t186 + 0x24);
				 *(_t211 - 4) = 0x16;
				E6B14200C(_t186, _t189, _t193, L"Font", _t210, _t215);
				 *(_t211 - 4) = 0x18;
				_t141 =  *((intOrPtr*)(_t211 - 0x3c));
				if(_t141 != 0) {
					_t189 =  *_t141;
					 *((intOrPtr*)( *_t141 + 8))(_t141);
				}
				 *(_t211 - 4) = 0x19;
				E6B158460( *((intOrPtr*)(_t211 - 0x14)) + 0xfffffff0, _t193);
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t211 - 0x20)))) - 0xc)) == 0 &&  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t211 - 0x24)))) - 0xc)) == 0) {
					_t151 =  *_t210;
					_t219 =  *((intOrPtr*)(_t151 - 0xc));
					if( *((intOrPtr*)(_t151 - 0xc)) == 0) {
						E6B14E8E8(L"UIInfo.xml", _t210, _t219);
						 *(_t211 - 4) = 0x1a;
						E6B14E8E8(L"UiInfo element \'Static\' should have one of Text, Icon or Bitmap elements!", _t210, _t219);
						 *(_t211 - 4) = 0x1b;
						E6B13CA39(_t186, _t189, _t193, L"UiInfo element \'Static\' should have one of Text, Icon or Bitmap elements!", _t210, _t219);
						E6B158460( *((intOrPtr*)(_t211 + 0xc)) + 0xfffffff0, _t193);
						 *(_t211 - 4) = 0x1e;
						E6B158460( *((intOrPtr*)(_t211 - 0x10)) + 0xfffffff0, _t193);
						_t167 = E6B13CAC2(_t186, _t211 - 0x30, _t193, L"UiInfo element \'Static\' should have one of Text, Icon or Bitmap elements!", _t210, _t219);
						 *(_t211 - 4) = 0x1f;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x10)))) + 4))(0,  *_t167, _t211 - 0x24, _t211 - 0x30, _t211 + 0xc, _t211 - 0x10, _t211 + 0xc, _t211 - 0x10);
						 *(_t211 - 4) = 0x1e;
						E6B158460( *((intOrPtr*)(_t211 - 0x24)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x10)))));
						_push(_t211 - 0x30);
						E6B13D170(_t186, _t211 - 0x3c, L"UiInfo element \'Static\' should have one of Text, Icon or Bitmap elements!", _t210,  *((intOrPtr*)(_t211 - 0x24)) + 0xfffffff0);
						E6B15DBDB(_t211 - 0x3c, 0x6b1682a0);
					}
				}
				return E6B162709(_t186);
			}

0x6b1421b8
0x6b1421b8
0x6b1421b8
0x6b1421b8
0x6b1421bf
0x6b1421c4
0x6b1421ca
0x6b1421cb
0x6b1421d0
0x6b1421d4
0x6b1421de
0x6b1421e2
0x6b1421e8
0x6b1421ee
0x6b1421f5
0x6b142201
0x6b142209
0x6b14220e
0x6b142211
0x6b142213
0x6b142217
0x6b14221a
0x6b14221f
0x6b142223
0x6b142226
0x6b142228
0x6b14222a
0x6b14222d
0x6b14222d
0x6b142230
0x6b14223a
0x6b142242
0x6b142248
0x6b142254
0x6b14225c
0x6b142261
0x6b142264
0x6b142266
0x6b14226a
0x6b14226f
0x6b142278
0x6b14227b
0x6b14227c
0x6b14227f
0x6b14228a
0x6b14228f
0x6b142293
0x6b142296
0x6b142298
0x6b14229a
0x6b14229d
0x6b14229d
0x6b1422a0
0x6b1422aa
0x6b1422b2
0x6b1422b8
0x6b1422c4
0x6b1422cc
0x6b1422d6
0x6b1422da
0x6b1422df
0x6b1422e3
0x6b1422e8
0x6b1422eb
0x6b1422ec
0x6b1422f7
0x6b1422fc
0x6b142300
0x6b142303
0x6b142305
0x6b142307
0x6b14230a
0x6b14230a
0x6b14230d
0x6b142317
0x6b14231f
0x6b142325
0x6b142331
0x6b14233e
0x6b142342
0x6b142343
0x6b142347
0x6b14234c
0x6b142350
0x6b142357
0x6b142359
0x6b14235c
0x6b14235c
0x6b14235f
0x6b142369
0x6b142376
0x6b14238a
0x6b14238c
0x6b14238f
0x6b14239e
0x6b1423ac
0x6b1423b0
0x6b1423c1
0x6b1423c5
0x6b1423d0
0x6b1423d5
0x6b1423df
0x6b1423eb
0x6b1423f3
0x6b1423fe
0x6b142401
0x6b14240b
0x6b142413
0x6b142417
0x6b142425
0x6b142425
0x6b14238f
0x6b142431

APIs

__EH_prolog3.LIBCMT ref: 6B1421BF

Part of subcall function 6B141F81: __EH_prolog3.LIBCMT ref: 6B141F88

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B13CA39: __EH_prolog3.LIBCMT ref: 6B13CA40

Part of subcall function 6B13CAC2: __EH_prolog3.LIBCMT ref: 6B13CAC9

Part of subcall function 6B13D170: __EH_prolog3.LIBCMT ref: 6B13D177

__CxxThrowException@8.LIBCMT ref: 6B142425

Part of subcall function 6B15DBDB: RaiseException.KERNEL32(?,?,6B159236,?,?,?,?,?,6B159236,?,6B167F54,6B1722B4), ref: 6B15DC1D

Strings

Text, xrefs: 6B1421E3
Icon, xrefs: 6B142243
UiInfo element 'Static' should have one of Text, Icon or Bitmap elements!, xrefs: 6B1423A7
Font, xrefs: 6B142320
Bitmap, xrefs: 6B1422B3
UIInfo.xml, xrefs: 6B142399

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: Bitmap$Font$Icon$Text$UIInfo.xml$UiInfo element 'Static' should have one of Text, Icon or Bitmap elements!
API String ID: 1412866469-225342085
Opcode ID: 9654d2287f714c2a059157cf05a678037e4f432a235a6757510d8bf8febb2c2f
Instruction ID: ed3b19349c680d513eb6940bff5189e41614f9b1c9b27287e1922b8bb15c239c
Opcode Fuzzy Hash: 9654d2287f714c2a059157cf05a678037e4f432a235a6757510d8bf8febb2c2f
Instruction Fuzzy Hash: CF813B7290015CFFDB01DBB8C985BDEB7B8AF19318F284195E424EB291D738EA05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B13FCC3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6B13FCC3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HICON__* _t16;
				void* _t35;
				void* _t37;
				intOrPtr _t38;
				void* _t40;
				void* _t41;

				_t35 = __edx;
				_push(0x14);
				E6B162693(0x6b163ff0, __ebx, __edi, __esi);
				_t40 = __ecx;
				_t16 = LoadCursorW(0, 0x7f02);
				 *(_t41 - 0x20) = _t16;
				 *(_t41 - 0x1c) = SetCursor(_t16);
				 *((char*)(_t41 - 0x18)) = 1;
				 *((intOrPtr*)(_t41 - 4)) = 0;
				_t37 = CreateThread(0, 0, E6B13FD72, _t40, 0, 0);
				if(_t37 != 0) {
					WaitForSingleObject(_t37, 0xffffffff);
					CloseHandle(_t37);
				}
				if( *((intOrPtr*)(_t40 + 8)) == 0) {
					 *((char*)(_t41 - 4)) = 1;
					_t8 = E6B1583FD( *((intOrPtr*)(_t40 + 4)) - 0x10) + 0x10; // 0x10
					_t38 = _t8;
					 *((intOrPtr*)(_t41 - 0x14)) = _t38;
					 *((char*)(_t41 - 4)) = 2;
					 *((intOrPtr*)( *_t40 + 8))(0, L"open", _t38, 0, 0, 1);
					_t12 = _t38 - 0x10; // 0x0
					E6B158460(_t12, _t35);
				}
				SetCursor( *(_t41 - 0x1c));
				return E6B162709(0);
			}

0x6b13fcc3
0x6b13fcc3
0x6b13fcca
0x6b13fccf
0x6b13fcd9
0x6b13fce0
0x6b13fce9
0x6b13fcec
0x6b13fcfa
0x6b13fd03
0x6b13fd07
0x6b13fd0c
0x6b13fd13
0x6b13fd13
0x6b13fd1c
0x6b13fd1e
0x6b13fd2d
0x6b13fd2d
0x6b13fd30
0x6b13fd3d
0x6b13fd46
0x6b13fd49
0x6b13fd4c
0x6b13fd4c
0x6b13fd5f
0x6b13fd6c

APIs

__EH_prolog3_catch.LIBCMT ref: 6B13FCCA
LoadCursorW.USER32(00000000,00007F02), ref: 6B13FCD9
SetCursor.USER32(00000000,?,6B14CF69,?), ref: 6B13FCE3
CreateThread.KERNEL32 ref: 6B13FCFD
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,6B14CF69,?), ref: 6B13FD0C
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,6B14CF69,?), ref: 6B13FD13
SetCursor.USER32(00000001,?,00000000,00000000,?,6B14CF69,?), ref: 6B13FD5F

Strings

open, xrefs: 6B13FD38

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Cursor$CloseCreateH_prolog3_catchHandleLoadObjectSingleThreadWait
String ID: open
API String ID: 3568249301-2758837156
Opcode ID: 1fd349747e198c43b86e2fffdf8a852390c304c8387f24948930d46713710625
Instruction ID: b97995cc076ceb317116df743f874c60e3334ffd02c23bafbc5e496267325dec
Opcode Fuzzy Hash: 1fd349747e198c43b86e2fffdf8a852390c304c8387f24948930d46713710625
Instruction Fuzzy Hash: 1B11A3B0900295FFDF10AFB8C88DEAE7BB8AB05304F104458F065E7281E7788D148B61

Uniqueness

Uniqueness Score: -1.00%

Function 6B15A311 Relevance: 13.7, APIs: 9, Instructions: 196
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E6B15A311() {
				int* _v8;
				void** _v12;
				struct _STARTUPINFOW _v80;
				signed int _t61;
				void* _t62;
				long _t65;
				signed int _t68;
				signed int _t69;
				signed int _t70;
				int _t72;
				int* _t73;
				int* _t74;
				void* _t77;
				intOrPtr _t86;
				void* _t87;
				void* _t88;
				signed int _t91;
				int _t93;
				signed char _t98;
				void* _t108;
				signed int _t110;
				intOrPtr* _t111;
				int _t112;
				void** _t115;
				void** _t120;

				GetStartupInfoW( &_v80);
				_push(0x40);
				_t112 = 0x20;
				_push(_t112);
				_t61 = E6B159F70();
				if(_t61 != 0) {
					_t2 = _t61 + 0x800; // 0x800
					 *0x6b174080 = _t61;
					 *0x6b17406c = _t112;
					if(_t61 >= _t2) {
						L5:
						if(_v80.cbReserved2 == 0) {
							L27:
							_t91 = 0;
							do {
								_t115 = (_t91 << 6) +  *0x6b174080;
								_t62 =  *_t115;
								if(_t62 == 0xffffffff || _t62 == 0xfffffffe) {
									_t115[1] = 0x81;
									if(_t91 != 0) {
										_t50 = _t91 - 1; // -1
										asm("sbb eax, eax");
										_t65 =  ~_t50 + 0xfffffff5;
									} else {
										_t65 = 0xfffffff6;
									}
									_t108 = GetStdHandle(_t65);
									if(_t108 == 0xffffffff || _t108 == 0) {
										L43:
										_t115[1] = _t115[1] | 0x00000040;
										 *_t115 = 0xfffffffe;
										goto L44;
									} else {
										_t69 = GetFileType(_t108);
										if(_t69 == 0) {
											goto L43;
										}
										_t70 = _t69 & 0x000000ff;
										 *_t115 = _t108;
										if(_t70 != 2) {
											if(_t70 == 3) {
												_t115[1] = _t115[1] | 0x00000008;
											}
										} else {
											_t115[1] = _t115[1] | 0x00000040;
										}
										_t55 =  &(_t115[3]); // -1796685940
										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
										if(_t72 == 0) {
											L48:
											_t68 = _t72 | 0xffffffff;
											L46:
											return _t68;
										} else {
											_t115[2] = _t115[2] + 1;
											goto L44;
										}
									}
								} else {
									_t115[1] = _t115[1] | 0x00000080;
								}
								L44:
								_t91 = _t91 + 1;
							} while (_t91 < 3);
							SetHandleCount( *0x6b17406c);
							_t68 = 0;
							goto L46;
						}
						_t73 = _v80.lpReserved2;
						if(_t73 == 0) {
							goto L27;
						}
						_t93 =  *_t73;
						_t74 =  &(_t73[1]);
						_v8 = _t74;
						_v12 = _t74 + _t93;
						if(_t93 >= 0x800) {
							_t93 = 0x800;
						}
						if( *0x6b17406c >= _t93) {
							L18:
							_t110 = 0;
							if(_t93 <= 0) {
								goto L27;
							} else {
								goto L19;
							}
							do {
								L19:
								_t77 =  *_v12;
								if(_t77 != 0xffffffff && _t77 != 0xfffffffe) {
									_t98 =  *_v8;
									if((_t98 & 0x00000001) != 0 && ((_t98 & 0x00000008) != 0 || GetFileType(_t77) != 0)) {
										_t120 = ((_t110 & 0x0000001f) << 6) + 0x6b174080[_t110 >> 5];
										 *_t120 =  *_v12;
										_t120[1] =  *_v8;
										_t40 =  &(_t120[3]); // 0xc
										_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
										if(_t72 == 0) {
											goto L48;
										}
										_t120[2] = _t120[2] + 1;
									}
								}
								_v12 =  &(_v12[1]);
								_t110 = _t110 + 1;
								_v8 =  &(_v8[0]);
							} while (_t110 < _t93);
							goto L27;
						} else {
							_t111 = 0x6b174084;
							while(1) {
								_t86 = E6B159F70(0x20, 0x40);
								if(_t86 == 0) {
									break;
								}
								 *0x6b17406c =  *0x6b17406c + 0x20;
								_t16 = _t86 + 0x800; // 0x800
								 *_t111 = _t86;
								if(_t86 >= _t16) {
									L15:
									_t111 = _t111 + 4;
									if( *0x6b17406c < _t93) {
										continue;
									}
									goto L18;
								}
								_t87 = _t86 + 5;
								do {
									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
									 *((short*)(_t87 - 1)) = 0xa00;
									 *((short*)(_t87 + 0x20)) = 0xa0a;
									 *((char*)(_t87 + 0x2f)) = 0;
									_t87 = _t87 + 0x40;
									_t28 = _t87 - 5; // -74
								} while (_t28 <  *_t111 + 0x800);
								goto L15;
							}
							_t93 =  *0x6b17406c;
							goto L18;
						}
					}
					_t88 = _t61 + 5;
					do {
						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
						 *((short*)(_t88 - 1)) = 0xa00;
						 *((intOrPtr*)(_t88 + 3)) = 0;
						 *((short*)(_t88 + 0x1f)) = 0xa00;
						 *((char*)(_t88 + 0x21)) = 0xa;
						 *((intOrPtr*)(_t88 + 0x33)) = 0;
						 *((char*)(_t88 + 0x2f)) = 0;
						_t88 = _t88 + 0x40;
						_t11 = _t88 - 5; // -74
					} while (_t11 <  *0x6b174080 + 0x800);
					goto L5;
				}
				return _t61 | 0xffffffff;
			}

0x6b15a31e
0x6b15a324
0x6b15a328
0x6b15a329
0x6b15a32a
0x6b15a335
0x6b15a33f
0x6b15a345
0x6b15a34a
0x6b15a352
0x6b15a38a
0x6b15a390
0x6b15a4a4
0x6b15a4a4
0x6b15a4a6
0x6b15a4ab
0x6b15a4b1
0x6b15a4b6
0x6b15a4c3
0x6b15a4c9
0x6b15a4d0
0x6b15a4d5
0x6b15a4d7
0x6b15a4cb
0x6b15a4cd
0x6b15a4cd
0x6b15a4e1
0x6b15a4e6
0x6b15a52a
0x6b15a52a
0x6b15a52e
0x00000000
0x6b15a4ec
0x6b15a4ed
0x6b15a4f5
0x00000000
0x00000000
0x6b15a4f7
0x6b15a4fc
0x6b15a501
0x6b15a50c
0x6b15a50e
0x6b15a50e
0x6b15a503
0x6b15a503
0x6b15a503
0x6b15a517
0x6b15a51b
0x6b15a523
0x6b15a551
0x6b15a551
0x6b15a54c
0x00000000
0x6b15a525
0x6b15a525
0x00000000
0x6b15a525
0x6b15a523
0x6b15a4bd
0x6b15a4bd
0x6b15a4bd
0x6b15a534
0x6b15a534
0x6b15a535
0x6b15a544
0x6b15a54a
0x00000000
0x6b15a54a
0x6b15a396
0x6b15a39b
0x00000000
0x00000000
0x6b15a3a1
0x6b15a3a3
0x6b15a3a6
0x6b15a3b0
0x6b15a3b5
0x6b15a3b7
0x6b15a3b7
0x6b15a3bf
0x6b15a42c
0x6b15a42c
0x6b15a430
0x00000000
0x00000000
0x00000000
0x00000000
0x6b15a432
0x6b15a432
0x6b15a435
0x6b15a43a
0x6b15a444
0x6b15a449
0x6b15a468
0x6b15a474
0x6b15a47b
0x6b15a483
0x6b15a487
0x6b15a48f
0x00000000
0x00000000
0x6b15a495
0x6b15a495
0x6b15a449
0x6b15a498
0x6b15a49c
0x6b15a49d
0x6b15a4a0
0x00000000
0x6b15a3c1
0x6b15a3c1
0x6b15a3c6
0x6b15a3ca
0x6b15a3d3
0x00000000
0x00000000
0x6b15a3d5
0x6b15a3dc
0x6b15a3e2
0x6b15a3e6
0x6b15a419
0x6b15a419
0x6b15a422
0x00000000
0x00000000
0x00000000
0x6b15a424
0x6b15a3e8
0x6b15a3eb
0x6b15a3eb
0x6b15a3ef
0x6b15a3f3
0x6b15a3f7
0x6b15a3fb
0x6b15a401
0x6b15a407
0x6b15a40d
0x6b15a412
0x6b15a415
0x00000000
0x6b15a3eb
0x6b15a426
0x00000000
0x6b15a426
0x6b15a3bf
0x6b15a354
0x6b15a357
0x6b15a357
0x6b15a35b
0x6b15a361
0x6b15a364
0x6b15a36a
0x6b15a36e
0x6b15a371
0x6b15a37a
0x6b15a37d
0x6b15a386
0x00000000
0x6b15a357
0x00000000

APIs

GetStartupInfoW.KERNEL32(6B1314A0,6B1591D6), ref: 6B15A31E
__calloc_crt.LIBCMT ref: 6B15A32A

Part of subcall function 6B159F70: Sleep.KERNEL32(00000000,?,6B1591D6,?), ref: 6B159F98

__calloc_crt.LIBCMT ref: 6B15A3CA
GetFileType.KERNEL32(74C08559,00000001,6B1591D6), ref: 6B15A451

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: 3ba18ec5c2208717d3aeefadda7844254a826179e4f0de8ed475ebc06dd5173c
Instruction ID: 404fd333f2e500eadd0cb4905ad42fd19b07bfff8b375b16a3870abc6e42c022
Opcode Fuzzy Hash: 3ba18ec5c2208717d3aeefadda7844254a826179e4f0de8ed475ebc06dd5173c
Instruction Fuzzy Hash: 1C6146B39A4311EFD710CF68C888B597BA4EF16325F1946A8D576CB2D1E338E421CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14D86C Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 214
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B14D86C(void* __ebx) {
				signed int _v8;
				signed int _v120;
				intOrPtr _v128;
				void* _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				char _t64;
				signed int _t72;
				intOrPtr _t75;
				void* _t123;
				signed int _t126;
				signed int _t130;
				signed int _t144;
				void* _t145;
				char _t146;

				_t123 = __ebx;
				_t62 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t62 ^ _t144;
				_t64 = __ebx + 0x34;
				_t136 = _t64 + 4;
				_t131 = 0;
				_v152 =  *((intOrPtr*)(__ebx + 0x2c));
				_v156 = _t64;
				_v148 = __ebx + 0x90;
				E6B150324(0, __ebx + 0x90, _t136, 0);
				E6B15AF90( &_v132, 0, 0x74);
				_t146 = _t145 + 0xc;
				_v132 = 0x74;
				_v128 = 0x80000000;
				SendMessageW( *_t136, 0x43a, 1,  &_v132);
				_t72 = _v120 * 0x28;
				asm("cdq");
				_t126 = 0x64;
				_t130 = _t72 % _t126;
				_v144 = _t72 / _t126 + _v120;
				_t75 =  *((intOrPtr*)(__ebx + 0x28));
				_t147 =  *((intOrPtr*)(_t75 + 4));
				if( *((intOrPtr*)(_t75 + 4)) <= 0) {
					__eflags =  *((intOrPtr*)(_t75 + 0x10));
					if(__eflags > 0) {
						_push(0);
						_push(_t126);
						_v136 = _t146;
						E6B14E8E8(L"IDS_INSTALLATION_BLOCKERS", _t136, __eflags);
						_v140 = E6B150353(__ebx + 0x38,  *((intOrPtr*)(E6B14D81A( &_v136))), __ebx);
						E6B158460(_v136 + 0xfffffff0, _t130);
						_t134 = E6B150353(__ebx + 0x38, L"\r\n\r\n", 0);
						_t136 = __ebx + 0x34;
						E6B140D3D(__ebx, _t126, _t130, _t102, __ebx + 0x34, _v140, _t102, _v144);
						E6B140E35(__ebx, _t126, _t130, _t134, __ebx + 0x34, _v140, _t134, 5, 5, 1);
						E6B140D3D(__ebx, _t126, _t130, _t134, _t136, _t134, 0xffffffff, _v120);
						E6B140E35(__ebx, _t126, _t130, _t134, _t136, _t134, 0xffffffff, 5, 5, 0);
						_t126 =  &_v156;
						E6B14DD4C( *((intOrPtr*)(__ebx + 0x28)) + 0xc, __ebx, _t126, _t130, _t134, _t146);
						_t131 = 0;
						__eflags = 0;
					}
					_t77 =  *((intOrPtr*)(_t123 + 0x28));
					__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x28)) + 0x1c)) - _t131;
					if(__eflags > 0) {
						E6B150353(_t123 + 0x38, L"\r\n", _t131);
						_push(_t131);
						_push(_t126);
						_v136 = _t146;
						_push(_t146);
						E6B14E8E8(L"IDS_PRE_INSTALLATION_WARNINGS", _t123 + 0x38, __eflags);
						_v140 = E6B150353(_t123 + 0x38,  *((intOrPtr*)(E6B14D81A( &_v136))), _t123);
						E6B158460(_v136 + 0xfffffff0, _t130);
						_t131 = E6B150353(_t123 + 0x38, L"\r\n\r\n", 0);
						_t136 = _t123 + 0x34;
						E6B140D3D(_t123, _t126, _t130, _t87, _t123 + 0x34, _v140, _t87, _v144);
						E6B140E35(_t123, _t126, _t130, _t131, _t123 + 0x34, _v140, _t131, 5, 5, 1);
						E6B140D3D(_t123, _t126, _t130, _t131, _t136, _t131, 0xffffffff, _v120);
						E6B140E35(_t123, _t126, _t130, _t131, _t136, _t131, 0xffffffff, 5, 5, 0);
						_t93 =  *((intOrPtr*)(_t123 + 0x28)) + 0x18;
						__eflags =  *((intOrPtr*)(_t123 + 0x28)) + 0x18;
						goto L6;
					}
				} else {
					_push(0);
					_push(_t126);
					_v136 = _t146;
					_push(_t146);
					E6B14E8E8(L"IDS_SUCCESS_BLOCKERS_LIST_HEADER", _t136, _t147);
					_v140 = E6B150353(__ebx + 0x38,  *((intOrPtr*)(E6B14D81A( &_v136))), __ebx);
					E6B158460(_v136 + 0xfffffff0, _t130);
					_t131 = E6B150353(__ebx + 0x38, L"\r\n\r\n", 0);
					_t136 = __ebx + 0x34;
					E6B140D3D(__ebx, _t126, _t130, _t118, __ebx + 0x34, _v140, _t118, _v144);
					E6B140E35(__ebx, _t126, _t130, _t131, __ebx + 0x34, _v140, _t131, 5, 5, 1);
					E6B140D3D(__ebx, _t126, _t130, _t131, _t136, _t131, 0xffffffff, _v120);
					E6B140E35(__ebx, _t126, _t130, _t131, _t136, _t131, 0xffffffff, 5, 5, 0);
					_t93 =  *((intOrPtr*)(__ebx + 0x28));
					L6:
					_t77 = E6B14DD4C(_t93, _t123,  &_v156, _t130, _t131);
				}
				return E6B1587C1(_t77, _t123, _v8 ^ _t144, _t130, _t131, _t136);
			}

0x6b14d86c
0x6b14d877
0x6b14d87e
0x6b14d886
0x6b14d889
0x6b14d88c
0x6b14d88e
0x6b14d895
0x6b14d8a4
0x6b14d8aa
0x6b14d8b6
0x6b14d8bb
0x6b14d8cb
0x6b14d8d2
0x6b14d8d9
0x6b14d8e2
0x6b14d8e5
0x6b14d8e8
0x6b14d8e9
0x6b14d8ee
0x6b14d8f4
0x6b14d8f7
0x6b14d8fa
0x6b14d99d
0x6b14d99f
0x6b14d9a5
0x6b14d9a6
0x6b14d9a9
0x6b14d9b5
0x6b14d9d1
0x6b14d9e0
0x6b14d9f7
0x6b14da00
0x6b14da04
0x6b14da17
0x6b14da23
0x6b14da32
0x6b14da3d
0x6b14da43
0x6b14da48
0x6b14da48
0x6b14da48
0x6b14da4a
0x6b14da4d
0x6b14da50
0x6b14da5f
0x6b14da64
0x6b14da65
0x6b14da68
0x6b14da6e
0x6b14da74
0x6b14da8f
0x6b14da9e
0x6b14dab5
0x6b14dabe
0x6b14dac2
0x6b14dad5
0x6b14dae1
0x6b14daf0
0x6b14daf8
0x6b14daf8
0x00000000
0x6b14daf8
0x6b14d900
0x6b14d900
0x6b14d901
0x6b14d904
0x6b14d90a
0x6b14d910
0x6b14d92c
0x6b14d93b
0x6b14d952
0x6b14d95b
0x6b14d95f
0x6b14d972
0x6b14d97e
0x6b14d98d
0x6b14d992
0x6b14dafb
0x6b14db01
0x6b14db01
0x6b14db13

APIs

Part of subcall function 6B150324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6B150344

_memset.LIBCMT ref: 6B14D8B6
SendMessageW.USER32(?,0000043A,00000001,?), ref: 6B14D8D9

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14D81A: __EH_prolog3.LIBCMT ref: 6B14D821

Part of subcall function 6B150353: GetWindowTextLengthW.USER32(?), ref: 6B15035B
Part of subcall function 6B150353: SendMessageW.USER32(?,000000C2,?,00000000), ref: 6B150377

Part of subcall function 6B140D3D: _memset.LIBCMT ref: 6B140D6A
Part of subcall function 6B140D3D: SendMessageW.USER32(?,00000444,00000001,?), ref: 6B140D93

Part of subcall function 6B140E35: _memset.LIBCMT ref: 6B140E62
Part of subcall function 6B140E35: SendMessageW.USER32(?,00000444,00000001,00000074), ref: 6B140E92

Strings

IDS_PRE_INSTALLATION_WARNINGS, xrefs: 6B14DA6F
IDS_SUCCESS_BLOCKERS_LIST_HEADER, xrefs: 6B14D90B
, xrefs: 6B14D942, 6B14D9E7, 6B14DAA5
t, xrefs: 6B14D8CB
IDS_INSTALLATION_BLOCKERS, xrefs: 6B14D9B0

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$_memset$H_prolog3$LengthTextWindow
String ID: $IDS_INSTALLATION_BLOCKERS$IDS_PRE_INSTALLATION_WARNINGS$IDS_SUCCESS_BLOCKERS_LIST_HEADER$t
API String ID: 808874516-693864943
Opcode ID: a0fff06f0d4131c54a6e3775cf294f4eded3115663350b917620db646e638260
Instruction ID: 1219b77fabecc6feb2f637f1d247607d7200324c7c503e8c5603a8e2fa187083
Opcode Fuzzy Hash: a0fff06f0d4131c54a6e3775cf294f4eded3115663350b917620db646e638260
Instruction Fuzzy Hash: 3F717E72940124BBCF609B69CC4AF8E7B78AF45718F114294F618FB290DB39AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6B144B2A Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B144B2A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t85;
				intOrPtr* _t87;
				void* _t96;
				intOrPtr* _t98;
				void* _t107;
				intOrPtr* _t109;
				void* _t118;
				intOrPtr* _t120;
				void* _t129;
				intOrPtr* _t131;
				intOrPtr* _t143;
				void* _t155;
				intOrPtr* _t178;
				void* _t179;
				void* _t180;

				_t180 = __eflags;
				_t165 = __edx;
				_t155 = __ebx;
				_push(0x1c);
				E6B16265B(0x6b1679b7, __ebx, __edi, __esi);
				_t178 =  *((intOrPtr*)(_t179 + 8));
				 *_t178 = 0x6b137094;
				 *(_t179 - 4) =  *(_t179 - 4) & 0x00000000;
				_push( *((intOrPtr*)(_t179 + 0xc)));
				_push(__ebx);
				_push(_t178 + 4);
				E6B143AD4(__ebx, __ecx, __edx, __edi, _t178, _t180);
				_push(_t178 + 0x3c);
				 *(_t179 - 4) = 1;
				E6B14396A(__ebx, __ebx, __edx, __edi, _t178, _t180);
				 *(_t179 - 4) = 2;
				_push(_t179 + 0xc);
				 *_t178 = 0x6b13749c;
				E6B14E8E8(L"RefreshButton", _t178, _t180);
				 *(_t179 - 4) = 3;
				_t85 = E6B13D65F(__ebx, __ebx, _t179 - 0x1c, _t179 + 0xc);
				_push(_t178 + 0x78);
				_t159 = _t85;
				 *(_t179 - 4) = 4;
				E6B14434E(__ebx, _t85, __edx, L"RefreshButton", _t178, _t180);
				 *(_t179 - 4) = 6;
				_t87 =  *((intOrPtr*)(_t179 - 0x1c));
				_t181 = _t87;
				if(_t87 != 0) {
					_t159 =  *_t87;
					 *((intOrPtr*)( *_t87 + 8))(_t87);
				}
				 *(_t179 - 4) = 7;
				E6B158460( *((intOrPtr*)(_t179 + 0xc)) + 0xfffffff0, _t165);
				_push(_t179 - 0x10);
				E6B14E8E8(L"ProcessStatusIcon", _t178, _t181);
				 *(_t179 - 4) = 8;
				_t96 = E6B13D6C4(_t155, _t155, _t159, _t179 - 0x28, _t179 - 0x10);
				_t160 = _t178 + 0xa0;
				_push(_t178 + 0xa0);
				 *(_t179 - 4) = 9;
				E6B141F81(_t96, _t178, _t181);
				 *(_t179 - 4) = 0xb;
				_t98 =  *((intOrPtr*)(_t179 - 0x28));
				_t182 = _t98;
				if(_t98 != 0) {
					_t160 =  *_t98;
					 *((intOrPtr*)( *_t98 + 8))(_t98);
				}
				 *(_t179 - 4) = 0xc;
				E6B158460( *((intOrPtr*)(_t179 - 0x10)) + 0xfffffff0, _t165);
				_push(_t179 + 0xc);
				E6B14E8E8(L"ServiceStatusIcon", _t178, _t182);
				 *(_t179 - 4) = 0xd;
				_t107 = E6B13D6C4(_t155, _t155, _t160, _t179 - 0x1c, _t179 + 0xc);
				_t161 = _t178 + 0xb4;
				_push(_t178 + 0xb4);
				 *(_t179 - 4) = 0xe;
				E6B141F81(_t107, _t178, _t182);
				 *(_t179 - 4) = 0x10;
				_t109 =  *((intOrPtr*)(_t179 - 0x1c));
				_t183 = _t109;
				if(_t109 != 0) {
					_t161 =  *_t109;
					 *((intOrPtr*)( *_t109 + 8))(_t109);
				}
				 *(_t179 - 4) = 0x11;
				E6B158460( *((intOrPtr*)(_t179 + 0xc)) + 0xfffffff0, _t165);
				_push(_t179 - 0x10);
				E6B14E8E8(L"ProcessListBox", _t178, _t183);
				 *(_t179 - 4) = 0x12;
				_t118 = E6B13D6C4(_t155, _t155, _t161, _t179 - 0x28, _t179 - 0x10);
				_t162 = _t178 + 0xc8;
				_push(_t178 + 0xc8);
				 *(_t179 - 4) = 0x13;
				E6B141F81(_t118, _t178, _t183);
				 *(_t179 - 4) = 0x15;
				_t120 =  *((intOrPtr*)(_t179 - 0x28));
				_t184 = _t120;
				if(_t120 != 0) {
					_t162 =  *_t120;
					 *((intOrPtr*)( *_t120 + 8))(_t120);
				}
				 *(_t179 - 4) = 0x16;
				E6B158460( *((intOrPtr*)(_t179 - 0x10)) + 0xfffffff0, _t165);
				_push(_t179 + 0xc);
				E6B14E8E8(L"ServiceListBox", _t178, _t184);
				 *(_t179 - 4) = 0x17;
				_t129 = E6B13D6C4(_t155, _t155, _t162, _t179 - 0x1c, _t179 + 0xc);
				_t163 = _t178 + 0xdc;
				_push(_t178 + 0xdc);
				 *(_t179 - 4) = 0x18;
				E6B141F81(_t129, _t178, _t184);
				 *(_t179 - 4) = 0x1a;
				_t131 =  *((intOrPtr*)(_t179 - 0x1c));
				_t185 = _t131;
				if(_t131 != 0) {
					_t163 =  *_t131;
					 *((intOrPtr*)( *_t131 + 8))(_t131);
				}
				 *(_t179 - 4) = 0x1b;
				E6B158460( *((intOrPtr*)(_t179 + 0xc)) + 0xfffffff0, _t165);
				_push(_t179 - 0x10);
				E6B14E8E8(L"DiskSpaceInfo", _t178, _t185);
				 *(_t179 - 4) = 0x1c;
				_push(E6B13D6C4(_t155, _t155, _t163, _t179 - 0x28, _t179 - 0x10));
				_push(_t178 + 0xf0);
				 *(_t179 - 4) = 0x1d;
				E6B1448B6(_t155, _t163, _t165, L"DiskSpaceInfo", _t178, _t185);
				 *(_t179 - 4) = 0x1c;
				_t143 =  *((intOrPtr*)(_t179 - 0x28));
				if(_t143 != 0) {
					 *((intOrPtr*)( *_t143 + 8))(_t143);
				}
				E6B158460( *((intOrPtr*)(_t179 - 0x10)) + 0xfffffff0, _t165);
				return E6B162709(_t178);
			}

0x6b144b2a
0x6b144b2a
0x6b144b2a
0x6b144b2a
0x6b144b31
0x6b144b36
0x6b144b39
0x6b144b3f
0x6b144b43
0x6b144b49
0x6b144b4a
0x6b144b4b
0x6b144b53
0x6b144b56
0x6b144b5a
0x6b144b62
0x6b144b66
0x6b144b6c
0x6b144b72
0x6b144b81
0x6b144b85
0x6b144b8d
0x6b144b8e
0x6b144b90
0x6b144b94
0x6b144b99
0x6b144b9d
0x6b144ba0
0x6b144ba2
0x6b144ba4
0x6b144ba7
0x6b144ba7
0x6b144baa
0x6b144bb4
0x6b144bbc
0x6b144bc2
0x6b144bd1
0x6b144bd5
0x6b144bda
0x6b144be0
0x6b144be3
0x6b144be7
0x6b144bec
0x6b144bf0
0x6b144bf3
0x6b144bf5
0x6b144bf7
0x6b144bfa
0x6b144bfa
0x6b144bfd
0x6b144c07
0x6b144c0f
0x6b144c15
0x6b144c24
0x6b144c28
0x6b144c2d
0x6b144c33
0x6b144c36
0x6b144c3a
0x6b144c3f
0x6b144c43
0x6b144c46
0x6b144c48
0x6b144c4a
0x6b144c4d
0x6b144c4d
0x6b144c50
0x6b144c5a
0x6b144c62
0x6b144c68
0x6b144c77
0x6b144c7b
0x6b144c80
0x6b144c86
0x6b144c89
0x6b144c8d
0x6b144c92
0x6b144c96
0x6b144c99
0x6b144c9b
0x6b144c9d
0x6b144ca0
0x6b144ca0
0x6b144ca3
0x6b144cad
0x6b144cb5
0x6b144cbb
0x6b144cca
0x6b144cce
0x6b144cd3
0x6b144cd9
0x6b144cdc
0x6b144ce0
0x6b144ce5
0x6b144ce9
0x6b144cec
0x6b144cee
0x6b144cf0
0x6b144cf3
0x6b144cf3
0x6b144cf6
0x6b144d00
0x6b144d08
0x6b144d0e
0x6b144d1d
0x6b144d26
0x6b144d2d
0x6b144d2e
0x6b144d32
0x6b144d37
0x6b144d3b
0x6b144d40
0x6b144d45
0x6b144d45
0x6b144d4e
0x6b144d5a

APIs

__EH_prolog3.LIBCMT ref: 6B144B31

Part of subcall function 6B143AD4: __EH_prolog3.LIBCMT ref: 6B143ADB

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14434E: __EH_prolog3.LIBCMT ref: 6B144355

Part of subcall function 6B141F81: __EH_prolog3.LIBCMT ref: 6B141F88

Strings

RefreshButton, xrefs: 6B144B67
DiskSpaceInfo, xrefs: 6B144D09
ServiceStatusIcon, xrefs: 6B144C10
ProcessListBox, xrefs: 6B144C63
ServiceListBox, xrefs: 6B144CB6
ProcessStatusIcon, xrefs: 6B144BBD

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: DiskSpaceInfo$ProcessListBox$ProcessStatusIcon$RefreshButton$ServiceListBox$ServiceStatusIcon
API String ID: 431132790-2340012964
Opcode ID: 2058295d78e22ae46e92e102bfa65465f64fcbb77cc45d6f0833d936d1810242
Instruction ID: 8879e2ea40cae608285a40e12859565dcb3a0c4f8c43968a9ed882e43cd4969f
Opcode Fuzzy Hash: 2058295d78e22ae46e92e102bfa65465f64fcbb77cc45d6f0833d936d1810242
Instruction Fuzzy Hash: 00711E7190015DFFDB00CBF8C845BDEB7A86F19318F188199E469E7281DB78AA09D721

Uniqueness

Uniqueness Score: -1.00%

Function 6B143AD4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6B143AD4(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t86;
				intOrPtr* _t88;
				void* _t97;
				intOrPtr* _t99;
				void* _t107;
				intOrPtr* _t110;
				void* _t118;
				intOrPtr* _t120;
				intOrPtr _t129;
				intOrPtr* _t131;
				intOrPtr* _t142;
				intOrPtr _t158;
				void* _t165;
				intOrPtr _t182;
				void* _t183;
				intOrPtr _t184;
				void* _t185;

				_t185 = __eflags;
				_t165 = __edx;
				_t161 = __ecx;
				_push(0x20);
				E6B16265B(0x6b167332, __ebx, __edi, __esi);
				_push(_t183 - 0x10);
				E6B14E8E8(L"Title", __esi, _t185);
				 *(_t183 - 4) =  *(_t183 - 4) & 0x00000000;
				_t86 = E6B13D6C4( *((intOrPtr*)(_t183 + 0xc)), __ebx, _t161, _t183 - 0x20, _t183 - 0x10);
				 *(_t183 - 4) = 1;
				_t155 =  *((intOrPtr*)(_t183 + 8));
				_t178 = _t86;
				E6B13D76F( *((intOrPtr*)(_t183 + 8)), L"Title", _t86, _t185);
				 *(_t183 - 4) = 3;
				_t88 =  *((intOrPtr*)(_t183 - 0x20));
				_t186 = _t88;
				if(_t88 != 0) {
					_t161 =  *_t88;
					 *((intOrPtr*)( *_t88 + 8))(_t88);
				}
				 *(_t183 - 4) = 4;
				E6B158460( *((intOrPtr*)(_t183 - 0x10)) + 0xfffffff0, _t165);
				_push(_t183 - 0x14);
				E6B14E8E8(L"SubTitle", _t178, _t186);
				 *(_t183 - 4) = 5;
				_t97 = E6B13D6C4( *((intOrPtr*)(_t183 + 0xc)), _t155, _t161, _t183 - 0x2c, _t183 - 0x14);
				 *(_t183 - 4) = 6;
				_t157 =  *((intOrPtr*)(_t183 + 8)) + 4;
				_t179 = _t97;
				E6B13D76F( *((intOrPtr*)(_t183 + 8)) + 4, L"SubTitle", _t97, _t186);
				 *(_t183 - 4) = 8;
				_t99 =  *((intOrPtr*)(_t183 - 0x2c));
				_t187 = _t99;
				if(_t99 != 0) {
					_t161 =  *_t99;
					 *((intOrPtr*)( *_t99 + 8))(_t99);
				}
				 *(_t183 - 4) = 9;
				E6B158460( *((intOrPtr*)(_t183 - 0x14)) + 0xfffffff0, _t165);
				_push(_t183 - 0x10);
				E6B14E8E8(L"Static", _t179, _t187);
				 *(_t183 - 4) = 0xa;
				 *((intOrPtr*)(_t183 + 0x10)) = _t184;
				E6B13D7DD(_t157, _t165, _t183 - 0x10, _t179, _t187,  *((intOrPtr*)(_t183 + 0xc)), _t184, _t161);
				_t180 = _t183 - 0x20;
				_t107 = E6B13D868( *((intOrPtr*)(_t183 + 0xc)), _t183 - 0x20,  *((intOrPtr*)(_t183 + 0x10)));
				 *(_t183 - 4) = 0xb;
				_t158 =  *((intOrPtr*)(_t183 + 8));
				_push(_t107);
				_push(_t158 + 8);
				E6B1425B2(_t158, _t165,  *((intOrPtr*)(_t183 + 0xc)), _t183 - 0x20, _t187);
				 *(_t183 - 4) = 0xd;
				_t110 =  *((intOrPtr*)(_t183 - 0x20));
				_t188 = _t110;
				if(_t110 != 0) {
					_t161 =  *_t110;
					 *((intOrPtr*)( *_t110 + 8))(_t110);
				}
				 *(_t183 - 4) = 0xe;
				E6B158460( *((intOrPtr*)(_t183 - 0x10)) + 0xfffffff0, _t165);
				E6B14E8E8(L"SysLink", _t180, _t188);
				 *(_t183 - 4) = 0xf;
				 *((intOrPtr*)(_t183 - 0x14)) = _t184;
				E6B13D7DD(_t158, _t165, _t183 + 0x10, _t180, _t188,  *((intOrPtr*)(_t183 + 0xc)), _t184, _t161);
				_t181 = _t183 - 0x2c;
				_t118 = E6B13D868( *((intOrPtr*)(_t183 + 0xc)), _t183 - 0x2c, _t183 + 0x10);
				_push(_t158 + 0x18);
				_t160 = _t118;
				 *(_t183 - 4) = 0x10;
				E6B1428EE(_t118, _t165,  *((intOrPtr*)(_t183 + 0xc)), _t183 - 0x2c, _t188);
				 *(_t183 - 4) = 0x12;
				_t120 =  *((intOrPtr*)(_t183 - 0x2c));
				_t189 = _t120;
				if(_t120 != 0) {
					_t161 =  *_t120;
					 *((intOrPtr*)( *_t120 + 8))(_t120);
				}
				 *(_t183 - 4) = 0x13;
				E6B158460( *((intOrPtr*)(_t183 + 0x10)) + 0xfffffff0, _t165);
				_push(_t183 - 0x14);
				E6B14E8E8(L"File", _t181, _t189);
				 *(_t183 - 4) = 0x14;
				_t129 = E6B13D6C4( *((intOrPtr*)(_t183 + 0xc)), _t160, _t161, _t183 - 0x20, _t183 - 0x14);
				 *(_t183 - 4) = 0x15;
				_t182 =  *((intOrPtr*)(_t183 + 8));
				_push(_t182 + 0x28);
				_t163 = _t129;
				E6B14381C(_t160, _t129, _t165, L"File", _t182, _t189);
				 *(_t183 - 4) = 0x17;
				_t131 =  *((intOrPtr*)(_t183 - 0x20));
				_t190 = _t131;
				if(_t131 != 0) {
					_t163 =  *_t131;
					 *((intOrPtr*)( *_t131 + 8))(_t131);
				}
				 *(_t183 - 4) = 0x18;
				E6B158460( *((intOrPtr*)(_t183 - 0x14)) + 0xfffffff0, _t165);
				_push(_t183 + 0x10);
				E6B14E8E8(L"Hide", _t182, _t190);
				 *(_t183 - 4) = 0x19;
				 *((char*)(_t182 + 0x34)) = E6B13D6C4( *((intOrPtr*)(_t183 + 0xc)), _t160, _t163, _t183 - 0x2c, _t183 + 0x10) & 0xffffff00 |  *_t140 == 0x00000000;
				_t142 =  *((intOrPtr*)(_t183 - 0x2c));
				if(_t142 != 0) {
					 *((intOrPtr*)( *_t142 + 8))(_t142);
				}
				E6B158460( *((intOrPtr*)(_t183 + 0x10)) + 0xfffffff0, _t165);
				return E6B162709(_t182);
			}

0x6b143ad4
0x6b143ad4
0x6b143ad4
0x6b143ad4
0x6b143adb
0x6b143ae3
0x6b143ae9
0x6b143aee
0x6b143afd
0x6b143b02
0x6b143b06
0x6b143b09
0x6b143b0b
0x6b143b10
0x6b143b14
0x6b143b17
0x6b143b19
0x6b143b1b
0x6b143b1e
0x6b143b1e
0x6b143b21
0x6b143b2b
0x6b143b33
0x6b143b39
0x6b143b49
0x6b143b4d
0x6b143b52
0x6b143b59
0x6b143b5c
0x6b143b5e
0x6b143b63
0x6b143b67
0x6b143b6a
0x6b143b6c
0x6b143b6e
0x6b143b71
0x6b143b71
0x6b143b74
0x6b143b7e
0x6b143b86
0x6b143b8c
0x6b143b91
0x6b143b9e
0x6b143ba5
0x6b143bad
0x6b143bb0
0x6b143bb5
0x6b143bb9
0x6b143bbc
0x6b143bc0
0x6b143bc1
0x6b143bc6
0x6b143bca
0x6b143bcd
0x6b143bcf
0x6b143bd1
0x6b143bd4
0x6b143bd4
0x6b143bd7
0x6b143be1
0x6b143bef
0x6b143bf7
0x6b143bfb
0x6b143c05
0x6b143c0d
0x6b143c10
0x6b143c18
0x6b143c19
0x6b143c1b
0x6b143c1f
0x6b143c24
0x6b143c28
0x6b143c2b
0x6b143c2d
0x6b143c2f
0x6b143c32
0x6b143c32
0x6b143c35
0x6b143c3f
0x6b143c47
0x6b143c4d
0x6b143c5d
0x6b143c61
0x6b143c66
0x6b143c6a
0x6b143c70
0x6b143c71
0x6b143c73
0x6b143c78
0x6b143c7c
0x6b143c7f
0x6b143c81
0x6b143c83
0x6b143c86
0x6b143c86
0x6b143c89
0x6b143c93
0x6b143c9b
0x6b143ca1
0x6b143cb1
0x6b143cc0
0x6b143cc3
0x6b143cc8
0x6b143ccd
0x6b143ccd
0x6b143cd6
0x6b143ce2

APIs

__EH_prolog3.LIBCMT ref: 6B143ADB

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B14381C: __EH_prolog3.LIBCMT ref: 6B143823

Strings

Hide, xrefs: 6B143C9C
SysLink, xrefs: 6B143BEA
File, xrefs: 6B143C48
SubTitle, xrefs: 6B143B34
Static, xrefs: 6B143B87
Title, xrefs: 6B143AE4

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: File$Hide$Static$SubTitle$SysLink$Title
API String ID: 431132790-4216723965
Opcode ID: d8ac34b7cb5991f9169e6f8c22dd1b05cd353275bdd73343eb29a1c34d9907a8
Instruction ID: 88d998a1ed61ad01be6aa374b80c0ea5f97bc4ba4c96fead84780ef2d736155e
Opcode Fuzzy Hash: d8ac34b7cb5991f9169e6f8c22dd1b05cd353275bdd73343eb29a1c34d9907a8
Instruction Fuzzy Hash: 1D611C7290025DEFDF00DBB8C845BDEB7B8AF19328F148594E424EB281D779EA05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B1575EA Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6B1575EA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t33;
				void* _t41;
				void* _t42;
				intOrPtr* _t43;
				long _t65;
				void* _t71;
				void* _t80;

				_t71 = __edx;
				_push(0x24);
				E6B16265B(0x6b164f7a, __ebx, __edi, __esi);
				_t79 = "GetProcessImageFileNameW";
				_t33 = GetProcAddress( *( *((intOrPtr*)(_t80 + 8)) + 4), "GetProcessImageFileNameW");
				_t82 = _t33;
				if(_t33 == 0) {
					_t65 = GetLastError();
					_push(_t80 - 0x10);
					E6B14E8E8(L"GetProcAddress looking for ", "GetProcessImageFileNameW", _t82);
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					_push(_t80 - 0x24);
					 *((intOrPtr*)(_t80 - 0x14)) = E6B14E8E8(L" in ", "GetProcessImageFileNameW", _t82);
					_push(_t80 - 0x20);
					 *(_t80 - 4) = 1;
					_t41 = E6B14E93B(_t79, _t79, _t82);
					_push( *((intOrPtr*)(_t80 - 0x14)));
					_push(_t80 - 0x1c);
					 *(_t80 - 4) = 2;
					_t42 = E6B14F092(_t65, _t41, _t79, _t82);
					_push( *((intOrPtr*)(_t80 + 8)) + 8);
					_push(_t80 - 0x18);
					 *(_t80 - 4) = 3;
					_t43 = E6B14F092(_t65, _t42, _t79, _t82);
					 *(_t80 - 4) = 4;
					E6B15383E(_t80 - 0x10, _t80 - 0x18,  *_t43,  *((intOrPtr*)( *_t43 - 0xc)));
					E6B158460( *((intOrPtr*)(_t80 - 0x18)) + 0xfffffff0, _t71);
					E6B158460( *((intOrPtr*)(_t80 - 0x1c)) + 0xfffffff0, _t71);
					E6B158460( *((intOrPtr*)(_t80 - 0x20)) + 0xfffffff0, _t71);
					E6B158460( *((intOrPtr*)(_t80 - 0x24)) + 0xfffffff0, _t71);
					 *(_t80 - 4) = 5;
					 *((intOrPtr*)(_t80 - 0x30)) = 0x6b136e44;
					 *((intOrPtr*)(_t80 - 0x2c)) = _t65;
					 *((intOrPtr*)(_t80 - 0x28)) = E6B1583FD( *((intOrPtr*)(_t80 - 0x10)) + 0xfffffff0) + 0x10;
					 *(_t80 - 4) = 0;
					_t33 = E6B15DBDB(_t80 - 0x30, 0x6b16839c);
				}
				return E6B162709(_t33);
			}

0x6b1575ea
0x6b1575ea
0x6b1575f1
0x6b1575f9
0x6b157602
0x6b157608
0x6b15760a
0x6b157616
0x6b15761b
0x6b157621
0x6b157626
0x6b15762d
0x6b157638
0x6b15763e
0x6b157641
0x6b157645
0x6b15764a
0x6b157650
0x6b157653
0x6b157657
0x6b157662
0x6b157666
0x6b157669
0x6b15766d
0x6b157672
0x6b15767f
0x6b15768a
0x6b157695
0x6b1576a0
0x6b1576ab
0x6b1576b0
0x6b1576ba
0x6b1576c1
0x6b1576cc
0x6b1576d8
0x6b1576dc
0x6b1576dc
0x6b1576e6

APIs

__EH_prolog3.LIBCMT ref: 6B1575F1
GetProcAddress.KERNEL32(00000006,GetProcessImageFileNameW), ref: 6B157602
GetLastError.KERNEL32 ref: 6B157610

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14E93B: __EH_prolog3.LIBCMT ref: 6B14E942

Part of subcall function 6B14F092: __EH_prolog3.LIBCMT ref: 6B14F099

Part of subcall function 6B15383E: _wcsnlen.LIBCMT ref: 6B153871
Part of subcall function 6B15383E: _memcpy_s.LIBCMT ref: 6B1538A7

__CxxThrowException@8.LIBCMT ref: 6B1576DC

Part of subcall function 6B15DBDB: RaiseException.KERNEL32(?,?,6B159236,?,?,?,?,?,6B159236,?,6B167F54,6B1722B4), ref: 6B15DC1D

Strings

in , xrefs: 6B15762E
GetProcAddress looking for , xrefs: 6B15761C
GetProcessImageFileNameW, xrefs: 6B1575F9, 6B1575FE

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$AddressErrorExceptionException@8LastProcRaiseThrow_memcpy_s_wcsnlen
String ID: in $GetProcAddress looking for $GetProcessImageFileNameW
API String ID: 1153917472-2471920563
Opcode ID: 28ebeb3556d94457cde8cff4f0d77cffcbe2d6698632aff85059dee967065680
Instruction ID: 23913064f0b841f89714c3966851d9e4c649cff3b44cb0c2c19f3b6ea84c74e1
Opcode Fuzzy Hash: 28ebeb3556d94457cde8cff4f0d77cffcbe2d6698632aff85059dee967065680
Instruction Fuzzy Hash: BF312BB2910159FFCB00DBF8C845BEEBBB4AF19328F144155E524F7281EB389A158B61

Uniqueness

Uniqueness Score: -1.00%

Function 6B149B4C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E6B149B4C(intOrPtr* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				void* _t13;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				intOrPtr* _t32;
				intOrPtr* _t39;
				void* _t40;
				void* _t41;

				_t41 = __eflags;
				_t39 = __esi;
				_t32 = __ebx;
				_push(8);
				E6B16265B(0x6b16670e, __ebx, __edi, __esi);
				_push( *((intOrPtr*)(__esi + 4)));
				 *(_t40 - 0x14) =  *(_t40 - 0x14) & 0x00000000;
				_t38 = L"IDS_INSTALL_PROGRESS_BAR_HEADER";
				_t13 = E6B13C3BC(__ebx, __edx, L"IDS_INSTALL_PROGRESS_BAR_HEADER", __esi, _t41);
				if(_t13 != 0) {
					_t27 = _t13 - 1;
					if(_t27 == 0) {
						_t38 = L"IDS_ROLLBACK_PROGRESS_BAR_HEADER";
					} else {
						_t28 = _t27 - 1;
						if(_t28 == 0) {
							_t38 = L"IDS_UNINSTALL_PROGRESS_BAR_HEADER";
						} else {
							_t29 = _t28 - 1;
							if(_t29 == 0) {
								_t38 = L"IDS_REPAIR_PROGRESS_BAR_HEADER";
							} else {
								_t30 = _t29 - 4;
								if(_t30 == 0) {
									_t38 = L"IDS_CREATE_LAYOUT_PROGRESS_BAR_HEADER";
								} else {
									_t47 = _t30 == 3;
									if(_t30 == 3) {
										_t38 = L"IDS_UNINSTALLPATCH_PROGRESS_BAR_HEADER";
									}
								}
							}
						}
					}
				}
				E6B14E8E8(_t38, _t39, _t47);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				 *_t32 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t39))))(_t40 - 0x10, _t40 - 0x10))) - 0x10) + 0x10;
				E6B158460( *((intOrPtr*)(_t40 - 0x10)) + 0xfffffff0, _t40 - 0x10);
				return E6B162709(_t32);
			}

0x6b149b4c
0x6b149b4c
0x6b149b4c
0x6b149b4c
0x6b149b53
0x6b149b58
0x6b149b5b
0x6b149b5f
0x6b149b6a
0x6b149b6b
0x6b149b6d
0x6b149b6e
0x6b149b9c
0x6b149b70
0x6b149b70
0x6b149b71
0x6b149b95
0x6b149b73
0x6b149b73
0x6b149b74
0x6b149b8e
0x6b149b76
0x6b149b76
0x6b149b79
0x6b149b87
0x6b149b7b
0x6b149b7b
0x6b149b7e
0x6b149b80
0x6b149b80
0x6b149b7e
0x6b149b79
0x6b149b74
0x6b149b71
0x6b149b6e
0x6b149ba5
0x6b149baa
0x6b149bc5
0x6b149bcd
0x6b149bd9

APIs

__EH_prolog3.LIBCMT ref: 6B149B53

Part of subcall function 6B13C3BC: __EH_prolog3.LIBCMT ref: 6B13C3C3
Part of subcall function 6B13C3BC: GetCommandLineW.KERNEL32(0000001C,6B149B69,?,00000008,6B14A8A4), ref: 6B13C3C8

Strings

IDS_INSTALL_PROGRESS_BAR_HEADER, xrefs: 6B149B5F
IDS_ROLLBACK_PROGRESS_BAR_HEADER, xrefs: 6B149B9C
IDS_CREATE_LAYOUT_PROGRESS_BAR_HEADER, xrefs: 6B149B87
IDS_UNINSTALL_PROGRESS_BAR_HEADER, xrefs: 6B149B95
IDS_REPAIR_PROGRESS_BAR_HEADER, xrefs: 6B149B8E
IDS_UNINSTALLPATCH_PROGRESS_BAR_HEADER, xrefs: 6B149B80

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: IDS_CREATE_LAYOUT_PROGRESS_BAR_HEADER$IDS_INSTALL_PROGRESS_BAR_HEADER$IDS_REPAIR_PROGRESS_BAR_HEADER$IDS_ROLLBACK_PROGRESS_BAR_HEADER$IDS_UNINSTALLPATCH_PROGRESS_BAR_HEADER$IDS_UNINSTALL_PROGRESS_BAR_HEADER
API String ID: 1384747822-3246460586
Opcode ID: e4d92c17372d7c65471d97757a8e11cd67a82baa7a3d030e9fc607618352b771
Instruction ID: 0dd973b9c1e4fa0a55912363aa2865d4be1ae9c6448c9a1b9790d97bcf195680
Opcode Fuzzy Hash: e4d92c17372d7c65471d97757a8e11cd67a82baa7a3d030e9fc607618352b771
Instruction Fuzzy Hash: 2501DFB242021ABFDF00CB78D666F29B662FBA93EBF550544D020EB345EABED500C751

Uniqueness

Uniqueness Score: -1.00%

Function 6B13E9B3 Relevance: 12.1, APIs: 8, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13E9B3(signed int* __esi, int _a4, struct HWND__* _a8, long _a12) {
				char _v8;
				void* _v12;
				void* _v16;
				void* __ebx;
				signed int _t38;
				WCHAR* _t41;
				long _t42;
				struct HHOOK__* _t45;
				void* _t49;
				WCHAR* _t52;
				WCHAR* _t58;
				WCHAR* _t64;
				WCHAR* _t70;
				struct HHOOK__* _t73;
				void* _t81;
				signed int* _t83;

				_t83 = __esi;
				if(_a4 == 5) {
					_t38 =  *__esi & 0x0000000f;
					if(_t38 == 0) {
						_t41 =  *(E6B13E8C2( &(__esi[2]),  &_v16, 1));
						if( *((intOrPtr*)(_t41 - 0xc)) != 0) {
							SetDlgItemTextW(_a8, 1, _t41);
						}
						_t42 = _v16;
						L20:
						E6B158460(_t42 + 0xfffffff0, _t81);
						_t45 = _t83[1];
						if(_t45 != 0) {
							UnhookWindowsHookEx(_t45);
							_t83[1] = _t83[1] & 0;
						}
						goto L22;
					}
					_t49 = _t38 - 1;
					if(_t49 == 0) {
						_t52 =  *(E6B13E8C2( &(__esi[2]),  &_v8, 1));
						if( *((intOrPtr*)(_t52 - 0xc)) != 0) {
							SetDlgItemTextW(_a8, 1, _t52);
						}
						E6B158460(_v8 + 0xfffffff0, _t81);
						_t58 =  *(E6B13E8C2( &(_t83[2]),  &_v12, 2));
						if( *((intOrPtr*)(_t58 - 0xc)) != 0) {
							SetDlgItemTextW(_a8, 2, _t58);
						}
						_t42 = _v12;
						goto L20;
					}
					if(_t49 == 3) {
						_t64 =  *(E6B13E8C2( &(__esi[2]),  &_a4, 6));
						if( *((intOrPtr*)(_t64 - 0xc)) != 0) {
							SetDlgItemTextW(_a8, 6, _t64);
						}
						E6B158460(_a4 + 0xfffffff0, _t81);
						_t70 =  *(E6B13E8C2( &(_t83[2]),  &_a12, 7));
						if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
							SetDlgItemTextW(_a8, 7, _t70);
						}
						_t42 = _a12;
						goto L20;
					}
					_t73 = __esi[1];
					if(_t73 != 0) {
						UnhookWindowsHookEx(_t73);
						__esi[1] = 0;
					}
					goto L22;
				} else {
					CallNextHookEx(__esi[1], _a4, _a8, _a12);
					L22:
					return 0;
				}
			}

0x6b13e9b3
0x6b13e9c1
0x6b13e9e1
0x6b13e9e3
0x6b13eab8
0x6b13eabd
0x6b13eac5
0x6b13eac5
0x6b13eacb
0x6b13eace
0x6b13ead1
0x6b13ead6
0x6b13eadb
0x6b13eade
0x6b13eae4
0x6b13eae4
0x00000000
0x6b13eadb
0x6b13e9e9
0x6b13e9ea
0x6b13ea68
0x6b13ea6d
0x6b13ea75
0x6b13ea75
0x6b13ea81
0x6b13ea93
0x6b13ea98
0x6b13eaa0
0x6b13eaa0
0x6b13eaa6
0x00000000
0x6b13eaa6
0x6b13e9ef
0x6b13ea18
0x6b13ea1d
0x6b13ea25
0x6b13ea25
0x6b13ea31
0x6b13ea43
0x6b13ea48
0x6b13ea50
0x6b13ea50
0x6b13ea56
0x00000000
0x6b13ea56
0x6b13e9f1
0x6b13e9f6
0x6b13e9fd
0x6b13ea03
0x6b13ea03
0x00000000
0x6b13e9c3
0x6b13e9cf
0x6b13eae8
0x6b13eaec
0x6b13eaec

APIs

CallNextHookEx.USER32(?,00000005,?,?), ref: 6B13E9CF
UnhookWindowsHookEx.USER32(?), ref: 6B13E9FD

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Hook$CallNextUnhookWindows
String ID:
API String ID: 969045306-0
Opcode ID: d2cb3a5c569fd85a50e1635305276bedef1c42ba0ac14a6d7536693b28016ab9
Instruction ID: c149ddb8073808574ba7fbb97f05a6190f459275f796b3c94862c3c1609d35c9
Opcode Fuzzy Hash: d2cb3a5c569fd85a50e1635305276bedef1c42ba0ac14a6d7536693b28016ab9
Instruction Fuzzy Hash: B9414C32A10B19FFDB10DF28C889EA9B7B5FF41716F108594F4659A1A0E335EE64CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6B140B43 Relevance: 12.1, APIs: 8, Instructions: 77
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E6B140B43(void* __eax, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed short _t37;
				struct HWND__* _t39;
				void* _t48;

				_t48 = __eax;
				if(_a4 != 9) {
					if(_a4 != 0xd) {
						L10:
						 *_a8 =  *_a8 & 0x00000000;
						return 0;
					}
					_v12 = _v12 | 0xffffffff;
					_v8 = _v8 | 0xffffffff;
					_v16 = 0;
					SendMessageW(GetParent( *(__eax + 4)), 0x6da, 0,  &_v16);
					if(_v16 == 0) {
						goto L10;
					}
					SendMessageW(GetParent( *(_t48 + 4)), 0x6dd, _v12, _v8);
					L6:
					 *_a8 = 1;
					return 1;
				}
				_t37 = GetKeyState(0x10);
				_v12 = _v12 | 0xffffffff;
				_v8 = _v8 | 0xffffffff;
				_t49 = _t48 + 4;
				_push( *(_t48 + 4));
				_v16 = 0;
				if((_t37 & 0x8000) == 0) {
					_t39 = GetParent();
					_t46 =  &_v16;
					_push( &_v16);
					_push(0);
					_push(0x6db);
				} else {
					_t39 = GetParent();
					_t46 =  &_v16;
					_push( &_v16);
					_push(0);
					_push(0x6dc);
				}
				SendMessageW(_t39, ??, ??, ??);
				if(_v16 == 0) {
					goto L10;
				} else {
					E6B150324(_v12, _t46, _t49, _v8);
					goto L6;
				}
			}

0x6b140b52
0x6b140b54
0x6b140bc4
0x6b140c0c
0x6b140c0f
0x00000000
0x6b140c12
0x6b140bcf
0x6b140bd3
0x6b140bd7
0x6b140bef
0x6b140bf5
0x00000000
0x00000000
0x6b140c08
0x6b140bb6
0x6b140bbc
0x00000000
0x6b140bbc
0x6b140b58
0x6b140b5e
0x6b140b62
0x6b140b69
0x6b140b6c
0x6b140b6e
0x6b140b77
0x6b140b8c
0x6b140b92
0x6b140b95
0x6b140b96
0x6b140b98
0x6b140b79
0x6b140b79
0x6b140b7f
0x6b140b82
0x6b140b83
0x6b140b85
0x6b140b85
0x6b140b9e
0x6b140ba8
0x00000000
0x6b140baa
0x6b140bb1
0x00000000
0x6b140bb1

APIs

GetKeyState.USER32 ref: 6B140B58
GetParent.USER32 ref: 6B140B79
GetParent.USER32 ref: 6B140B8C
SendMessageW.USER32(00000000,000006DB,00000000,00000000), ref: 6B140B9E
GetParent.USER32(?), ref: 6B140BDB
SendMessageW.USER32(00000000,000006DA,00000000,00000000), ref: 6B140BEF
GetParent.USER32(000000FF), ref: 6B140BFA
SendMessageW.USER32(00000000,000006DD,000000FF,000000FF), ref: 6B140C08

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Parent$MessageSend$State
String ID:
API String ID: 1493399426-0
Opcode ID: eca764f549cf60d575cc2faae08764d1d7a5ea146ab87ae505e60c9b7d05bc3f
Instruction ID: 9fe4495c460b7c22fdd4cda3376661486387ae395dbb60d60ccd078bd71ddee4
Opcode Fuzzy Hash: eca764f549cf60d575cc2faae08764d1d7a5ea146ab87ae505e60c9b7d05bc3f
Instruction Fuzzy Hash: 64219275D00208FFDF21ABA9CC4AF9EBFB5EB12365F108195F161A60D0D7789611CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6B1448B6 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6B1448B6(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t85;
				intOrPtr* _t87;
				void* _t98;
				void* _t99;
				intOrPtr* _t101;
				intOrPtr* _t102;
				void* _t116;
				void* _t117;
				intOrPtr* _t119;
				intOrPtr* _t120;
				void* _t134;
				void* _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				intOrPtr* _t155;
				intOrPtr _t157;
				void* _t170;
				void* _t185;
				void* _t186;

				_t186 = __eflags;
				_t170 = __edx;
				_t158 = __ecx;
				_push(0x40);
				E6B16265B(0x6b166ff0, __ebx, __edi, __esi);
				 *(_t185 - 4) =  *(_t185 - 4) & 0x00000000;
				_t155 =  *((intOrPtr*)(_t185 + 8));
				_push(_t185 - 0x10);
				 *_t155 = 0x6b137484;
				E6B14E8E8(L"Text", __esi, _t186);
				 *(_t185 - 4) = 1;
				_t85 = E6B13D6C4( *((intOrPtr*)(_t185 + 0xc)), _t155, _t158, _t185 - 0x28, _t185 - 0x10);
				_t156 = _t155 + 4;
				_t183 = _t85;
				 *(_t185 - 4) = 2;
				E6B13D76F(_t155 + 4, L"Text", _t85, _t186);
				 *(_t185 - 4) = 4;
				_t87 =  *((intOrPtr*)(_t185 - 0x28));
				_t187 = _t87;
				if(_t87 != 0) {
					_t158 =  *_t87;
					 *((intOrPtr*)( *_t87 + 8))(_t87);
				}
				 *(_t185 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t185 - 0x10)) + 0xfffffff0, _t170);
				_push(_t185 - 0x18);
				E6B14E8E8(L"Drive1", _t183, _t187);
				_t184 = L"Placement";
				_push(_t185 - 0x14);
				 *(_t185 - 4) = 6;
				E6B14E8E8(L"Placement", L"Placement", _t187);
				 *(_t185 - 4) = 7;
				_t98 = E6B13D6C4( *((intOrPtr*)(_t185 + 0xc)), _t156, _t158, _t185 - 0x40, _t185 - 0x14);
				 *(_t185 - 4) = 8;
				_t99 = E6B13D6C4(_t98, _t156, _t185 - 0x34, _t185 - 0x34, _t185 - 0x18);
				 *(_t185 - 4) = 9;
				_t157 =  *((intOrPtr*)(_t185 + 8));
				_t161 = _t157 + 8;
				_push(_t157 + 8);
				E6B141F81(_t99, _t184, _t187);
				 *(_t185 - 4) = 0xb;
				_t101 =  *((intOrPtr*)(_t185 - 0x34));
				if(_t101 != 0) {
					_t161 =  *_t101;
					 *((intOrPtr*)( *_t101 + 8))(_t101);
				}
				 *(_t185 - 4) = 0xc;
				_t102 =  *((intOrPtr*)(_t185 - 0x40));
				_t189 = _t102;
				if(_t102 != 0) {
					_t161 =  *_t102;
					 *((intOrPtr*)( *_t102 + 8))(_t102);
				}
				E6B158460( *((intOrPtr*)(_t185 - 0x14)) + 0xfffffff0, _t170);
				 *(_t185 - 4) = 0xe;
				E6B158460( *((intOrPtr*)(_t185 - 0x18)) + 0xfffffff0, _t170);
				_push(_t185 - 0x1c);
				E6B14E8E8(L"Drive2", _t184, _t189);
				_push(_t185 - 0x10);
				 *(_t185 - 4) = 0xf;
				E6B14E8E8(_t184, _t184, _t189);
				 *(_t185 - 4) = 0x10;
				_t116 = E6B13D6C4( *((intOrPtr*)(_t185 + 0xc)), _t157, _t161, _t185 - 0x4c, _t185 - 0x10);
				 *(_t185 - 4) = 0x11;
				_t117 = E6B13D6C4(_t116, _t157, _t185 - 0x28, _t185 - 0x28, _t185 - 0x1c);
				_t164 = _t157 + 0x1c;
				_push(_t157 + 0x1c);
				 *(_t185 - 4) = 0x12;
				E6B141F81(_t117, _t184, _t189);
				 *(_t185 - 4) = 0x14;
				_t119 =  *((intOrPtr*)(_t185 - 0x28));
				if(_t119 != 0) {
					_t164 =  *_t119;
					 *((intOrPtr*)( *_t119 + 8))(_t119);
				}
				 *(_t185 - 4) = 0x15;
				_t120 =  *((intOrPtr*)(_t185 - 0x4c));
				_t191 = _t120;
				if(_t120 != 0) {
					_t164 =  *_t120;
					 *((intOrPtr*)( *_t120 + 8))(_t120);
				}
				E6B158460( *((intOrPtr*)(_t185 - 0x10)) + 0xfffffff0, _t170);
				 *(_t185 - 4) = 0x17;
				E6B158460( *((intOrPtr*)(_t185 - 0x1c)) + 0xfffffff0, _t170);
				_push(_t185 - 0x14);
				E6B14E8E8(L"Drive3", _t184, _t191);
				_push(_t185 - 0x18);
				 *(_t185 - 4) = 0x18;
				E6B14E8E8(_t184, _t184, _t191);
				 *(_t185 - 4) = 0x19;
				_t134 = E6B13D6C4( *((intOrPtr*)(_t185 + 0xc)), _t157, _t164, _t185 - 0x34, _t185 - 0x18);
				 *(_t185 - 4) = 0x1a;
				_t135 = E6B13D6C4(_t134, _t157, _t185 - 0x40, _t185 - 0x40, _t185 - 0x14);
				_push(_t157 + 0x30);
				 *(_t185 - 4) = 0x1b;
				E6B141F81(_t135, _t184, _t191);
				 *(_t185 - 4) = 0x1a;
				_t137 =  *((intOrPtr*)(_t185 - 0x40));
				if(_t137 != 0) {
					 *((intOrPtr*)( *_t137 + 8))(_t137);
				}
				 *(_t185 - 4) = 0x19;
				_t138 =  *((intOrPtr*)(_t185 - 0x34));
				if(_t138 != 0) {
					 *((intOrPtr*)( *_t138 + 8))(_t138);
				}
				E6B158460( *((intOrPtr*)(_t185 - 0x18)) + 0xfffffff0, _t170);
				E6B158460( *((intOrPtr*)(_t185 - 0x14)) + 0xfffffff0, _t170);
				return E6B162709(_t157);
			}

0x6b1448b6
0x6b1448b6
0x6b1448b6
0x6b1448b6
0x6b1448bd
0x6b1448c2
0x6b1448c6
0x6b1448cc
0x6b1448d2
0x6b1448d8
0x6b1448e8
0x6b1448ec
0x6b1448f1
0x6b1448f4
0x6b1448f6
0x6b1448fa
0x6b1448ff
0x6b144903
0x6b144906
0x6b144908
0x6b14490a
0x6b14490d
0x6b14490d
0x6b144910
0x6b14491a
0x6b144922
0x6b144928
0x6b144930
0x6b144935
0x6b144938
0x6b14493c
0x6b14494c
0x6b144950
0x6b14495d
0x6b144961
0x6b144966
0x6b14496a
0x6b14496d
0x6b144970
0x6b144973
0x6b144978
0x6b14497c
0x6b144981
0x6b144983
0x6b144986
0x6b144986
0x6b144989
0x6b14498d
0x6b144990
0x6b144992
0x6b144994
0x6b144997
0x6b144997
0x6b1449a0
0x6b1449a5
0x6b1449af
0x6b1449b7
0x6b1449bd
0x6b1449c5
0x6b1449c8
0x6b1449cc
0x6b1449dc
0x6b1449e0
0x6b1449ed
0x6b1449f1
0x6b1449f6
0x6b1449f9
0x6b1449fc
0x6b144a00
0x6b144a05
0x6b144a09
0x6b144a0e
0x6b144a10
0x6b144a13
0x6b144a13
0x6b144a16
0x6b144a1a
0x6b144a1d
0x6b144a1f
0x6b144a21
0x6b144a24
0x6b144a24
0x6b144a2d
0x6b144a32
0x6b144a3c
0x6b144a44
0x6b144a4a
0x6b144a52
0x6b144a55
0x6b144a59
0x6b144a69
0x6b144a6d
0x6b144a7a
0x6b144a7e
0x6b144a86
0x6b144a89
0x6b144a8d
0x6b144a92
0x6b144a96
0x6b144a9b
0x6b144aa0
0x6b144aa0
0x6b144aa3
0x6b144aa7
0x6b144aac
0x6b144ab1
0x6b144ab1
0x6b144aba
0x6b144ac5
0x6b144ad1

APIs

__EH_prolog3.LIBCMT ref: 6B1448BD

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Part of subcall function 6B141F81: __EH_prolog3.LIBCMT ref: 6B141F88

Strings

Placement, xrefs: 6B144930
Text, xrefs: 6B1448CD
Drive1, xrefs: 6B144923
Drive3, xrefs: 6B144A45
Drive2, xrefs: 6B1449B8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Drive1$Drive2$Drive3$Placement$Text
API String ID: 431132790-3260609399
Opcode ID: d47aecac01fca458749720ec3ed404a24a3421d19a601a21ea43981387414b1f
Instruction ID: 3c868efef59521028b76528e96e3052893501c1ace26f6521ef4c711f28f26f8
Opcode Fuzzy Hash: d47aecac01fca458749720ec3ed404a24a3421d19a601a21ea43981387414b1f
Instruction Fuzzy Hash: 22713E7290015DEFDF00CBF8C545BEEBBB8AF19318F284198E515E7281DB38AA49D721

Uniqueness

Uniqueness Score: -1.00%

Function 6B147FE0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B147FE0(intOrPtr __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t113;
				int _t127;
				int _t141;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t152;
				intOrPtr _t160;
				intOrPtr _t168;
				intOrPtr _t176;
				void* _t178;
				intOrPtr _t184;
				intOrPtr _t199;
				intOrPtr _t200;
				intOrPtr _t208;
				void* _t210;
				void* _t211;

				_t211 = __eflags;
				_t178 = __edx;
				_t160 = __ebx;
				_push(0x14);
				E6B16265B(0x6b1657d5, __ebx, __edi, __esi);
				_push(_t210 - 0x18);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 8)))), __esi, _t211);
				 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
				_push(_t210 - 0x14);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0xc)))), __esi, _t211);
				_t113 = PathGetDriveNumberW( *(_t210 - 0x14));
				 *((char*)(_t210 - 0xe)) = _t113 == PathGetDriveNumberW( *(_t210 - 0x18));
				E6B158460( &(( *(_t210 - 0x14))[0xfffffffffffffff8]), _t178);
				 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
				E6B158460( &(( *(_t210 - 0x18))[0xfffffffffffffff8]), _t178);
				_push(_t210 - 0x14);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)))), PathGetDriveNumberW, _t113 - PathGetDriveNumberW( *(_t210 - 0x18)));
				 *(_t210 - 4) = 1;
				_push(_t210 - 0x18);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 8)))), PathGetDriveNumberW, _t113 - PathGetDriveNumberW( *(_t210 - 0x18)));
				_t127 = PathGetDriveNumberW( *(_t210 - 0x18));
				 *((char*)(_t210 - 0xd)) = _t127 == PathGetDriveNumberW( *(_t210 - 0x14));
				E6B158460( &(( *(_t210 - 0x18))[0xfffffffffffffff8]), _t178);
				 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
				E6B158460( &(( *(_t210 - 0x14))[0xfffffffffffffff8]), _t178);
				_push(_t210 - 0x20);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0xc)))), PathGetDriveNumberW, _t127 - PathGetDriveNumberW( *(_t210 - 0x14)));
				 *(_t210 - 4) = 2;
				_push(_t210 - 0x1c);
				E6B14E8E8( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)))), PathGetDriveNumberW, _t127 - PathGetDriveNumberW( *(_t210 - 0x14)));
				_t141 = PathGetDriveNumberW( *(_t210 - 0x1c));
				 *((char*)(_t210 - 0xf)) = _t141 == PathGetDriveNumberW( *(_t210 - 0x20));
				E6B158460( &(( *(_t210 - 0x1c))[0xfffffffffffffff8]), _t178);
				 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
				E6B158460( &(( *(_t210 - 0x20))[0xfffffffffffffff8]), _t178);
				 *((intOrPtr*)(__ebx + 8)) = 0;
				_t208 =  *((intOrPtr*)(_t210 + 0x14));
				_t149 =  *((intOrPtr*)(_t210 + 0x18));
				 *((intOrPtr*)(__ebx + 0xc)) = 0;
				 *((intOrPtr*)(_t208 + 8)) = 0;
				 *((intOrPtr*)(_t208 + 0xc)) = 0;
				 *((intOrPtr*)(_t149 + 8)) = 0;
				 *((intOrPtr*)(_t149 + 0xc)) = 0;
				if( *((intOrPtr*)(_t210 - 0xe)) == 0 ||  *((intOrPtr*)(_t210 - 0xd)) == 0) {
					_t150 =  *((intOrPtr*)(_t210 + 0xc));
					__eflags =  *((intOrPtr*)(_t210 - 0xf));
					if( *((intOrPtr*)(_t210 - 0xf)) == 0) {
						__eflags =  *((intOrPtr*)(_t210 - 0xd));
						if( *((intOrPtr*)(_t210 - 0xd)) == 0) {
							__eflags =  *((intOrPtr*)(_t210 - 0xe));
							if( *((intOrPtr*)(_t210 - 0xe)) == 0) {
								 *((intOrPtr*)(_t208 + 8)) =  *((intOrPtr*)(_t150 + 8));
								 *((intOrPtr*)(_t208 + 0xc)) =  *((intOrPtr*)(_t150 + 0xc));
								E6B14EA8D(_t150, _t208);
								_t152 =  *((intOrPtr*)(_t210 + 0x10));
								_t199 =  *((intOrPtr*)(_t210 + 0x18));
								 *((intOrPtr*)(_t199 + 8)) =  *((intOrPtr*)(_t152 + 8));
								 *((intOrPtr*)(_t199 + 0xc)) =  *((intOrPtr*)(_t152 + 0xc));
								E6B14EA8D(_t152, _t199);
								_t154 =  *((intOrPtr*)(_t210 + 8));
								 *((intOrPtr*)(_t160 + 8)) =  *((intOrPtr*)(_t154 + 8));
								 *((intOrPtr*)(_t160 + 0xc)) =  *((intOrPtr*)(_t154 + 0xc));
								goto L12;
							} else {
								_t168 =  *((intOrPtr*)(_t210 + 8));
								asm("adc ecx, [eax+0xc]");
								 *((intOrPtr*)(_t160 + 8)) =  *((intOrPtr*)(_t168 + 8)) +  *((intOrPtr*)(_t150 + 8));
								 *((intOrPtr*)(_t160 + 0xc)) =  *((intOrPtr*)(_t168 + 0xc));
								E6B14EA8D(_t150, _t160);
								_t154 =  *((intOrPtr*)(_t210 + 0x10));
								goto L5;
							}
						} else {
							 *((intOrPtr*)(_t160 + 8)) =  *((intOrPtr*)(_t150 + 8));
							 *((intOrPtr*)(_t160 + 0xc)) =  *((intOrPtr*)(_t150 + 0xc));
							E6B14EA8D(_t150, _t160);
							_t154 =  *((intOrPtr*)(_t210 + 8));
							asm("adc edi, [ecx+0xc]");
							 *((intOrPtr*)(_t208 + 8)) =  *((intOrPtr*)(_t154 + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)) + 8));
							 *((intOrPtr*)(_t208 + 0xc)) =  *((intOrPtr*)(_t154 + 0xc));
							goto L6;
						}
					} else {
						_t184 =  *((intOrPtr*)(_t150 + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)) + 8));
						__eflags = _t184;
						asm("adc edi, [ecx+0xc]");
						 *((intOrPtr*)(_t160 + 8)) = _t184;
						 *((intOrPtr*)(_t160 + 0xc)) =  *((intOrPtr*)(_t150 + 0xc));
						E6B14EA8D(_t150, _t160);
						_t154 =  *((intOrPtr*)(_t210 + 8));
						L5:
						 *((intOrPtr*)(_t208 + 8)) =  *((intOrPtr*)(_t154 + 8));
						 *((intOrPtr*)(_t208 + 0xc)) =  *((intOrPtr*)(_t154 + 0xc));
						L6:
						_t200 = _t208;
					}
				} else {
					_t176 =  *((intOrPtr*)(_t210 + 8));
					_t154 =  *((intOrPtr*)(_t210 + 0xc));
					asm("adc esi, [eax+0xc]");
					asm("adc esi, [ecx+0xc]");
					 *((intOrPtr*)(__ebx + 8)) =  *((intOrPtr*)(_t176 + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t210 + 0xc)) + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x10)) + 8));
					 *((intOrPtr*)(__ebx + 0xc)) =  *((intOrPtr*)(_t176 + 0xc));
					L12:
					_t200 = _t160;
				}
				return E6B162709(E6B14EA8D(_t154, _t200));
			}

0x6b147fe0
0x6b147fe0
0x6b147fe0
0x6b147fe0
0x6b147fe7
0x6b147ff4
0x6b147ff5
0x6b147ffd
0x6b148006
0x6b148007
0x6b148015
0x6b148023
0x6b14802a
0x6b14802f
0x6b148039
0x6b148046
0x6b148047
0x6b14804f
0x6b14805b
0x6b14805c
0x6b148064
0x6b148072
0x6b148079
0x6b14807e
0x6b148088
0x6b148095
0x6b148096
0x6b14809e
0x6b1480aa
0x6b1480ab
0x6b1480b3
0x6b1480c1
0x6b1480c8
0x6b1480cd
0x6b1480d7
0x6b1480de
0x6b1480e1
0x6b1480e4
0x6b1480e7
0x6b1480ea
0x6b1480ed
0x6b1480f0
0x6b1480f3
0x6b1480f9
0x6b148126
0x6b148129
0x6b14812c
0x6b148160
0x6b148163
0x6b148192
0x6b148195
0x6b1481bb
0x6b1481c3
0x6b1481c6
0x6b1481cb
0x6b1481d1
0x6b1481d4
0x6b1481da
0x6b1481dd
0x6b1481e2
0x6b1481e8
0x6b1481ee
0x00000000
0x6b148197
0x6b148197
0x6b1481a3
0x6b1481a8
0x6b1481ab
0x6b1481ae
0x6b1481b3
0x00000000
0x6b1481b3
0x6b148165
0x6b148168
0x6b148170
0x6b148173
0x6b148178
0x6b148187
0x6b14818a
0x6b14818d
0x00000000
0x6b14818d
0x6b14812e
0x6b148134
0x6b148134
0x6b14813a
0x6b14813d
0x6b148140
0x6b148145
0x6b14814a
0x6b14814d
0x6b148150
0x6b148156
0x6b148159
0x6b148159
0x6b148159
0x6b148100
0x6b148100
0x6b148106
0x6b14810f
0x6b148118
0x6b14811b
0x6b14811e
0x6b1481f1
0x6b1481f1
0x6b1481f1
0x6b1481fd

APIs

__EH_prolog3.LIBCMT ref: 6B147FE7

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

PathGetDriveNumberW.SHLWAPI(?,?,?,00000014,6B149180,?,?,?,?,?,?,?,?), ref: 6B148015
PathGetDriveNumberW.SHLWAPI(?), ref: 6B14801C
PathGetDriveNumberW.SHLWAPI(?,?,?,?), ref: 6B148064
PathGetDriveNumberW.SHLWAPI(?), ref: 6B14806B
PathGetDriveNumberW.SHLWAPI(00000001,00000001,?,?), ref: 6B1480B3
PathGetDriveNumberW.SHLWAPI(?), ref: 6B1480BA

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: DriveNumberPath$H_prolog3
String ID:
API String ID: 2285536258-0
Opcode ID: 4a59f452a2534c9d21c05e833eb27ad17e6f7912fffbc2738874049933bee356
Instruction ID: 00a856f52e9a0b3f469f5bb0ddf1713915d9628506aef1b8cd04320f225a6221
Opcode Fuzzy Hash: 4a59f452a2534c9d21c05e833eb27ad17e6f7912fffbc2738874049933bee356
Instruction Fuzzy Hash: 7B81FA76900209EFCB04CF68C48595DBBB1FF49338B29C599E868AB3A1C735E951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6B144E46 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6B144E46(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t91;
				intOrPtr* _t93;
				void* _t102;
				intOrPtr* _t104;
				void* _t113;
				intOrPtr* _t115;
				void* _t124;
				intOrPtr* _t126;
				void* _t135;
				intOrPtr* _t137;
				intOrPtr _t151;
				intOrPtr _t169;
				intOrPtr _t171;
				void* _t172;
				void* _t173;

				_t173 = __eflags;
				_t159 = __edx;
				_push(0x20);
				E6B16265B(0x6b1678d4, __ebx, __edi, __esi);
				_t171 =  *((intOrPtr*)(_t172 + 8));
				_t150 =  *((intOrPtr*)(_t172 + 0xc));
				_push(_t171);
				E6B14396A( *((intOrPtr*)(_t172 + 0xc)),  *((intOrPtr*)(_t172 + 0xc)), __edx, __edi, _t171, _t173);
				 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
				_push(_t172 - 0x10);
				E6B14E8E8(L"Install", _t171, _t173);
				 *(_t172 - 4) = 1;
				_t91 = E6B13D65F(_t150, _t150, _t172 - 0x20, _t172 - 0x10);
				 *(_t172 - 4) = 2;
				E6B143AD4(_t150, _t171 + 0x3c, __edx, L"Install", _t171, _t173, _t171 + 0x3c, _t91,  *((intOrPtr*)(_t172 + 0x10)));
				 *(_t172 - 4) = 4;
				_t93 =  *((intOrPtr*)(_t172 - 0x20));
				_t174 = _t93;
				if(_t93 != 0) {
					 *((intOrPtr*)( *_t93 + 8))(_t93);
				}
				 *(_t172 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t172 - 0x10)) + 0xfffffff0, _t159);
				_push(_t172 - 0x14);
				E6B14E8E8(L"Repair", _t171, _t174);
				 *(_t172 - 4) = 6;
				_t102 = E6B13D65F(_t150, _t150, _t172 - 0x2c, _t172 - 0x14);
				 *(_t172 - 4) = 7;
				E6B143AD4(_t150, _t171 + 0x74, _t159, L"Repair", _t171, _t174, _t171 + 0x74, _t102,  *((intOrPtr*)(_t172 + 0x10)));
				 *(_t172 - 4) = 9;
				_t104 =  *((intOrPtr*)(_t172 - 0x2c));
				_t175 = _t104;
				if(_t104 != 0) {
					 *((intOrPtr*)( *_t104 + 8))(_t104);
				}
				 *(_t172 - 4) = 0xa;
				E6B158460( *((intOrPtr*)(_t172 - 0x14)) + 0xfffffff0, _t159);
				_push(_t172 - 0x10);
				E6B14E8E8(L"Uninstall", _t171, _t175);
				 *(_t172 - 4) = 0xb;
				_t113 = E6B13D65F(_t150, _t150, _t172 - 0x20, _t172 - 0x10);
				_t155 = _t171 + 0xac;
				 *(_t172 - 4) = 0xc;
				E6B143AD4(_t150, _t171 + 0xac, _t159, L"Uninstall", _t171, _t175, _t171 + 0xac, _t113,  *((intOrPtr*)(_t172 + 0x10)));
				 *(_t172 - 4) = 0xe;
				_t115 =  *((intOrPtr*)(_t172 - 0x20));
				_t176 = _t115;
				if(_t115 != 0) {
					_t155 =  *_t115;
					 *((intOrPtr*)( *_t115 + 8))(_t115);
				}
				 *(_t172 - 4) = 0xf;
				E6B158460( *((intOrPtr*)(_t172 - 0x10)) + 0xfffffff0, _t159);
				_push(_t172 - 0x14);
				E6B14E8E8(L"CreateLayout", _t171, _t176);
				 *(_t172 - 4) = 0x10;
				_t124 = E6B13D65F(_t150, _t150, _t172 - 0x2c, _t172 - 0x14);
				_t151 = _t171 + 0xe4;
				 *(_t172 - 4) = 0x11;
				E6B143AD4(_t151, _t155, _t159, L"CreateLayout", _t171, _t176, _t151, _t124,  *((intOrPtr*)(_t172 + 0x10)));
				 *(_t172 - 4) = 0x13;
				_t126 =  *((intOrPtr*)(_t172 - 0x2c));
				_t177 = _t126;
				if(_t126 != 0) {
					_t155 =  *_t126;
					 *((intOrPtr*)( *_t126 + 8))(_t126);
				}
				 *(_t172 - 4) = 0x14;
				E6B158460( *((intOrPtr*)(_t172 - 0x14)) + 0xfffffff0, _t159);
				_push(_t172 - 0x10);
				E6B14E8E8(L"UninstallPatch", _t171, _t177);
				 *(_t172 - 4) = 0x15;
				_t135 = E6B13D65F( *((intOrPtr*)(_t172 + 0xc)), _t151, _t172 - 0x20, _t172 - 0x10);
				_t169 = _t171 + 0x11c;
				 *(_t172 - 4) = 0x16;
				E6B143AD4(_t151, _t155, _t159, _t169, _t171, _t177, _t169, _t135,  *((intOrPtr*)(_t172 + 0x10)));
				 *(_t172 - 4) = 0x15;
				_t137 =  *((intOrPtr*)(_t172 - 0x20));
				if(_t137 != 0) {
					 *((intOrPtr*)( *_t137 + 8))(_t137);
				}
				E6B158460( *((intOrPtr*)(_t172 - 0x10)) + 0xfffffff0, _t159);
				 *((intOrPtr*)(_t171 + 0x158)) = _t171;
				 *((intOrPtr*)(_t171 + 0x154)) = 0x6b1374dc;
				 *((intOrPtr*)(_t171 + 0x15c)) = _t171 + 0x3c;
				 *((intOrPtr*)(_t171 + 0x160)) = 0x6b1374dc;
				 *((intOrPtr*)(_t171 + 0x164)) = _t171;
				 *((intOrPtr*)(_t171 + 0x168)) = _t171 + 0x74;
				 *((intOrPtr*)(_t171 + 0x16c)) = 0x6b1374dc;
				 *((intOrPtr*)(_t171 + 0x170)) = _t171;
				 *((intOrPtr*)(_t171 + 0x174)) = _t171 + 0xac;
				 *((intOrPtr*)(_t171 + 0x178)) = 0x6b1374dc;
				 *((intOrPtr*)(_t171 + 0x17c)) = _t171;
				 *((intOrPtr*)(_t171 + 0x180)) = _t151;
				 *((intOrPtr*)(_t171 + 0x184)) = 0x6b1374dc;
				 *((intOrPtr*)(_t171 + 0x188)) = _t171;
				 *((intOrPtr*)(_t171 + 0x18c)) = _t169;
				return E6B162709(_t171);
			}

0x6b144e46
0x6b144e46
0x6b144e46
0x6b144e4d
0x6b144e52
0x6b144e55
0x6b144e58
0x6b144e5b
0x6b144e60
0x6b144e67
0x6b144e6d
0x6b144e7c
0x6b144e80
0x6b144e8d
0x6b144e91
0x6b144e96
0x6b144e9a
0x6b144e9d
0x6b144e9f
0x6b144ea4
0x6b144ea4
0x6b144ea7
0x6b144eb1
0x6b144eb9
0x6b144ebf
0x6b144ece
0x6b144ed2
0x6b144edf
0x6b144ee3
0x6b144ee8
0x6b144eec
0x6b144eef
0x6b144ef1
0x6b144ef6
0x6b144ef6
0x6b144ef9
0x6b144f03
0x6b144f0b
0x6b144f11
0x6b144f20
0x6b144f24
0x6b144f2c
0x6b144f34
0x6b144f38
0x6b144f3d
0x6b144f41
0x6b144f44
0x6b144f46
0x6b144f48
0x6b144f4b
0x6b144f4b
0x6b144f4e
0x6b144f58
0x6b144f60
0x6b144f66
0x6b144f75
0x6b144f79
0x6b144f81
0x6b144f89
0x6b144f8d
0x6b144f92
0x6b144f96
0x6b144f99
0x6b144f9b
0x6b144f9d
0x6b144fa0
0x6b144fa0
0x6b144fa3
0x6b144fad
0x6b144fb5
0x6b144fbb
0x6b144fcb
0x6b144fcf
0x6b144fd7
0x6b144fdf
0x6b144fe3
0x6b144fe8
0x6b144fec
0x6b144ff1
0x6b144ff6
0x6b144ff6
0x6b144fff
0x6b145004
0x6b14500f
0x6b145018
0x6b14501e
0x6b145024
0x6b14502d
0x6b145033
0x6b145039
0x6b145045
0x6b14504b
0x6b145051
0x6b145057
0x6b14505d
0x6b145063
0x6b145069
0x6b145076

APIs

__EH_prolog3.LIBCMT ref: 6B144E4D

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B143AD4: __EH_prolog3.LIBCMT ref: 6B143ADB

Strings

CreateLayout, xrefs: 6B144F61
Repair, xrefs: 6B144EBA
UninstallPatch, xrefs: 6B144FB6
Install, xrefs: 6B144E68
Uninstall, xrefs: 6B144F0C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
API String ID: 431132790-791770018
Opcode ID: 80e1ef14a9bffe8e8dbbcb110adb1952b741643f09d3926025c68f3fcb54adac
Instruction ID: 7c4f1160f2ba3153977bbe686217728af385063aef40c38aa51f22461139cf14
Opcode Fuzzy Hash: 80e1ef14a9bffe8e8dbbcb110adb1952b741643f09d3926025c68f3fcb54adac
Instruction Fuzzy Hash: FD715CB1900659EFDF10CFB8C844BDEBBF8AF08308F144559E469E7241DB78AA05DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B141C23 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6B141C23(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t40;
				intOrPtr _t51;
				void* _t96;

				_push(0x14);
				E6B16265B(0x6b166e8a, __ebx, __edi, __esi);
				_t86 = 0;
				 *((intOrPtr*)(_t96 - 0x20)) = 0;
				 *((intOrPtr*)(_t96 - 0x1c)) = 0;
				 *((intOrPtr*)(_t96 - 0x18)) = 0;
				 *((intOrPtr*)(_t96 - 4)) = 0;
				_t40 = E6B1412CC( *((intOrPtr*)(__ebx + 0x110)), _t96 - 0x20, _t96 - 0x14);
				_t100 = _t40;
				if(_t40 != 0) {
					__eflags =  *((char*)(__ebx + 0x80));
					if(__eflags == 0) {
						 *((char*)( *((intOrPtr*)(__ebx + 0x108)))) = 1;
						goto L4;
					} else {
						_t86 = E6B154870(__ebx, 0, __ebx, __eflags);
					}
				} else {
					E6B154870(__ebx, 0, __ebx, _t100);
					if( *((char*)( *((intOrPtr*)(__ebx + 0x108)))) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x13c)))) + 4))();
						SetWindowTextW( *(__ebx + 0xb8), 0x6b1379e4);
						_t51 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t96 - 0x10)) =  *((intOrPtr*)(_t51 + 0xc))(1, L"User Cancelled!") + 0x10;
						_push(_t96 - 0x14);
						 *((char*)(_t96 - 4)) = 1;
						E6B14E8E8(L"IDS_CANCELLING", __ebx, __eflags);
						 *((char*)(_t96 - 4)) = 2;
						_push(_t96 - 0x14);
						E6B155075( *((intOrPtr*)(__ebx + 0x78)), _t96 - 0x10, L"%1.",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x78))))))())));
						 *((char*)(_t96 - 4)) = 1;
						E6B158460( *((intOrPtr*)(_t96 - 0x14)) + 0xfffffff0, _t96 - 0x14);
						E6B150353(__ebx + 0xb8,  *((intOrPtr*)(_t96 - 0x10)), 0);
						E6B150353(__ebx + 0xb8, L"\r\n", 0);
						_push(_t96 - 0x14);
						E6B14E8E8(L"IDS_PLEASE_WAIT", __ebx + 0xb8, __eflags);
						 *((char*)(_t96 - 4)) = 3;
						_push(_t96 - 0x14);
						E6B1414EE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x78))))))(), __ebx + 0xb4);
						E6B158460( *((intOrPtr*)(_t96 - 0x14)) + 0xfffffff0, _t96 - 0x14);
						E6B1412AB( *((intOrPtr*)(__ebx + 0x110)));
						__eflags =  *((intOrPtr*)(_t96 - 0x10)) + 0xfffffff0;
						E6B158460( *((intOrPtr*)(_t96 - 0x10)) + 0xfffffff0, _t96 - 0x14);
						L4:
						_t86 = 1;
					}
				}
				E6B14F3EC(_t96 - 0x20);
				return E6B162709(_t86);
			}

0x6b141c23
0x6b141c2a
0x6b141c2f
0x6b141c31
0x6b141c34
0x6b141c37
0x6b141c41
0x6b141c4b
0x6b141c50
0x6b141c52
0x6b141d60
0x6b141d67
0x6b141d7d
0x00000000
0x6b141d69
0x6b141d70
0x6b141d70
0x6b141c58
0x6b141c5a
0x6b141c68
0x6b141c89
0x6b141c97
0x6b141c9d
0x6b141cad
0x6b141cb3
0x6b141cb9
0x6b141cbd
0x6b141cc2
0x6b141cce
0x6b141cdc
0x6b141ce1
0x6b141cee
0x6b141cfe
0x6b141d0a
0x6b141d12
0x6b141d18
0x6b141d1d
0x6b141d29
0x6b141d32
0x6b141d3d
0x6b141d48
0x6b141d50
0x6b141d53
0x6b141d58
0x6b141d5a
0x6b141d5a
0x6b141c68
0x6b141c6d
0x6b141c79

APIs

SetWindowTextW.USER32(?,6B1379E4), ref: 6B141C97
__EH_prolog3.LIBCMT ref: 6B141C2A

Part of subcall function 6B154870: __EH_prolog3.LIBCMT ref: 6B154877

Strings

%1., xrefs: 6B141CD6
IDS_PLEASE_WAIT, xrefs: 6B141D13
User Cancelled!, xrefs: 6B141C82
IDS_CANCELLING, xrefs: 6B141CB4

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$TextWindow
String ID: %1.$IDS_CANCELLING$IDS_PLEASE_WAIT$User Cancelled!
API String ID: 1938513527-756668064
Opcode ID: eb3f9a61ee0e44d41ffb8fa99f865bc5633428897e1f5d4cbec5c45b9a481cc1
Instruction ID: d3a4583f64bbf1907936cbdf96af5ff77e67ed29ec2a6746bad879c825e92bfd
Opcode Fuzzy Hash: eb3f9a61ee0e44d41ffb8fa99f865bc5633428897e1f5d4cbec5c45b9a481cc1
Instruction Fuzzy Hash: F7419F72800119EFCF00CFB8C885BDD7BB4AF45318F1905A4E814BB266DB799A64CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F6DE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E6B14F6DE(void* __ebx, void* __edi, intOrPtr __esi, void* __eflags) {
				short* _t52;
				intOrPtr _t55;
				short* _t58;
				intOrPtr _t59;
				void* _t60;

				_t59 = __esi;
				_push(0x120);
				E6B1626CE(0x6b1636e1, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t60 - 0x128)) =  *((intOrPtr*)(_t60 + 8));
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *((intOrPtr*)(__esi + 0x14)) = 0;
				 *((intOrPtr*)(_t60 - 0x12c)) = __esi;
				 *((intOrPtr*)(__esi + 0x18)) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(_t60 - 4)) = 0;
				E6B15AF90(__esi + 0x20, 0, 0x58);
				 *(__esi + 0x78) =  *(__esi + 0x78) & 0;
				_t58 = __esi + 0x27c;
				_t52 = __esi + 0x7c;
				 *_t58 = 0;
				 *_t52 = 0;
				 *((intOrPtr*)(__esi + 0x20)) = 0x58;
				E6B15AF90(_t60 - 0x120, 0, 0x110);
				 *(_t60 - 0x124) = 0x114;
				if(GetVersionExW(_t60 - 0x124) == 0 ||  *((intOrPtr*)(_t60 - 0x120)) < 5 && ( *((intOrPtr*)(_t60 - 0x120)) != 4 ||  *((intOrPtr*)(_t60 - 0x11c)) < 0x5a)) {
					 *((intOrPtr*)(_t59 + 0x20)) = 0x4c;
				}
				 *((intOrPtr*)(_t59 + 0x2c)) =  *((intOrPtr*)(_t60 + 0xc));
				 *((intOrPtr*)(_t59 + 0x3c)) = _t58;
				 *((intOrPtr*)(_t59 + 0x40)) = 0x104;
				 *((intOrPtr*)(_t59 + 0x5c)) = L"rtf";
				 *((intOrPtr*)(_t59 + 0x44)) = _t52;
				 *((intOrPtr*)(_t59 + 0x48)) = 0x100;
				 *((intOrPtr*)(_t59 + 0x54)) = 0x880426;
				_t55 =  *0x6b172f94; // 0x3070000
				 *((intOrPtr*)(_t59 + 0x28)) = _t55;
				 *((intOrPtr*)(_t59 + 0x64)) = E6B155DA0;
				 *((intOrPtr*)(_t59 + 0x24)) =  *((intOrPtr*)(_t60 + 0x10));
				if( *((intOrPtr*)(_t60 - 0x128)) != 0) {
					E6B157E20(E6B159064(_t58, 0x104,  *((intOrPtr*)(_t60 - 0x128)), 0xffffffff));
				}
				return E6B162722(_t52, _t58, _t59);
			}

0x6b14f6de
0x6b14f6de
0x6b14f6e8
0x6b14f6f0
0x6b14f6f8
0x6b14f6fb
0x6b14f6fe
0x6b14f704
0x6b14f707
0x6b14f711
0x6b14f714
0x6b14f71b
0x6b14f723
0x6b14f729
0x6b14f72d
0x6b14f730
0x6b14f73a
0x6b14f741
0x6b14f750
0x6b14f762
0x6b14f77f
0x6b14f77f
0x6b14f795
0x6b14f798
0x6b14f79b
0x6b14f79e
0x6b14f7a5
0x6b14f7a8
0x6b14f7af
0x6b14f7b6
0x6b14f7bc
0x6b14f7c2
0x6b14f7c9
0x6b14f7cc
0x6b14f7e0
0x6b14f7e0
0x6b14f7ec

APIs

__EH_prolog3_GS.LIBCMT ref: 6B14F6E8
_memset.LIBCMT ref: 6B14F714
_memset.LIBCMT ref: 6B14F741
GetVersionExW.KERNEL32 ref: 6B14F75A

Strings

rtf, xrefs: 6B14F79E
Z, xrefs: 6B14F776

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: _memset$H_prolog3_Version
String ID: Z$rtf
API String ID: 3297208538-589749439
Opcode ID: 376ab069126b30371889aaf02bd96a6e38ca57265856f856410cbba134e0307a
Instruction ID: 85be4fb53f8d753fe443ae12f909d4ee7e1c4e089692128b1a152262d4761734
Opcode Fuzzy Hash: 376ab069126b30371889aaf02bd96a6e38ca57265856f856410cbba134e0307a
Instruction Fuzzy Hash: 553138B0900714AFDB61CF24C84169AB7F4BF1C705F0049AED59A96640E778A694CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6B141B63 Relevance: 10.6, APIs: 7, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B141B63(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__** _t26;
				void* _t45;
				struct HWND__** _t48;
				void* _t50;

				_push(0x10);
				E6B16265B(0x6b1658b1, __ebx, __edi, __esi);
				_t45 = __ecx;
				 *( *((intOrPtr*)(__ecx + 0x68)) + 4) = 0x65;
				_t48 = __ecx + 4;
				E6B13F415(_t45 + 0x118, GetParent( *_t48));
				 *((intOrPtr*)(_t50 - 0x1c)) = 0;
				 *((intOrPtr*)(_t50 - 0x18)) = 0;
				 *((intOrPtr*)(_t50 - 0x14)) = 0;
				 *((intOrPtr*)(_t50 - 4)) = 0;
				if(E6B1412CC( *((intOrPtr*)(_t45 + 0x110)), _t50 - 0x1c, _t50 - 0x10) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x70))))();
				}
				_t26 = _t48;
				if( *((char*)(_t45 + 0x80)) == 0) {
					_push(0);
				} else {
					_push(2);
				}
				E6B13E389(_t26);
				PostMessageW( *_t48, 0x28, 0, 0);
				SetWindowLongW( *_t48, 0xfffffff4, 0x65);
				SetWindowTextW(GetParent( *_t48),  *(_t45 + 0x58));
				PostMessageW( *_t48, 0x6f5, 0, 0);
				E6B14F3EC(_t50 - 0x1c);
				return E6B162709(1);
			}

0x6b141b63
0x6b141b6a
0x6b141b6f
0x6b141b74
0x6b141b7b
0x6b141b8d
0x6b141b94
0x6b141b97
0x6b141b9a
0x6b141ba4
0x6b141bb5
0x6b141bbc
0x6b141bbc
0x6b141bc5
0x6b141bc7
0x6b141bcd
0x6b141bc9
0x6b141bc9
0x6b141bc9
0x6b141bce
0x6b141bdf
0x6b141be7
0x6b141bfa
0x6b141c0b
0x6b141c10
0x6b141c1d

APIs

__EH_prolog3.LIBCMT ref: 6B141B6A
GetParent.USER32(00000065), ref: 6B141B80

Part of subcall function 6B13F415: GetDlgItem.USER32 ref: 6B13F479
Part of subcall function 6B13F415: GetWindowLongW.USER32(00000000,000000EB), ref: 6B13F484
Part of subcall function 6B13F415: SetWindowLongW.USER32 ref: 6B13F4C4

PostMessageW.USER32(00000065,00000028,00000000,00000000), ref: 6B141BDF
SetWindowLongW.USER32 ref: 6B141BE7
GetParent.USER32(00000065), ref: 6B141BF2
SetWindowTextW.USER32(00000000,?), ref: 6B141BFA
PostMessageW.USER32(00000065,000006F5,00000000,00000000), ref: 6B141C0B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Long$MessageParentPost$H_prolog3ItemText
String ID:
API String ID: 870142269-0
Opcode ID: 7392d3568a74687a50eb8af82ef8127a7bd3728e17ce07ad01cf5ac9efd634cd
Instruction ID: fd8b022d98426cfc3b535b02de79a00603f40b4e45ca0d7ec0791863e9ea8b18
Opcode Fuzzy Hash: 7392d3568a74687a50eb8af82ef8127a7bd3728e17ce07ad01cf5ac9efd634cd
Instruction Fuzzy Hash: 1221AF75A00215FFDB109FB4CC89F9ABBB9FF04744F100428F251A7190EB75A925CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6B14FB4F Relevance: 10.6, APIs: 7, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B14FB4F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t46;
				long _t48;
				long _t49;
				void* _t52;
				void* _t53;

				_t52 = __esi;
				_t46 = __edx;
				_push(4);
				E6B16265B(0x6b164429, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t53 - 4)) = 1;
				 *(_t53 - 0x10) = SendMessageW(GetParent( *(__esi + 4)), 0x481,  *(__esi + 4), 0);
				if( *((intOrPtr*)( *((intOrPtr*)(_t53 + 8)) - 0xc)) != 0) {
					E6B14EA8D(_t53 + 8, __esi + 0x5c);
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t53 + 0xc)) - 0xc)) != 0) {
					E6B14EA8D(_t53 + 0xc, _t52 + 0x60);
				}
				_t48 =  *(_t52 + 0x5c);
				if( *((intOrPtr*)(_t48 - 0xc)) != 0) {
					SendMessageW(GetParent( *(_t52 + 4)), 0x47e,  *(_t53 - 0x10), _t48);
				}
				_t49 =  *(_t52 + 0x60);
				if( *((intOrPtr*)(_t49 - 0xc)) != 0) {
					SendMessageW(GetParent( *(_t52 + 4)), 0x480,  *(_t53 - 0x10), _t49);
				}
				E6B158460( *((intOrPtr*)(_t53 + 8)) + 0xfffffff0, _t46);
				return E6B162709(E6B158460( *((intOrPtr*)(_t53 + 0xc)) + 0xfffffff0, _t46));
			}

0x6b14fb4f
0x6b14fb4f
0x6b14fb4f
0x6b14fb56
0x6b14fb5b
0x6b14fb7e
0x6b14fb88
0x6b14fb90
0x6b14fb90
0x6b14fb9c
0x6b14fba4
0x6b14fba4
0x6b14fba9
0x6b14fbb0
0x6b14fbc1
0x6b14fbc1
0x6b14fbc7
0x6b14fbce
0x6b14fbdf
0x6b14fbdf
0x6b14fbeb
0x6b14fc00

APIs

__EH_prolog3.LIBCMT ref: 6B14FB56
GetParent.USER32(00000001), ref: 6B14FB6B
SendMessageW.USER32(00000000,00000481,00000001,00000000), ref: 6B14FB78
GetParent.USER32(00000001), ref: 6B14FBB5
SendMessageW.USER32(00000000,0000047E,?,?), ref: 6B14FBC1
GetParent.USER32(00000001), ref: 6B14FBD3
SendMessageW.USER32(00000000,00000480,?,?), ref: 6B14FBDF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 96237f9fcf95f0b45ac1781e5b82bf9d5fe083ae6db0821d3782208591084921
Instruction ID: 4bb1bb8949adca140a3556cb10c7c174c6763ff2e86ef6ec240f49f5c28b0774
Opcode Fuzzy Hash: 96237f9fcf95f0b45ac1781e5b82bf9d5fe083ae6db0821d3782208591084921
Instruction Fuzzy Hash: 49113471400608FFDB109F64C84AB9AB7A6BF11769F108918F5656A6A0C7B8EA64CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6B13EE95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B13EE95(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t33;
				long _t36;
				intOrPtr* _t45;
				WCHAR** _t48;
				void* _t52;

				_push(0xc);
				E6B16265B(0x6b164c8a, __ebx, __edi, __esi);
				_t45 =  *((intOrPtr*)(_t52 + 8));
				 *(_t45 + 4) =  *(_t45 + 4) & 0x00000000;
				_t48 = _t45 + 8;
				_t51 = _t48;
				 *_t45 = 0x6b137128;
				E6B1583B4(_t48);
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				E6B14EA8D( *((intOrPtr*)(_t52 + 0xc)), _t48);
				if( *((intOrPtr*)( *_t48 - 0xc)) != 0) {
					_t30 =  *(_t45 + 4);
					if(_t30 != 0) {
						FreeLibrary(_t30);
						 *(_t45 + 4) =  *(_t45 + 4) & 0x00000000;
					}
					E6B14EA8D( *((intOrPtr*)(_t52 + 0xc)), _t48);
					_t33 = LoadLibraryW( *_t48);
					 *(_t45 + 4) = _t33;
					_t57 = _t33;
					if(_t33 == 0) {
						_push(_t52 + 0xc);
						E6B14E8E8(L"LoadLibrary", _t51, _t57);
						_t36 = GetLastError();
						 *(_t52 - 4) = 2;
						 *(_t52 - 0x14) = _t36;
						 *((intOrPtr*)(_t52 - 0x18)) = 0x6b136e44;
						 *((intOrPtr*)(_t52 - 0x10)) = E6B1583FD( *((intOrPtr*)(_t52 + 0xc)) + 0xfffffff0) + 0x10;
						 *(_t52 - 4) = 1;
						E6B15DBDB(_t52 - 0x18, 0x6b16839c);
					}
				}
				return E6B162709(_t45);
			}

0x6b13ee95
0x6b13ee9c
0x6b13eea1
0x6b13eea4
0x6b13eea8
0x6b13eeab
0x6b13eead
0x6b13eeb3
0x6b13eeb8
0x6b13eebf
0x6b13eeca
0x6b13eecc
0x6b13eed1
0x6b13eed4
0x6b13eeda
0x6b13eeda
0x6b13eee1
0x6b13eee8
0x6b13eeee
0x6b13eef1
0x6b13eef3
0x6b13eef8
0x6b13eefe
0x6b13ef03
0x6b13ef09
0x6b13ef0d
0x6b13ef16
0x6b13ef25
0x6b13ef31
0x6b13ef35
0x6b13ef35
0x6b13eef3
0x6b13ef41

APIs

__EH_prolog3.LIBCMT ref: 6B13EE9C
FreeLibrary.KERNEL32(00000000,0000000C,6B155B81,?,?,?), ref: 6B13EED4
LoadLibraryW.KERNEL32(?,0000000C,6B155B81,?,?,?), ref: 6B13EEE8
GetLastError.KERNEL32(00000000), ref: 6B13EF03
__CxxThrowException@8.LIBCMT ref: 6B13EF35

Strings

LoadLibrary, xrefs: 6B13EEF9

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Library$ErrorException@8FreeH_prolog3LastLoadThrow
String ID: LoadLibrary
API String ID: 3026435860-2077302977
Opcode ID: 860ba1ecb749317b6ed6642f7507dd9c1879bbe2f8bb68b1dcf18b77b491e050
Instruction ID: c473bab7822e3e4bf1ed3d7618e658efb89f9c340f65af8fd5ad1352b1c21fa0
Opcode Fuzzy Hash: 860ba1ecb749317b6ed6642f7507dd9c1879bbe2f8bb68b1dcf18b77b491e050
Instruction Fuzzy Hash: EB118C72910209FFEB00DF78C48AB8DBBB4BF10359F108164E818AF241E778CA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B154ECE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6B154ECE(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t13;
				void* _t24;
				char* _t29;
				void* _t32;
				void* _t33;

				_t33 = __eflags;
				_t24 = __ecx;
				_push(4);
				E6B16265B(0x6b1650ad, __ebx, __edi, __esi);
				_t31 =  *((intOrPtr*)(_t32 + 0xc));
				 *((intOrPtr*)(_t32 - 4)) = 0;
				 *((intOrPtr*)(_t32 - 0x10)) = 0;
				E6B14E8E8(L"None",  *((intOrPtr*)(_t32 + 0xc)), _t33);
				 *((intOrPtr*)(_t32 - 4)) = 0;
				 *((intOrPtr*)(_t32 - 0x10)) = 1;
				_t13 = E6B13E74C( *((intOrPtr*)( *((intOrPtr*)(_t32 + 8)) + 0x68)),  *((intOrPtr*)(_t32 + 0xc)));
				if(_t13 == 2) {
					_t29 = L"Welcome";
					goto L8;
				} else {
					if(_t13 == 3) {
						_t29 = L"Eula";
						goto L8;
					} else {
						if(_t13 == 4) {
							_t29 = L"SystemRequirement";
							goto L8;
						} else {
							if(_t13 + 0xfffffffb <= 1) {
								_t29 = L"Progress Page";
								L8:
								E6B15811C(_t31, E6B158199(_t29), _t24, _t29);
							}
						}
					}
				}
				return E6B162709(_t31);
			}

0x6b154ece
0x6b154ece
0x6b154ece
0x6b154ed5
0x6b154eda
0x6b154edf
0x6b154ee8
0x6b154eeb
0x6b154ef3
0x6b154efc
0x6b154eff
0x6b154f07
0x6b154f2f
0x00000000
0x6b154f09
0x6b154f0c
0x6b154f28
0x00000000
0x6b154f0e
0x6b154f11
0x6b154f21
0x00000000
0x6b154f13
0x6b154f18
0x6b154f1a
0x6b154f34
0x6b154f40
0x6b154f40
0x6b154f18
0x6b154f11
0x6b154f0c
0x6b154f4c

APIs

__EH_prolog3.LIBCMT ref: 6B154ED5

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Strings

SystemRequirement, xrefs: 6B154F21
Progress Page, xrefs: 6B154F1A
Welcome, xrefs: 6B154F2F
None, xrefs: 6B154EE3
Eula, xrefs: 6B154F28, 6B154F3D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Eula$None$Progress Page$SystemRequirement$Welcome
API String ID: 431132790-1170989405
Opcode ID: 81631959b797a5ed6088343a7a538c7aaca6af02f9fdee171f5589a6cdd662f3
Instruction ID: 2651e3514c4c89a545cb1bb819c93ea27f668acd1e035aab7edbc24553a983d0
Opcode Fuzzy Hash: 81631959b797a5ed6088343a7a538c7aaca6af02f9fdee171f5589a6cdd662f3
Instruction Fuzzy Hash: 2A01F4F3A15118BB9F00DF6C4C8141DF1A1AF995647660003E430EB214E73CCD32D781

Uniqueness

Uniqueness Score: -1.00%

Function 6B159AA9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E6B159AA9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(8);
				_push(0x6b167fa8);
				E6B15AA30(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x6b1314a0;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x6b16f220;
				E6B15EA00(__ebx, 1, 0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t12 = _t39 + 0x68; // 0x83ec8b55
				InterlockedIncrement( *_t12);
				 *(_t40 - 4) = 0xfffffffe;
				E6B159B4B();
				E6B15EA00(_t31, 1, 0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x6b16f988; // 0x6b16f8b0
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				_t18 = _t39 + 0x6c; // 0x7500107d
				E6B15E33B( *_t18);
				 *(_t40 - 4) = 0xfffffffe;
				return E6B15AA75(E6B159B54());
			}

0x6b159aa9
0x6b159aa9
0x6b159aab
0x6b159ab0
0x6b159aba
0x6b159ac0
0x6b159ac3
0x6b159aca
0x6b159ad1
0x6b159ad4
0x6b159ad7
0x6b159ade
0x6b159ae5
0x6b159aee
0x6b159af4
0x6b159af8
0x6b159afb
0x6b159b01
0x6b159b08
0x6b159b0f
0x6b159b15
0x6b159b18
0x6b159b1b
0x6b159b20
0x6b159b22
0x6b159b27
0x6b159b27
0x6b159b2a
0x6b159b2d
0x6b159b33
0x6b159b44

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6B167FA8,00000008,6B159BB6,00000000,00000000,?,6B15B575,6B159054,?,?,6B1591D6,?), ref: 6B159ABA
__lock.LIBCMT ref: 6B159AEE

Part of subcall function 6B15EA00: __mtinitlocknum.LIBCMT ref: 6B15EA16
Part of subcall function 6B15EA00: __amsg_exit.LIBCMT ref: 6B15EA22
Part of subcall function 6B15EA00: EnterCriticalSection.KERNEL32(6B1591D6,6B1591D6,?,6B159AF3,0000000D), ref: 6B15EA2A

InterlockedIncrement.KERNEL32(83EC8B55), ref: 6B159AFB
__lock.LIBCMT ref: 6B159B0F
___addlocaleref.LIBCMT ref: 6B159B2D

Strings

KERNEL32.DLL, xrefs: 6B159AB5

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: f37600c2ec6ff94890e1903fa51ae945c8dc26fbf08e4329fc5f0f9c6b30e600
Instruction ID: 1c780f0ea5301282ad62a86d47a0075e47a388552d1ebd61d6ebfc5b5719688c
Opcode Fuzzy Hash: f37600c2ec6ff94890e1903fa51ae945c8dc26fbf08e4329fc5f0f9c6b30e600
Instruction Fuzzy Hash: 5D0140B2804B00FFE720DF79D455B49FBE0AF54365F20894ED4E697290DBB8A660CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00D73979 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00D73979(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				void* _t35;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0xd76f08);
				E00D73DB0(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0xd71b90;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0xd78560;
				E00D74331(__ebx, _t35, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E00D73A1B();
				E00D74331(_t31, _t35, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0xd78558; // 0xd78480
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E00D75396( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E00D73DF5(E00D73A24());
			}

0x00d73979
0x00d73979
0x00d7397b
0x00d73980
0x00d7398a
0x00d73990
0x00d73993
0x00d7399a
0x00d739a1
0x00d739a4
0x00d739a7
0x00d739ae
0x00d739b5
0x00d739be
0x00d739c4
0x00d739cb
0x00d739d1
0x00d739d8
0x00d739df
0x00d739e5
0x00d739e8
0x00d739eb
0x00d739f0
0x00d739f2
0x00d739f7
0x00d739f7
0x00d739fd
0x00d73a03
0x00d73a14

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00D76F08,00000008,00D73A86,00000000,00000000,?,00D72FA5,00000003), ref: 00D7398A
__lock.LIBCMT ref: 00D739BE

Part of subcall function 00D74331: __mtinitlocknum.LIBCMT ref: 00D74347
Part of subcall function 00D74331: __amsg_exit.LIBCMT ref: 00D74353
Part of subcall function 00D74331: EnterCriticalSection.KERNEL32(?,?,?,00D739C3,0000000D,?,00D72FA5,00000003), ref: 00D7435B

InterlockedIncrement.KERNEL32(00D78560), ref: 00D739CB
__lock.LIBCMT ref: 00D739DF
___addlocaleref.LIBCMT ref: 00D739FD

Strings

KERNEL32.DLL, xrefs: 00D73985

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 4d953d0966e60f2b1851f81ac23389f5b4a6e172f0c8d6e65adaaaa9318cd501
Instruction ID: 0f4b0abf2e2e6f5557d49d6e5a5e42024a67cc513ff220b79636bb8798eab520
Opcode Fuzzy Hash: 4d953d0966e60f2b1851f81ac23389f5b4a6e172f0c8d6e65adaaaa9318cd501
Instruction Fuzzy Hash: 24015775440B009ED720AF69D80A749FBE0EF40321F10CA0AE49E967A1EBB0A685DB31

Uniqueness

Uniqueness Score: -1.00%

Function 6B16288F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6B16288F(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				void* _t16;
				intOrPtr* _t19;
				void* _t24;

				_t26 = __esi;
				_t24 = __edx;
				_t31 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
					L8:
					__eflags =  *(E6B159BE0(__eflags) + 0x90);
					if(__eflags > 0) {
						_t16 = E6B159BE0(__eflags);
						_t9 = _t16 + 0x90;
						 *_t9 =  *(_t16 + 0x90) - 1;
						__eflags =  *_t9;
					}
					goto L10;
				} else {
					__eflags = __eax - 0xe0434f4d;
					if(__eflags == 0) {
						goto L8;
					} else {
						__eflags = __eax - 0xe06d7363;
						if(__eflags != 0) {
							L10:
							__eflags = 0;
							return 0;
						} else {
							 *(E6B159BE0(__eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
							_push(8);
							_push(0x6b168038);
							E6B15AA30(__ebx, __edi, __esi);
							_t19 =  *((intOrPtr*)(E6B159BE0(_t31) + 0x78));
							if(_t19 != 0) {
								_v8 = _v8 & 0x00000000;
								 *_t19();
								_v8 = 0xfffffffe;
							}
							return E6B15AA75(E6B15E800(_t24, _t26));
						}
					}
				}
			}

0x6b16288f
0x6b16288f
0x6b16289b
0x6b1628a0
0x6b1628c1
0x6b1628c6
0x6b1628cd
0x6b1628cf
0x6b1628d4
0x6b1628d4
0x6b1628d4
0x6b1628d4
0x00000000
0x6b1628a2
0x6b1628a2
0x6b1628a7
0x00000000
0x6b1628a9
0x6b1628a9
0x6b1628ae
0x6b1628da
0x6b1628da
0x6b1628dd
0x6b1628b0
0x6b1628b5
0x6b15d44d
0x6b15d44f
0x6b15d454
0x6b15d45e
0x6b15d463
0x6b15d465
0x6b15d469
0x6b15d474
0x6b15d474
0x6b15d485
0x6b15d485
0x6b1628ae
0x6b1628a7

APIs

__getptd.LIBCMT ref: 6B1628B0

Part of subcall function 6B159BE0: __getptd_noexit.LIBCMT ref: 6B159BE3
Part of subcall function 6B159BE0: __amsg_exit.LIBCMT ref: 6B159BF0

__getptd.LIBCMT ref: 6B1628C1
__getptd.LIBCMT ref: 6B1628CF

Strings

csm, xrefs: 6B1628A9
RCC, xrefs: 6B16289B
MOC, xrefs: 6B1628A2

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
Instruction ID: cf787174d2e9bdbddce1bc1b752e185dd2f9327af39b64ac021685753af75efd
Opcode Fuzzy Hash: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
Instruction Fuzzy Hash: 78E01276118104AFD7109774C496F5833D8BB54399F6504E1D45CC7223D73CE4B08A93

Uniqueness

Uniqueness Score: -1.00%

Function 6B15849B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B15849B() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t4;

				if( *0x6b172ff8 == 0) {
					_t2 = LoadLibraryW(L"kernel32.dll");
					 *0x6b172ff8 = _t2;
					 *0x6b172ffc = GetProcAddress(_t2, "EncodePointer");
					_t4 = GetProcAddress( *0x6b172ff8, "DecodePointer");
					 *0x6b173000 = _t4;
					return _t4;
				}
				return _t1;
			}

0x6b1584a2
0x6b1584aa
0x6b1584bc
0x6b1584ce
0x6b1584d3
0x6b1584d5
0x00000000
0x6b1584da
0x6b1584db

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,6B1584EB), ref: 6B1584AA
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6B1584C1
GetProcAddress.KERNEL32(DecodePointer), ref: 6B1584D3

Strings

DecodePointer, xrefs: 6B1584C3
kernel32.dll, xrefs: 6B1584A5
EncodePointer, xrefs: 6B1584B6

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: 63c79409c91646fa2e9e4f3742df5529cb395e49c0a52c3c94571db9ffb84fca
Instruction ID: 433fb7d17a8f70c32a54b0034ea3dd11579d7002e393717421aa42af996cd4cd
Opcode Fuzzy Hash: 63c79409c91646fa2e9e4f3742df5529cb395e49c0a52c3c94571db9ffb84fca
Instruction Fuzzy Hash: 29E04CB1814235FADF10DFBD9848F863E64E707261B054567E425A3144E7789552AFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D72930 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D72930() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t4;

				if( *0xd79888 == 0) {
					_t2 = LoadLibraryW(L"kernel32.dll");
					 *0xd79888 = _t2;
					 *0xd7988c = GetProcAddress(_t2, "EncodePointer");
					_t4 = GetProcAddress( *0xd79888, "DecodePointer");
					 *0xd79890 = _t4;
					return _t4;
				}
				return _t1;
			}

0x00d72937
0x00d7293f
0x00d72951
0x00d72963
0x00d72968
0x00d7296a
0x00000000
0x00d7296f
0x00d72970

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,00D72980), ref: 00D7293F
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00D72956
GetProcAddress.KERNEL32(DecodePointer), ref: 00D72968

Strings

kernel32.dll, xrefs: 00D7293A
DecodePointer, xrefs: 00D72958
EncodePointer, xrefs: 00D7294B

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: 8153a7180c265721196471dd14c47b6ee2c4c24a677659a831fcee624cd3fbe0
Instruction ID: d07aa19e9be95d36c46b03e65c28db3ceda13159b2681ac12b438079873717bd
Opcode Fuzzy Hash: 8153a7180c265721196471dd14c47b6ee2c4c24a677659a831fcee624cd3fbe0
Instruction Fuzzy Hash: 64E0E2768503A0AECB04AF65BC2AEA27EE4E74A321B004026A11CD2360F37104C4DF72

Uniqueness

Uniqueness Score: -1.00%

Function 6B153BC0 Relevance: 9.1, APIs: 6, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B153BC0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t46;
				int _t50;
				intOrPtr* _t51;
				intOrPtr _t52;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr _t82;
				void* _t83;

				_t75 = __edx;
				_push(0x698);
				E6B1626CE(0x6b164306, __ebx, __edi, __esi);
				_t77 = __ecx;
				_t79 = __edx;
				 *((char*)(_t83 - 0x69d)) = GetCurrentDirectoryW(0x104, _t83 - 0x218) != 0;
				E6B14F6DE(0x104, _t77, _t83 - 0x69c, GetCurrentDirectoryW(0x104, _t83 - 0x218),  *((intOrPtr*)( *_t77)), _t79,  *((intOrPtr*)(_t77 + 4)));
				 *((intOrPtr*)(_t83 - 0x69c)) = 0x6b136f20;
				 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
				_t46 =  *((intOrPtr*)(_t77 + 4));
				if( *((intOrPtr*)(_t83 - 0x678)) == 0) {
					 *((intOrPtr*)(_t83 - 0x678)) = _t46;
				}
				E6B157DD2(_t83 - 0x69c, _t83 - 0x694);
				_push(_t83 - 0x67c);
				if( *((intOrPtr*)(_t83 - 0x624)) == 0) {
					_t50 = GetSaveFileNameW();
				} else {
					_t50 = GetOpenFileNameW();
				}
				 *(_t83 - 0x698) =  *(_t83 - 0x698) & 0x00000000;
				_t20 = (0 | _t50 == 0x00000000) + 1; // 0x1
				_t82 = _t20;
				if( *((char*)(_t83 - 0x69d)) != 0) {
					SetCurrentDirectoryW(_t83 - 0x218);
				}
				if(_t82 != 2) {
					_t51 =  *0x6b16fe10; // 0x6b1333ec
					_t52 =  *_t51(0x104, 2);
					__eflags = _t52;
					if(_t52 == 0) {
						_t52 = E6B1583ED();
					}
					_t26 = _t52 + 0x10; // 0x10
					_t82 = _t26;
					 *((intOrPtr*)(_t83 - 0x6a4)) = _t82;
					__eflags =  *((intOrPtr*)(_t82 - 8)) - 0x104;
					if( *((intOrPtr*)(_t82 - 8)) < 0x104) {
						E6B1583CE(0x6b16fe10, 0x80070057);
					}
					 *(_t82 - 0xc) = 0x104;
					 *((short*)(_t82 + 0x208)) = 0;
					E6B158923(_t82, 0x208, _t83 - 0x420, 0x208);
					 *(_t83 - 4) = 1;
					E6B14EA8D(_t83 - 0x6a4, _t77);
					_t34 = _t82 - 0x10; // 0x0
					E6B158460(_t34, _t75);
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					__eflags =  *((intOrPtr*)(_t83 - 0x688));
					if( *((intOrPtr*)(_t83 - 0x688)) != 0) {
						E6B16216C( *((intOrPtr*)(_t83 - 0x688)));
					}
				} else {
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					if( *((intOrPtr*)(_t83 - 0x688)) != 0) {
						E6B16216C( *((intOrPtr*)(_t83 - 0x688)));
					}
				}
				return E6B162722(0x104, _t77, _t82);
			}

0x6b153bc0
0x6b153bc0
0x6b153bca
0x6b153bdc
0x6b153bde
0x6b153bf7
0x6b153bfe
0x6b153c03
0x6b153c0d
0x6b153c18
0x6b153c1b
0x6b153c1d
0x6b153c1d
0x6b153c2f
0x6b153c41
0x6b153c42
0x6b153c4c
0x6b153c44
0x6b153c44
0x6b153c44
0x6b153c52
0x6b153c67
0x6b153c67
0x6b153c6a
0x6b153c73
0x6b153c73
0x6b153c7c
0x6b153c9d
0x6b153caa
0x6b153cac
0x6b153cae
0x6b153cb0
0x6b153cb0
0x6b153cb5
0x6b153cb5
0x6b153cb8
0x6b153cbe
0x6b153cc1
0x6b153cc8
0x6b153cc8
0x6b153ccf
0x6b153cd2
0x6b153ce8
0x6b153cf0
0x6b153cfc
0x6b153d01
0x6b153d04
0x6b153d09
0x6b153d0d
0x6b153d14
0x6b153d1c
0x6b153d1c
0x6b153c7e
0x6b153c7e
0x6b153c89
0x6b153c91
0x6b153c91
0x6b153c96
0x6b153d28

APIs

__EH_prolog3_GS.LIBCMT ref: 6B153BCA
GetCurrentDirectoryW.KERNEL32(00000104,?,00000698,6B1503E4,00000000), ref: 6B153BE0

Part of subcall function 6B14F6DE: __EH_prolog3_GS.LIBCMT ref: 6B14F6E8
Part of subcall function 6B14F6DE: _memset.LIBCMT ref: 6B14F714
Part of subcall function 6B14F6DE: _memset.LIBCMT ref: 6B14F741
Part of subcall function 6B14F6DE: GetVersionExW.KERNEL32 ref: 6B14F75A

GetOpenFileNameW.COMDLG32(?), ref: 6B153C44
GetSaveFileNameW.COMDLG32(?), ref: 6B153C4C
SetCurrentDirectoryW.KERNEL32(?), ref: 6B153C73
_memcpy_s.LIBCMT ref: 6B153CE8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CurrentDirectoryFileH_prolog3_Name_memset$OpenSaveVersion_memcpy_s
String ID:
API String ID: 133044998-0
Opcode ID: 254f7dbb851d03b2a3035dda2076a39a450f3384c12a2e0eb7a1fae67b743dfd
Instruction ID: 305a2048184e242dd61639b3661869821718a6223e2fc492607c14630daea840
Opcode Fuzzy Hash: 254f7dbb851d03b2a3035dda2076a39a450f3384c12a2e0eb7a1fae67b743dfd
Instruction Fuzzy Hash: 6E41A0B2901128EFDB30DB24CC4ABC9B7B9AF51315F4041E9E029A3190DB399AB5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B162B64 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E6B162B64(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t56;
				void* _t57;
				void* _t60;

				_t60 = __eflags;
				_push(0x2c);
				_push(0x6b16d230);
				E6B15AA30(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t54 =  *((intOrPtr*)(_t57 + 0xc));
				_t56 =  *((intOrPtr*)(_t57 + 8));
				 *((intOrPtr*)(_t57 - 0x1c)) = __ecx;
				 *(_t57 - 0x34) =  *(_t57 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t57 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc)) - 4));
				 *((intOrPtr*)(_t57 - 0x28)) = E6B162542(_t57 - 0x3c,  *((intOrPtr*)(_t56 + 0x18)));
				 *((intOrPtr*)(_t57 - 0x2c)) =  *((intOrPtr*)(E6B159BE0(_t60) + 0x88));
				 *((intOrPtr*)(_t57 - 0x30)) =  *((intOrPtr*)(E6B159BE0(_t60) + 0x8c));
				 *((intOrPtr*)(E6B159BE0(_t60) + 0x88)) = _t56;
				 *((intOrPtr*)(E6B159BE0(_t60) + 0x8c)) =  *((intOrPtr*)(_t57 + 0x10));
				 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
				 *((intOrPtr*)(_t57 + 0x10)) = 1;
				 *(_t57 - 4) = 1;
				 *((intOrPtr*)(_t57 - 0x1c)) = E6B1625F6(_t54,  *((intOrPtr*)(_t57 + 0x14)), _t48,  *((intOrPtr*)(_t57 + 0x18)),  *((intOrPtr*)(_t57 + 0x1c)));
				 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
				 *(_t57 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t57 + 0x10)) = 0;
				E6B162C8A(_t48, _t54, _t56, _t60);
				return E6B15AA75( *((intOrPtr*)(_t57 - 0x1c)));
			}

0x6b162b64
0x6b162b64
0x6b162b66
0x6b162b6b
0x6b162b70
0x6b162b72
0x6b162b75
0x6b162b78
0x6b162b7b
0x6b162b82
0x6b162b93
0x6b162ba1
0x6b162baf
0x6b162bb7
0x6b162bc5
0x6b162bcb
0x6b162bd2
0x6b162bd5
0x6b162beb
0x6b162bee
0x6b162c63
0x6b162c6a
0x6b162c71
0x6b162c7e

APIs

__CreateFrameInfo.LIBCMT ref: 6B162B8C

Part of subcall function 6B162542: __getptd.LIBCMT ref: 6B162550
Part of subcall function 6B162542: __getptd.LIBCMT ref: 6B16255E

__getptd.LIBCMT ref: 6B162B96

Part of subcall function 6B159BE0: __getptd_noexit.LIBCMT ref: 6B159BE3
Part of subcall function 6B159BE0: __amsg_exit.LIBCMT ref: 6B159BF0

__getptd.LIBCMT ref: 6B162BA4
__getptd.LIBCMT ref: 6B162BB2
__getptd.LIBCMT ref: 6B162BBD
_CallCatchBlock2.LIBCMT ref: 6B162BE3

Part of subcall function 6B1625F6: __CallSettingFrame@12.LIBCMT ref: 6B162642

Part of subcall function 6B162C8A: __getptd.LIBCMT ref: 6B162C99
Part of subcall function 6B162C8A: __getptd.LIBCMT ref: 6B162CA7

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 3d51b2c120c9219d7082e20d22bc56ce39d26452ebb9a10e78afbbf908a5ecbe
Instruction ID: 9029896c333fa5636a34029bb856b5cff823963e1d7e3e9961897b2099813fd0
Opcode Fuzzy Hash: 3d51b2c120c9219d7082e20d22bc56ce39d26452ebb9a10e78afbbf908a5ecbe
Instruction Fuzzy Hash: DC11C6B6C04209AFDB00DFA4C555BEEBBB4FF04354F108069E864A7251EB789A21DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B153FCE Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B153FCE(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x67);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x67) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow());
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b153fce
0x6b153fce
0x6b153fd5
0x6b153fde
0x6b153fe9
0x6b153ff4
0x6b153ff7
0x6b153ffa
0x6b153ffd
0x6b154000
0x6b154006
0x6b154009
0x6b154011
0x6b154016
0x6b15401b
0x6b154038
0x6b15403f
0x6b15404d
0x6b15404d
0x6b154058
0x6b15405f

APIs

__EH_prolog3.LIBCMT ref: 6B153FD5
SetWindowLongW.USER32 ref: 6B153FE9

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B154025
SendMessageW.USER32(00000000,00000485,00000000,00000067), ref: 6B154030
GetParent.USER32(?), ref: 6B15403D
GetDesktopWindow.USER32 ref: 6B154042

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: d40b2cab666bcb3c73a13d0d14116eaa52f369a6cba4a45e52ae3008a3c3e4f8
Instruction ID: ccec70d3a12e9db899683c514d20d2647fa55631f5155103937064b78e7aa7e3
Opcode Fuzzy Hash: d40b2cab666bcb3c73a13d0d14116eaa52f369a6cba4a45e52ae3008a3c3e4f8
Instruction Fuzzy Hash: 18112AB5900614EBCB209FB8C88599EFBF4FF59744B10451AE526E7290EB799A20CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6B153E60 Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B153E60(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x66);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x66) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow());
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b153e60
0x6b153e60
0x6b153e67
0x6b153e70
0x6b153e7b
0x6b153e86
0x6b153e89
0x6b153e8c
0x6b153e8f
0x6b153e92
0x6b153e98
0x6b153e9b
0x6b153ea3
0x6b153ea8
0x6b153ead
0x6b153eca
0x6b153ed1
0x6b153edf
0x6b153edf
0x6b153eea
0x6b153ef1

APIs

__EH_prolog3.LIBCMT ref: 6B153E67
SetWindowLongW.USER32 ref: 6B153E7B

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B153EB7
SendMessageW.USER32(00000000,00000485,00000000,00000066), ref: 6B153EC2
GetParent.USER32(?), ref: 6B153ECF
GetDesktopWindow.USER32 ref: 6B153ED4

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 2f192bca640f210554ebc8c03724c01597f5b23321dc0c23abb832bf5450dd87
Instruction ID: 86541dba773f13062efece8cba3ae2c8c2fe87d04bde3b6c0b49b97f0f57f2bf
Opcode Fuzzy Hash: 2f192bca640f210554ebc8c03724c01597f5b23321dc0c23abb832bf5450dd87
Instruction Fuzzy Hash: F5115EB1D00214EFCB20DF78C84599EFBF4FF59744B10451AE426E7290EB799A11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B153D2E Relevance: 9.0, APIs: 6, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B153D2E(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t45;
				void* _t46;

				_t45 = __esi;
				_push(0x18);
				E6B16265B(0x6b16366b, __ebx, __edi, __esi);
				 *((intOrPtr*)( *__esi + 0x10))();
				SetWindowLongW( *(__esi + 4), 0xfffffff4, 0x65);
				 *(_t46 - 0x24) =  *(__esi + 4);
				 *((intOrPtr*)(_t46 - 0x20)) = 0;
				 *((intOrPtr*)(_t46 - 0x1c)) = 0;
				 *((intOrPtr*)(_t46 - 0x18)) = 0;
				 *((intOrPtr*)(_t46 - 0x14)) = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E6B13FF14(_t46 - 0x24);
				if( *((intOrPtr*)(_t46 - 0x20)) != 0) {
					E6B158E26( *((intOrPtr*)(_t46 - 0x20)));
				}
				if(SendMessageW(GetParent( *(_t45 + 4)), 0x485, 0, 0x65) == 0) {
					 *((intOrPtr*)(_t46 - 0x10)) = GetParent( *(_t45 + 4));
					E6B13E153(_t46 - 0x10, GetDesktopWindow());
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)))) = 1;
				return E6B162709(1);
			}

0x6b153d2e
0x6b153d2e
0x6b153d35
0x6b153d3e
0x6b153d49
0x6b153d54
0x6b153d57
0x6b153d5a
0x6b153d5d
0x6b153d60
0x6b153d66
0x6b153d69
0x6b153d71
0x6b153d76
0x6b153d7b
0x6b153d98
0x6b153d9f
0x6b153dad
0x6b153dad
0x6b153db8
0x6b153dbf

APIs

__EH_prolog3.LIBCMT ref: 6B153D35
SetWindowLongW.USER32 ref: 6B153D49

Part of subcall function 6B13FF14: EnumChildWindows.USER32 ref: 6B13FF21

GetParent.USER32(?), ref: 6B153D85
SendMessageW.USER32(00000000,00000485,00000000,00000065), ref: 6B153D90
GetParent.USER32(?), ref: 6B153D9D
GetDesktopWindow.USER32 ref: 6B153DA2

Part of subcall function 6B158E26: HeapFree.KERNEL32(00000000,00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E3C
Part of subcall function 6B158E26: GetLastError.KERNEL32(00000000,?,6B159BCC,00000000,?,6B15B575,6B159054), ref: 6B158E4E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
String ID:
API String ID: 1093383602-0
Opcode ID: 0800522918ba6e824a4385cfb6fe856bb7d43f22507b21b7fe7b0cf95c25e9b7
Instruction ID: 3085d4c61440405929ddb98bec1650bfbdedd38028ebb5a17d6735d058bc4314
Opcode Fuzzy Hash: 0800522918ba6e824a4385cfb6fe856bb7d43f22507b21b7fe7b0cf95c25e9b7
Instruction Fuzzy Hash: AB115AB1900614EFCB209FB8C88999EFBF4FF59740B10451AE426E7290EB399A11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D7591A Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00D7591A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xd77018);
				E00D73DB0(__ebx, __edi, __esi);
				_t31 = E00D73AB0();
				_t15 =  *0xd78aec; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00D74331(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xd78988; // 0x30533e0
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0xd78560;
								if(_t33 != 0xd78560) {
									E00D74EF9(_t33);
								}
							}
						}
						_t21 =  *0xd78988; // 0x30533e0
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xd78988; // 0x30533e0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00D759B5();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					_push(0x20);
					E00D72F1C();
				}
				return E00D73DF5(_t33);
			}

0x00d7591a
0x00d7591a
0x00d7591a
0x00d7591c
0x00d75921
0x00d7592b
0x00d7592d
0x00d75935
0x00d75956
0x00d7595c
0x00d75960
0x00d75963
0x00d75966
0x00d7596c
0x00d7596e
0x00d75970
0x00d75973
0x00d75979
0x00d7597b
0x00d7597d
0x00d75983
0x00d75986
0x00d7598b
0x00d75983
0x00d7597b
0x00d7598c
0x00d75991
0x00d75994
0x00d7599a
0x00d7599e
0x00d7599e
0x00d759a4
0x00d759ab
0x00d7593d
0x00d7593d
0x00d7593d
0x00d75942
0x00d75944
0x00d75946
0x00d7594b
0x00d75953

APIs

__getptd.LIBCMT ref: 00D75926

Part of subcall function 00D73AB0: __getptd_noexit.LIBCMT ref: 00D73AB3
Part of subcall function 00D73AB0: __amsg_exit.LIBCMT ref: 00D73AC0

__amsg_exit.LIBCMT ref: 00D75946
__lock.LIBCMT ref: 00D75956
InterlockedDecrement.KERNEL32(?), ref: 00D75973
_free.LIBCMT ref: 00D75986
InterlockedIncrement.KERNEL32(030533E0), ref: 00D7599E

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c05b713c1107e598757a5c2c50e59ab738b7e630917c75c95ef824f711363a3b
Instruction ID: c799c1fdafdbc28f60c1e8429be5e5df337e0e6cda667e6a96a392de0012be16
Opcode Fuzzy Hash: c05b713c1107e598757a5c2c50e59ab738b7e630917c75c95ef824f711363a3b
Instruction Fuzzy Hash: D7016131941B21DBCB21AB69A80676EB760BF00730F188115E50CAB295FB746D85DFF3

Uniqueness

Uniqueness Score: -1.00%

Function 6B1445DE Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6B1445DE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t95;
				void* _t110;
				intOrPtr* _t115;
				void* _t126;
				intOrPtr* _t130;
				intOrPtr _t139;
				intOrPtr* _t154;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				_t146 = __edx;
				_push(0x78);
				E6B16265B(0x6b167a7e, __ebx, __edi, __esi);
				_t139 =  *((intOrPtr*)(_t158 + 0xc));
				_t154 =  *((intOrPtr*)(_t158 + 8));
				E6B143AD4(_t139, __ecx, __edx, __edi, _t154, _t159, _t154 + 4, _t139,  *((intOrPtr*)(_t158 + 0x10)));
				 *(_t158 - 4) =  *(_t158 - 4) & 0x00000000;
				_push(_t154 + 0x3c);
				_t143 = _t139;
				E6B14396A(_t139, _t139, __edx, __edi, _t154, _t159);
				 *(_t158 - 4) = 2;
				_push(_t158 + 0x10);
				 *_t154 = 0x6b137444;
				E6B14E8E8(L"PrintButton", _t154, _t159);
				 *(_t158 - 4) = 3;
				_push(E6B13D6C4(_t139, _t139, _t139, _t158 - 0x20, _t158 + 0x10));
				_push(_t154 + 0x78);
				 *(_t158 - 4) = 4;
				E6B1440EA(_t139, _t139, __edx, L"PrintButton", _t154, _t159);
				 *(_t158 - 4) = 6;
				_t83 =  *((intOrPtr*)(_t158 - 0x20));
				_t160 = _t83;
				if(_t83 != 0) {
					_t143 =  *_t83;
					 *((intOrPtr*)( *_t83 + 8))(_t83);
				}
				 *(_t158 - 4) = 7;
				E6B158460( *((intOrPtr*)(_t158 + 0x10)) + 0xfffffff0, _t146);
				_push(_t158 - 0x10);
				E6B14E8E8(L"SaveButton", _t154, _t160);
				 *(_t158 - 4) = 8;
				_push(E6B13D6C4(_t139, _t139, _t143, _t158 - 0x2c, _t158 - 0x10));
				_push(_t154 + 0x98);
				 *(_t158 - 4) = 9;
				E6B1440EA(_t139, _t143, _t146, L"SaveButton", _t154, _t160);
				 *(_t158 - 4) = 0xb;
				_t95 =  *((intOrPtr*)(_t158 - 0x2c));
				_t161 = _t95;
				if(_t95 != 0) {
					_t143 =  *_t95;
					 *((intOrPtr*)( *_t95 + 8))(_t95);
				}
				E6B158460( *((intOrPtr*)(_t158 - 0x10)) + 0xfffffff0, _t146);
				 *((intOrPtr*)(_t158 - 0x10)) = _t154 + 0xb8;
				E6B144217(_t154 + 0xb8, _t161);
				_t140 = _t154 + 0xd4;
				 *((intOrPtr*)(_t158 - 0x14)) = _t154 + 0xd4;
				E6B14452D(_t154 + 0xd4, _t143, _t161);
				 *(_t158 - 4) = 0xe;
				_t162 =  *((char*)(_t154 + 0x38));
				if( *((char*)(_t154 + 0x38)) != 0) {
					_push(_t158 + 0x10);
					E6B14E8E8(L"LicenseTermsCheckbox", _t154, _t162);
					 *(_t158 - 4) = 0xf;
					_push(E6B13D6C4( *((intOrPtr*)(_t158 + 0xc)), _t140, _t143, _t158 - 0x2c, _t158 + 0x10));
					_push(_t158 - 0x48);
					 *(_t158 - 4) = 0x10;
					_t110 = E6B144247(_t140, _t146, L"LicenseTermsCheckbox", _t154, _t162);
					 *(_t158 - 4) = 0x11;
					_t141 = _t110;
					E6B1442CD(_t110,  *((intOrPtr*)(_t158 - 0x10)));
					 *((intOrPtr*)(_t158 - 0x40)) = 0x6b136f7c;
					E6B158460( *((intOrPtr*)(_t158 - 0x44)) + 0xfffffff0, _t146);
					 *(_t158 - 4) = 0xf;
					_t115 =  *((intOrPtr*)(_t158 - 0x2c));
					 *((intOrPtr*)(_t158 - 0x48)) = 0x6b136f7c;
					_t163 = _t115;
					if(_t115 != 0) {
						_t143 =  *_t115;
						 *((intOrPtr*)( *_t115 + 8))(_t115);
					}
					 *(_t158 - 4) = 0xe;
					E6B158460( *((intOrPtr*)(_t158 + 0x10)) + 0xfffffff0, _t146);
					_push(_t158 + 0x10);
					E6B14E8E8(L"UserExperienceDataCollection", 0x6b136f7c, _t163);
					 *(_t158 - 4) = 0x12;
					_push(E6B13D6C4( *((intOrPtr*)(_t158 + 0xc)), _t141, _t143, _t158 - 0x2c, _t158 + 0x10));
					_push(_t158 - 0x84);
					 *(_t158 - 4) = 0x13;
					_t126 = E6B14443D(_t141, _t143, _t146, L"UserExperienceDataCollection", 0x6b136f7c, _t163);
					 *(_t158 - 4) = 0x14;
					E6B144575(_t126,  *((intOrPtr*)(_t158 - 0x14)));
					E6B142888(_t158 - 0x64);
					E6B14432F(_t158 - 0x80);
					 *(_t158 - 4) = 0x12;
					_t130 =  *((intOrPtr*)(_t158 - 0x2c));
					if(_t130 != 0) {
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
					E6B158460( *((intOrPtr*)(_t158 + 0x10)) + 0xfffffff0, _t146);
					_t154 =  *((intOrPtr*)(_t158 + 8));
				}
				return E6B162709(_t154);
			}

0x6b1445de
0x6b1445de
0x6b1445de
0x6b1445e5
0x6b1445ed
0x6b1445f0
0x6b1445f8
0x6b1445fd
0x6b144604
0x6b144605
0x6b144607
0x6b14460f
0x6b144613
0x6b144619
0x6b14461f
0x6b14462e
0x6b144637
0x6b14463b
0x6b14463c
0x6b144640
0x6b144645
0x6b144649
0x6b14464c
0x6b14464e
0x6b144650
0x6b144653
0x6b144653
0x6b144656
0x6b144660
0x6b144668
0x6b14466e
0x6b14467d
0x6b144686
0x6b14468d
0x6b14468e
0x6b144692
0x6b144697
0x6b14469b
0x6b14469e
0x6b1446a0
0x6b1446a2
0x6b1446a5
0x6b1446a5
0x6b1446ae
0x6b1446b9
0x6b1446bc
0x6b1446c1
0x6b1446c7
0x6b1446ca
0x6b1446cf
0x6b1446d3
0x6b1446d7
0x6b1446e0
0x6b1446e6
0x6b1446f6
0x6b1446ff
0x6b144703
0x6b144704
0x6b144708
0x6b14470d
0x6b144714
0x6b144716
0x6b144726
0x6b144729
0x6b14472e
0x6b144732
0x6b144735
0x6b144738
0x6b14473a
0x6b14473c
0x6b14473f
0x6b14473f
0x6b144742
0x6b14474c
0x6b144754
0x6b14475a
0x6b14476a
0x6b144773
0x6b14477a
0x6b14477b
0x6b14477f
0x6b144787
0x6b14478b
0x6b144793
0x6b14479b
0x6b1447a0
0x6b1447a4
0x6b1447a9
0x6b1447ae
0x6b1447ae
0x6b1447b7
0x6b1447bc
0x6b1447bc
0x6b1447c6

APIs

__EH_prolog3.LIBCMT ref: 6B1445E5

Part of subcall function 6B143AD4: __EH_prolog3.LIBCMT ref: 6B143ADB

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B1440EA: __EH_prolog3.LIBCMT ref: 6B1440F1

Strings

UserExperienceDataCollection, xrefs: 6B144755
PrintButton, xrefs: 6B144614
LicenseTermsCheckbox, xrefs: 6B1446E1
SaveButton, xrefs: 6B144669

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: LicenseTermsCheckbox$PrintButton$SaveButton$UserExperienceDataCollection
API String ID: 431132790-2575726183
Opcode ID: d76fe958ec226d3151f3ab1b42f5ad7b2fa32c41b2b7dc88aa4212259a4f2467
Instruction ID: 4bd31781e144c399f46c85d24c04672dfa3e92041bce8f3a870acdbcfb70f0db
Opcode Fuzzy Hash: d76fe958ec226d3151f3ab1b42f5ad7b2fa32c41b2b7dc88aa4212259a4f2467
Instruction Fuzzy Hash: 27513BB1900249EFDF01CFB8C845BDEB7A8AF19218F148499E565E7241DB38AA05DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B151B2E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E6B151B2E(intOrPtr* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t55;
				intOrPtr* _t92;
				intOrPtr* _t97;
				signed int _t100;
				intOrPtr* _t101;
				intOrPtr _t105;
				intOrPtr* _t107;
				void* _t108;

				_t92 = __ebx;
				_push(4);
				E6B16265B(0x6b1635a3, __ebx, __edi, __esi);
				_t105 = __ecx;
				 *((intOrPtr*)(_t108 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x6b1376cc;
				 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
				_t100 = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L6:
					return E6B162709(E6B155CB3(_t105 + 0xc));
				} else {
					while(_t100 >= 0 && _t100 <  *((intOrPtr*)(_t105 + 0x10))) {
						_t97 =  *((intOrPtr*)( *((intOrPtr*)(_t105 + 0xc)) + _t100 * 4));
						if(_t97 != 0) {
							 *((intOrPtr*)( *_t97 + 4))(1);
						}
						_t100 = _t100 + 1;
						if(_t100 <  *((intOrPtr*)(_t105 + 0x10))) {
							continue;
						} else {
							goto L6;
						}
						goto L8;
					}
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					E6B16265B(0x6b16537a, _t92, _t100, _t105);
					_t107 =  *((intOrPtr*)(_t108 + 8));
					 *((intOrPtr*)(_t107 + 4)) = 0;
					 *((intOrPtr*)(_t107 + 0x14)) = 0;
					_t101 = _t107 + 0x20;
					 *((intOrPtr*)(_t107 + 0x18)) = 0;
					 *((intOrPtr*)(_t107 + 0x1c)) = 0;
					E6B15AF90(_t101, 0, 0x34);
					 *_t101 = 0x34;
					 *((intOrPtr*)(_t107 + 0x24)) = 0x80;
					_t55 =  *0x6b172f94; // 0x3070000
					 *((intOrPtr*)(_t107 + 0x28)) = _t55;
					 *((intOrPtr*)(_t107 + 0x2c)) = 0x6a;
					 *((intOrPtr*)(_t107 + 0x38)) = E6B155DA0;
					 *((intOrPtr*)(_t107 + 0x40)) = E6B154908;
					 *((intOrPtr*)(_t107 + 0x3c)) = _t107;
					 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
					 *((intOrPtr*)(_t107 + 0x54)) =  *((intOrPtr*)(_t108 + 0xc));
					 *_t107 = 0x6b137748;
					 *((intOrPtr*)(_t107 + 0x58)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x14)))) + 8))( *((intOrPtr*)( *_t92))(0)))) - 0x10) + 0x10;
					 *(_t108 - 4) = 1;
					 *((intOrPtr*)(_t107 + 0x5c)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x1c)))) - 0x10) + 0x10;
					 *(_t108 - 4) = 2;
					 *((intOrPtr*)(_t107 + 0x60)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x20)))) - 0x10) + 0x10;
					 *(_t108 - 4) = 3;
					E6B14E8E8(L"IDS_IS_REALLY_CANCEL", _t107, __eflags);
					 *(_t108 - 4) = 4;
					 *((intOrPtr*)(_t107 + 0x64)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x10))))))(_t108 + 0x14, _t108 + 0x14))) - 0x10) + 0x10;
					__eflags =  *((intOrPtr*)(_t108 + 0x14)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t108 + 0x14)) + 0xfffffff0, _t108 + 0x14);
					 *((intOrPtr*)(_t107 + 0x68)) =  *((intOrPtr*)(_t108 + 0x18));
					 *((intOrPtr*)(_t107 + 0x6c)) = _t92;
					return E6B162709(_t107);
				}
				L8:
			}

0x6b151b2e
0x6b151b2e
0x6b151b35
0x6b151b3a
0x6b151b3c
0x6b151b3f
0x6b151b45
0x6b151b49
0x6b151b4e
0x6b151b70
0x6b151b7d
0x6b151b50
0x6b151b50
0x6b151b5c
0x6b151b61
0x6b151b67
0x6b151b67
0x6b151b6a
0x6b151b6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6b151b6e
0x6b151b89
0x6b151b8f
0x6b151b90
0x6b151b91
0x6b151b92
0x6b151b93
0x6b151b94
0x6b151b9c
0x6b151ba1
0x6b151ba8
0x6b151bac
0x6b151baf
0x6b151bb3
0x6b151bb6
0x6b151bb9
0x6b151bbe
0x6b151bc4
0x6b151bcb
0x6b151bd3
0x6b151bd6
0x6b151bdd
0x6b151be4
0x6b151beb
0x6b151bee
0x6b151bf5
0x6b151bfb
0x6b151c1d
0x6b151c23
0x6b151c34
0x6b151c3a
0x6b151c4b
0x6b151c57
0x6b151c5b
0x6b151c66
0x6b151c7c
0x6b151c82
0x6b151c85
0x6b151c8d
0x6b151c90
0x6b151c9a
0x6b151c9a
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B151B35
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000004,6B1485F7,00000000,6B1498A4), ref: 6B151B89
__EH_prolog3.LIBCMT ref: 6B151B9C
_memset.LIBCMT ref: 6B151BB9

Strings

IDS_IS_REALLY_CANCEL, xrefs: 6B151C52

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise_memset
String ID: IDS_IS_REALLY_CANCEL
API String ID: 1117901877-1805271499
Opcode ID: 706cdef94e74eacb64dc87ddb9b3d305c9fe7b4842a0816202600e5e9a873f74
Instruction ID: dfab04ecbececc0ca577966da364f33f35e4dee4b7a5e578396955332aeba0d9
Opcode Fuzzy Hash: 706cdef94e74eacb64dc87ddb9b3d305c9fe7b4842a0816202600e5e9a873f74
Instruction Fuzzy Hash: 264125B2600705EFDB21CF68C545B4ABBF0FF18704F104959E596AB740EB78E925CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B14396A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6B14396A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t57;
				intOrPtr* _t69;
				intOrPtr* _t81;
				intOrPtr* _t93;
				intOrPtr _t105;
				intOrPtr _t115;
				void* _t117;
				void* _t118;

				_t118 = __eflags;
				_t108 = __edx;
				_t106 = __ecx;
				_push(0x20);
				E6B16265B(0x6b166e22, __ebx, __edi, __esi);
				_t115 = __ecx;
				_t105 =  *((intOrPtr*)(_t117 + 8));
				_push(_t117 - 0x10);
				E6B14E8E8(L"BackButton", __ecx, _t118);
				 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
				_push(E6B13D6C4(_t115, _t105, _t106, _t117 - 0x20, _t117 - 0x10));
				_push(_t105);
				 *(_t117 - 4) = 1;
				E6B143654(_t105, _t106, __edx, L"BackButton", _t115, _t118);
				 *(_t117 - 4) = 3;
				_t57 =  *((intOrPtr*)(_t117 - 0x20));
				_t119 = _t57;
				if(_t57 != 0) {
					_t106 =  *_t57;
					 *((intOrPtr*)( *_t57 + 8))(_t57);
				}
				 *(_t117 - 4) = 4;
				E6B158460( *((intOrPtr*)(_t117 - 0x10)) + 0xfffffff0, _t108);
				_push(_t117 - 0x14);
				E6B14E8E8(L"NextButton", _t115, _t119);
				 *(_t117 - 4) = 5;
				_push(E6B13D6C4(_t115, _t105, _t106, _t117 - 0x2c, _t117 - 0x14));
				_push(_t105 + 0xc);
				 *(_t117 - 4) = 6;
				E6B143654(_t105, _t106, _t108, L"NextButton", _t115, _t119);
				 *(_t117 - 4) = 8;
				_t69 =  *((intOrPtr*)(_t117 - 0x2c));
				_t120 = _t69;
				if(_t69 != 0) {
					_t106 =  *_t69;
					 *((intOrPtr*)( *_t69 + 8))(_t69);
				}
				 *(_t117 - 4) = 9;
				E6B158460( *((intOrPtr*)(_t117 - 0x14)) + 0xfffffff0, _t108);
				_push(_t117 - 0x10);
				E6B14E8E8(L"CancelButton", _t115, _t120);
				 *(_t117 - 4) = 0xa;
				_push(E6B13D6C4(_t115, _t105, _t106, _t117 - 0x20, _t117 - 0x10));
				_push(_t105 + 0x18);
				 *(_t117 - 4) = 0xb;
				E6B143654(_t105, _t106, _t108, L"CancelButton", _t115, _t120);
				 *(_t117 - 4) = 0xd;
				_t81 =  *((intOrPtr*)(_t117 - 0x20));
				_t121 = _t81;
				if(_t81 != 0) {
					_t106 =  *_t81;
					 *((intOrPtr*)( *_t81 + 8))(_t81);
				}
				 *(_t117 - 4) = 0xe;
				E6B158460( *((intOrPtr*)(_t117 - 0x10)) + 0xfffffff0, _t108);
				_push(_t117 - 0x14);
				E6B14E8E8(L"FinishButton", _t115, _t121);
				 *(_t117 - 4) = 0xf;
				_push(E6B13D6C4(_t115, _t105, _t106, _t117 - 0x2c, _t117 - 0x14));
				_push(_t105 + 0x24);
				 *(_t117 - 4) = 0x10;
				E6B143654(_t105, _t106, _t108, L"FinishButton", _t115, _t121);
				 *(_t117 - 4) = 0xf;
				_t93 =  *((intOrPtr*)(_t117 - 0x2c));
				if(_t93 != 0) {
					 *((intOrPtr*)( *_t93 + 8))(_t93);
				}
				E6B158460( *((intOrPtr*)(_t117 - 0x14)) + 0xfffffff0, _t108);
				 *((intOrPtr*)(_t105 + 0x30)) = 0x6b137350;
				E6B1583B4(_t105 + 0x34);
				 *((short*)(_t105 + 0x38)) = 0;
				return E6B162709(_t105);
			}

0x6b14396a
0x6b14396a
0x6b14396a
0x6b14396a
0x6b143971
0x6b143976
0x6b143978
0x6b14397e
0x6b143984
0x6b143989
0x6b14399c
0x6b14399d
0x6b14399e
0x6b1439a2
0x6b1439a7
0x6b1439ab
0x6b1439ae
0x6b1439b0
0x6b1439b2
0x6b1439b5
0x6b1439b5
0x6b1439b8
0x6b1439c2
0x6b1439ca
0x6b1439d0
0x6b1439df
0x6b1439e8
0x6b1439ec
0x6b1439ed
0x6b1439f1
0x6b1439f6
0x6b1439fa
0x6b1439fd
0x6b1439ff
0x6b143a01
0x6b143a04
0x6b143a04
0x6b143a07
0x6b143a11
0x6b143a19
0x6b143a1f
0x6b143a2e
0x6b143a37
0x6b143a3b
0x6b143a3c
0x6b143a40
0x6b143a45
0x6b143a49
0x6b143a4c
0x6b143a4e
0x6b143a50
0x6b143a53
0x6b143a53
0x6b143a56
0x6b143a60
0x6b143a68
0x6b143a6e
0x6b143a7d
0x6b143a86
0x6b143a8a
0x6b143a8b
0x6b143a8f
0x6b143a94
0x6b143a98
0x6b143a9d
0x6b143aa2
0x6b143aa2
0x6b143aab
0x6b143ab3
0x6b143aba
0x6b143abf
0x6b143acc

APIs

__EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B143654: __EH_prolog3.LIBCMT ref: 6B14365B

Strings

BackButton, xrefs: 6B14397F
FinishButton, xrefs: 6B143A69
NextButton, xrefs: 6B1439CB
CancelButton, xrefs: 6B143A1A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: BackButton$CancelButton$FinishButton$NextButton
API String ID: 431132790-22014311
Opcode ID: 7cab571d8a198690b938e11edafdacac6c38d780614308385c45e8d29eb83f5e
Instruction ID: 142f61670ac5320963c0d6a643c83be7fb7c24ebf80b0eed9ae1373a38d3eae5
Opcode Fuzzy Hash: 7cab571d8a198690b938e11edafdacac6c38d780614308385c45e8d29eb83f5e
Instruction Fuzzy Hash: B64128B2900159EFDF01CBF8C984B9EB7ACAF19218F2441A5E425E7281D778EA09C771

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F2BE Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B13F2BE(intOrPtr* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t37;
				intOrPtr* _t49;
				intOrPtr* _t61;
				intOrPtr* _t73;
				void* _t76;
				void* _t94;
				intOrPtr _t100;
				void* _t112;
				intOrPtr* _t113;
				void* _t114;

				_t114 = __eflags;
				_t94 = __edx;
				_push(8);
				E6B16265B(0x6b164c1f, __ebx, __edi, __esi);
				_push(_t112 - 0x10);
				E6B14E8E8(L"IDS_IS_BACK", __esi, _t114);
				 *(_t112 - 4) =  *(_t112 - 4) & 0x00000000;
				_push(_t112 - 0x10);
				_t37 =  *((intOrPtr*)( *__ebx))();
				_push(__ebx);
				 *((intOrPtr*)(_t112 - 0x14)) = _t113;
				 *_t113 = E6B1583FD( *_t37 - 0x10) + 0x10;
				_push(0x3023);
				E6B13F20C(__ebx, __ebx, _t94, L"IDS_IS_BACK",  *((intOrPtr*)(_t112 + 8)), _t114);
				 *(_t112 - 4) = 2;
				E6B158460( *((intOrPtr*)(_t112 - 0x10)) + 0xfffffff0, _t94);
				_push(_t112 - 0x14);
				E6B14E8E8(L"IDS_IS_NEXT",  *((intOrPtr*)(_t112 + 8)), _t114);
				 *(_t112 - 4) = 3;
				_push(_t112 - 0x14);
				_t49 =  *((intOrPtr*)( *__ebx))();
				_push(__ebx);
				 *((intOrPtr*)(_t112 - 0x10)) = _t113;
				 *_t113 = E6B1583FD( *_t49 - 0x10) + 0x10;
				_push(0x3024);
				E6B13F20C(__ebx, __ebx, _t94, L"IDS_IS_NEXT",  *((intOrPtr*)(_t112 + 8)) + 8, _t114);
				 *(_t112 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t112 - 0x14)) + 0xfffffff0, _t94);
				_push(_t112 - 0x10);
				E6B14E8E8(L"IDS_IS_CANCEL",  *((intOrPtr*)(_t112 + 8)) + 8, _t114);
				 *(_t112 - 4) = 6;
				_push(_t112 - 0x10);
				_t61 =  *((intOrPtr*)( *__ebx))();
				_push(__ebx);
				 *((intOrPtr*)(_t112 - 0x14)) = _t113;
				 *_t113 = E6B1583FD( *_t61 - 0x10) + 0x10;
				_push(2);
				E6B13F20C(__ebx, __ebx, _t94, L"IDS_IS_CANCEL",  *((intOrPtr*)(_t112 + 8)) + 0x10, _t114);
				 *(_t112 - 4) = 8;
				E6B158460( *((intOrPtr*)(_t112 - 0x10)) + 0xfffffff0, _t94);
				_push(_t112 - 0x14);
				E6B14E8E8(L"IDS_IS_FINISH",  *((intOrPtr*)(_t112 + 8)) + 0x10, _t114);
				 *(_t112 - 4) = 9;
				_push(_t112 - 0x14);
				_t73 =  *((intOrPtr*)( *__ebx))();
				_push(__ebx);
				 *((intOrPtr*)(_t112 - 0x10)) = _t113;
				_t76 = E6B1583FD( *_t73 - 0x10);
				_t100 =  *((intOrPtr*)(_t112 + 8));
				 *_t113 = _t76 + 0x10;
				_push(0x3025);
				E6B13F20C(__ebx, __ebx, _t94, _t100, _t100 + 0x18, _t114);
				E6B158460( *((intOrPtr*)(_t112 - 0x14)) + 0xfffffff0, _t94);
				 *((intOrPtr*)(_t100 + 0x20)) =  *((intOrPtr*)(_t112 + 0xc));
				return E6B162709(_t100);
			}

0x6b13f2be
0x6b13f2be
0x6b13f2be
0x6b13f2c5
0x6b13f2cd
0x6b13f2d3
0x6b13f2d8
0x6b13f2e1
0x6b13f2e4
0x6b13f2e8
0x6b13f2ec
0x6b13f2f9
0x6b13f2fe
0x6b13f303
0x6b13f308
0x6b13f312
0x6b13f31a
0x6b13f320
0x6b13f328
0x6b13f32e
0x6b13f331
0x6b13f335
0x6b13f339
0x6b13f346
0x6b13f34b
0x6b13f353
0x6b13f358
0x6b13f362
0x6b13f36a
0x6b13f370
0x6b13f378
0x6b13f37e
0x6b13f381
0x6b13f385
0x6b13f389
0x6b13f396
0x6b13f39b
0x6b13f3a0
0x6b13f3a5
0x6b13f3af
0x6b13f3b7
0x6b13f3bd
0x6b13f3c5
0x6b13f3cb
0x6b13f3ce
0x6b13f3d2
0x6b13f3d6
0x6b13f3db
0x6b13f3e0
0x6b13f3e6
0x6b13f3e8
0x6b13f3f0
0x6b13f3fb
0x6b13f403
0x6b13f40d

APIs

__EH_prolog3.LIBCMT ref: 6B13F2C5

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13F20C: __EH_prolog3.LIBCMT ref: 6B13F213

Part of subcall function 6B1583FD: _memcpy_s.LIBCMT ref: 6B15844E

Strings

IDS_IS_CANCEL, xrefs: 6B13F36B
IDS_IS_FINISH, xrefs: 6B13F3B8
IDS_IS_NEXT, xrefs: 6B13F31B
IDS_IS_BACK, xrefs: 6B13F2CE

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$_memcpy_s
String ID: IDS_IS_BACK$IDS_IS_CANCEL$IDS_IS_FINISH$IDS_IS_NEXT
API String ID: 1663610674-2063768433
Opcode ID: 7001edbff5b9999c9ecf5790f478f10eaceb410a832355fbd059f431e6ca692e
Instruction ID: e282de81869d5c6b5a77a660cf30e44f78d16cec89bc189cf2f8a4f14f95ac90
Opcode Fuzzy Hash: 7001edbff5b9999c9ecf5790f478f10eaceb410a832355fbd059f431e6ca692e
Instruction Fuzzy Hash: EE4141B2910119EFDB44DFBCC84676E77B4AF19318F540598E464EB381DB38EA048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B14B4CC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6B14B4CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t34;
				void* _t37;
				intOrPtr _t38;
				void* _t49;
				intOrPtr _t54;
				void* _t63;
				void* _t64;
				void* _t76;
				void* _t90;

				_push(0x10);
				E6B16265B(0x6b164a21, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t90 - 0x1c)) = 0;
				 *((intOrPtr*)(_t90 - 4)) = 0;
				_t34 = E6B14EB56(_t90 + 0xc, L"$$FailureReason$$");
				_t94 = _t34;
				if(_t34 != 0) {
					_t37 = E6B1583FD( *((intOrPtr*)(_t90 + 0xc)) + 0xfffffff0);
					_t88 =  *((intOrPtr*)(_t90 + 8));
					_t38 = _t37 + 0x10;
					__eflags = _t38;
					 *((intOrPtr*)( *((intOrPtr*)(_t90 + 8)))) = _t38;
				} else {
					_push(0);
					_push( *((intOrPtr*)(__ebx + 0x7c)));
					_push(_t90 - 0x10);
					E6B157FA1(__ebx, _t76, __edi, 0, _t94);
					_t89 = _t90 - 0x10;
					 *((char*)(_t90 - 4)) = 1;
					if(E6B14ED1C(0, _t90 - 0x10, L"HRESULT") == 0) {
						_t96 =  *((intOrPtr*)(__ebx + 0xac)) - 1;
						if( *((intOrPtr*)(__ebx + 0xac)) == 1) {
							_t54 =  *0x6b16fe10; // 0x6b1333ec
							 *((intOrPtr*)(_t90 - 0x14)) =  *((intOrPtr*)(_t54 + 0xc))() + 0x10;
							 *((char*)(_t90 - 4)) = 2;
							E6B1580BA(_t90 - 0x14, L"0x%x",  *((intOrPtr*)(__ebx + 0x7c)));
							_push(_t90 - 0x18);
							E6B14E8E8(L"IDS_DOWNLOAD_ERROR_MESSAGE", _t89, _t96);
							 *((char*)(_t90 - 4)) = 3;
							_push(_t90 - 0x14);
							_t81 = _t90 - 0x18;
							_push(_t90 - 0x18);
							_t63 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x88))))))();
							_push(_t90 - 0x1c);
							_t64 = E6B14F092(__ebx, _t63, _t89, _t96);
							 *((char*)(_t90 - 4)) = 4;
							E6B14EA8D(_t64, _t89);
							E6B158460( *((intOrPtr*)(_t90 - 0x1c)) + 0xfffffff0, _t90 - 0x18);
							E6B158460( *((intOrPtr*)(_t90 - 0x18)) + 0xfffffff0, _t90 - 0x18);
							 *((char*)(_t90 - 4)) = 1;
							E6B158460( *((intOrPtr*)(_t90 - 0x14)) + 0xfffffff0, _t81);
						}
					}
					_t49 = E6B1583FD( *((intOrPtr*)(_t90 - 0x10)) + 0xfffffff0);
					_t88 =  *((intOrPtr*)(_t90 + 8));
					 *((intOrPtr*)( *((intOrPtr*)(_t90 + 8)))) = _t49 + 0x10;
					E6B158460( *((intOrPtr*)(_t90 - 0x10)) + 0xfffffff0, _t81);
				}
				E6B158460( *((intOrPtr*)(_t90 + 0xc)) + 0xfffffff0, _t81);
				return E6B162709(_t88);
			}

0x6b14b4cc
0x6b14b4d3
0x6b14b4da
0x6b14b4e6
0x6b14b4e9
0x6b14b4ee
0x6b14b4f0
0x6b14b5db
0x6b14b5e0
0x6b14b5e3
0x6b14b5e3
0x6b14b5e6
0x6b14b4f6
0x6b14b4f6
0x6b14b4f7
0x6b14b4fd
0x6b14b4fe
0x6b14b50a
0x6b14b50d
0x6b14b518
0x6b14b51e
0x6b14b525
0x6b14b52b
0x6b14b53b
0x6b14b53e
0x6b14b54e
0x6b14b559
0x6b14b55f
0x6b14b564
0x6b14b571
0x6b14b574
0x6b14b577
0x6b14b578
0x6b14b57d
0x6b14b580
0x6b14b587
0x6b14b58b
0x6b14b596
0x6b14b5a1
0x6b14b5a6
0x6b14b5b0
0x6b14b5b0
0x6b14b525
0x6b14b5bb
0x6b14b5c0
0x6b14b5c6
0x6b14b5ce
0x6b14b5ce
0x6b14b5ee
0x6b14b5fa

APIs

__EH_prolog3.LIBCMT ref: 6B14B4D3

Part of subcall function 6B14EB56: __wcsicoll.LIBCMT ref: 6B14EB74

Part of subcall function 6B157FA1: __EH_prolog3.LIBCMT ref: 6B157FA8
Part of subcall function 6B157FA1: FormatMessageW.KERNEL32(00001300,00000000,?,?,?,00000000,00000000,00000008,6B13C9AE,?,00000000,?), ref: 6B157FDB

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14F092: __EH_prolog3.LIBCMT ref: 6B14F099

Strings

HRESULT, xrefs: 6B14B503
0x%x, xrefs: 6B14B548
IDS_DOWNLOAD_ERROR_MESSAGE, xrefs: 6B14B55A
$$FailureReason$$, xrefs: 6B14B4DD

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$FormatMessage__wcsicoll
String ID: $$FailureReason$$$0x%x$HRESULT$IDS_DOWNLOAD_ERROR_MESSAGE
API String ID: 3776434076-2273825792
Opcode ID: e3ab287dafd126cf662aaeccaeb26d3272d66f9241cced23b17f2b956d9c8c51
Instruction ID: e8ffa36d20f2a3a7a5adabeac86da8e5d248b5d633ab17d782c67cfc96d81fe0
Opcode Fuzzy Hash: e3ab287dafd126cf662aaeccaeb26d3272d66f9241cced23b17f2b956d9c8c51
Instruction Fuzzy Hash: CC314D72900119FFCF00DBB8C846BAEB7B4AF0532CF148655E574EB385DB789A548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B1573D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E6B1573D5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t48;
				signed int _t52;
				signed int _t54;
				intOrPtr* _t60;
				void* _t63;
				void* _t65;
				signed int _t66;
				void* _t71;

				_push(0x24);
				E6B1626CE(0x6b164202, __ebx, __edi, __esi);
				_push(4);
				_t70 = __ecx;
				_push( *((intOrPtr*)( *((intOrPtr*)(_t71 + 8)))));
				_push( *((intOrPtr*)(__ecx + 0x14)));
				_t52 = __edx;
				_t63 =  *((intOrPtr*)(__ecx + 8))();
				if(_t63 != 0) {
					 *(_t71 - 0x2c) =  *(_t71 - 0x2c) & 0x00000000;
					_t54 = 6;
					_t65 = _t71 - 0x28;
					memset(_t65, 0, _t54 << 2);
					_t66 = _t65 + _t54;
					_push(_t71 - 0x2c);
					_push(_t63);
					if( *((intOrPtr*)(_t70 + 0xc))() == 0) {
						_t52 = GetLastError();
						_t66 = _t52;
						if(_t52 > 0) {
							_t66 = _t66 & 0x0000ffff | 0x80070000;
						}
						_t33 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t71 - 0x30)) =  *((intOrPtr*)(_t33 + 0xc))() + 0x10;
						_push(_t52);
						 *(_t71 - 4) = 1;
						_push(L"QueryServiceStatus failed with error: %u");
						goto L12;
					} else {
						 *_t52 =  *(_t71 - 0x28);
					}
				} else {
					_t52 = GetLastError();
					if(_t52 == 0x7b || _t52 == 0x424) {
					} else {
						_t66 = _t52;
						if(_t52 > 0) {
							_t66 = _t66 & 0x0000ffff | 0x80070000;
						}
						_t48 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t71 - 0x30)) =  *((intOrPtr*)(_t48 + 0xc))() + 0x10;
						 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
						_push(_t52);
						_push(L"OpenService failed with error: %u");
						L12:
						E6B155002(_t71 - 0x30);
						_t60 =  *((intOrPtr*)(_t70 + 0x18));
						_t70 =  *((intOrPtr*)(_t71 - 0x30));
						 *((intOrPtr*)( *_t60 + 4))(0,  *((intOrPtr*)(_t71 - 0x30)));
						if(_t66 >= 0) {
							_t66 = 0x80004005;
						}
						E6B158460(_t70 - 0x10, _t63);
					}
				}
				return E6B162722(_t52, _t66, _t70);
			}

0x6b1573d5
0x6b1573dc
0x6b1573e6
0x6b1573e8
0x6b1573ea
0x6b1573eb
0x6b1573ee
0x6b1573f3
0x6b1573f7
0x6b157447
0x6b15744d
0x6b157450
0x6b157453
0x6b157453
0x6b157458
0x6b157459
0x6b15745f
0x6b157470
0x6b157472
0x6b157476
0x6b15747e
0x6b15747e
0x6b157484
0x6b157494
0x6b157497
0x6b157498
0x6b15749f
0x00000000
0x6b157461
0x6b157464
0x6b157466
0x6b1573f9
0x6b1573ff
0x6b157404
0x6b15740e
0x6b15740e
0x6b157412
0x6b15741a
0x6b15741a
0x6b157420
0x6b157430
0x6b157433
0x6b157437
0x6b157438
0x6b1574a4
0x6b1574a7
0x6b1574ae
0x6b1574b1
0x6b1574b9
0x6b1574be
0x6b1574c0
0x6b1574c0
0x6b1574c8
0x6b1574cd
0x6b157404
0x6b1574d4

APIs

__EH_prolog3_GS.LIBCMT ref: 6B1573DC
GetLastError.KERNEL32 ref: 6B1573F9
GetLastError.KERNEL32 ref: 6B15746A

Strings

QueryServiceStatus failed with error: %u, xrefs: 6B15749F
OpenService failed with error: %u, xrefs: 6B157438

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3_
String ID: OpenService failed with error: %u$QueryServiceStatus failed with error: %u
API String ID: 3339191932-3526490536
Opcode ID: bb88fae1b4af56ed2b8322375b0fe3d509839253970a7671e40841afcf62a1a2
Instruction ID: 7689212648ba72afbcc96937c434f889c9fed48e3f32c64fcd9c35bcf9eba699
Opcode Fuzzy Hash: bb88fae1b4af56ed2b8322375b0fe3d509839253970a7671e40841afcf62a1a2
Instruction Fuzzy Hash: 0F31F7B3A10205BFD710CF68C885B6A7BF6BF54311F158439E525DB240DB79E8208B61

Uniqueness

Uniqueness Score: -1.00%

Function 6B142661 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6B142661(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t64;
				void* _t71;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t79;

				_t71 = __ecx;
				_push(8);
				E6B16265B(0x6b164827, __ebx, __edi, __esi);
				_t73 = __ecx;
				 *((intOrPtr*)(_t79 - 4)) = 0;
				_t77 =  *((intOrPtr*)(_t79 + 8));
				 *_t77 = 0x6b1372c8;
				_t78 = _t77 + 4;
				 *_t78 = 0;
				 *((intOrPtr*)(_t78 + 4)) = 0;
				 *((intOrPtr*)(_t78 + 8)) = 0;
				 *((char*)(_t79 - 4)) = 1;
				 *((intOrPtr*)(_t79 - 0x10)) = 0;
				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
					L5:
					_t74 =  *((intOrPtr*)(_t79 + 0xc));
					 *((intOrPtr*)(_t79 - 0x10)) = 0;
					if( *((intOrPtr*)(_t74 + 8)) <= 0) {
						L10:
						_t75 =  *((intOrPtr*)(_t79 + 0x10));
						 *((intOrPtr*)(_t79 + 0xc)) = 0;
						if( *((intOrPtr*)(_t75 + 8)) <= 0) {
							L15:
							return E6B162709( *((intOrPtr*)(_t79 + 8)));
						} else {
							 *((intOrPtr*)(_t79 + 0x10)) = 0;
							while(1) {
								_t53 =  *((intOrPtr*)(_t79 + 0xc));
								if(_t53 < 0) {
									goto L16;
								}
								_t91 = _t53 -  *((intOrPtr*)(_t75 + 8));
								if(_t53 >=  *((intOrPtr*)(_t75 + 8))) {
									goto L16;
								} else {
									_push( *((intOrPtr*)(_t75 + 4)) +  *((intOrPtr*)(_t79 + 0x10)));
									E6B150686(_t75, _t78, _t91);
									 *((intOrPtr*)(_t79 + 0xc)) =  *((intOrPtr*)(_t79 + 0xc)) + 1;
									 *((intOrPtr*)(_t79 + 0x10)) =  *((intOrPtr*)(_t79 + 0x10)) + 0x30;
									if( *((intOrPtr*)(_t79 + 0xc)) <  *((intOrPtr*)(_t75 + 8))) {
										continue;
									} else {
										goto L15;
									}
								}
								goto L17;
							}
							goto L16;
						}
					} else {
						 *((intOrPtr*)(_t79 + 0xc)) = 0;
						while(1) {
							_t59 =  *((intOrPtr*)(_t79 - 0x10));
							if(_t59 < 0) {
								goto L16;
							}
							_t87 = _t59 -  *((intOrPtr*)(_t74 + 8));
							if(_t59 >=  *((intOrPtr*)(_t74 + 8))) {
								goto L16;
							} else {
								_push( *((intOrPtr*)(_t74 + 4)) +  *((intOrPtr*)(_t79 + 0xc)));
								E6B150686(_t74, _t78, _t87);
								 *((intOrPtr*)(_t79 - 0x10)) =  *((intOrPtr*)(_t79 - 0x10)) + 1;
								 *((intOrPtr*)(_t79 + 0xc)) =  *((intOrPtr*)(_t79 + 0xc)) + 0x30;
								if( *((intOrPtr*)(_t79 - 0x10)) <  *((intOrPtr*)(_t74 + 8))) {
									continue;
								} else {
									goto L10;
								}
							}
							goto L17;
						}
						goto L16;
					}
				} else {
					 *((intOrPtr*)(_t79 - 0x14)) = 0;
					while(1) {
						_t64 =  *((intOrPtr*)(_t79 - 0x10));
						if(_t64 < 0) {
							break;
						}
						_t83 = _t64 -  *((intOrPtr*)(_t73 + 8));
						if(_t64 >=  *((intOrPtr*)(_t73 + 8))) {
							break;
						} else {
							_push( *((intOrPtr*)(_t73 + 4)) +  *((intOrPtr*)(_t79 - 0x14)));
							E6B150686(_t73, _t78, _t83);
							 *((intOrPtr*)(_t79 - 0x10)) =  *((intOrPtr*)(_t79 - 0x10)) + 1;
							 *((intOrPtr*)(_t79 - 0x14)) =  *((intOrPtr*)(_t79 - 0x14)) + 0x30;
							if( *((intOrPtr*)(_t79 - 0x10)) <  *((intOrPtr*)(_t73 + 8))) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L17;
					}
					L16:
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return  *((intOrPtr*)(_t71 + 8));
				}
				L17:
			}

0x6b142661
0x6b142661
0x6b142668
0x6b14266d
0x6b142671
0x6b142674
0x6b142677
0x6b14267d
0x6b142680
0x6b142682
0x6b142685
0x6b142688
0x6b14268c
0x6b142692
0x6b1426c6
0x6b1426c6
0x6b1426c9
0x6b1426cf
0x6b1426fb
0x6b1426fb
0x6b1426fe
0x6b142704
0x6b142730
0x6b142738
0x6b142706
0x6b142706
0x6b142709
0x6b142709
0x6b14270e
0x00000000
0x00000000
0x6b142710
0x6b142713
0x00000000
0x6b142715
0x6b14271b
0x6b14271c
0x6b142721
0x6b142727
0x6b14272e
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14272e
0x00000000
0x6b142713
0x00000000
0x6b142709
0x6b1426d1
0x6b1426d1
0x6b1426d4
0x6b1426d4
0x6b1426d9
0x00000000
0x00000000
0x6b1426db
0x6b1426de
0x00000000
0x6b1426e0
0x6b1426e6
0x6b1426e7
0x6b1426ec
0x6b1426f2
0x6b1426f9
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1426f9
0x00000000
0x6b1426de
0x00000000
0x6b1426d4
0x6b142694
0x6b142694
0x6b142697
0x6b142697
0x6b14269c
0x00000000
0x00000000
0x6b1426a2
0x6b1426a5
0x00000000
0x6b1426ab
0x6b1426b1
0x6b1426b2
0x6b1426b7
0x6b1426bd
0x6b1426c4
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1426c4
0x00000000
0x6b1426a5
0x6b14273b
0x6b142744
0x6b14274a
0x6b14274b
0x6b14274c
0x6b14274d
0x6b14274e
0x6b14274f
0x6b142753
0x6b142753
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B142668
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000008,6B1450B8,?,?,?,00000000,6B145C04,?,?,?,00000048,?), ref: 6B142744

Part of subcall function 6B150686: __EH_prolog3.LIBCMT ref: 6B15068D
Part of subcall function 6B150686: __recalloc.LIBCMT ref: 6B1506D5

Strings

0, xrefs: 6B142727
0, xrefs: 6B1426BD
0, xrefs: 6B1426F2

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise__recalloc
String ID: 0$0$0
API String ID: 3369754026-3137946472
Opcode ID: 3697f41be99d48869eeaf6d043aacfe756b05ebb9fd0b0973458e26c7a40df7c
Instruction ID: 4d3d0ac8d1b96ffd6723e1620797421a291ef68d9f527e0a9168dab286152e47
Opcode Fuzzy Hash: 3697f41be99d48869eeaf6d043aacfe756b05ebb9fd0b0973458e26c7a40df7c
Instruction Fuzzy Hash: 1031D6B591061AFFCB00CF99C5C199EF7B0BF14315B64892AE869DB601C334EAA1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6B141310 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B141310(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t45;
				char* _t48;
				intOrPtr* _t55;
				intOrPtr* _t77;
				void* _t78;

				_t77 = __esi;
				_t65 = __ebx;
				_push(0x14);
				E6B16265B(0x6b1646e3, __ebx, __edi, __esi);
				if( *((intOrPtr*)(__esi + 0x14)) == 1) {
					L4:
					_t34 =  *(_t77 + 0x28);
					if( *( *(_t77 + 0x28)) == 0) {
						 *(_t77 + 0x18) = 0x80004005;
						_t34 =  *((intOrPtr*)( *((intOrPtr*)( *_t77)) + 4))();
						__eflags = _t34;
						if(_t34 != 0) {
							_t34 =  *((intOrPtr*)( *((intOrPtr*)( *_t77)) + 8))( *(_t77 + 0x28));
							__eflags = _t34;
							if(_t34 != 0) {
								E6B14F289(_t77 + 8, _t65,  *_t77,  *((intOrPtr*)( *((intOrPtr*)( *_t77)) + 0xc))( *(_t77 + 0x28)), _t77);
								asm("sbb eax, eax");
								_t34 =  ~( *( *(_t77 + 0x28)) & 0x000000ff) & 0x80004004;
								__eflags = _t34;
								 *(_t77 + 0x18) = _t34;
							}
						}
					} else {
						 *(_t77 + 0x18) = 0x80004004;
					}
					 *((intOrPtr*)(_t77 + 0x14)) = 2;
					return E6B162709(_t34);
				}
				_t45 =  *0x6b16fe10; // 0x6b1333ec
				 *((intOrPtr*)(_t78 - 0x10)) =  *((intOrPtr*)(_t45 + 0xc))() + 0x10;
				 *((intOrPtr*)(_t78 - 4)) = 0;
				_t48 = L"NotStarted";
				_t83 =  *((intOrPtr*)(__esi + 0x14));
				if( *((intOrPtr*)(__esi + 0x14)) != 0) {
					_t48 = L"Completed";
				}
				E6B1580BA(_t78 - 0x10, L"Unexpected behavior: AffectedProducts::ComputeAffectedProductsList() method called when computation state is %s", _t48);
				E6B13C9BB(_t65, 0x6b16fe10, 0, _t77, _t83);
				 *((char*)(_t78 - 4)) = 1;
				_t55 = E6B13C9F6(_t78 - 0x20, _t78 - 0x14);
				 *((char*)(_t78 - 4)) = 2;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x2c)))) + 4))(0,  *_t55, _t78 - 0x20, _t78 - 0x10);
				 *((char*)(_t78 - 4)) = 1;
				E6B158460( *((intOrPtr*)(_t78 - 0x14)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x2c)))));
				_push(_t78 - 0x20);
				E6B13D1B4(_t65, _t78 - 0x18, 0, _t77,  *((intOrPtr*)(_t78 - 0x14)) + 0xfffffff0);
				E6B15DBDB(_t78 - 0x18, 0x6b168328);
				goto L4;
			}

0x6b141310
0x6b141310
0x6b141310
0x6b141317
0x6b141320
0x6b1413b5
0x6b1413b5
0x6b1413bb
0x6b1413c8
0x6b1413d1
0x6b1413d4
0x6b1413d6
0x6b1413df
0x6b1413e2
0x6b1413e4
0x6b1413f5
0x6b141402
0x6b141404
0x6b141404
0x6b141409
0x6b141409
0x6b1413e4
0x6b1413bd
0x6b1413bd
0x6b1413bd
0x6b14140c
0x6b141418
0x6b141418
0x6b141326
0x6b141336
0x6b14133b
0x6b14133e
0x6b141343
0x6b141346
0x6b141348
0x6b141348
0x6b141357
0x6b141367
0x6b141373
0x6b141377
0x6b14137c
0x6b141389
0x6b14138c
0x6b141396
0x6b14139e
0x6b1413a2
0x6b1413b0
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B141317
__CxxThrowException@8.LIBCMT ref: 6B1413B0

Strings

NotStarted, xrefs: 6B14133E
Completed, xrefs: 6B141348, 6B14134D
Unexpected behavior: AffectedProducts::ComputeAffectedProductsList() method called when computation state is %s, xrefs: 6B141351

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: Completed$NotStarted$Unexpected behavior: AffectedProducts::ComputeAffectedProductsList() method called when computation state is %s
API String ID: 3670251406-2979706164
Opcode ID: 7dcb3e2c8e3dd018833d47f223df374c57c721bfb01c435184414a4cdd76276a
Instruction ID: d8433e7d4ed899485b0d57ffc48095c6e78c2e6ca2ede149c618a37879368c35
Opcode Fuzzy Hash: 7dcb3e2c8e3dd018833d47f223df374c57c721bfb01c435184414a4cdd76276a
Instruction Fuzzy Hash: 533190B1500214EFCB10CFB5C444AAABBF5BF15305B04469DE552AB261EB39EA58CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6B157FA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B157FA1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t27;
				signed short* _t33;
				intOrPtr* _t34;
				intOrPtr* _t37;
				void* _t39;
				signed int _t41;
				signed int _t44;
				void* _t48;

				_push(8);
				E6B16265B(0x6b164860, __ebx, __edi, __esi);
				_t37 =  *((intOrPtr*)(_t48 + 8));
				 *((intOrPtr*)(_t48 - 0x14)) = 0;
				 *(_t48 - 0x10) = 0;
				E6B1583B4(_t37);
				 *((intOrPtr*)(_t48 - 4)) = 0;
				 *((intOrPtr*)(_t48 - 0x14)) = 1;
				if(FormatMessageW(0x1300, 0,  *(_t48 + 0xc),  *(_t48 + 0x10), _t48 - 0x10, 0, 0) != 0) {
					E6B1581B6(_t37,  *(_t48 - 0x10));
					LocalFree( *(_t48 - 0x10));
					_t27 =  *_t37;
					_t44 =  *(_t27 - 0xc);
					 *(_t48 + 0xc) = _t44;
					if(_t44 <= 0) {
						L10:
						E6B1582D1(_t37, _t44);
						E6B15830D(_t44, _t37);
						goto L11;
					} else {
						_t39 = _t44 - 1;
						_t33 = _t27 + _t44 * 2 - 2;
						while(_t39 >= 0 && _t39 <=  *(_t48 + 0xc)) {
							_t41 =  *_t33 & 0x0000ffff;
							if(_t41 == 0xd) {
								L9:
								_t44 = _t44 - 1;
								_t33 = _t33 - 2;
								_t39 = _t39 - 1;
								if(_t44 > 0) {
									continue;
								} else {
									goto L10;
								}
							} else {
								if(_t39 >  *(_t48 + 0xc)) {
									break;
								} else {
									if(_t41 != 0xa) {
										goto L10;
									} else {
										goto L9;
									}
								}
							}
							goto L13;
						}
						_t34 = E6B1583CE(_t39, 0x80070057);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						__imp__#6( *_t34);
						return _t34;
					}
				} else {
					E6B1580BA(_t37, L"HRESULT 0x%8.8x",  *(_t48 + 0xc));
					L11:
					return E6B162709(_t37);
				}
				L13:
			}

0x6b157fa1
0x6b157fa8
0x6b157fad
0x6b157fb2
0x6b157fb7
0x6b157fba
0x6b157fc8
0x6b157fce
0x6b157fe3
0x6b157ffc
0x6b158004
0x6b15800a
0x6b15800c
0x6b15800f
0x6b158014
0x6b158041
0x6b158044
0x6b15804d
0x00000000
0x6b158016
0x6b158016
0x6b158019
0x6b15801d
0x6b158026
0x6b15802c
0x6b158038
0x6b158038
0x6b158039
0x6b15803c
0x6b15803f
0x00000000
0x00000000
0x00000000
0x00000000
0x6b15802e
0x6b158031
0x00000000
0x6b158033
0x6b158036
0x00000000
0x00000000
0x00000000
0x00000000
0x6b158036
0x6b158031
0x00000000
0x6b15802c
0x6b158061
0x6b158066
0x6b158067
0x6b158068
0x6b158069
0x6b15806a
0x6b15806b
0x6b15806e
0x6b158074
0x6b158074
0x6b157fe5
0x6b157fee
0x6b158052
0x6b158059
0x6b158059
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B157FA8
FormatMessageW.KERNEL32(00001300,00000000,?,?,?,00000000,00000000,00000008,6B13C9AE,?,00000000,?), ref: 6B157FDB
LocalFree.KERNEL32(?,?,?), ref: 6B158004

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

SysFreeString.OLEAUT32(00000000), ref: 6B15806E

Strings

HRESULT 0x%8.8x, xrefs: 6B157FE8

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Free$Exception@8FormatH_prolog3LocalMessageStringThrow
String ID: HRESULT 0x%8.8x
API String ID: 3624661282-2887418326
Opcode ID: 381f1f99148c381da7a6d22708b08d998a62ab235c3612b436e76feaa7d4813d
Instruction ID: e207f819fc74d158a3069e1f8792dd13cc5680847183b310c789374f378391fc
Opcode Fuzzy Hash: 381f1f99148c381da7a6d22708b08d998a62ab235c3612b436e76feaa7d4813d
Instruction Fuzzy Hash: 5121CFB6910119FBCF109F64CC84D9EBB75FFA1311B00845AE8346A110DB388625CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6B14D073 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E6B14D073(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr* _t33;
				intOrPtr* _t45;
				void* _t67;
				void* _t68;

				_t67 = __esi;
				E6B16265B(0x6b1648f8, __ebx, __edi, __esi);
				_t26 =  *0x6b16fe10; // 0x6b1333ec
				 *(_t68 - 0x10) =  *((intOrPtr*)(_t26 + 0xc))(8) + 0x10;
				 *((intOrPtr*)(_t68 - 4)) = 0;
				_t72 =  *((intOrPtr*)(__esi + 0x8c));
				if( *((intOrPtr*)(__esi + 0x8c)) == 0) {
					__eflags =  *((intOrPtr*)(__esi + 0x8d));
					_push(_t68 - 0x14);
					if(__eflags == 0) {
						E6B14E8E8(L"IDS_INSTALL_WARNING_DESCRIPTION_FORMAT", __esi, __eflags);
						 *((char*)(_t68 - 4)) = 3;
						goto L5;
					} else {
						E6B14E8E8(L"IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S", __esi, __eflags);
						 *((char*)(_t68 - 4)) = 2;
						_t45 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x24)))) + 4))();
						_t60 =  *_t45;
						E6B155075( *((intOrPtr*)(__esi + 0x20)), _t68 - 0x10,  *((intOrPtr*)( *((intOrPtr*)( *_t45))(_t68 - 0x14))),  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x20)))));
					}
				} else {
					_push(_t68 - 0x14);
					E6B14E8E8(L"IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT", __esi, _t72);
					 *((char*)(_t68 - 4)) = 1;
					L5:
					_t33 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x24)))) + 4))();
					_t60 =  *_t33;
					E6B14EA8D( *((intOrPtr*)( *_t33))(_t68 - 0x14), _t68 - 0x10);
				}
				E6B158460( *((intOrPtr*)(_t68 - 0x14)) + 0xfffffff0, _t60);
				SetDlgItemTextW( *(_t67 + 4), 0x65,  *(_t68 - 0x10));
				return E6B162709(E6B158460( *(_t68 - 0x10) - 0x10, _t60));
			}

0x6b14d073
0x6b14d07a
0x6b14d07f
0x6b14d08f
0x6b14d094
0x6b14d097
0x6b14d09d
0x6b14d0b3
0x6b14d0bc
0x6b14d0bd
0x6b14d0f9
0x6b14d0fe
0x00000000
0x6b14d0bf
0x6b14d0c4
0x6b14d0c9
0x6b14d0d2
0x6b14d0d5
0x6b14d0ea
0x6b14d0ef
0x6b14d09f
0x6b14d0a2
0x6b14d0a8
0x6b14d0ad
0x6b14d102
0x6b14d107
0x6b14d10a
0x6b14d117
0x6b14d117
0x6b14d122
0x6b14d130
0x6b14d143

APIs

__EH_prolog3.LIBCMT ref: 6B14D07A
SetDlgItemTextW.USER32 ref: 6B14D130

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Strings

IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S, xrefs: 6B14D0BF
IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT, xrefs: 6B14D0A3
IDS_INSTALL_WARNING_DESCRIPTION_FORMAT, xrefs: 6B14D0F4

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ItemText
String ID: IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S$IDS_INSTALL_WARNING_DESCRIPTION_FORMAT$IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT
API String ID: 2878149499-3033223209
Opcode ID: 2467d336017deb194113e4436b1477e4374346935fbc4fcbdef25ae64ad4aded
Instruction ID: c3c2e9de83e25299420da01557d31bb2dd732b1a8cf9640286b8ad971ea63fb2
Opcode Fuzzy Hash: 2467d336017deb194113e4436b1477e4374346935fbc4fcbdef25ae64ad4aded
Instruction Fuzzy Hash: 0E21A471900109EFCF00DBB8C449A6EBBF2BF4A708F284458E151EB291DB34AA14CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6B14CFA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B14CFA5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t32;
				intOrPtr* _t33;
				intOrPtr _t37;
				struct HWND__* _t43;
				long _t51;
				void* _t52;
				struct HWND__* _t62;
				intOrPtr* _t65;
				void* _t67;
				void* _t70;

				_t70 = __eflags;
				_t52 = __ebx;
				E6B16265B(0x6b164928, __ebx, __edi, __esi);
				E6B14E8E8(L"IDS_BLOCK_DIALOGS_SYSLINK_TEXT", __esi, _t70);
				 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
				_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x24)))) + 4))();
				_t58 =  *_t32;
				_t33 =  *((intOrPtr*)( *_t32))(_t67 - 0x10, _t67 - 0x10, 8);
				 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
				E6B158460( *(_t67 - 0x10) + 0xfffffff0,  *_t32);
				_t37 =  *0x6b16fe10; // 0x6b1333ec
				 *(_t67 - 0x14) =  *((intOrPtr*)(_t37 + 0xc))() + 0x10;
				 *(_t67 - 4) = 1;
				E6B155075(0x6b16fe10, _t67 - 0x14,  *_t33,  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x20)))));
				_t43 = GetDlgItem( *(__ebx + 4), 0x67);
				_t65 = __ebx + 0x64;
				 *(_t67 - 0x10) = _t43;
				if(E6B13E2E1( *((intOrPtr*)( *_t65 + 8))(), _t65 + 8, _t65) != 0) {
					_t62 =  *(_t67 - 0x10);
					_t51 = SetWindowLongW(_t62, 0xfffffffc,  *(_t65 + 0x14));
					if(_t51 != 0) {
						 *(_t65 + 0x20) = _t51;
						 *(_t65 + 4) = _t62;
					}
				}
				SetDlgItemTextW( *(_t52 + 4), 0x67,  *(_t67 - 0x14));
				return E6B162709(E6B158460( *(_t67 - 0x14) - 0x10, _t58));
			}

0x6b14cfa5
0x6b14cfa5
0x6b14cfac
0x6b14cfba
0x6b14cfbf
0x6b14cfc8
0x6b14cfcb
0x6b14cfd3
0x6b14cfd5
0x6b14cfe1
0x6b14cfe6
0x6b14cff6
0x6b14cff9
0x6b14d00b
0x6b14d018
0x6b14d01e
0x6b14d021
0x6b14d036
0x6b14d03b
0x6b14d041
0x6b14d049
0x6b14d04b
0x6b14d04e
0x6b14d04e
0x6b14d049
0x6b14d05a
0x6b14d06d

APIs

__EH_prolog3.LIBCMT ref: 6B14CFAC

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

GetDlgItem.USER32 ref: 6B14D018

Part of subcall function 6B13E2E1: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 6B13E319
Part of subcall function 6B13E2E1: FlushInstructionCache.KERNEL32(00000000), ref: 6B13E320

SetWindowLongW.USER32 ref: 6B14D041
SetDlgItemTextW.USER32 ref: 6B14D05A

Strings

IDS_BLOCK_DIALOGS_SYSLINK_TEXT, xrefs: 6B14CFB5

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3Item$CacheCurrentFlushInstructionLongProcessTextWindow
String ID: IDS_BLOCK_DIALOGS_SYSLINK_TEXT
API String ID: 2244164258-355004722
Opcode ID: 03b9547c6992d44b4ba1a184849a61ee725f9977529026e6c4996f016597fb3f
Instruction ID: be63e5b2daa70999ad605e9f70a316f0e94c7d49c147a887ef8cc4714d7e0f92
Opcode Fuzzy Hash: 03b9547c6992d44b4ba1a184849a61ee725f9977529026e6c4996f016597fb3f
Instruction Fuzzy Hash: 1821B371900116EFCF10DFA8C844AAEBBF5FF09318B144558E865EB2A1E734E925CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B14D2BF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6B14D2BF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t23;
				intOrPtr* _t32;
				void* _t53;
				void* _t54;

				_t54 = __eflags;
				E6B16265B(0x6b164928, __ebx, __edi, __esi);
				E6B14E8E8(L"IDS_CONTINUE", __esi, _t54);
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				_t23 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x24)))) + 4))();
				SetDlgItemTextW( *(__esi + 4), 0xb,  *( *((intOrPtr*)( *_t23))(_t53 - 0x10, _t53 - 0x10, 8)));
				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
				E6B158460( *((intOrPtr*)(_t53 - 0x10)) + 0xfffffff0,  *_t23);
				E6B14E8E8(L"IDS_CLOSE", __esi, _t54);
				 *(_t53 - 4) = 1;
				_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x24)))) + 4))();
				SetDlgItemTextW( *(__esi + 4), 8,  *( *((intOrPtr*)( *_t32))(_t53 - 0x14, _t53 - 0x14)));
				return E6B162709(E6B158460( *((intOrPtr*)(_t53 - 0x14)) + 0xfffffff0,  *_t32));
			}

0x6b14d2bf
0x6b14d2c6
0x6b14d2d4
0x6b14d2d9
0x6b14d2e2
0x6b14d2fc
0x6b14d2fe
0x6b14d308
0x6b14d316
0x6b14d31b
0x6b14d327
0x6b14d33b
0x6b14d34d

APIs

__EH_prolog3.LIBCMT ref: 6B14D2C6

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

SetDlgItemTextW.USER32 ref: 6B14D2FC
SetDlgItemTextW.USER32 ref: 6B14D33B

Strings

IDS_CLOSE, xrefs: 6B14D311
IDS_CONTINUE, xrefs: 6B14D2CF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3ItemText
String ID: IDS_CLOSE$IDS_CONTINUE
API String ID: 2008326593-3637486705
Opcode ID: e8949f63e2431d79163b27f87cb16065abcd834005b0eec138a957dc37b6d690
Instruction ID: 6aa7f0a8b6910dad7d52eaae2c0da78549f006641d9c12b2bceeaca702f174ba
Opcode Fuzzy Hash: e8949f63e2431d79163b27f87cb16065abcd834005b0eec138a957dc37b6d690
Instruction Fuzzy Hash: A1118E71510505EFCF14DFB8C985A6EB7F5BF49718F144258E111EB2E0DB39A910CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6B157E95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B157E95(intOrPtr* __esi, WCHAR* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24) {
				struct HINSTANCE__* _t14;

				if( *__esi == 0) {
					if( *((intOrPtr*)(__esi + 4)) == 0) {
						L6:
						return _t14 | 0xffffffff;
					}
					return CreateFileW(_a4, _a8, _a12, _a16, _a20, _a24, 0);
				}
				_t14 = GetModuleHandleW(L"kernel32.dll");
				if(_t14 == 0) {
					goto L6;
				}
				_t14 = GetProcAddress(_t14, "CreateFileTransactedW");
				if(_t14 == 0) {
					goto L6;
				}
				return _t14->i(_a4, _a8, _a12, _a16, _a20, _a24, 0,  *__esi, 0, 0);
			}

0x6b157e9f
0x6b157ede
0x6b157efb
0x00000000
0x6b157efb
0x00000000
0x6b157ef3
0x6b157ea6
0x6b157eae
0x00000000
0x00000000
0x6b157eb6
0x6b157ebe
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6B157F46,00002100,00000002,00000000,6B157BC3,C0000000,?,?,?,6B157BC3,?,C0000000,00000000), ref: 6B157EA6
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6B157EB6
CreateFileW.KERNEL32(00002100,00000002,00000000,C0000000,?,6B157BC3,00000000,?,?,6B157F46,00002100,00000002,00000000,6B157BC3,C0000000,?), ref: 6B157EF3

Strings

CreateFileTransactedW, xrefs: 6B157EB0
kernel32.dll, xrefs: 6B157EA1

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: cf5a6cc3b969f2685f7c3ead3b493d87e99ad477e66a54503e4ee0adda184349
Instruction ID: cdf6cfe3badb8d55877c5a53619b588f128c4a1cfb24d1214fde9851414e4974
Opcode Fuzzy Hash: cf5a6cc3b969f2685f7c3ead3b493d87e99ad477e66a54503e4ee0adda184349
Instruction Fuzzy Hash: F201BB7200464AFBCF221E99CC09C9B3F76FB95B517108926F97590860D736C9B1EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B149AD4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E6B149AD4(intOrPtr* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t26;
				char* _t30;
				intOrPtr* _t31;
				void* _t32;

				_t31 = __esi;
				_t26 = __ebx;
				_push(4);
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				 *(_t32 - 0x10) =  *(_t32 - 0x10) & 0x00000000;
				if( *((char*)(__esi + 4)) == 0) {
					__eflags =  *((char*)(__esi + 5));
					_t30 = L"IDS_DOWNLOAD_SUCCESS";
					if(__eflags == 0) {
						_t30 = L"IDS_DOWNLOAD_PROGRESS_STATUS";
					}
				} else {
					_t35 =  *((char*)(__esi + 5));
					if( *((char*)(__esi + 5)) == 0) {
						_t30 = L"IDS_FILE_VERIFICATION_PROGRESS_STATUS";
					} else {
						_t30 = L"IDS_FILE_VERIFICATION_SUCCESS";
					}
				}
				E6B14E8E8(_t30, _t31, _t35);
				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
				 *_t26 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t31))))(_t32 - 0x10, _t32 - 0x10))) - 0x10) + 0x10;
				E6B158460( *(_t32 - 0x10) + 0xfffffff0, _t32 - 0x10);
				return E6B162709(_t26);
			}

0x6b149ad4
0x6b149ad4
0x6b149ad4
0x6b149adb
0x6b149ae0
0x6b149ae8
0x6b149afe
0x6b149b02
0x6b149b07
0x6b149b09
0x6b149b09
0x6b149aea
0x6b149aea
0x6b149aee
0x6b149af7
0x6b149af0
0x6b149af0
0x6b149af0
0x6b149aee
0x6b149b12
0x6b149b17
0x6b149b32
0x6b149b3a
0x6b149b46

APIs

__EH_prolog3.LIBCMT ref: 6B149ADB

Strings

IDS_FILE_VERIFICATION_PROGRESS_STATUS, xrefs: 6B149AF7
IDS_DOWNLOAD_SUCCESS, xrefs: 6B149B02
IDS_DOWNLOAD_PROGRESS_STATUS, xrefs: 6B149B09
IDS_FILE_VERIFICATION_SUCCESS, xrefs: 6B149AF0

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: IDS_DOWNLOAD_PROGRESS_STATUS$IDS_DOWNLOAD_SUCCESS$IDS_FILE_VERIFICATION_PROGRESS_STATUS$IDS_FILE_VERIFICATION_SUCCESS
API String ID: 431132790-1342741052
Opcode ID: ee04beb9baee89be483055cb82f8d5621adf339a4c9ba7eed77fb590782d5c15
Instruction ID: 5fc29e0b6b2ce21aff0d2be5c00f58eef9578d198eb48822308201388dcb5492
Opcode Fuzzy Hash: ee04beb9baee89be483055cb82f8d5621adf339a4c9ba7eed77fb590782d5c15
Instruction Fuzzy Hash: 2301D1F2904200BFDF10CBB8C998BAAB6A0AF55358F158848D0619B395D7BDD508C741

Uniqueness

Uniqueness Score: -1.00%

Function 6B13D086 Relevance: 7.6, APIs: 5, Instructions: 88
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E6B13D086(signed int __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a8, void* _a12) {
				signed int _v4;
				void* _v8;
				signed int _v16;
				intOrPtr _v24;
				char _v32;
				intOrPtr* _t32;
				void* _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				signed int _t47;
				signed int _t48;
				intOrPtr* _t50;
				intOrPtr _t57;
				intOrPtr* _t59;

				_t47 = __ebx;
				E6B16265B(0x6b164d7a, __ebx, __edi, __esi);
				_v16 = 0;
				_v4 = 0;
				__imp__#8( &_v32, 0x14);
				_v4 = 1;
				_t32 =  *_a12;
				_t59 = _a8;
				if(_t32 != 0) {
					__imp__#2(_t32);
					_a12 = _t32;
					__eflags = _t32;
					if(__eflags != 0) {
						goto L2;
					} else {
						E6B1583CE(_t50, 0x8007000e);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t50);
						_t42 = 0;
						_v24 = 0;
						__eflags = _t50;
						if(_t50 != 0) {
							 *((intOrPtr*)( *_t50))(_t50, 0x6b137920,  &_v8);
							_t42 = _v8;
						}
						__eflags = _t42;
						_push(_t47);
						_t48 = _t47 & 0xffffff00 | _t42 != 0x00000000;
						__eflags = _t42;
						if(_t42 != 0) {
							 *((intOrPtr*)( *_t42 + 8))(_t42);
						}
						return _t48;
					}
				} else {
					_a12 = 0;
					L2:
					_v4 = 2;
					_t34 =  *((intOrPtr*)( *_t59 + 0xb0))(_t59, _a12,  &_v32);
					_v4 = 1;
					_t60 = _t34;
					__imp__#6(_a12);
					if(_t34 != 0) {
						L4:
						_t57 = 0x6b1379e4;
					} else {
						_t69 = _v32 - 8;
						_t57 = _v24;
						if(_v32 != 8) {
							goto L4;
						}
					}
					E6B14E8E8(_t57, _t60, _t69);
					__imp__#9( &_v32, _t47);
					_v4 = _v4 | 0xffffffff;
					_t37 = _a8;
					if(_t37 != 0) {
						 *((intOrPtr*)( *_t37 + 8))(_t37);
					}
					return E6B162709(_t47);
				}
			}

0x6b13d086
0x6b13d08d
0x6b13d094
0x6b13d09b
0x6b13d09e
0x6b13d0a4
0x6b13d0ab
0x6b13d0ad
0x6b13d0b2
0x6b13d119
0x6b13d11f
0x6b13d122
0x6b13d124
0x00000000
0x6b13d126
0x6b13d12b
0x6b13d130
0x6b13d131
0x6b13d132
0x6b13d133
0x6b13d134
0x6b13d135
0x6b13d13b
0x6b13d13c
0x6b13d13e
0x6b13d141
0x6b13d143
0x6b13d151
0x6b13d153
0x6b13d153
0x6b13d156
0x6b13d158
0x6b13d159
0x6b13d15c
0x6b13d15e
0x6b13d163
0x6b13d163
0x6b13d16a
0x6b13d16a
0x6b13d0b4
0x6b13d0b4
0x6b13d0b7
0x6b13d0bb
0x6b13d0c5
0x6b13d0cb
0x6b13d0d2
0x6b13d0d4
0x6b13d0dc
0x6b13d0e8
0x6b13d0e8
0x6b13d0de
0x6b13d0de
0x6b13d0e3
0x6b13d0e6
0x00000000
0x00000000
0x6b13d0e6
0x6b13d0ee
0x6b13d0f7
0x6b13d0fd
0x6b13d101
0x6b13d106
0x6b13d10b
0x6b13d10b
0x6b13d115
0x6b13d115

APIs

__EH_prolog3.LIBCMT ref: 6B13D08D
VariantInit.OLEAUT32(?), ref: 6B13D09E
SysFreeString.OLEAUT32(?), ref: 6B13D0D4
VariantClear.OLEAUT32(?), ref: 6B13D0F7
SysAllocString.OLEAUT32(?), ref: 6B13D119

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: StringVariant$AllocClearFreeH_prolog3Init
String ID:
API String ID: 1692324188-0
Opcode ID: 8cb05b1f9c680b91f2505549816c56fd48fb197709a41e234cae69f2eca7eb5a
Instruction ID: 37293cd1ba0a5e3d3a5938d1a69f9610b65022acf6c03946795da83782f7c822
Opcode Fuzzy Hash: 8cb05b1f9c680b91f2505549816c56fd48fb197709a41e234cae69f2eca7eb5a
Instruction Fuzzy Hash: 32319E75900218FFDF10DFA8C848A9DBBB9EF58315F248599F865EB240E739DA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6B15269C Relevance: 7.6, APIs: 5, Instructions: 87
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E6B15269C(void* __eax, struct _PSP* _a4) {
				struct _PROPSHEETPAGE* _v8;
				void* __ebx;
				void* __esi;
				int _t17;
				intOrPtr _t18;
				struct _PSP* _t19;
				struct HWND__* _t20;
				long _t21;
				signed int _t31;
				struct _PSP* _t33;
				void* _t36;
				int _t39;
				struct _PSP* _t42;

				_t36 = __eax;
				_t17 =  *(__eax + 0x5c);
				if(_t17 <= 0) {
					L6:
					_t18 =  *((intOrPtr*)(_t36 + 0x58));
					if(_t18 != 0) {
						_t18 = E6B158E26(_t18);
						 *((intOrPtr*)(_t36 + 0x58)) = 0;
					}
					 *((intOrPtr*)(_t36 + 0x5c)) = 0;
					 *((intOrPtr*)(_t36 + 0x60)) = 0;
					_t37 =  *((intOrPtr*)(_t36 + 0x14));
					if( *((intOrPtr*)(_t36 + 0x14)) != 0) {
						_t18 = E6B16216C(_t37);
					}
					return _t18;
				} else {
					_t31 = 0;
					if(_t17 <= 0) {
						L5:
						goto L6;
					} else {
						while(_t31 >= 0 && _t31 <  *((intOrPtr*)(_t36 + 0x5c))) {
							_t17 = DestroyPropertySheetPage( *( *((intOrPtr*)(_t36 + 0x58)) + _t31 * 4));
							_t31 = _t31 + 1;
							if(_t31 <  *((intOrPtr*)(_t36 + 0x5c))) {
								continue;
							} else {
								goto L5;
							}
							goto L19;
						}
						RaiseException(0xc000008c, 1, 0, 0);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t36);
						_push(_t31);
						_t39 = _t17;
						_t19 = CreatePropertySheetPageW(_v8);
						_t33 = _t19;
						if(_t33 != 0) {
							_t20 =  *(_t39 + 4);
							_a4 = _t33;
							if(_t20 == 0) {
								_push(0);
								_t21 = E6B154800( &_a4, _t39 + 0x58);
							} else {
								_t21 = SendMessageW(_t20, 0x467, 0, _t33);
							}
							_t42 = _t21;
							if(_t42 == 0) {
								DestroyPropertySheetPage(_t33);
							}
							_t19 = _t42;
						}
						return _t19;
					}
				}
				L19:
			}

0x6b1526a0
0x6b1526a2
0x6b1526a9
0x6b1526ce
0x6b1526ce
0x6b1526d3
0x6b1526d6
0x6b1526dc
0x6b1526dc
0x6b1526df
0x6b1526e2
0x6b1526e5
0x6b1526ea
0x6b1526ed
0x6b1526ed
0x6b1526f4
0x6b1526ab
0x6b1526ac
0x6b1526b0
0x6b1526cd
0x00000000
0x6b1526b2
0x6b1526b2
0x6b1526c1
0x6b1526c7
0x6b1526cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6b1526cb
0x6b1526fe
0x6b152704
0x6b152705
0x6b152706
0x6b152707
0x6b152708
0x6b152709
0x6b15270f
0x6b152710
0x6b152714
0x6b152716
0x6b15271c
0x6b152720
0x6b152722
0x6b152725
0x6b15272a
0x6b15273d
0x6b152744
0x6b15272c
0x6b152735
0x6b152735
0x6b15274a
0x6b15274e
0x6b152751
0x6b152751
0x6b152757
0x6b152757
0x6b15275c
0x6b15275c
0x6b1526b0
0x00000000

APIs

DestroyPropertySheetPage.COMCTL32(?,00000000), ref: 6B1526C1
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 6B1526FE
CreatePropertySheetPageW.COMCTL32(?,00000000,00000000), ref: 6B152716
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 6B152735
DestroyPropertySheetPage.COMCTL32(00000000), ref: 6B152751

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: PagePropertySheet$Destroy$CreateExceptionMessageRaiseSend
String ID:
API String ID: 1284076499-0
Opcode ID: 13ccd8aa198375599b823c6f0e94099a77bb821263dc24c48160d83c1ece8df3
Instruction ID: ae5c5be33f0af60802b44dbf74fc1f419b29d02c24ad0c7522bed3ac4008edc2
Opcode Fuzzy Hash: 13ccd8aa198375599b823c6f0e94099a77bb821263dc24c48160d83c1ece8df3
Instruction Fuzzy Hash: 422107B3500750BBCB209F6DC8C4D4BB7E9EB957A57010429F965D3600CB38EC618BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B146655 Relevance: 7.6, APIs: 5, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6B146655(void* __ebx, struct HWND__* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t103;
				intOrPtr _t110;
				void* _t115;
				void* _t125;
				signed int _t129;
				intOrPtr* _t133;
				void* _t141;
				int _t150;
				void* _t165;
				intOrPtr* _t175;
				signed int _t188;
				struct HWND__* _t193;
				intOrPtr _t202;
				WCHAR** _t203;
				void* _t206;
				intOrPtr* _t221;
				signed int _t225;
				intOrPtr* _t231;
				intOrPtr* _t232;
				intOrPtr _t233;
				intOrPtr* _t236;
				void* _t238;
				void* _t242;

				_t242 = __eflags;
				_t215 = __edx;
				_push(0x40);
				E6B1626CE(0x6b165837, __ebx, __edi, __esi);
				_t103 =  *((intOrPtr*)(_t238 + 8));
				 *((intOrPtr*)(_t238 - 0x4c)) = _t103;
				_t231 = _t103 + 8;
				_push(_t238 - 0x44);
				 *(_t238 - 0x48) = __ecx;
				E6B14E8E8(__edx, _t231, _t242);
				_t201 = _t238 - 0x44;
				 *(_t238 - 4) = 0;
				E6B14F35E(_t238 - 0x44, _t231);
				 *(_t238 - 4) =  *(_t238 - 4) | 0xffffffff;
				E6B158460( *((intOrPtr*)(_t238 - 0x44)) + 0xfffffff0, _t215);
				_t110 =  *((intOrPtr*)(_t231 + 4));
				_t208 = _t110 - 1;
				if(_t208 < 0 || _t208 >= _t110) {
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x4c);
					E6B16265B(0x6b166506, _t201, 0, _t231);
					_push(_t238 - 0x34);
					_t221 = E6B141E75(_t201, _t208, _t215, 0, _t231, __eflags);
					 *(_t238 - 4) =  *(_t238 - 4) & 0x00000000;
					_t202 =  *((intOrPtr*)(_t238 + 8));
					_t232 =  *((intOrPtr*)(_t202 + 0x34));
					_t203 = _t202 + 0x30;
					_t115 = PathIsRelativeW( *_t203);
					__eflags = _t115;
					if(_t115 != 0) {
						 *(_t238 - 0x14) = E6B1583FD( *_t221 - 0x10) + 0x10;
						 *(_t238 - 4) = 1;
						E6B14F21D(_t238 - 0x14,  *((intOrPtr*)(_t221 + 4)));
						E6B14F21D(_t238 - 0x14,  *_t203);
						_t221 = PathFileExistsW;
						PathFileExistsW( *(_t238 - 0x14));
						_t125 = PathFileExistsW( *(_t238 - 0x14));
						__eflags = _t125;
						if(_t125 == 0) {
							 *(_t238 - 4) = 0;
							E6B158460( &(( *(_t238 - 0x14))[0xfffffffffffffff8]), _t215);
							_t129 = 0;
							__eflags = 0;
							goto L11;
						} else {
							E6B14EA8D(_t238 - 0x14, _t203);
							 *(_t238 - 4) = 0;
							E6B158460( &(( *(_t238 - 0x14))[0xfffffffffffffff8]), _t215);
							goto L12;
						}
					} else {
						_t188 = PathFileExistsW( *_t203);
						__eflags = _t188;
						_t129 = _t188 & 0xffffff00 | _t188 != 0x00000000;
						L11:
						__eflags = _t129;
						if(__eflags == 0) {
							E6B13C9BB(_t203, _t208, _t221, _t232, __eflags);
							 *((intOrPtr*)(_t238 - 0x20)) = 0x6b136e38;
							 *(_t238 - 4) = 2;
							_t133 = E6B13CB96(_t203, _t238 - 0x20, _t215, 0x6b136e38, _t232, __eflags);
							 *(_t238 - 4) = 3;
							 *((intOrPtr*)( *_t232 + 4))(0,  *_t133, _t238 + 8, _t238 - 0x20, _t203);
							 *(_t238 - 4) = 2;
							E6B158460( *((intOrPtr*)(_t238 + 8)) + 0xfffffff0,  *_t232);
							_push(_t238 - 0x20);
							_t208 = _t238 - 0x18;
							E6B13D1B4(_t203, _t238 - 0x18, 0x6b136e38, _t232, __eflags);
							 *(_t238 - 0x18) = 0x6b136e38;
							_push(0x6b168364);
							_t141 = _t238 - 0x18;
							goto L14;
						} else {
							L12:
							_push( *_t203);
							_push(L"Successfuly found file %s ");
							_t225 = 4;
							_push(_t225);
							E6B13B93E(_t203, _t215, _t225, _t232, __eflags);
							E6B158460( *(_t238 - 0x30) + 0xfffffff0, _t215);
							E6B158460( *((intOrPtr*)(_t238 - 0x34)) + 0xfffffff0, _t215);
							 *(_t238 - 0x2c) = 0;
							 *((intOrPtr*)(_t238 - 0x28)) = 0;
							 *(_t238 - 4) = _t225;
							__eflags = E6B157F22(_t238 - 0x2c,  *_t203, 0x80000000, 1, 3, 0x80, 0);
							if(__eflags < 0) {
								 *((intOrPtr*)(_t238 + 0xc)) = E6B14E8E8(L"ParameterInfo.xml", 0, __eflags);
								 *(_t238 - 4) = 5;
								_t165 = E6B14F143(_t203, _t203, 0, __eflags);
								 *(_t238 - 4) = 6;
								E6B13CA39(_t203, _t208, _t215, _t203, 0, __eflags);
								E6B158460( &(( *(_t238 - 0x14))[0xfffffffffffffff8]), _t215);
								 *(_t238 - 4) = 9;
								E6B158460( *((intOrPtr*)(_t238 - 0x1c)) + 0xfffffff0, _t215);
								_t175 = E6B13CAC2(_t203, _t238 - 0x4c, _t215, _t203, 0, __eflags);
								 *(_t238 - 4) = 0xa;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 8)) + 0x34)))) + 4))(0,  *_t175, _t238 + 0xc, _t238 - 0x4c, _t165,  *((intOrPtr*)(_t238 + 0xc)), _t238 - 0x14, L"can\'t open EULA file: ", _t238 - 0x1c);
								 *(_t238 - 4) = 9;
								__eflags =  *((intOrPtr*)(_t238 + 0xc)) + 0xfffffff0;
								E6B158460( *((intOrPtr*)(_t238 + 0xc)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t238 + 8)) + 0x34)))));
								_push(_t238 - 0x4c);
								_t208 = _t238 - 0x58;
								E6B13D170(_t203, _t238 - 0x58, _t203, 0, __eflags);
								_push(0x6b1682a0);
								_t141 = _t238 - 0x58;
								L14:
								_push(_t141);
								E6B15DBDB();
							}
						}
					}
					_t233 =  *((intOrPtr*)(_t238 + 8));
					E6B140B11( *((intOrPtr*)(_t238 + 0xc)), _t233, __eflags);
					 *((intOrPtr*)(_t238 - 0x24)) = _t238 - 0x2c;
					asm("stosd");
					asm("stosd");
					 *(_t238 - 0x40) = _t238 - 0x24;
					_t234 = _t233 + 4;
					 *(_t238 - 0x38) = E6B14698A;
					SendMessageW( *(_t233 + 4), 0x449, 2, _t238 - 0x40);
					__eflags =  *(_t238 - 0x2c);
					if( *(_t238 - 0x2c) != 0) {
						CloseHandle( *(_t238 - 0x2c));
						 *(_t238 - 0x2c) = 0;
					}
					_t150 = E6B150324(0, _t208, _t234, 0);
					__eflags =  *(_t238 - 0x2c);
					if( *(_t238 - 0x2c) != 0) {
						_t150 = CloseHandle( *(_t238 - 0x2c));
					}
					return E6B162709(_t150);
				} else {
					_t236 =  *_t231 + _t208 * 4;
					_t190 =  *_t236;
					if( *((intOrPtr*)( *_t236 - 4)) > 1) {
						E6B1581DE(_t208, _t236,  *((intOrPtr*)(_t190 - 0xc)));
					}
					_t206 = 0x30;
					E6B15AF90(_t238 - 0x40, 0, _t206);
					_t193 =  *(_t238 - 0x48);
					 *(_t238 - 0x40) = _t206;
					 *((intOrPtr*)(_t238 - 0x3c)) = 0x10;
					 *(_t238 - 0x38) = _t193;
					 *((intOrPtr*)(_t238 - 0x34)) = 0;
					 *((intOrPtr*)(_t238 - 0x1c)) =  *_t236;
					GetClientRect(_t193, _t238 - 0x30);
					SendMessageW( *( *((intOrPtr*)(_t238 - 0x4c)) + 4), 0x432, 0, _t238 - 0x40);
					return E6B162722(_t206, 0,  *_t236);
				}
			}

0x6b146655
0x6b146655
0x6b146655
0x6b14665c
0x6b146661
0x6b146664
0x6b146667
0x6b14666f
0x6b146670
0x6b146673
0x6b14667a
0x6b14667d
0x6b146680
0x6b146685
0x6b14668f
0x6b146694
0x6b146697
0x6b14669c
0x6b146713
0x6b146719
0x6b14671a
0x6b14671b
0x6b14671c
0x6b14671d
0x6b14671e
0x6b14671f
0x6b146726
0x6b14672e
0x6b146734
0x6b146736
0x6b14673a
0x6b14673d
0x6b146740
0x6b146745
0x6b14674b
0x6b14674d
0x6b14676b
0x6b14676e
0x6b146778
0x6b146782
0x6b14678a
0x6b146790
0x6b146795
0x6b146797
0x6b146799
0x6b1467b6
0x6b1467c0
0x6b1467c5
0x6b1467c5
0x00000000
0x6b14679b
0x6b1467a0
0x6b1467a5
0x6b1467af
0x00000000
0x6b1467af
0x6b14674f
0x6b146751
0x6b146757
0x6b146759
0x6b1467c7
0x6b1467c7
0x6b1467c9
0x6b14692d
0x6b146937
0x6b146941
0x6b146945
0x6b14694a
0x6b146957
0x6b14695a
0x6b146964
0x6b14696c
0x6b14696d
0x6b146970
0x6b146975
0x6b146978
0x6b14697d
0x00000000
0x6b1467cf
0x6b1467cf
0x6b1467cf
0x6b1467d1
0x6b1467d8
0x6b1467d9
0x6b1467da
0x6b1467e8
0x6b1467f3
0x6b1467fa
0x6b1467fd
0x6b14680a
0x6b14681d
0x6b14681f
0x6b146833
0x6b146841
0x6b146845
0x6b14684a
0x6b146856
0x6b146861
0x6b146866
0x6b146870
0x6b14687c
0x6b146881
0x6b146891
0x6b146894
0x6b14689b
0x6b14689e
0x6b1468a6
0x6b1468a7
0x6b1468aa
0x6b1468af
0x6b1468b4
0x6b1468b7
0x6b1468b7
0x6b1468b8
0x6b1468b8
0x6b14681f
0x6b1467c9
0x6b1468c0
0x6b1468c3
0x6b1468cb
0x6b1468d3
0x6b1468d4
0x6b1468d8
0x6b1468e6
0x6b1468eb
0x6b1468f2
0x6b146900
0x6b146903
0x6b146908
0x6b14690a
0x6b14690a
0x6b146911
0x6b146916
0x6b146919
0x6b14691e
0x6b14691e
0x6b146925
0x6b1466a2
0x6b1466a4
0x6b1466a7
0x6b1466ad
0x6b1466b3
0x6b1466b3
0x6b1466bc
0x6b1466c3
0x6b1466c8
0x6b1466d3
0x6b1466d6
0x6b1466dd
0x6b1466e0
0x6b1466e3
0x6b1466e6
0x6b1466fc
0x6b146707
0x6b146707

APIs

__EH_prolog3_GS.LIBCMT ref: 6B14665C

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14F35E: __EH_prolog3.LIBCMT ref: 6B14F365
Part of subcall function 6B14F35E: __recalloc.LIBCMT ref: 6B14F3A7

_memset.LIBCMT ref: 6B1466C3
GetClientRect.USER32 ref: 6B1466E6
SendMessageW.USER32(00000001,00000432,00000000,?), ref: 6B1466FC

Part of subcall function 6B1581DE: _memcpy_s.LIBCMT ref: 6B158224

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,6B14730F,?,?,?,?,?,?,?,?,?), ref: 6B146713

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$ClientExceptionH_prolog3_MessageRaiseRectSend__recalloc_memcpy_s_memset
String ID:
API String ID: 4097222183-0
Opcode ID: 3af6bf3640b25f9c2ce4c4c46cde47aaf85a99497876d0b18e6c68864bb5bc84
Instruction ID: 74400dee6a91b4a66db0979c49137a144fc63a08bbf96194ec46f8f3cb8c07ca
Opcode Fuzzy Hash: 3af6bf3640b25f9c2ce4c4c46cde47aaf85a99497876d0b18e6c68864bb5bc84
Instruction Fuzzy Hash: AF2135B1900218EFCB24DFA8C889E9EBBB8FF44318F148419F514A7250D734AA12CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B14C1B2 Relevance: 7.6, APIs: 5, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E6B14C1B2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				struct HWND__* _v8;
				signed char _v12;
				void* __ecx;
				struct HWND__* _t19;
				signed int _t30;
				intOrPtr _t32;
				void* _t39;
				intOrPtr _t40;

				_t39 = __esi;
				_push(_t32);
				SetWindowTextW( *(__esi + 4),  *( *(__esi + 0x2c)));
				_t19 = GetDlgItem( *(__esi + 4), 0x65);
				_t30 = 0;
				_v8 = _t19;
				if( *((intOrPtr*)(__esi + 0x24)) <= 0) {
					L4:
					E6B13E153(_t39 + 4, GetParent( *(_t39 + 4)));
					 *_a4 = 1;
					return 1;
				} else {
					while(_t30 >= 0 && _t30 <  *((intOrPtr*)(_t39 + 0x24))) {
						_t32 =  *((intOrPtr*)(_t39 + 0x20));
						SendMessageW(_v8, 0x180, 0,  *(_t32 + _t30 * 4));
						_t30 = _t30 + 1;
						if(_t30 <  *((intOrPtr*)(_t39 + 0x24))) {
							continue;
						} else {
							goto L4;
						}
						goto L8;
					}
					RaiseException(0xc000008c, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t39);
					_t40 = _t32;
					E6B14C189(_t32);
					if((_v12 & 0x00000001) != 0) {
						_push(_t40);
						E6B1587B1();
					}
					return _t40;
				}
				L8:
			}

0x6b14c1b2
0x6b14c1b7
0x6b14c1c2
0x6b14c1cd
0x6b14c1d3
0x6b14c1d5
0x6b14c1db
0x6b14c203
0x6b14c211
0x6b14c21d
0x6b14c221
0x6b14c1dd
0x6b14c1dd
0x6b14c1e8
0x6b14c1f7
0x6b14c1fd
0x6b14c201
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14c201
0x6b14c22d
0x6b14c233
0x6b14c234
0x6b14c235
0x6b14c236
0x6b14c237
0x6b14c238
0x6b14c23e
0x6b14c23f
0x6b14c241
0x6b14c24a
0x6b14c24c
0x6b14c24d
0x6b14c252
0x6b14c257
0x6b14c257
0x00000000

APIs

SetWindowTextW.USER32(?,?), ref: 6B14C1C2
GetDlgItem.USER32 ref: 6B14C1CD
SendMessageW.USER32(?,00000180,00000000,?), ref: 6B14C1F7
GetParent.USER32(?), ref: 6B14C206
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,6B14C10E,00000110), ref: 6B14C22D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ExceptionItemMessageParentRaiseSendTextWindow
String ID:
API String ID: 3396959766-0
Opcode ID: 681e530cf52479de261025d84e392e49cb94891c4fa75dcc34ed41c343747578
Instruction ID: 625e4b0cd2e1ac7a0cb611b05e15ce654a0e05bcfe4e76000b7a02bf5e7cffbe
Opcode Fuzzy Hash: 681e530cf52479de261025d84e392e49cb94891c4fa75dcc34ed41c343747578
Instruction Fuzzy Hash: 6C110131100714FFC721ABB8CC85D5BBBE9EF49754F104429F546C2510DBB1E921CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D76235 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00D76235(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t6;
				void* _t7;
				intOrPtr* _t8;
				intOrPtr* _t12;
				void* _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					if(_t30 != 0) {
						_push(__edi);
						while(_t30 <= 0xffffffe0) {
							if(_t30 == 0) {
								_t30 = _t30 + 1;
							}
							_t6 = HeapReAlloc( *0xd793a4, 0, _a4, _t30);
							_t27 = _t6;
							if(_t27 != 0) {
								L17:
								_t7 = _t27;
							} else {
								if( *0xd79880 == _t6) {
									_t8 = E00D747E5();
									 *_t8 = E00D7479E(GetLastError());
									goto L17;
								} else {
									if(E00D74771(_t30) == 0) {
										_t12 = E00D747E5();
										 *_t12 = E00D7479E(GetLastError());
										L12:
										_t7 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00D74771(_t30);
						 *((intOrPtr*)(E00D747E5())) = 0xc;
						goto L12;
					} else {
						E00D74EF9(_a4);
						_t7 = 0;
					}
					L14:
					return _t7;
				} else {
					return E00D76115(__edx, __edi, __esi, _a8);
				}
			}

0x00d7623e
0x00d7624b
0x00d7624c
0x00d76251
0x00d76260
0x00d76293
0x00d76265
0x00d76267
0x00d76267
0x00d76274
0x00d7627a
0x00d7627e
0x00d762de
0x00d762de
0x00d76280
0x00d76286
0x00d762c8
0x00d762dc
0x00000000
0x00d76288
0x00d76291
0x00d762b0
0x00d762c4
0x00d762aa
0x00d762aa
0x00000000
0x00000000
0x00000000
0x00d76291
0x00d76286
0x00000000
0x00d762ac
0x00d76299
0x00d762a4
0x00000000
0x00d76253
0x00d76256
0x00d7625c
0x00d7625c
0x00d762ad
0x00d762af
0x00d76240
0x00d7624a
0x00d7624a

APIs

_malloc.LIBCMT ref: 00D76243

Part of subcall function 00D76115: __FF_MSGBANNER.LIBCMT ref: 00D7612E
Part of subcall function 00D76115: __NMSG_WRITE.LIBCMT ref: 00D76135
Part of subcall function 00D76115: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00D74F49,?,00000001,?,?,00D742B7,00000018,00D76F78,0000000C,00D7434C), ref: 00D7615A

_free.LIBCMT ref: 00D76256

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: bf7f5d9d59ddd91ffeb0390791db51c9923660a974205555a8728b4c4501c03c
Instruction ID: bbe8f3354c10d0b862d3608bbd720676e338cbc8d21444fc272aa0503de58345
Opcode Fuzzy Hash: bf7f5d9d59ddd91ffeb0390791db51c9923660a974205555a8728b4c4501c03c
Instruction Fuzzy Hash: 6B11A336504B25ABCB662F74EC05A5A3B94EF42370B25C525F84CDB692FF34C88087B8

Uniqueness

Uniqueness Score: -1.00%

Function 6B14CB21 Relevance: 7.6, APIs: 5, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E6B14CB21(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HICON__* _t24;
				struct HICON__* _t25;
				struct HICON__* _t26;
				struct HICON__* _t27;
				void* _t31;
				intOrPtr _t44;
				void* _t49;

				_push(4);
				E6B16265B(0x6b16393a, __ebx, __edi, __esi);
				_t44 = __ecx;
				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x6b137890;
				 *(_t49 - 4) = 1;
				_t24 =  *(__ecx + 0x9c);
				if(_t24 != 0) {
					DestroyIcon(_t24);
				}
				_t25 =  *(_t44 + 0xa0);
				if(_t25 != 0) {
					DestroyIcon(_t25);
				}
				_t26 =  *(_t44 + 0xa4);
				if(_t26 != 0) {
					DestroyIcon(_t26);
				}
				_t27 =  *(_t44 + 0xa8);
				if(_t27 != 0) {
					DestroyIcon(_t27);
				}
				E6B14F3EC(_t44 + 0xb4);
				_t29 =  *(_t44 + 0x90);
				if( *(_t44 + 0x90) != 0) {
					E6B158E26(_t29);
					 *(_t44 + 0x90) =  *(_t44 + 0x90) & 0x00000000;
				}
				 *(_t44 + 0x94) =  *(_t44 + 0x94) & 0x00000000;
				 *(_t44 + 0x98) =  *(_t44 + 0x98) & 0x00000000;
				 *((intOrPtr*)(_t44 + 0x64)) = 0x6b137160;
				_t30 =  *((intOrPtr*)(_t44 + 0x78));
				if( *((intOrPtr*)(_t44 + 0x78)) != 0) {
					E6B16216C(_t30);
				}
				 *(_t49 - 4) = 0;
				_t31 = E6B1409E1(_t44 + 0x34);
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				_t45 =  *((intOrPtr*)(_t44 + 0x14));
				if( *((intOrPtr*)(_t44 + 0x14)) != 0) {
					_t31 = E6B16216C(_t45);
				}
				return E6B162709(_t31);
			}

0x6b14cb21
0x6b14cb28
0x6b14cb2d
0x6b14cb2f
0x6b14cb32
0x6b14cb38
0x6b14cb3f
0x6b14cb4d
0x6b14cb50
0x6b14cb50
0x6b14cb52
0x6b14cb5a
0x6b14cb5d
0x6b14cb5d
0x6b14cb5f
0x6b14cb67
0x6b14cb6a
0x6b14cb6a
0x6b14cb6c
0x6b14cb74
0x6b14cb77
0x6b14cb77
0x6b14cb7f
0x6b14cb84
0x6b14cb8c
0x6b14cb8f
0x6b14cb94
0x6b14cb9b
0x6b14cb9c
0x6b14cba3
0x6b14cbaa
0x6b14cbb1
0x6b14cbb6
0x6b14cbb9
0x6b14cbb9
0x6b14cbc1
0x6b14cbc5
0x6b14cbca
0x6b14cbce
0x6b14cbd3
0x6b14cbd6
0x6b14cbd6
0x6b14cbe0

APIs

__EH_prolog3.LIBCMT ref: 6B14CB28
DestroyIcon.USER32(?,00000004), ref: 6B14CB50
DestroyIcon.USER32(?,00000004), ref: 6B14CB5D
DestroyIcon.USER32(?,00000004), ref: 6B14CB6A
DestroyIcon.USER32(?,00000004), ref: 6B14CB77

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: DestroyIcon$H_prolog3
String ID:
API String ID: 1886938828-0
Opcode ID: 9ba3fb5743df1185927d9d306820fb1789ebf5ed1b0bf0dcbc9cc559db75281e
Instruction ID: 97f7760a778b3450228970f9c074c713d51e6c7b31fcd33b612c8f32a5f85a43
Opcode Fuzzy Hash: 9ba3fb5743df1185927d9d306820fb1789ebf5ed1b0bf0dcbc9cc559db75281e
Instruction Fuzzy Hash: EE118FB1B00606FBEB04DF74C945B9AF7A8BF11795F1002499428E7280DBBCE964CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6B1503F5 Relevance: 7.6, APIs: 5, Instructions: 50
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6B1503F5(void* _a4) {
				int _v8;
				struct tagMSG _v36;
				int _t10;

				goto L1;
				do {
					while(1) {
						L1:
						_t10 = MsgWaitForMultipleObjects(1,  &_a4, 0, 0x64, 0x4ff);
						_v8 = _t10;
						if(_t10 != 1) {
							goto L4;
						}
						if(PeekMessageW( &_v36, 0, 0, 0, _t10) == 0) {
							continue;
						} else {
							do {
								TranslateMessage( &_v36);
								DispatchMessageW( &_v36);
								_t10 = PeekMessageW( &_v36, 0, 0, 0, 1);
							} while (_t10 != 0);
						}
						goto L4;
					}
					L4:
				} while (_v8 != 0 && _v8 != 0xffffffff);
				return _t10;
			}

0x6b150405
0x6b150407
0x6b150407
0x6b150407
0x6b150415
0x6b15041b
0x6b150421
0x00000000
0x00000000
0x6b15042f
0x00000000
0x00000000
0x6b150431
0x6b150435
0x6b15043f
0x6b15044e
0x6b150450
0x6b150431
0x00000000
0x6b15042f
0x6b150454
0x6b150454
0x6b150462

APIs

MsgWaitForMultipleObjects.USER32 ref: 6B150415
PeekMessageW.USER32 ref: 6B15042B
TranslateMessage.USER32(?), ref: 6B150435
DispatchMessageW.USER32 ref: 6B15043F
PeekMessageW.USER32 ref: 6B15044E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: 9b085a0d0cfb824b3527d44088826b84a725bd99bf9f7d3774dfc087c05d3168
Instruction ID: 24bb8ebab0271af33bea3321ad3a85fac1a63427c445f9c06715f8cf0b66d7e1
Opcode Fuzzy Hash: 9b085a0d0cfb824b3527d44088826b84a725bd99bf9f7d3774dfc087c05d3168
Instruction Fuzzy Hash: F10171B3C01229BADF20A6E58C4CDDF7B7CEF4A765F100125FA10E6080E674D255C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 6B15DE5E Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E6B15DE5E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x6b168078);
				E6B15AA30(__ebx, __edi, __esi);
				_t31 = E6B159BE0(_t35);
				_t15 =  *0x6b16f740; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E6B15EA00(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x6b16f648; // 0x1471800
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x6b16f220;
								if(__eflags != 0) {
									E6B158E26(_t33);
								}
							}
						}
						_t21 =  *0x6b16f648; // 0x1471800
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x6b16f648; // 0x1471800
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E6B15DEF9();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E6B15A2EE(_t29, _t38);
				}
				return E6B15AA75(_t33);
			}

0x6b15de5e
0x6b15de5e
0x6b15de5e
0x6b15de5e
0x6b15de60
0x6b15de65
0x6b15de6f
0x6b15de71
0x6b15de79
0x6b15de9a
0x6b15dea0
0x6b15dea4
0x6b15dea7
0x6b15deaa
0x6b15deb0
0x6b15deb2
0x6b15deb4
0x6b15debd
0x6b15debf
0x6b15dec1
0x6b15dec7
0x6b15deca
0x6b15decf
0x6b15dec7
0x6b15debf
0x6b15ded0
0x6b15ded5
0x6b15ded8
0x6b15dede
0x6b15dee2
0x6b15dee2
0x6b15dee8
0x6b15deef
0x6b15de81
0x6b15de81
0x6b15de81
0x6b15de84
0x6b15de86
0x6b15de88
0x6b15de8a
0x6b15de8f
0x6b15de97

APIs

__getptd.LIBCMT ref: 6B15DE6A

Part of subcall function 6B159BE0: __getptd_noexit.LIBCMT ref: 6B159BE3
Part of subcall function 6B159BE0: __amsg_exit.LIBCMT ref: 6B159BF0

__amsg_exit.LIBCMT ref: 6B15DE8A
__lock.LIBCMT ref: 6B15DE9A
InterlockedDecrement.KERNEL32(?), ref: 6B15DEB7
InterlockedIncrement.KERNEL32(01471800), ref: 6B15DEE2

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1bd1d4e962948517bbf8017cee5c46bfbfbf7b66d6279d34b9f806d2f0f11216
Instruction ID: cdbcf8775bab6af079539ada8c42cd65f6ffa9a678f80266c535e53763afd758
Opcode Fuzzy Hash: 1bd1d4e962948517bbf8017cee5c46bfbfbf7b66d6279d34b9f806d2f0f11216
Instruction Fuzzy Hash: 420180B3D86721BBDB11AB788445B5EB760EF25725F004169E830A7290DB3CA9E0CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 6B157BEC Relevance: 7.5, APIs: 5, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B157BEC(void** __eax, WCHAR* _a4) {
				void* _t5;
				signed int* _t14;

				_t14 = __eax;
				_t5 =  *__eax;
				if(_t5 != 0) {
					CloseHandle(_t5);
					 *_t14 =  *_t14 & 0x00000000;
				}
				if(_a4 != 0) {
					if(DeleteFileW(_a4) != 0 || GetLastError() == 2) {
						if(MoveFileW( &(_t14[2]), _a4) != 0) {
							goto L4;
						}
						return E6B157F08();
					} else {
						return E6B157BD8(_t10);
					}
				} else {
					DeleteFileW( &(_t14[2]));
					L4:
					return 0;
				}
			}

0x6b157bf2
0x6b157bf4
0x6b157bf8
0x6b157bfb
0x6b157c01
0x6b157c01
0x6b157c08
0x6b157c26
0x6b157c49
0x00000000
0x00000000
0x00000000
0x6b157c33
0x00000000
0x6b157c33
0x6b157c0a
0x6b157c0e
0x6b157c14
0x00000000
0x6b157c14

APIs

CloseHandle.KERNEL32(?,00000000,?,6B140FC5,F69FF218), ref: 6B157BFB
DeleteFileW.KERNEL32(?,00000000,?,6B140FC5,F69FF218), ref: 6B157C0E
DeleteFileW.KERNEL32(00000000,00000000,?,6B140FC5,F69FF218), ref: 6B157C1E
GetLastError.KERNEL32(?,6B140FC5,F69FF218), ref: 6B157C28
MoveFileW.KERNEL32(?,00000000), ref: 6B157C41

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: File$Delete$CloseErrorHandleLastMove
String ID:
API String ID: 4022683281-0
Opcode ID: 7ccf98e53ae3cbc9f586e4156e44ab135558ca7d8a6df15993117dec649577ea
Instruction ID: ce4214d1f18cbb565896b829a0d16b7b2e6495c2b627156e031c37bec1104e1f
Opcode Fuzzy Hash: 7ccf98e53ae3cbc9f586e4156e44ab135558ca7d8a6df15993117dec649577ea
Instruction Fuzzy Hash: 4FF036B3904115BBDB216F78DC0BB8A37A9AF23357B018466F969D5100E738C5B08AA6

Uniqueness

Uniqueness Score: -1.00%

Function 6B15E60F Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E6B15E60F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x6b1680b8);
				E6B15AA30(__ebx, __edi, __esi);
				_t28 = E6B159BE0(_t31);
				_t12 =  *0x6b16f740; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E6B15EA00(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E6B15E5BD(_t29,  *0x6b16f988);
					 *(_t30 - 4) = 0xfffffffe;
					E6B15E67C();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E6B159BE0(_t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E6B15A2EE(_t25, _t34);
				}
				return E6B15AA75(_t29);
			}

0x6b15e60f
0x6b15e60f
0x6b15e60f
0x6b15e60f
0x6b15e60f
0x6b15e611
0x6b15e616
0x6b15e620
0x6b15e622
0x6b15e62a
0x6b15e64e
0x6b15e650
0x6b15e656
0x6b15e660
0x6b15e66b
0x6b15e66e
0x6b15e675
0x6b15e62c
0x6b15e62c
0x6b15e630
0x00000000
0x6b15e632
0x6b15e637
0x6b15e637
0x6b15e630
0x6b15e63a
0x6b15e63c
0x6b15e63e
0x6b15e640
0x6b15e645
0x6b15e64d

APIs

__getptd.LIBCMT ref: 6B15E61B

Part of subcall function 6B159BE0: __getptd_noexit.LIBCMT ref: 6B159BE3
Part of subcall function 6B159BE0: __amsg_exit.LIBCMT ref: 6B159BF0

__getptd.LIBCMT ref: 6B15E632
__amsg_exit.LIBCMT ref: 6B15E640
__lock.LIBCMT ref: 6B15E650
__updatetlocinfoEx_nolock.LIBCMT ref: 6B15E664

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 6784c229e8e936887d78e184242b0537b52fff76fe9e9b1622660fc0569f48f3
Instruction ID: 2924eeff105d528e42b4b0ce4175b09f6dc10a10865b45b09cf4691e2b1423dc
Opcode Fuzzy Hash: 6784c229e8e936887d78e184242b0537b52fff76fe9e9b1622660fc0569f48f3
Instruction Fuzzy Hash: 7AF0BBF3DA4610FFD7109B78C403B4D77916F04799F114149D471971C0DB3C4660CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D7566A Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00D7566A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;

				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0xd76ff8);
				E00D73DB0(__ebx, __edi, __esi);
				_t28 = E00D73AB0();
				_t12 =  *0xd78aec; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0 ||  *((intOrPtr*)(_t28 + 0x6c)) == 0) {
					E00D74331(_t20, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00D75618(_t29,  *0xd78558);
					 *(_t30 - 4) = 0xfffffffe;
					E00D756D7();
				} else {
					_t29 =  *((intOrPtr*)(E00D73AB0() + 0x6c));
				}
				if(_t29 == 0) {
					_push(0x20);
					E00D72F1C();
				}
				return E00D73DF5(_t29);
			}

0x00d7566a
0x00d7566a
0x00d7566a
0x00d7566a
0x00d7566c
0x00d75671
0x00d7567b
0x00d7567d
0x00d75685
0x00d756ab
0x00d756b1
0x00d756bb
0x00d756c6
0x00d756c9
0x00d756d0
0x00d7568d
0x00d75692
0x00d75692
0x00d75697
0x00d75699
0x00d7569b
0x00d756a0
0x00d756a8

APIs

__getptd.LIBCMT ref: 00D75676

Part of subcall function 00D73AB0: __getptd_noexit.LIBCMT ref: 00D73AB3
Part of subcall function 00D73AB0: __amsg_exit.LIBCMT ref: 00D73AC0

__getptd.LIBCMT ref: 00D7568D
__amsg_exit.LIBCMT ref: 00D7569B
__lock.LIBCMT ref: 00D756AB
__updatetlocinfoEx_nolock.LIBCMT ref: 00D756BF

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c21912a7078008144d2508642c916ed448de53e0bf186453286ba797cfa1d5a1
Instruction ID: e9cb1161f7bc2e2e3d24f4c831b12753f03f05163151b396adce505a154bc274
Opcode Fuzzy Hash: c21912a7078008144d2508642c916ed448de53e0bf186453286ba797cfa1d5a1
Instruction Fuzzy Hash: DFF0BB32940B109BD721BB74A807B5E73A0DF00720F64C509F15CA72D6FFB48A409AB7

Uniqueness

Uniqueness Score: -1.00%

Function 6B143E14 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B143E14(void* __ebx, intOrPtr __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
				void* _t133;
				void* _t138;
				void* _t143;
				void* _t148;
				intOrPtr* _t149;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr* _t159;
				intOrPtr* _t163;
				intOrPtr* _t167;
				intOrPtr* _t171;
				intOrPtr* _t184;
				intOrPtr* _t193;
				intOrPtr* _t198;
				intOrPtr* _t205;
				intOrPtr* _t211;
				signed char _t213;
				void* _t227;
				signed int _t228;
				signed int _t229;
				intOrPtr* _t234;
				char* _t240;
				intOrPtr* _t246;
				void* _t247;

				_t228 = __edi;
				_t227 = __edx;
				_t220 = __ecx;
				_push(0x74);
				E6B16265B(0x6b1668b4, __ebx, __edi, __esi);
				 *(_t247 - 0x14) =  *(_t247 - 0x14) & 0x00000000;
				_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t247 + 0xc))));
				_t213 = 3;
				_t240 = "X";
				if( *((intOrPtr*)( *((intOrPtr*)(_t247 + 0xc)))) == 0) {
					L3:
					 *((char*)(_t247 - 0xd)) = 1;
					L4:
					if(( *(_t247 - 0x14) & 0x00000008) != 0) {
						_t198 =  *((intOrPtr*)(_t247 - 0x44));
						 *(_t247 - 0x14) =  *(_t247 - 0x14) & 0xfffffff7;
						if(_t198 != 0) {
							_t220 =  *_t198;
							 *((intOrPtr*)( *_t198 + 8))(_t198);
						}
					}
					if(( *(_t247 - 0x14) & 0x00000004) != 0) {
						 *(_t247 - 0x14) =  *(_t247 - 0x14) & 0xfffffffb;
						E6B158460( *((intOrPtr*)(_t247 - 0x18)) + 0xfffffff0, _t227);
					}
					 *(_t247 - 4) =  *(_t247 - 4) & 0x00000000;
					if(( *(_t247 - 0x14) & 0x00000002) != 0) {
						_t193 =  *((intOrPtr*)(_t247 - 0x50));
						 *(_t247 - 0x14) =  *(_t247 - 0x14) & 0xfffffffd;
						if(_t193 != 0) {
							_t220 =  *_t193;
							 *((intOrPtr*)( *_t193 + 8))(_t193);
						}
					}
					_t229 = _t228 | 0xffffffff;
					 *(_t247 - 4) = _t229;
					if(( *(_t247 - 0x14) & 0x00000001) != 0) {
						E6B158460( *((intOrPtr*)(_t247 - 0x1c)) + 0xfffffff0, _t227);
					}
					if( *((char*)(_t247 - 0xd)) == 0) {
						_push(_t247 - 0x28);
						E6B14E8E8(L"Height", _t240, __eflags);
						_push(_t247 - 0x24);
						 *(_t247 - 4) = _t213;
						E6B14E8E8(L"Width", _t240, __eflags);
						_push(_t247 - 0x20);
						 *(_t247 - 4) = 4;
						E6B14E8E8("Y", _t240, __eflags);
						_push(_t247 - 0x14);
						 *(_t247 - 4) = 5;
						E6B14E8E8(_t240, _t240, __eflags);
						 *(_t247 - 4) = 6;
						_t133 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t213, _t220, _t247 - 0x80, _t247 - 0x28);
						 *(_t247 - 4) = 7;
						_t234 = E6B13D76F(_t247 - 0x38, _t240, _t133, __eflags);
						 *(_t247 - 4) = 8;
						_t138 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t247 - 0x38, _t220, _t247 - 0x74, _t247 - 0x24);
						 *(_t247 - 4) = 9;
						 *((intOrPtr*)(_t247 - 0x1c)) = E6B13D76F(_t247 - 0x34, _t234, _t138, __eflags);
						 *(_t247 - 4) = 0xa;
						_t143 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t247 - 0x34, _t220, _t247 - 0x68, _t247 - 0x20);
						 *(_t247 - 4) = 0xb;
						 *((intOrPtr*)(_t247 - 0x18)) = E6B13D76F(_t247 - 0x30, _t234, _t143, __eflags);
						 *(_t247 - 4) = 0xc;
						_t148 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t247 - 0x30, _t220, _t247 - 0x5c, _t247 - 0x14);
						 *(_t247 - 4) = 0xd;
						_t149 = E6B13D76F(_t247 - 0x2c, _t234, _t148, __eflags);
						_push( *_t234);
						 *((intOrPtr*)(_t247 + 0xc)) =  *_t149;
						_t151 = E6B158E16();
						_push( *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x1c)))));
						_t152 = E6B158E16();
						_push( *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x18)))));
						 *((intOrPtr*)(_t247 - 0x1c)) = _t152;
						_t153 = E6B158E16();
						_push( *((intOrPtr*)(_t247 + 0xc)));
						_t154 = E6B158E16();
						_t246 =  *((intOrPtr*)(_t247 + 8));
						 *((intOrPtr*)(_t246 + 4)) = _t154;
						 *((intOrPtr*)(_t246 + 0xc)) =  *((intOrPtr*)(_t247 - 0x1c));
						 *_t246 = 0x6b13725c;
						 *((intOrPtr*)(_t246 + 8)) = _t153;
						 *((intOrPtr*)(_t246 + 0x10)) = _t151;
						E6B158460( *((intOrPtr*)(_t247 - 0x2c)) + 0xfffffff0, _t227);
						 *(_t247 - 4) = 0xc;
						_t159 =  *((intOrPtr*)(_t247 - 0x5c));
						__eflags = _t159;
						if(_t159 != 0) {
							 *((intOrPtr*)( *_t159 + 8))(_t159);
						}
						E6B158460( *((intOrPtr*)(_t247 - 0x30)) + 0xfffffff0, _t227);
						 *(_t247 - 4) = 0xa;
						_t163 =  *((intOrPtr*)(_t247 - 0x68));
						__eflags = _t163;
						if(_t163 != 0) {
							 *((intOrPtr*)( *_t163 + 8))(_t163);
						}
						E6B158460( *((intOrPtr*)(_t247 - 0x34)) + 0xfffffff0, _t227);
						 *(_t247 - 4) = 8;
						_t167 =  *((intOrPtr*)(_t247 - 0x74));
						__eflags = _t167;
						if(_t167 != 0) {
							 *((intOrPtr*)( *_t167 + 8))(_t167);
						}
						E6B158460( *((intOrPtr*)(_t247 - 0x38)) + 0xfffffff0, _t227);
						 *(_t247 - 4) = 6;
						_t171 =  *((intOrPtr*)(_t247 - 0x80));
						__eflags = _t171;
						if(_t171 != 0) {
							 *((intOrPtr*)( *_t171 + 8))(_t171);
						}
						E6B158460( *(_t247 - 0x14) + 0xfffffff0, _t227);
						E6B158460( *((intOrPtr*)(_t247 - 0x20)) + 0xfffffff0, _t227);
						E6B158460( *((intOrPtr*)(_t247 - 0x24)) + 0xfffffff0, _t227);
						__eflags =  *((intOrPtr*)(_t247 - 0x28)) + 0xfffffff0;
						E6B158460( *((intOrPtr*)(_t247 - 0x28)) + 0xfffffff0, _t227);
						_t184 = _t246;
					} else {
						_t184 =  *((intOrPtr*)(_t247 + 8));
						 *_t184 = 0x6b13725c;
						 *(_t184 + 4) = _t229;
						 *(_t184 + 8) = _t229;
						 *(_t184 + 0xc) = _t229;
						 *(_t184 + 0x10) = _t229;
					}
					return E6B162709(_t184);
				}
				_push(_t247 - 0x1c);
				E6B14E8E8(L"Hide", _t240, _t251);
				 *(_t247 - 4) =  *(_t247 - 4) & 0x00000000;
				_t228 = 1;
				 *(_t247 - 0x14) = 1;
				_t205 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t213, _t220, _t247 - 0x50, _t247 - 0x1c);
				 *(_t247 - 4) = 1;
				_t252 =  *_t205;
				 *(_t247 - 0x14) = _t213;
				if( *_t205 != 0) {
					goto L3;
				}
				_push(_t247 - 0x18);
				_t228 = _t240;
				E6B14E8E8(_t228, _t240, _t252);
				 *(_t247 - 4) = 2;
				 *(_t247 - 0x14) = 7;
				_t211 = E6B13D6C4( *((intOrPtr*)(_t247 + 0xc)), _t213, _t220, _t247 - 0x44, _t247 - 0x18);
				 *(_t247 - 0x14) = 0xf;
				 *((char*)(_t247 - 0xd)) = 0;
				if( *_t211 != 0) {
					goto L4;
				}
				goto L3;
			}

0x6b143e14
0x6b143e14
0x6b143e14
0x6b143e14
0x6b143e1b
0x6b143e23
0x6b143e27
0x6b143e2c
0x6b143e2d
0x6b143e32
0x6b143ea0
0x6b143ea0
0x6b143ea4
0x6b143ea8
0x6b143eaa
0x6b143ead
0x6b143eb3
0x6b143eb5
0x6b143eb8
0x6b143eb8
0x6b143eb3
0x6b143ebf
0x6b143ec4
0x6b143ecb
0x6b143ecb
0x6b143ed0
0x6b143ed8
0x6b143eda
0x6b143edd
0x6b143ee3
0x6b143ee5
0x6b143ee8
0x6b143ee8
0x6b143ee3
0x6b143eeb
0x6b143eee
0x6b143ef5
0x6b143efd
0x6b143efd
0x6b143f06
0x6b143f25
0x6b143f2b
0x6b143f33
0x6b143f39
0x6b143f3c
0x6b143f44
0x6b143f4a
0x6b143f4e
0x6b143f56
0x6b143f59
0x6b143f5d
0x6b143f6d
0x6b143f71
0x6b143f7b
0x6b143f84
0x6b143f91
0x6b143f95
0x6b143f9f
0x6b143fa8
0x6b143fb6
0x6b143fba
0x6b143fc4
0x6b143fcd
0x6b143fdb
0x6b143fdf
0x6b143fe9
0x6b143fed
0x6b144000
0x6b144001
0x6b144004
0x6b144009
0x6b14400c
0x6b144011
0x6b144012
0x6b144015
0x6b14401a
0x6b14401f
0x6b144024
0x6b144027
0x6b14402d
0x6b144039
0x6b14403f
0x6b144042
0x6b144045
0x6b14404a
0x6b14404e
0x6b144051
0x6b144053
0x6b144058
0x6b144058
0x6b144061
0x6b144066
0x6b14406a
0x6b14406d
0x6b14406f
0x6b144074
0x6b144074
0x6b14407d
0x6b144082
0x6b144086
0x6b144089
0x6b14408b
0x6b144090
0x6b144090
0x6b144099
0x6b14409e
0x6b1440a2
0x6b1440a5
0x6b1440a7
0x6b1440ac
0x6b1440ac
0x6b1440b5
0x6b1440c0
0x6b1440cb
0x6b1440d3
0x6b1440d6
0x6b1440db
0x6b143f08
0x6b143f08
0x6b143f0b
0x6b143f11
0x6b143f14
0x6b143f17
0x6b143f1a
0x6b143f1a
0x6b1440e2
0x6b1440e2
0x6b143e37
0x6b143e3d
0x6b143e42
0x6b143e53
0x6b143e54
0x6b143e57
0x6b143e5c
0x6b143e5f
0x6b143e62
0x6b143e65
0x00000000
0x00000000
0x6b143e6a
0x6b143e6b
0x6b143e6d
0x6b143e7d
0x6b143e84
0x6b143e8b
0x6b143e93
0x6b143e9a
0x6b143e9e
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B143E1B

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Strings

Width, xrefs: 6B143F34
Height, xrefs: 6B143F26
Hide, xrefs: 6B143E38

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Height$Hide$Width
API String ID: 431132790-1313002608
Opcode ID: 16660dc45da5c11097bdfb66a1297a044e6edbd08a467dfbf0dfa35e50e0a1e8
Instruction ID: 5546c5578f9ebbe3b7d8983773cfbda37e05d830fb4ec40fca776ba167f3021e
Opcode Fuzzy Hash: 16660dc45da5c11097bdfb66a1297a044e6edbd08a467dfbf0dfa35e50e0a1e8
Instruction Fuzzy Hash: 89A12B72D01249EFDB11CBF8C545BDEBBB8AF09328F244195E424FB291D738AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14C7AB Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B14C7AB(intOrPtr* __ecx, intOrPtr* _a8) {
				intOrPtr _v0;
				int _v4;
				intOrPtr _v8;
				void* _v12;
				short _v20;
				signed int _v24;
				short _v28;
				int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				signed int _v60;
				signed int _t133;
				intOrPtr* _t134;
				intOrPtr* _t137;
				signed int _t139;
				signed int _t145;
				intOrPtr _t146;
				signed int _t154;
				void* _t167;
				void* _t172;
				intOrPtr _t176;
				void* _t185;
				int _t187;
				void* _t193;
				signed int _t194;
				intOrPtr _t198;
				void* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				void* _t202;
				signed int _t205;
				signed int _t211;
				void* _t218;
				void* _t220;
				void* _t221;

				_t192 = __ecx;
				_push(0x30);
				E6B16265B(0x6b164969, _t185, _t199, _t202);
				_t200 = __ecx;
				_v4 = 0;
				_push( &_v24);
				_v32 = 0;
				E6B14E8E8(__ecx, 0, _t221);
				_t187 = 1;
				_v4 = 1;
				E6B14ED86( &_v24);
				_t133 = _v24;
				if( *((intOrPtr*)(_t133 - 4)) > 1) {
					E6B1581DE(_t192,  &_v24,  *((intOrPtr*)(_t133 - 0xc)));
					_t133 = _v24;
				}
				_v36 = _t133;
				_t134 = _t200;
				_t193 = _t134 + 2;
				do {
					_t198 =  *_t134;
					_t134 = _t134 + 2;
				} while (_t198 != 0);
				_t201 = (_t134 - _t193 >> 1) - 1;
				_t137 = _a8;
				 *_t137 = 0;
				 *((intOrPtr*)(_t137 + 4)) = 0;
				 *((intOrPtr*)(_t137 + 8)) = 0;
				_t194 = 0;
				_v32 = _t187;
				_t205 = E6B14ED1C(0,  &_v24, L"<a");
				if(_t205 == 0xffffffff) {
					L40:
					_t139 = _v24;
					goto L41;
				} else {
					while(1) {
						_t19 = _t205 + 0x11; // 0x11
						if(_t19 > _t201) {
							goto L40;
						}
						_t20 = _t205 + 2; // 0x2
						_t145 = _t20;
						if(_t145 < 0) {
							L42:
							_t146 = E6B1583CE(_t194, 0x80070057);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t218 = _t220;
							_push(_t187);
							 *((intOrPtr*)(_t201 + 4)) = 0;
							 *((intOrPtr*)(_t201 + 0x14)) = 0;
							 *((intOrPtr*)(_t201 + 0x20)) = _t146;
							 *((intOrPtr*)(_t201 + 0x24)) = _v4;
							 *(_t201 + 0x28) =  *(_t218 + 0x14);
							 *((intOrPtr*)(_t201 + 0x2c)) = _v0;
							_push(_t205);
							 *((intOrPtr*)(_t201 + 0x18)) = 0;
							 *((intOrPtr*)(_t201 + 0x1c)) = 0;
							 *_t201 = 0x6b137890;
							 *((intOrPtr*)(_t201 + 0x30)) = _v8;
							E6B1409A7(_t201 + 0x34);
							 *((intOrPtr*)(_t201 + 0x68)) = 0;
							 *((intOrPtr*)(_t201 + 0x78)) = 0;
							 *((intOrPtr*)(_t201 + 0x7c)) = 0;
							 *((intOrPtr*)(_t201 + 0x80)) = 0;
							 *((intOrPtr*)(_t201 + 0x84)) = DefWindowProcW;
							 *((intOrPtr*)(_t201 + 0x64)) = 0x6b137160;
							 *((intOrPtr*)(_t201 + 0x88)) = E6B13F634();
							_t154 =  *(_t218 + 0x14);
							__eflags =  *(_t154 + 4);
							_t195 = _t194 & 0xffffff00 | __eflags > 0x00000000;
							 *((char*)(_t201 + 0x8c)) = _t194 & 0xffffff00 | __eflags > 0x00000000;
							__eflags =  *(_t154 + 0x10);
							_t118 =  *(_t154 + 0x10) > 0;
							__eflags = _t118;
							 *((char*)(_t201 + 0x8d)) = _t154 & 0xffffff00 | _t118;
							 *((intOrPtr*)(_t201 + 0x90)) = 0;
							 *((intOrPtr*)(_t201 + 0x94)) = 0;
							 *((intOrPtr*)(_t201 + 0x98)) = 0;
							 *((intOrPtr*)(_t201 + 0x9c)) = 0;
							 *((intOrPtr*)(_t201 + 0xa0)) = 0;
							 *((intOrPtr*)(_t201 + 0xa4)) = 0;
							 *((intOrPtr*)(_t201 + 0xa8)) = 0;
							E6B1465D7(_t195, _t201 + 0xac);
							return _t201;
						} else {
							_t194 = _v24;
							if(_t145 >  *((intOrPtr*)(_t194 - 0xc))) {
								goto L42;
							} else {
								_v28 =  *(_t194 + _t145 * 2) & 0x0000ffff;
								GetStringTypeExW(0, _t187,  &_v28, _t187,  &_v20);
								if((_v20 & 0x00000008) == 0) {
									goto L40;
								} else {
									_v60 = _t205;
									_v28 = _t205 + 3;
									if(L6B14C764(_t187, _t201,  &_v28,  &_v24) == 0) {
										goto L40;
									} else {
										_t211 = _v28;
										if(_t211 + 0xe > _t201) {
											goto L40;
										} else {
											_t167 = E6B15923C(_v36 + _t211 * 2, L"href", 4);
											_t220 = _t220 + 0xc;
											if(_t167 != 0) {
												goto L40;
											} else {
												_v28 = _t211 + 4;
												_t205 =  &_v28;
												if(L6B14C764(_t187, _t201, _t205,  &_v24) == 0) {
													goto L40;
												} else {
													if(_v28 < 0) {
														goto L42;
													} else {
														_t139 = _v24;
														_t194 = _v28;
														if(_t194 >  *(_t139 - 0xc)) {
															goto L42;
														} else {
															if( *((short*)(_t139 + _t194 * 2)) != 0x3d) {
																L41:
																E6B158460(_t139 + 0xfffffff0, _t198);
																return E6B162709(_a8);
															} else {
																_v28 = _v28 + 1;
																if(L6B14C764(_t187, _t201, _t205,  &_v24) == 0) {
																	goto L40;
																} else {
																	_t194 = _v28;
																	if(_t194 < 0) {
																		goto L42;
																	} else {
																		_t139 = _v24;
																		_t205 =  *(_t139 - 0xc);
																		if(_t194 > _t205) {
																			goto L42;
																		} else {
																			if( *((short*)(_t139 + _t194 * 2)) != 0x22) {
																				goto L41;
																			} else {
																				_t194 = _t194 + 1;
																				if(_t194 < 0 || _t194 > _t205) {
																					goto L42;
																				} else {
																					if( *((short*)(_t139 + _t194 * 2)) == 0x22) {
																						goto L41;
																					} else {
																						_v44 = _t194;
																						_t172 = E6B14ECE8(_t194 + 1,  &_v24, 0x22);
																						if(_t172 == 0xffffffff) {
																							goto L40;
																						} else {
																							_t61 = _t172 - 1; // -1
																							_v28 = _t172 + 1;
																							_t205 =  &_v28;
																							_v40 = _t61;
																							if(L6B14C764(_t187, _t201, _t205,  &_v24) == 0) {
																								goto L40;
																							} else {
																								_t194 = _v28;
																								if(_t194 < 0) {
																									goto L42;
																								} else {
																									_t139 = _v24;
																									_t205 =  *(_t139 - 0xc);
																									if(_t194 > _t205) {
																										goto L42;
																									} else {
																										if( *((short*)(_t139 + _t194 * 2)) != 0x3e) {
																											goto L41;
																										} else {
																											_v56 = _t194;
																											_t194 = _t194 + 1;
																											if(_t194 < 0 || _t194 > _t205) {
																												goto L42;
																											} else {
																												if( *((short*)(_t139 + _t194 * 2)) == 0x3c) {
																													goto L41;
																												} else {
																													_t194 = _t194 + 1;
																													if(_t194 >= _t201) {
																														goto L41;
																													} else {
																														_t176 = E6B14ED1C(_t194,  &_v24, L"</a");
																														_v52 = _t176;
																														if(_t176 == 0xffffffff) {
																															goto L40;
																														} else {
																															_v28 = _t176 + 3;
																															if(L6B14C764(_t187, _t201,  &_v28,  &_v24) == 0) {
																																goto L40;
																															} else {
																																_t205 = _v28;
																																if(_t205 < 0) {
																																	goto L42;
																																} else {
																																	_t139 = _v24;
																																	if(_t205 >  *(_t139 - 0xc)) {
																																		goto L42;
																																	} else {
																																		if( *((short*)(_t139 + _t205 * 2)) != 0x3e) {
																																			goto L41;
																																		} else {
																																			_v48 = _t205;
																																			E6B1527DF(_a8,  &_v60);
																																			_t194 = _t205 + 1;
																																			_t205 = E6B14ED1C(_t194,  &_v24, L"<a");
																																			if(_t205 != 0xffffffff) {
																																				_t187 = 1;
																																				__eflags = 1;
																																				continue;
																																			} else {
																																				goto L40;
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L44;
					}
					goto L40;
				}
				L44:
			}

0x6b14c7ab
0x6b14c7ab
0x6b14c7b2
0x6b14c7b7
0x6b14c7be
0x6b14c7c1
0x6b14c7c2
0x6b14c7c5
0x6b14c7cc
0x6b14c7d0
0x6b14c7d3
0x6b14c7d8
0x6b14c7de
0x6b14c7e7
0x6b14c7ec
0x6b14c7ec
0x6b14c7ef
0x6b14c7f2
0x6b14c7f4
0x6b14c7f7
0x6b14c7f7
0x6b14c7fa
0x6b14c7fd
0x6b14c806
0x6b14c809
0x6b14c80c
0x6b14c80e
0x6b14c811
0x6b14c819
0x6b14c81e
0x6b14c826
0x6b14c82b
0x6b14ca34
0x6b14ca34
0x00000000
0x6b14c831
0x6b14c836
0x6b14c836
0x6b14c83b
0x00000000
0x00000000
0x6b14c841
0x6b14c841
0x6b14c846
0x6b14ca4a
0x6b14ca4f
0x6b14ca54
0x6b14ca55
0x6b14ca56
0x6b14ca57
0x6b14ca58
0x6b14ca59
0x6b14ca5d
0x6b14ca5f
0x6b14ca62
0x6b14ca65
0x6b14ca68
0x6b14ca6e
0x6b14ca74
0x6b14ca7a
0x6b14ca80
0x6b14ca84
0x6b14ca87
0x6b14ca8a
0x6b14ca90
0x6b14ca93
0x6b14ca9d
0x6b14caa0
0x6b14caa3
0x6b14caa6
0x6b14caac
0x6b14cab2
0x6b14cabe
0x6b14cac4
0x6b14cac7
0x6b14cad0
0x6b14cad3
0x6b14cad9
0x6b14cadc
0x6b14cadc
0x6b14cadf
0x6b14cae5
0x6b14caeb
0x6b14caf1
0x6b14caf7
0x6b14cafd
0x6b14cb03
0x6b14cb09
0x6b14cb0f
0x6b14cb19
0x6b14c84c
0x6b14c84c
0x6b14c852
0x00000000
0x6b14c858
0x6b14c85c
0x6b14c86b
0x6b14c875
0x00000000
0x6b14c87b
0x6b14c87b
0x6b14c884
0x6b14c892
0x00000000
0x6b14c898
0x6b14c898
0x6b14c8a0
0x00000000
0x6b14c8a6
0x6b14c8b4
0x6b14c8b9
0x6b14c8be
0x00000000
0x6b14c8c4
0x6b14c8ca
0x6b14c8ce
0x6b14c8d8
0x00000000
0x6b14c8de
0x6b14c8e2
0x00000000
0x6b14c8e8
0x6b14c8e8
0x6b14c8eb
0x6b14c8f1
0x00000000
0x6b14c8f7
0x6b14c8fc
0x6b14ca37
0x6b14ca3a
0x6b14ca47
0x6b14c902
0x6b14c902
0x6b14c910
0x00000000
0x6b14c916
0x6b14c916
0x6b14c91b
0x00000000
0x6b14c921
0x6b14c921
0x6b14c924
0x6b14c929
0x00000000
0x6b14c92f
0x6b14c934
0x00000000
0x6b14c93a
0x6b14c93a
0x6b14c93b
0x00000000
0x6b14c949
0x6b14c94e
0x00000000
0x6b14c954
0x6b14c954
0x6b14c95d
0x6b14c965
0x00000000
0x6b14c96b
0x6b14c96b
0x6b14c96f
0x6b14c975
0x6b14c978
0x6b14c982
0x00000000
0x6b14c988
0x6b14c988
0x6b14c98d
0x00000000
0x6b14c993
0x6b14c993
0x6b14c996
0x6b14c99b
0x00000000
0x6b14c9a1
0x6b14c9a6
0x00000000
0x6b14c9ac
0x6b14c9ac
0x6b14c9af
0x6b14c9b0
0x00000000
0x6b14c9be
0x6b14c9c3
0x00000000
0x6b14c9c5
0x6b14c9c5
0x6b14c9c8
0x00000000
0x6b14c9ca
0x6b14c9d2
0x6b14c9d7
0x6b14c9dd
0x00000000
0x6b14c9df
0x6b14c9e2
0x6b14c9f2
0x00000000
0x6b14c9f4
0x6b14c9f4
0x6b14c9f9
0x00000000
0x6b14c9fb
0x6b14c9fb
0x6b14ca01
0x00000000
0x6b14ca03
0x6b14ca08
0x00000000
0x6b14ca0a
0x6b14ca11
0x6b14ca14
0x6b14ca19
0x6b14ca29
0x6b14ca2e
0x6b14c835
0x6b14c835
0x00000000
0x00000000
0x00000000
0x00000000
0x6b14ca2e
0x6b14ca08
0x6b14ca01
0x6b14c9f9
0x6b14c9f2
0x6b14c9dd
0x6b14c9c8
0x6b14c9c3
0x6b14c9b0
0x6b14c9a6
0x6b14c99b
0x6b14c98d
0x6b14c982
0x6b14c965
0x6b14c94e
0x6b14c93b
0x6b14c934
0x6b14c929
0x6b14c91b
0x6b14c910
0x6b14c8fc
0x6b14c8f1
0x6b14c8e2
0x6b14c8d8
0x6b14c8be
0x6b14c8a0
0x6b14c892
0x6b14c875
0x6b14c852
0x00000000
0x6b14c846
0x00000000
0x6b14c836
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B14C7B2

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

GetStringTypeExW.KERNEL32(00000000,00000001,?,00000001,?,6B135D9C,?,00000030,80070057), ref: 6B14C86B

Part of subcall function 6B1581DE: _memcpy_s.LIBCMT ref: 6B158224

Part of subcall function 6B14ECE8: _wcschr.LIBCMT ref: 6B14ECFF

Strings

href, xrefs: 6B14C8AE
</a, xrefs: 6B14C9CA

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$StringType_memcpy_s_wcschr
String ID: </a$href
API String ID: 3166021290-1826667848
Opcode ID: 801a6a7bc3a56ab0e6574aa6a83fdeca4ea534215503f044d7a141ec7262cc34
Instruction ID: 2ba4e533b26411cee4bb473e313655aabf6779fd7f2dc159320ae1445baf685a
Opcode Fuzzy Hash: 801a6a7bc3a56ab0e6574aa6a83fdeca4ea534215503f044d7a141ec7262cc34
Instruction Fuzzy Hash: 2971A271D0121AAFCF14DFA4C4959EEBB74EF00714F214169D921EB2A1E77CA94ECB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B14883F Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B14883F(void* __ebx, void* __ecx, unsigned int __edx, unsigned int* __edi, void* __esi, void* __eflags) {
				void* _t65;
				void* _t67;
				void* _t74;
				unsigned int _t76;
				unsigned int _t82;
				void* _t92;
				signed int _t95;
				intOrPtr _t99;
				void* _t110;
				void* _t114;
				intOrPtr _t117;
				unsigned int _t119;
				intOrPtr* _t121;
				void* _t131;
				signed int _t134;
				unsigned int _t147;
				unsigned int* _t148;
				intOrPtr* _t150;
				unsigned int _t153;
				unsigned int _t154;
				unsigned int _t157;
				void* _t159;
				void* _t162;

				_t162 = __eflags;
				_t148 = __edi;
				_t147 = __edx;
				E6B16265B(0x6b165f28, __ebx, __edi, __esi);
				_t131 = __ecx;
				 *(_t159 - 0x28) =  *(_t159 - 0x28) & 0x00000000;
				 *(_t159 - 4) =  *(_t159 - 4) & 0x00000000;
				 *(_t159 - 0x18) = E6B151169(__ecx, __ecx, __edi, __esi, _t162);
				 *(_t159 - 4) = 1;
				_t150 =  *((intOrPtr*)(_t131 + 0x12c));
				_t65 =  *((intOrPtr*)( *_t150))(_t159 - 0x20, 0x30);
				_t140 = _t150;
				_t67 =  *((intOrPtr*)( *_t150 + 0x30))();
				_t151 = _t159 - 0x3c;
				E6B147FA9( *(_t159 - 0x18), _t150, _t159 - 0x3c, _t162, _t67, _t147, _t65);
				 *(_t159 - 4) = 3;
				E6B158460( *((intOrPtr*)(_t159 - 0x20)) + 0xfffffff0, _t147);
				_t74 = E6B14EB56(_t159 + 8, L"$$SystemDrive$$");
				_t163 = _t74;
				if(_t74 != 0) {
					_t76 = E6B14EB56(_t159 + 8, L"$$RequiredSpaceOnSystemDrive$$");
					__eflags = _t76;
					if(_t76 != 0) {
						__eflags = E6B14EB56(_t159 + 8, L"$$AvailableSpaceOnSystemDrive$$");
						if(__eflags != 0) {
							_t82 = E6B1583FD( *((intOrPtr*)(_t159 + 8)) + 0xfffffff0) + 0x10;
							__eflags = _t82;
							 *__edi = _t82;
						} else {
							_t92 = E6B151169(_t131, _t140, __edi, _t151, __eflags);
							 *(_t159 - 4) = 8;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x10))(_t159 - 0x28);
							_t95 = E6B151360(_t147, _t92);
							 *(_t159 - 4) = 3;
							_t153 = _t147;
							E6B158460( *(_t159 - 0x28) + 0xfffffff0, _t147);
							_t99 =  *0x6b16fe10; // 0x6b1333ec
							_t134 = (_t153 << 0x00000020 | _t95) >> 0x14;
							_t154 = _t153 >> 0x14;
							 *(_t159 - 0x18) =  *((intOrPtr*)(_t99 + 0xc))() + 0x10;
							 *(_t159 - 4) = 9;
							goto L5;
						}
					} else {
						_t110 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x30))();
						 *(_t159 - 0x18) = _t147;
						 *((intOrPtr*)(_t159 - 0x2c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x2c))();
						 *(_t159 - 0x28) = _t147;
						_t114 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x12c)))) + 0x24))();
						asm("adc edx, [ebp-0x28]");
						asm("adc edx, [ebp-0x18]");
						_t117 =  *0x6b16fe10; // 0x6b1333ec
						_t157 = _t147;
						_t134 = (_t157 << 0x00000020 | _t114 +  *((intOrPtr*)(_t159 - 0x2c)) + _t110) >> 0x14;
						_t154 = _t157 >> 0x14;
						_t119 =  *((intOrPtr*)(_t117 + 0xc))() + 0x10;
						__eflags = _t119;
						 *(_t159 - 0x18) = _t119;
						 *(_t159 - 4) = 7;
						L5:
						_push(_t154);
						E6B1580BA(_t159 - 0x18, L"%d", _t134);
						goto L2;
					}
				} else {
					_push(_t159 - 0x28);
					_t121 = E6B151169(_t131, _t140, __edi, _t151, _t163);
					 *(_t159 - 4) = 4;
					 *(_t159 - 0x18) = E6B1583FD( *_t121 - 0x10) + 0x10;
					 *(_t159 - 4) = 6;
					E6B158460( *(_t159 - 0x28) + 0xfffffff0, _t147);
					L6B14F1E0(1, _t159 - 0x18);
					L2:
					 *_t148 = E6B1583FD( *(_t159 - 0x18) - 0x10) + 0x10;
					E6B158460( *(_t159 - 0x18) - 0x10, _t147);
				}
				E6B158460( *((intOrPtr*)(_t159 - 0x3c)) + 0xfffffff0, _t147);
				E6B158460( *((intOrPtr*)(_t159 + 8)) + 0xfffffff0, _t147);
				return E6B162709(_t148);
			}

0x6b14883f
0x6b14883f
0x6b14883f
0x6b148846
0x6b14884b
0x6b14884d
0x6b148851
0x6b14885e
0x6b148861
0x6b148865
0x6b14886f
0x6b148874
0x6b148876
0x6b14887e
0x6b148881
0x6b148886
0x6b148890
0x6b14889e
0x6b1488a3
0x6b1488a5
0x6b148904
0x6b148909
0x6b14890b
0x6b14898c
0x6b14898e
0x6b1489f0
0x6b1489f0
0x6b1489f3
0x6b148990
0x6b148994
0x6b14899b
0x6b1489a7
0x6b1489ad
0x6b1489b4
0x6b1489be
0x6b1489c0
0x6b1489c5
0x6b1489ca
0x6b1489d3
0x6b1489dc
0x6b1489df
0x00000000
0x6b1489df
0x6b14890d
0x6b148915
0x6b148922
0x6b14892e
0x6b148933
0x6b148936
0x6b148941
0x6b148946
0x6b14894b
0x6b148950
0x6b148952
0x6b148956
0x6b14895c
0x6b14895c
0x6b14895f
0x6b148962
0x6b148966
0x6b148966
0x6b148971
0x00000000
0x6b148976
0x6b1488a7
0x6b1488aa
0x6b1488ab
0x6b1488b0
0x6b1488c1
0x6b1488c4
0x6b1488ce
0x6b1488d9
0x6b1488de
0x6b1488ec
0x6b1488f1
0x6b1488f1
0x6b1489fb
0x6b148a06
0x6b148a12

APIs

__EH_prolog3.LIBCMT ref: 6B148846

Part of subcall function 6B151169: __EH_prolog3.LIBCMT ref: 6B151170
Part of subcall function 6B151169: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6B1511B1

Part of subcall function 6B14EB56: __wcsicoll.LIBCMT ref: 6B14EB74

Part of subcall function 6B151360: GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,Action,6B16FE10,?,?,?,F69FF218,Action,?,00000000), ref: 6B151395
Part of subcall function 6B151360: GetLastError.KERNEL32(?,?,?,F69FF218,Action,?,00000000), ref: 6B1513A5

Strings

$$RequiredSpaceOnSystemDrive$$, xrefs: 6B1488FB
$$AvailableSpaceOnSystemDrive$$, xrefs: 6B14897E
$$SystemDrive$$, xrefs: 6B148895

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$DirectoryDiskErrorFreeLastSpaceSystem__wcsicoll
String ID: $$AvailableSpaceOnSystemDrive$$$$$RequiredSpaceOnSystemDrive$$$$$SystemDrive$$
API String ID: 2351290856-2773778658
Opcode ID: 6d3a20807f689bfd6af5479986399b3d5997bdbc10a914915ad1ad5a7a1d065e
Instruction ID: 07f89425f8c12f34f019075ef8ef6516031ad998b6979d320f4b4a05e92a67b3
Opcode Fuzzy Hash: 6d3a20807f689bfd6af5479986399b3d5997bdbc10a914915ad1ad5a7a1d065e
Instruction Fuzzy Hash: DD513172910118EFCB00DFB8C885BDDBBF4AF09318F1445A5EA64EB395D778DA148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B141003 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6B141003(short* __ecx, intOrPtr __edx, void* __eflags) {
				short* _v12;
				char _v16;
				signed int _v24;
				void* _v28;
				void* _v36;
				short* _v560;
				char _v564;
				char _v568;
				intOrPtr _v572;
				char _v576;
				WCHAR* _v580;
				short* _v584;
				char _v588;
				short* _v592;
				void* _v596;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				signed int _t48;
				intOrPtr* _t52;
				intOrPtr _t60;
				intOrPtr _t90;
				void* _t94;
				intOrPtr _t97;
				void* _t107;
				short* _t109;
				intOrPtr _t110;
				void* _t111;
				short* _t112;
				void* _t113;
				intOrPtr _t115;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				void* _t120;

				_t120 = __eflags;
				_t106 = __edx;
				_t118 = (_t116 & 0xfffffff8) - 0x230;
				_t46 =  *0x6b16f0a0; // 0xf69ff218
				_v24 = _t46 ^ _t118;
				_t48 =  *0x6b16f0a0; // 0xf69ff218
				 *[fs:0x0] =  &_v16;
				_t112 = __ecx;
				_v560 = __ecx;
				_t52 = E6B13F179(__ecx,  &_v568);
				_v12 = 0;
				E6B14E8E8( *_t52, __ecx, _t120);
				E6B158460(_v576 + 0xfffffff0, __edx);
				_v564 = 0;
				_v560 = 0;
				_v16 = 3;
				E6B157ACF(0,  &_v564, __edx, _v572);
				E6B140ECA(_v568, _t112);
				_t60 =  *0x6b16fe10; // 0x6b1333ec
				_v592 =  *((intOrPtr*)(_t60 + 0xc))( &_v568, _t48 ^ _t118, _t107, _t111, _t94,  *[fs:0x0], 0x6b166ba5, 0xffffffff) + 0x10;
				_push(1);
				_v24 = 4;
				_v584 = 1;
				_t96 = L"%s\\BlockersInfo%d.rtf";
				E6B1580BA( &_v592, L"%s\\BlockersInfo%d.rtf", _v580);
				_t109 = _v592;
				_t119 = _t118 + 0x10;
				_push( &_v588);
				E6B14E8E8(_t109, _t112, _t120);
				_t113 = PathFileExistsW;
				while(PathFileExistsW(_v580) != 0) {
					E6B158460( &(_v580[0xfffffffffffffff8]), _t106);
					_t23 =  &_v576;
					 *_t23 = _v576 + 1;
					__eflags =  *_t23;
					_push(_v576);
					E6B1580BA( &_v584, _t96, _v572);
					_t109 = _v584;
					_t119 = _t119 + 0x10;
					_push( &_v580);
					E6B14E8E8(_t109, _t113,  *_t23);
				}
				E6B157BEC( &_v564, _v580);
				E6B158460( &(_v584[0xfffffffffffffff8]), _t106);
				if( *((intOrPtr*)(_t109 - 4)) > 1) {
					E6B1581DE(0x6b16fe10,  &_v584,  *((intOrPtr*)(_t109 - 0xc)));
					_t109 = _v592;
				}
				ShellExecuteW( *(_v568 + 4), L"print", _t109, 0, 0, 0);
				E6B158460(_t109 - 0x10, _t106);
				E6B157C57( &_v564);
				_t90 = E6B158460(_v572 + 0xfffffff0, _t106);
				 *[fs:0x0] = _v24;
				_pop(_t110);
				_pop(_t115);
				_pop(_t97);
				return E6B1587C1(_t90, _t97,  *(_t119 + 0x228) ^ _t119, _t106, _t110, _t115);
			}

0x6b141003
0x6b141003
0x6b141019
0x6b14101f
0x6b141026
0x6b141030
0x6b14103f
0x6b141049
0x6b14104c
0x6b141050
0x6b14105b
0x6b141065
0x6b141071
0x6b141076
0x6b14107a
0x6b14107e
0x6b14108e
0x6b141098
0x6b14109d
0x6b1410ad
0x6b1410b4
0x6b1410b5
0x6b1410c1
0x6b1410c5
0x6b1410d0
0x6b1410d5
0x6b1410d9
0x6b1410e0
0x6b1410e1
0x6b1410e6
0x6b141122
0x6b1410f5
0x6b1410fa
0x6b1410fa
0x6b1410fa
0x6b1410fe
0x6b14110c
0x6b141111
0x6b141115
0x6b14111c
0x6b14111d
0x6b14111d
0x6b141134
0x6b141140
0x6b141149
0x6b141153
0x6b141158
0x6b141158
0x6b14116e
0x6b141177
0x6b141180
0x6b14118c
0x6b141198
0x6b1411a0
0x6b1411a1
0x6b1411a2
0x6b1411b4

APIs

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B157ACF: GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6B157AFC

Part of subcall function 6B140ECA: SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 6B140F06

PathFileExistsW.SHLWAPI(?,?,F69FF218), ref: 6B141126
ShellExecuteW.SHELL32(00000001,print,?,00000000,00000000,00000000), ref: 6B14116E

Strings

%s\BlockersInfo%d.rtf, xrefs: 6B1410C5, 6B1410CE, 6B14110A
print, xrefs: 6B141166

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Path$ExecuteExistsFileH_prolog3MessageSendShellTemp
String ID: %s\BlockersInfo%d.rtf$print
API String ID: 2742019059-575943144
Opcode ID: 99284f9af20037ea9b804203591f184e286b4066338cf9d45435c34d1f0cd81e
Instruction ID: 3d5bc8840f79aee389cf912768bc48600445934d236e10836a8fdf40dc01fc45
Opcode Fuzzy Hash: 99284f9af20037ea9b804203591f184e286b4066338cf9d45435c34d1f0cd81e
Instruction Fuzzy Hash: 434162B2518345EFC710DF78C845A5FBBE9FF89718F040A29F4A4A3251D738D9258B62

Uniqueness

Uniqueness Score: -1.00%

Function 6B145ECE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6B145ECE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t59;
				intOrPtr* _t61;
				intOrPtr _t70;
				intOrPtr* _t72;
				void* _t86;
				intOrPtr* _t90;
				intOrPtr* _t115;
				void* _t117;
				void* _t118;

				_t118 = __eflags;
				_t109 = __edx;
				_push(0x58);
				E6B16265B(0x6b1673d0, __ebx, __edi, __esi);
				_t98 =  *((intOrPtr*)(_t117 + 0xc));
				_t115 =  *((intOrPtr*)(_t117 + 8));
				E6B143AD4( *((intOrPtr*)(_t117 + 0xc)), __ecx, __edx, __edi, _t115, _t118, _t115 + 4,  *((intOrPtr*)(_t117 + 0xc)),  *((intOrPtr*)(_t117 + 0x10)));
				 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
				E6B14396A( *((intOrPtr*)(_t117 + 0xc)), _t98, __edx, __edi, _t115, _t118, _t115 + 0x3c);
				 *(_t117 - 4) = 2;
				_push(_t117 + 0x10);
				 *_t115 = 0x6b13751c;
				E6B14E8E8(L"RepairRadioButton", _t115, _t118);
				 *(_t117 - 4) = 3;
				_t59 = E6B13D65F(_t98, _t98, _t117 - 0x1c, _t117 + 0x10);
				_push(_t115 + 0x78);
				 *(_t117 - 4) = 4;
				E6B14434E(_t98, _t59, __edx, L"RepairRadioButton", _t115, _t118);
				 *(_t117 - 4) = 6;
				_t61 =  *((intOrPtr*)(_t117 - 0x1c));
				_t119 = _t61;
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				 *(_t117 - 4) = 7;
				E6B158460( *((intOrPtr*)(_t117 + 0x10)) + 0xfffffff0, _t109);
				_push(_t117 - 0x10);
				E6B14E8E8(L"UninstallRadioButton", _t115, _t119);
				 *(_t117 - 4) = 8;
				_t70 = E6B13D65F(_t98, _t98, _t117 - 0x28, _t117 - 0x10);
				_push(_t115 + 0xa0);
				_t105 = _t70;
				 *(_t117 - 4) = 9;
				E6B14434E(_t98, _t70, _t109, L"UninstallRadioButton", _t115, _t119);
				 *(_t117 - 4) = 0xb;
				_t72 =  *((intOrPtr*)(_t117 - 0x28));
				_t120 = _t72;
				if(_t72 != 0) {
					_t105 =  *_t72;
					 *((intOrPtr*)( *_t72 + 8))(_t72);
				}
				E6B158460( *((intOrPtr*)(_t117 - 0x10)) + 0xfffffff0, _t109);
				_t99 = _t115 + 0xc8;
				E6B14452D(_t115 + 0xc8, _t105, _t120);
				 *(_t117 - 4) = 0xd;
				_t121 =  *((char*)(_t115 + 0x38));
				if( *((char*)(_t115 + 0x38)) != 0) {
					_push(_t117 + 0x10);
					E6B14E8E8(L"UserExperienceDataCollection", _t115, _t121);
					 *(_t117 - 4) = 0xe;
					_push(E6B13D6C4( *((intOrPtr*)(_t117 + 0xc)), _t99, _t105, _t117 - 0x28, _t117 + 0x10));
					_push(_t117 - 0x64);
					 *(_t117 - 4) = 0xf;
					_t86 = E6B14443D(_t99, _t105, _t109, L"UserExperienceDataCollection", _t115, _t121);
					 *(_t117 - 4) = 0x10;
					E6B144575(_t86, _t99);
					E6B142888(_t117 - 0x44);
					E6B14432F(_t117 - 0x60);
					 *(_t117 - 4) = 0xe;
					_t90 =  *((intOrPtr*)(_t117 - 0x28));
					if(_t90 != 0) {
						 *((intOrPtr*)( *_t90 + 8))(_t90);
					}
					E6B158460( *((intOrPtr*)(_t117 + 0x10)) + 0xfffffff0, _t109);
					_t115 =  *((intOrPtr*)(_t117 + 8));
				}
				return E6B162709(_t115);
			}

0x6b145ece
0x6b145ece
0x6b145ece
0x6b145ed5
0x6b145edd
0x6b145ee0
0x6b145ee8
0x6b145eed
0x6b145ef7
0x6b145eff
0x6b145f03
0x6b145f09
0x6b145f0f
0x6b145f1e
0x6b145f22
0x6b145f2a
0x6b145f2d
0x6b145f31
0x6b145f36
0x6b145f3a
0x6b145f3d
0x6b145f3f
0x6b145f44
0x6b145f44
0x6b145f47
0x6b145f51
0x6b145f59
0x6b145f5f
0x6b145f6e
0x6b145f72
0x6b145f7d
0x6b145f7e
0x6b145f80
0x6b145f84
0x6b145f89
0x6b145f8d
0x6b145f90
0x6b145f92
0x6b145f94
0x6b145f97
0x6b145f97
0x6b145fa0
0x6b145fa5
0x6b145fab
0x6b145fb0
0x6b145fb4
0x6b145fb8
0x6b145fbd
0x6b145fc3
0x6b145fd3
0x6b145fdc
0x6b145fe0
0x6b145fe1
0x6b145fe5
0x6b145feb
0x6b145fef
0x6b145ff7
0x6b145fff
0x6b146004
0x6b146008
0x6b14600d
0x6b146012
0x6b146012
0x6b14601b
0x6b146020
0x6b146020
0x6b14602a

APIs

__EH_prolog3.LIBCMT ref: 6B145ED5

Part of subcall function 6B143AD4: __EH_prolog3.LIBCMT ref: 6B143ADB

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B14434E: __EH_prolog3.LIBCMT ref: 6B144355

Strings

UserExperienceDataCollection, xrefs: 6B145FBE
RepairRadioButton, xrefs: 6B145F04
UninstallRadioButton, xrefs: 6B145F5A

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: RepairRadioButton$UninstallRadioButton$UserExperienceDataCollection
API String ID: 431132790-1241949946
Opcode ID: 2fd2f2c4f8d2622684ebf56e4a2181ec779e4f27d0f88ca1b07bf286675d381a
Instruction ID: 7c7613994d7324f62a30cb05145a946bf19455a5e361a44740cacbbd5f219b95
Opcode Fuzzy Hash: 2fd2f2c4f8d2622684ebf56e4a2181ec779e4f27d0f88ca1b07bf286675d381a
Instruction Fuzzy Hash: 1C414CB150028DFFDB01CFB8C845BDEB7A8AF19318F544499E559E7281DB38EA49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B14381C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6B14381C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t39;
				intOrPtr _t46;
				signed char _t63;
				void* _t72;
				intOrPtr* _t78;
				void* _t81;
				void* _t87;

				_t72 = __edx;
				_push(0x10);
				E6B16265B(0x6b165f9d, __ebx, __edi, __esi);
				_t78 = __ecx;
				 *(_t81 - 0x10) = 0;
				 *(_t81 - 4) = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t81 + 8)))) = 0x6b137364;
				_t83 =  *__ecx;
				if( *__ecx == 0) {
					_push(_t81 - 0x14);
					_t39 = E6B14E8E8(0x6b1379e4, __ecx, __eflags);
					_t63 = 2;
					 *(_t81 - 4) = _t63;
					 *(_t81 - 0x10) = _t63;
				} else {
					_t39 = E6B13D76F(_t81 - 0x18, __edi, __ecx, _t83);
					 *(_t81 - 4) = 1;
					 *(_t81 - 0x10) = 1;
					_t63 = 2;
				}
				_push( *((intOrPtr*)(_t81 + 8)) + 4);
				E6B14E8E8( *_t39, _t78, _t83);
				 *(_t81 - 4) = 3;
				if(( *(_t81 - 0x10) & _t63) != 0) {
					 *(_t81 - 0x10) =  *(_t81 - 0x10) & 0xfffffffd;
					E6B158460( *((intOrPtr*)(_t81 - 0x14)) + 0xfffffff0, _t72);
				}
				 *(_t81 - 4) = 5;
				if(( *(_t81 - 0x10) & 0x00000001) != 0) {
					_t87 =  *((intOrPtr*)(_t81 - 0x18)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t81 - 0x18)) + 0xfffffff0, _t72);
				}
				_push(_t81 - 0x10);
				E6B14E8E8(L"Type", _t78, _t87);
				 *(_t81 - 4) = 6;
				_t79 = E6B13D727(_t78, _t81 - 0x1c, _t81 - 0x10);
				 *(_t81 - 4) = 7;
				_t46 = E6B14EB56(_t45, L"RTF");
				if(_t46 != 0) {
					_t30 = (0 | E6B14EB56(_t79, L"HTML") != 0x00000000) + 1; // 0x1
					_t46 = _t30;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t81 + 8)) + 8)) = _t46;
				E6B158460( *((intOrPtr*)(_t81 - 0x1c)) + 0xfffffff0, _t72);
				E6B158460( *(_t81 - 0x10) + 0xfffffff0, _t72);
				return E6B162709( *((intOrPtr*)(_t81 + 8)));
			}

0x6b14381c
0x6b14381c
0x6b143823
0x6b143828
0x6b14382c
0x6b14382f
0x6b143835
0x6b14383b
0x6b14383d
0x6b14385a
0x6b143860
0x6b143867
0x6b143868
0x6b14386b
0x6b14383f
0x6b143842
0x6b143849
0x6b14384d
0x6b143854
0x6b143854
0x6b143876
0x6b143877
0x6b14387c
0x6b143886
0x6b14388b
0x6b143892
0x6b143892
0x6b143897
0x6b14389f
0x6b1438a4
0x6b1438a7
0x6b1438a7
0x6b1438af
0x6b1438b5
0x6b1438c3
0x6b1438cc
0x6b1438d4
0x6b1438d8
0x6b1438df
0x6b1438f3
0x6b1438f3
0x6b1438f3
0x6b1438f9
0x6b143902
0x6b14390d
0x6b143919

APIs

__EH_prolog3.LIBCMT ref: 6B143823

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Strings

HTML, xrefs: 6B1438E1
Type, xrefs: 6B1438B0
RTF, xrefs: 6B1438CE

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: HTML$RTF$Type
API String ID: 431132790-2981198847
Opcode ID: eccd1a58b0725b7b1486b6e62041da3af87063de9ea3e9e0b26fdd954e6d87b5
Instruction ID: a32c4eeec80c6aacfc0007aeae8213360ad57347556c2440ab833008b75e87dc
Opcode Fuzzy Hash: eccd1a58b0725b7b1486b6e62041da3af87063de9ea3e9e0b26fdd954e6d87b5
Instruction Fuzzy Hash: 6731617290021AEBDB10DFB8C841BAEB7B4AF1536CF244659E824F72C0E779AA45C751

Uniqueness

Uniqueness Score: -1.00%

Function 6B1574DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B1574DC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t33;
				intOrPtr _t43;
				void* _t51;
				intOrPtr _t52;
				signed int _t57;
				void* _t67;
				void* _t69;
				intOrPtr _t70;
				void* _t73;

				_t67 = __edx;
				_push(0xc);
				E6B16265B(0x6b1641d2, __ebx, __edi, __esi);
				_t72 =  *((intOrPtr*)(_t73 + 8));
				_t69 = __ecx;
				 *(_t73 - 0x18) =  *(_t73 - 0x18) & 0x00000000;
				_t57 = 1;
				 *((intOrPtr*)(_t73 - 4)) = 1;
				E6B1583B4( *((intOrPtr*)(_t73 + 8)));
				 *(_t73 - 0x18) = 1;
				 *((intOrPtr*)(_t73 - 0x10)) = 0x100;
				_t33 = E6B1582D1( *((intOrPtr*)(_t73 + 8)), 0x100);
				_push(_t73 - 0x10);
				_push(_t33);
				_push( *((intOrPtr*)(_t73 + 0xc)));
				_push( *((intOrPtr*)(_t69 + 0x14)));
				if( *((intOrPtr*)(_t69 + 0x10))() == 0) {
					_t57 = GetLastError;
					if(GetLastError() != 0x7a) {
						_t43 =  *0x6b16fe10; // 0x6b1333ec
						 *((intOrPtr*)(_t73 - 0x14)) =  *((intOrPtr*)(_t43 + 0xc))() + 0x10;
						 *((char*)(_t73 - 4)) = 3;
						goto L5;
					} else {
						_t51 = E6B1582D1(_t72,  *((intOrPtr*)(_t73 - 0x10)));
						_push(_t73 - 0x10);
						_push(_t51);
						_push( *((intOrPtr*)(_t73 + 0xc)));
						_push( *((intOrPtr*)(_t69 + 0x14)));
						if( *((intOrPtr*)(_t69 + 0x10))() != 0) {
							_t52 =  *0x6b16fe10; // 0x6b1333ec
							 *((intOrPtr*)(_t73 - 0x14)) =  *((intOrPtr*)(_t52 + 0xc))() + 0x10;
							 *((char*)(_t73 - 4)) = 2;
							L5:
							E6B155002(_t73 - 0x14, L"GetServiceDisplayName failed with error: %u", GetLastError());
							_t70 =  *((intOrPtr*)(_t73 - 0x14));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t69 + 0x18)))) + 4))(0, _t70);
							_t26 = _t70 - 0x10; // -15
							 *((char*)(_t73 - 4)) = 1;
							_t34 = E6B158460(_t26, _t67);
						}
					}
				}
				L6B14F1A2(_t34 | 0xffffffff, _t57, _t72);
				E6B158460( *((intOrPtr*)(_t73 + 0xc)) + 0xfffffff0, _t67);
				return E6B162709(_t72);
			}

0x6b1574dc
0x6b1574dc
0x6b1574e3
0x6b1574e8
0x6b1574eb
0x6b1574ed
0x6b1574f3
0x6b1574f4
0x6b1574f7
0x6b157502
0x6b157505
0x6b157508
0x6b157510
0x6b157511
0x6b157512
0x6b157515
0x6b15751d
0x6b157523
0x6b15752e
0x6b157563
0x6b157573
0x6b157576
0x00000000
0x6b157530
0x6b157533
0x6b15753b
0x6b15753c
0x6b15753d
0x6b157540
0x6b157548
0x6b15754a
0x6b15755a
0x6b15755d
0x6b15757a
0x6b157585
0x6b15758f
0x6b157597
0x6b15759a
0x6b15759d
0x6b1575a1
0x6b1575a1
0x6b157548
0x6b15752e
0x6b1575a9
0x6b1575b4
0x6b1575c0

APIs

__EH_prolog3.LIBCMT ref: 6B1574E3
GetLastError.KERNEL32 ref: 6B157529
GetLastError.KERNEL32 ref: 6B15757A

Strings

GetServiceDisplayName failed with error: %u, xrefs: 6B15757D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID: GetServiceDisplayName failed with error: %u
API String ID: 3502553090-3718371905
Opcode ID: b5e9a60b85c13c83b0b2b3d98d5b7a8115298f268549e4ebda486759d339581e
Instruction ID: 2365f037f3d978108748944d17df11f21b02116777cb028df646ee1bb94b86cc
Opcode Fuzzy Hash: b5e9a60b85c13c83b0b2b3d98d5b7a8115298f268549e4ebda486759d339581e
Instruction Fuzzy Hash: 782151B1910105FFDB00DFB8C846AAEBB75FF15319F104528E534A7291DB78EA64CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B157341 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6B157341(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t13;
				signed int _t14;
				intOrPtr _t17;
				signed int _t26;
				void* _t33;
				signed int _t35;
				intOrPtr* _t38;
				intOrPtr _t39;
				void* _t40;

				_t33 = __edx;
				_push(4);
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				_t38 = __ecx;
				_push(0x20004);
				_push(L"ServicesActive");
				_push(0);
				_t13 =  *__ecx();
				 *((intOrPtr*)(__ecx + 0x14)) = _t13;
				if(_t13 != 0) {
					_t14 = 0;
				} else {
					_t26 = GetLastError();
					_t35 = _t26;
					if(_t26 > 0) {
						_t35 = _t35 & 0x0000ffff | 0x80070000;
					}
					_t17 =  *0x6b16fe10; // 0x6b1333ec
					 *((intOrPtr*)(_t40 - 0x10)) =  *((intOrPtr*)(_t17 + 0xc))() + 0x10;
					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
					E6B155002(_t40 - 0x10, L"OpenSCManager failed with error: %u", _t26);
					_t39 =  *((intOrPtr*)(_t40 - 0x10));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x18)))) + 4))(0, _t39);
					if(_t35 >= 0) {
						_t35 = 0x80004005;
					}
					_t10 = _t39 - 0x10; // -16
					E6B158460(_t10, _t33);
					_t14 = _t35;
				}
				return E6B162709(_t14);
			}

0x6b157341
0x6b157341
0x6b157348
0x6b15734d
0x6b15734f
0x6b157354
0x6b157359
0x6b15735b
0x6b15735d
0x6b157362
0x6b1573c8
0x6b157364
0x6b15736a
0x6b15736c
0x6b157370
0x6b157378
0x6b157378
0x6b15737e
0x6b15738e
0x6b157391
0x6b15739e
0x6b1573a8
0x6b1573b0
0x6b1573b5
0x6b1573b7
0x6b1573b7
0x6b1573bc
0x6b1573bf
0x6b1573c4
0x6b1573c4
0x6b1573cf

APIs

__EH_prolog3.LIBCMT ref: 6B157348
GetLastError.KERNEL32 ref: 6B157364

Strings

ServicesActive, xrefs: 6B157354
OpenSCManager failed with error: %u, xrefs: 6B157396

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: OpenSCManager failed with error: %u$ServicesActive
API String ID: 685212868-337506387
Opcode ID: 54c8bb963ed1d40af1a7e24e102ac54a475822ebdb51bd848d60b60496fae564
Instruction ID: 9534dd55f5cd0c867d57994487c144bc5cc950c46c818ef9e533f9f9765d847d
Opcode Fuzzy Hash: 54c8bb963ed1d40af1a7e24e102ac54a475822ebdb51bd848d60b60496fae564
Instruction Fuzzy Hash: 1E01D8B6740301FBE710CBB5CC46B6977A1BF50725F114479E524DB280EB7CD9248BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B1478D5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E6B1478D5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t31;
				intOrPtr* _t38;
				void* _t41;

				_push(0);
				E6B16265B(0x6b16461c, __ebx, __edi, __esi);
				_t38 =  *((intOrPtr*)(_t41 + 8));
				 *_t38 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t38 + 4)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x10)))) - 0x10) + 0x10;
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				 *((intOrPtr*)(_t38 + 8)) = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x14)))) - 0x10) + 0x10;
				_t40 = _t38 + 0x10;
				 *((char*)(_t38 + 0xc)) =  *((intOrPtr*)(_t41 + 0x18));
				E6B1583B4(_t38 + 0x10);
				 *(_t41 - 4) = 2;
				_t31 = L"Visible";
				if( *((char*)(_t38 + 0xc)) == 0) {
					_t31 = L"Not Visible";
				}
				_push(_t31);
				_push( *((intOrPtr*)(_t38 + 8)));
				_push( *((intOrPtr*)(_t38 + 4)));
				E6B1580BA(_t40, L"[%u] [%s] [%s] [%s]",  *_t38);
				return E6B162709(_t38);
			}

0x6b1478d5
0x6b1478dc
0x6b1478e1
0x6b1478e7
0x6b1478f9
0x6b1478fc
0x6b147910
0x6b147916
0x6b147919
0x6b14791c
0x6b147921
0x6b147929
0x6b14792e
0x6b147930
0x6b147930
0x6b147935
0x6b147936
0x6b147939
0x6b147944
0x6b147953

APIs

__EH_prolog3.LIBCMT ref: 6B1478DC

Part of subcall function 6B1583FD: _memcpy_s.LIBCMT ref: 6B15844E

Strings

Visible, xrefs: 6B147929
[%u] [%s] [%s] [%s], xrefs: 6B14793E
Not Visible, xrefs: 6B147930, 6B147935

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3_memcpy_s
String ID: Not Visible$Visible$[%u] [%s] [%s] [%s]
API String ID: 1212206098-88040887
Opcode ID: 233542fa49a2bcdfbece83d379a29a1ee59e75d69c9c5efea6d5fc324b32ea11
Instruction ID: 41464c5448a4933035b1cff56c21331e6694820eaec5e822c5272e2e08a80216
Opcode Fuzzy Hash: 233542fa49a2bcdfbece83d379a29a1ee59e75d69c9c5efea6d5fc324b32ea11
Instruction Fuzzy Hash: 800116B6600546BFDB01CF78C845B5DBBA1FF25244F448554E9A8AB301EB3CE9358BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D729CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D729CB(void* __eax) {
				_Unknown_base(*)()* _t4;

				if(__eax < 6) {
					_t4 = GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "SetProcessDEPPolicy");
					if(_t4 != 0) {
						 *_t4(1);
					}
				}
				return 0;
			}

0x00d729cd
0x00d729e0
0x00d729e8
0x00d729ec
0x00d729ec
0x00d729e8
0x00d729f0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00D729D4
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00D729E0

Strings

KERNEL32.DLL, xrefs: 00D729CF
SetProcessDEPPolicy, xrefs: 00D729DA

Memory Dump Source

Source File: 00000009.00000002.424009398.0000000000D71000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000009.00000002.423967853.0000000000D70000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424072987.0000000000D78000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.424108233.0000000000D7A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d70000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetProcessDEPPolicy
API String ID: 1646373207-1809394400
Opcode ID: 8065ff144bd89d32fb6e4478bf9c71db74ed438314cddecb05433ac900fcf835
Instruction ID: 5b484acb5f1eafc54ab967098dcc34972de3aaeda9e65db2f4784cb0a7ab2ab2
Opcode Fuzzy Hash: 8065ff144bd89d32fb6e4478bf9c71db74ed438314cddecb05433ac900fcf835
Instruction Fuzzy Hash: 1FC0123EAD0385ABCB801BF80D0BB25225A6B40B22F888608BA4DE4184FAA085849930

Uniqueness

Uniqueness Score: -1.00%

Function 6B160047 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6B160047(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E6B15929F( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E6B1594F4( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E6B15B570(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x6b160051
0x6b160058
0x6b16006f
0x00000000
0x6b16005f
0x6b160061
0x6b16007b
0x6b160080
0x6b160083
0x6b160086
0x6b1600ae
0x6b1600b5
0x6b1600b7
0x6b160138
0x6b160153
0x6b160155
0x6b160095
0x6b160095
0x6b160098
0x6b16009a
0x6b16009d
0x6b16009d
0x6b16009d
0x6b16009d
0x00000000
0x6b1600a3
0x6b160117
0x6b160117
0x6b16011c
0x6b160122
0x6b160125
0x6b160127
0x6b16012a
0x6b16012a
0x6b16012a
0x6b16012a
0x00000000
0x6b16012e
0x6b1600b9
0x6b1600bc
0x6b1600c2
0x6b1600c5
0x6b1600ec
0x6b1600ef
0x6b1600f5
0x00000000
0x00000000
0x6b1600f7
0x6b1600fa
0x00000000
0x00000000
0x6b1600fc
0x6b1600fc
0x6b160102
0x6b160105
0x6b160074
0x6b160074
0x6b16010e
0x00000000
0x6b16010e
0x6b1600c7
0x6b1600ca
0x00000000
0x00000000
0x6b1600ce
0x6b1600df
0x6b1600e5
0x6b1600e7
0x6b1600ea
0x00000000
0x00000000
0x00000000
0x6b1600ea
0x6b160088
0x6b16008b
0x6b16008d
0x6b160092
0x6b160092
0x00000000
0x6b160063
0x6b160063
0x6b160068
0x6b16006c
0x6b16006c
0x00000000
0x6b160068
0x6b160061

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6B16007B
__isleadbyte_l.LIBCMT ref: 6B1600AE
MultiByteToWideChar.KERNEL32(00000080,00000009,6B158AB5,?,00000000,00000000,?,?,?,?,6B158AB5,00000000), ref: 6B1600DF
MultiByteToWideChar.KERNEL32(00000080,00000009,6B158AB5,00000001,00000000,00000000,?,?,?,?,6B158AB5,00000000), ref: 6B16014D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 463725bb7c059940a7173890012f6c1c9be8ef9fcc23e1bf586e8e95a55acffc
Instruction ID: df5c3db73f2c182e26222602de92b4b6c33d65a980f1070d4bbe17041c5c5a96
Opcode Fuzzy Hash: 463725bb7c059940a7173890012f6c1c9be8ef9fcc23e1bf586e8e95a55acffc
Instruction Fuzzy Hash: E831CE31E04299FFDB10CF68C8E9DAE3BB5AF013D2B1185A9E4608B191F735D9A0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B150E5C Relevance: 6.1, APIs: 4, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6B150E5C(void* __ecx, intOrPtr* __edx, struct HWND__* _a4) {
				signed int _v12;
				struct tagRECT _v28;
				signed int* _v32;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t36;
				void* _t40;
				void* _t45;
				intOrPtr* _t48;
				void* _t58;
				void* _t67;
				char _t78;
				intOrPtr* _t79;
				signed int _t82;
				signed int* _t83;
				void* _t84;

				_t72 = __edx;
				_t28 =  *0x6b16f0a0; // 0xf69ff218
				_v12 = _t28 ^ _t82;
				_v28.left = _v28.left & 0x00000000;
				asm("stosd");
				asm("stosd");
				_t79 = __edx;
				_t58 = __ecx;
				asm("stosd");
				_v28.left =  *((intOrPtr*)( *__edx))();
				_v28.top =  *((intOrPtr*)( *__edx + 4))();
				_t36 =  *((intOrPtr*)( *__edx + 8))();
				_v28.right = _t36 +  *((intOrPtr*)( *__edx))();
				_t40 =  *((intOrPtr*)( *__edx + 0xc))();
				_v28.bottom = _t40 +  *((intOrPtr*)( *__edx + 4))();
				MapDialogRect(_a4,  &_v28);
				_t45 = E6B1591B7(_t40 +  *((intOrPtr*)( *__edx + 4))(), _t79, _t84, 0x28);
				_pop(_t67);
				if(_t45 == 0) {
					_t78 = 0;
					__eflags = 0;
				} else {
					_t78 = E6B154371(_t45,  *((intOrPtr*)(_t58 + 4)));
				}
				 *_t83 =  *_t83 & 0x00000000;
				_v36 = _t78;
				_v32 = _t83;
				_t48 =  *((intOrPtr*)( *_t79 + 0x14))();
				 *_t83 =  &_v28;
				_v32 = _t83;
				E6B154454(_t78, _a4, _t79,  *_t48, _t67);
				SendMessageW( *(_t78 + 4), 0x30, SendMessageW(_a4, 0x31, 0, 0), 1);
				ShowWindow( *(_t78 + 4), 1);
				return E6B1587C1(E6B154800( &_v36, _t58 + 0xc),  &_v36, _v12 ^ _t82, _t72, _t78, _t58 + 0xc);
			}

0x6b150e5c
0x6b150e64
0x6b150e6b
0x6b150e6e
0x6b150e7a
0x6b150e7b
0x6b150e7c
0x6b150e7e
0x6b150e80
0x6b150e87
0x6b150e91
0x6b150e98
0x6b150ea9
0x6b150eac
0x6b150ec1
0x6b150ec4
0x6b150ecc
0x6b150ed1
0x6b150ed4
0x6b150ee2
0x6b150ee2
0x6b150ed6
0x6b150ede
0x6b150ede
0x6b150ee7
0x6b150eee
0x6b150ef1
0x6b150ef4
0x6b150eff
0x6b150f01
0x6b150f09
0x6b150f27
0x6b150f2e
0x6b150f4d

APIs

MapDialogRect.USER32(?,00000000), ref: 6B150EC4

Part of subcall function 6B1591B7: _malloc.LIBCMT ref: 6B1591D1

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B150F1D
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B150F27
ShowWindow.USER32(?,00000001,?,00000000,?,00000000), ref: 6B150F2E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$DialogRectShowWindow_malloc
String ID:
API String ID: 929715566-0
Opcode ID: 2a0ce235e94ebddfa11ae30568f51f7fa3b887221ae2d60bf35e9295b996e186
Instruction ID: 2611e029c82240c0f00de6111a4bc00dbf6669c8ca155d1f1ca741cdddb2a6b1
Opcode Fuzzy Hash: 2a0ce235e94ebddfa11ae30568f51f7fa3b887221ae2d60bf35e9295b996e186
Instruction Fuzzy Hash: 68317C76A00118AFCF159F68C889AAEBBF5FF8C350F104019F615EB360DB759A11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F589 Relevance: 6.1, APIs: 4, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E6B13F589(intOrPtr __ebx, signed int __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed int _a12, char _a16, char _a20) {
				signed int _v8;
				struct tagLOGFONTW _v100;
				void* __edi;
				void* __esi;
				signed int _t17;
				int _t28;
				intOrPtr _t37;
				signed int _t41;
				intOrPtr _t43;
				signed int _t44;

				_t41 = __edx;
				_t37 = __ebx;
				_t17 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t17 ^ _t44;
				_t43 = SendMessageW;
				GetObjectW(SendMessageW(_a4, 0x31, 0, 0), 0x5c,  &_v100);
				if(E6B158199(_a8) > 0) {
					E6B158D93( &(_v100.lfFaceName), 0x20, _a8);
				}
				if(_a16 != 0) {
					_v100.lfWeight = 0x2bc;
				}
				if(_a20 != 0) {
					_v100.lfItalic = 1;
				}
				asm("cdq");
				_v100.lfHeight =  ~((_a12 ^ _t41) - _t41);
				_t28 = CreateFontIndirectW( &_v100);
				_t42 = _t28;
				SendMessageW(_a4, 0x30, _t28, 1);
				E6B158460(_a8 + 0xfffffff0, _t41);
				return E6B1587C1(_t28, _t37, _v8 ^ _t44, _t41, _t42, _t43);
			}

0x6b13f589
0x6b13f589
0x6b13f591
0x6b13f598
0x6b13f59c
0x6b13f5b5
0x6b13f5c5
0x6b13f5d0
0x6b13f5d5
0x6b13f5dc
0x6b13f5de
0x6b13f5de
0x6b13f5e9
0x6b13f5eb
0x6b13f5eb
0x6b13f5f2
0x6b13f5f9
0x6b13f600
0x6b13f608
0x6b13f610
0x6b13f618
0x6b13f62c

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6B13F5AC
GetObjectW.GDI32(00000000,0000005C,?), ref: 6B13F5B5
CreateFontIndirectW.GDI32(?), ref: 6B13F600
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6B13F610

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObject
String ID:
API String ID: 2018999545-0
Opcode ID: 61103529aba1ab5544c6d302f229333fb09a95a6465b7f3424c626225ededa53
Instruction ID: faaeff67103116745b877ad6dce7ecb3ce5e0cdedd5ae8b2edaae84c0358a6b0
Opcode Fuzzy Hash: 61103529aba1ab5544c6d302f229333fb09a95a6465b7f3424c626225ededa53
Instruction Fuzzy Hash: A7119071A0021CBBDF109F78CC4ABDE3BA9AB55714F044115B925EB1C0EBB4EA14CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B154870 Relevance: 6.0, APIs: 4, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E6B154870(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t18;
				void* _t30;
				void* _t44;

				_push(4);
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				if( *((char*)( *((intOrPtr*)(__esi + 0x54)))) == 1) {
					L4:
					_t18 = 1;
					__eflags = 1;
				} else {
					_t39 =  *((intOrPtr*)(__esi + 0x64));
					_t41 =  *(__esi + 4);
					if(E6B13EB19(0x104,  *(__esi + 4),  *((intOrPtr*)(__esi + 0x64)),  *((intOrPtr*)(__esi + 0x58))) == 6) {
						EnableMenuItem(GetSystemMenu(GetParent( *(__esi + 4)), 0), 0xf060, 1);
						E6B13E36B(__esi + 4);
						 *((char*)( *((intOrPtr*)(__esi + 0x54)))) = 1;
						_t30 = E6B154ECE(__ebx, _t39, __edi, __esi, __eflags, __esi, _t44 - 0x10);
						 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
						_push(_t30);
						E6B14F491( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x6c)))) + 0x14))(), __edi, __esi, __eflags);
						__eflags =  *((intOrPtr*)(_t44 - 0x10)) + 0xfffffff0;
						E6B158460( *((intOrPtr*)(_t44 - 0x10)) + 0xfffffff0, _t41);
						goto L4;
					} else {
						_t18 = 0;
					}
				}
				return E6B162709(_t18);
			}

0x6b154870
0x6b154877
0x6b154882
0x6b1548fa
0x6b1548fc
0x6b1548fc
0x6b154884
0x6b154887
0x6b15488a
0x6b15489d
0x6b1548bd
0x6b1548c6
0x6b1548ce
0x6b1548d6
0x6b1548db
0x6b1548e2
0x6b1548ea
0x6b1548f2
0x6b1548f5
0x00000000
0x6b15489f
0x6b15489f
0x6b15489f
0x6b15489d
0x6b154902

APIs

__EH_prolog3.LIBCMT ref: 6B154877

Part of subcall function 6B13EB19: GetCurrentThreadId.KERNEL32 ref: 6B13EB3A
Part of subcall function 6B13EB19: SetWindowsHookExW.USER32(00000005,Function_0000EAF4,00000000,00000000), ref: 6B13EB4A
Part of subcall function 6B13EB19: MessageBoxW.USER32(?,?,?), ref: 6B13EB5D
Part of subcall function 6B13EB19: UnhookWindowsHookEx.USER32(?), ref: 6B13EB6D

GetParent.USER32(?), ref: 6B1548A6
GetSystemMenu.USER32(00000000,00000000,0000F060,00000001,?,6B15158F,?,000006F5,?,?,?,00000000,?,00000001), ref: 6B1548B6
EnableMenuItem.USER32 ref: 6B1548BD

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: HookMenuWindows$CurrentEnableH_prolog3ItemMessageParentSystemThreadUnhook
String ID:
API String ID: 267827553-0
Opcode ID: 366a1fe64913a8ad8dfe77c60c6d2bc1bb703b548ac8709f49efc657bca75f4a
Instruction ID: 0e448836ddfdaa00505d6c9434ffee27000ef5f8d3f0338f3ca705fe5d4d08c1
Opcode Fuzzy Hash: 366a1fe64913a8ad8dfe77c60c6d2bc1bb703b548ac8709f49efc657bca75f4a
Instruction Fuzzy Hash: AC1161B5640740BFD710DBB8C985F6A73E4EF05B18F000854F562D7690D7B8E960CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6B146ABD Relevance: 6.0, APIs: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B146ABD(void* __eax, void* __ecx, intOrPtr* __edi, void* __eflags, struct HWND__** _a4) {
				void* __ebx;
				void* __esi;
				int _t17;
				struct HWND__* _t20;
				void* _t25;
				long _t26;
				void* _t27;

				_t27 = __eflags;
				_t25 = __eax;
				_t20 = GetDlgItem( *_a4,  *(__eax + 0x24));
				E6B15547B(_t20, _t25, _t27);
				if( *((intOrPtr*)( *__edi))() == 0) {
					_a4 =  *_a4;
					_t17 = E6B13EDE8(__edi + 4,  &_a4, _t20);
				} else {
					ShowWindow(_t20, 0);
					_t17 = EnableWindow(_t20, 0);
				}
				_t26 =  *(_t25 + 0x28);
				if(_t26 != 0) {
					return SendMessageW(_t20, 0xf7, 1, _t26);
				}
				return _t17;
			}

0x6b146abd
0x6b146ac4
0x6b146ad4
0x6b146ad6
0x6b146ae3
0x6b146afe
0x6b146b09
0x6b146ae5
0x6b146ae8
0x6b146af1
0x6b146af1
0x6b146b0e
0x6b146b13
0x00000000
0x6b146b1e
0x6b146b27

APIs

GetDlgItem.USER32 ref: 6B146ACE
ShowWindow.USER32(00000000,00000000), ref: 6B146AE8
EnableWindow.USER32(00000000,00000000), ref: 6B146AF1
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6B146B1E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$EnableItemMessageSendShow
String ID:
API String ID: 1246583984-0
Opcode ID: b91761957fe0ba5f7cbb738b9fab76ab61eabd27c36e9a07d4fdd2e50f4ba9b2
Instruction ID: 7d2ba40a42b53d39a0df58e8786a8ac803516fc9ab6c3f5079daa574f2e3b583
Opcode Fuzzy Hash: b91761957fe0ba5f7cbb738b9fab76ab61eabd27c36e9a07d4fdd2e50f4ba9b2
Instruction Fuzzy Hash: ED018176200318BFDB20AF64CC89FAA7BA8EF09765F104451FA069B650EB75E910CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B13EB19 Relevance: 6.0, APIs: 4, Instructions: 38
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B13EB19(int __eax, struct HWND__* _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HHOOK__* _t14;
				int _t17;
				int _t18;
				signed int* _t19;

				_t17 = __eax;
				if(E6B13E7D4() != 0) {
					_t17 = _t17 | 0x00180000;
				}
				_t19 = E6B13E968();
				 *_t19 = _t17;
				_t19[1] = SetWindowsHookExW(5, E6B13EAF4, 0, GetCurrentThreadId());
				_t18 = MessageBoxW(_a4, _a8, _a12, _t17);
				_t14 = _t19[1];
				if(_t14 != 0) {
					UnhookWindowsHookEx(_t14);
					_t19[1] = _t19[1] & 0x00000000;
				}
				 *_t19 =  *_t19 & 0x00000000;
				return _t18;
			}

0x6b13eb20
0x6b13eb29
0x6b13eb2b
0x6b13eb2b
0x6b13eb36
0x6b13eb38
0x6b13eb54
0x6b13eb63
0x6b13eb65
0x6b13eb6a
0x6b13eb6d
0x6b13eb73
0x6b13eb73
0x6b13eb77
0x6b13eb7f

APIs

Part of subcall function 6B13E7D4: GetThreadLocale.KERNEL32(?,?,6B13EB27), ref: 6B13E7DE
Part of subcall function 6B13E7D4: GetThreadLocale.KERNEL32(?,?,6B13EB27), ref: 6B13E7ED

GetCurrentThreadId.KERNEL32 ref: 6B13EB3A
SetWindowsHookExW.USER32(00000005,Function_0000EAF4,00000000,00000000), ref: 6B13EB4A
MessageBoxW.USER32(?,?,?), ref: 6B13EB5D
UnhookWindowsHookEx.USER32(?), ref: 6B13EB6D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Thread$HookLocaleWindows$CurrentMessageUnhook
String ID:
API String ID: 3998944487-0
Opcode ID: c8ee9a05a5a272b0c82a952213c5b1d6bf4cfc5aaccacfcf12d147a69ae84afc
Instruction ID: 31e1d4508b89df1f8c1ef1c4409fbe99d810eeadd9b23964e70555d3c1710f00
Opcode Fuzzy Hash: c8ee9a05a5a272b0c82a952213c5b1d6bf4cfc5aaccacfcf12d147a69ae84afc
Instruction Fuzzy Hash: 6CF06233200321BBDB216F65CC09B5ABBE9EF85762F114428F969D7140E775D921CB70

Uniqueness

Uniqueness Score: -1.00%

Function 6B161EFE Relevance: 6.0, APIs: 4, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6B161EFE(void* __ecx, signed int _a4) {
				signed int _t8;
				intOrPtr _t12;
				struct _CRITICAL_SECTION* _t14;
				void* _t15;
				intOrPtr _t16;

				_t15 = __ecx;
				_t1 = _t15 + 0x14; // 0x6b172fa0
				_t14 = _t1;
				EnterCriticalSection(_t14);
				_t2 = _t15 + 0x30; // 0x0
				_t12 =  *_t2;
				_t8 = _a4;
				if(_t8 > _t12 || _t8 < 0) {
					L8:
					LeaveCriticalSection(_t14);
					__eflags = 0;
					return 0;
				} else {
					if(_t8 != _t12) {
						if(__eflags >= 0) {
							RaiseException(0xc000008c, 1, 0, 0);
							goto L8;
						}
						_t5 = _t15 + 0x2c; // 0x0
						_t16 =  *((intOrPtr*)( *_t5 + _t8 * 4));
						L4:
						LeaveCriticalSection(_t14);
						return _t16;
					}
					_t4 = _t15 + 8; // 0x3070000
					_t16 =  *_t4;
					goto L4;
				}
			}

0x6b161f05
0x6b161f07
0x6b161f07
0x6b161f0b
0x6b161f11
0x6b161f11
0x6b161f14
0x6b161f19
0x6b161f4c
0x6b161f4d
0x6b161f53
0x00000000
0x6b161f1f
0x6b161f21
0x6b161f31
0x6b161f46
0x00000000
0x6b161f46
0x6b161f33
0x6b161f36
0x6b161f26
0x6b161f27
0x00000000
0x6b161f2d
0x6b161f23
0x6b161f23
0x00000000
0x6b161f23

APIs

EnterCriticalSection.KERNEL32(6B172FA0,6B172F8C,?,?,6B14EFB9,00000000,?,?,?,?,?,6B14E923,?,-00000010), ref: 6B161F0B
LeaveCriticalSection.KERNEL32(6B172FA0,?,6B14EFB9,00000000,?,?,?,?,?,6B14E923,?,-00000010), ref: 6B161F27
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,6B14EFB9,00000000,?,?,?,?,?,6B14E923,?,-00000010), ref: 6B161F46
LeaveCriticalSection.KERNEL32(6B172FA0,?,6B14EFB9,00000000,?,?,?,?,?,6B14E923,?,-00000010), ref: 6B161F4D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExceptionRaise
String ID:
API String ID: 799838862-0
Opcode ID: 5f383e3b4a479e2e9e205f11262da38cbc85cbf61ae5c5c9915b189bc29053bf
Instruction ID: be1a3561ab2140adedeedc94462042a2ed8d7786439edb313735465bdc032335
Opcode Fuzzy Hash: 5f383e3b4a479e2e9e205f11262da38cbc85cbf61ae5c5c9915b189bc29053bf
Instruction Fuzzy Hash: DBF02B36244620B7D7305F68DC84F5A7774EB867A1F011499FA05D7500E774FC3A8750

Uniqueness

Uniqueness Score: -1.00%

Function 6B157DD2 Relevance: 6.0, APIs: 4, Instructions: 29
threadCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6B157DD2(intOrPtr __eax, intOrPtr __esi) {
				intOrPtr _t6;
				void* _t7;

				_t3 = __eax;
				if(__esi == 0 || __eax == 0) {
					RaiseException(0xc0000005, 1, 0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					if(_t3 != 0) {
						if(_t3 == 0xc) {
							_push(0x8007000e);
							L10:
							E6B1583CE(_t7);
							L11:
							_push(0x80070057);
							goto L10;
						}
						if(_t3 == 0x16 || _t3 == 0x22) {
							goto L11;
						}
						if(_t3 != 0x50) {
							_push(0x80004005);
							goto L10;
						}
					}
					return _t3;
				} else {
					 *((intOrPtr*)(__esi)) = __eax;
					 *((intOrPtr*)(__esi + 4)) = GetCurrentThreadId();
					EnterCriticalSection(0x6b172fc8);
					_t6 =  *0x6b172fe0; // 0x0
					 *((intOrPtr*)(__esi + 8)) = _t6;
					 *0x6b172fe0 = __esi;
					LeaveCriticalSection(0x6b172fc8);
					return _t6;
				}
			}

0x6b157dd2
0x6b157dd4
0x6b157e14
0x6b157e1a
0x6b157e1b
0x6b157e1c
0x6b157e1d
0x6b157e1e
0x6b157e1f
0x6b157e22
0x6b157e27
0x6b157e49
0x6b157e3d
0x6b157e3d
0x6b157e42
0x6b157e42
0x00000000
0x6b157e42
0x6b157e2c
0x00000000
0x00000000
0x6b157e36
0x6b157e38
0x00000000
0x6b157e38
0x6b157e36
0x6b157e50
0x6b157dda
0x6b157ddb
0x6b157de9
0x6b157dec
0x6b157df2
0x6b157df7
0x6b157dfb
0x6b157e01
0x6b157e08
0x6b157e08

APIs

GetCurrentThreadId.KERNEL32 ref: 6B157DDD
EnterCriticalSection.KERNEL32(6B172FC8,?,6B150100,?,?,00000000), ref: 6B157DEC
LeaveCriticalSection.KERNEL32(6B172FC8,?,6B150100,?,?,00000000), ref: 6B157E01
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,6B156408,00000000,?,?,6B1544A7,?,?,00000000,50010000,00000000,?,?), ref: 6B157E14

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionLeaveRaiseThread
String ID:
API String ID: 2662421713-0
Opcode ID: 4ecd668cbe301aba00e7e9aeb4d08d1791daa08fe4c65040dfb283ebbf9273be
Instruction ID: e7c80ebbb9f9ac16023ebd489111ab926bbe02d10d5e82cdb24eb7fefb4a16c3
Opcode Fuzzy Hash: 4ecd668cbe301aba00e7e9aeb4d08d1791daa08fe4c65040dfb283ebbf9273be
Instruction Fuzzy Hash: EAE09BB0500721FBDF215F3C9D09B05BAB4EB56B02F01452EF951D3244E774C4518A90

Uniqueness

Uniqueness Score: -1.00%

Function 6B13CCD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6B13CCD2(intOrPtr __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t78;
				void* _t83;
				intOrPtr* _t93;
				intOrPtr* _t103;
				intOrPtr* _t104;
				intOrPtr* _t105;
				intOrPtr* _t114;
				signed int _t115;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t126;
				signed int _t127;
				intOrPtr* _t160;
				signed int _t162;
				void* _t164;

				_t132 = __ebx;
				_push(0x24);
				E6B16265B(0x6b16613f, __ebx, __edi, __esi);
				_t162 = 0;
				 *((intOrPtr*)(_t164 - 0x18)) = 0;
				 *(_t164 - 4) = 0;
				 *((intOrPtr*)(_t164 - 0x10)) = 0;
				 *(_t164 - 4) = 1;
				_t78 =  *((intOrPtr*)(_t164 + 0xc));
				_t137 =  *_t78;
				_t152 = _t164 - 0x10;
				_push(_t164 - 0x10);
				_push(_t78);
				if( *((intOrPtr*)( *_t78 + 0x34))() != 0) {
					L17:
					E6B14E8E8(0x6b1379e4, _t162, __eflags);
					 *(_t164 - 4) = 5;
					_t83 = E6B14F143(_t132,  *((intOrPtr*)(_t164 + 0x10)), _t162, __eflags);
					 *(_t164 - 4) = 6;
					E6B13CA39(_t132, _t164 + 8, _t152,  *((intOrPtr*)(_t164 + 0x10)), _t162, __eflags);
					E6B158460( *((intOrPtr*)(_t164 - 0x18)) + 0xfffffff0, _t152);
					 *(_t164 - 4) = 9;
					E6B158460( *((intOrPtr*)(_t164 + 8)) + 0xfffffff0, _t152);
					_t93 = E6B13CAC2(_t132, _t164 - 0x24, _t152,  *((intOrPtr*)(_t164 + 0x10)), _t162, __eflags);
					 *(_t164 - 4) = 0xa;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x14)))) + 4))(_t162,  *_t93, _t164 + 0x10, _t164 - 0x24, _t83, _t164 + 8, _t164 - 0x18, L"schema validation failure:  child element not found - ", _t164 + 8);
					 *(_t164 - 4) = 9;
					__eflags =  *((intOrPtr*)(_t164 + 0x10)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t164 + 0x10)) + 0xfffffff0,  *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x14)))));
					_push(_t164 - 0x24);
					E6B13D170(_t132, _t164 - 0x30,  *((intOrPtr*)(_t164 + 0x10)), _t162, __eflags);
					E6B15DBDB(_t164 - 0x30, 0x6b1682a0);
					L18:
					_t103 =  *((intOrPtr*)(_t164 - 0x14));
					 *((intOrPtr*)(_t164 + 0x10)) = _t162;
					__eflags = _t103 - _t162;
					if(_t103 != _t162) {
						 *((intOrPtr*)( *_t103))(_t103, 0x6b137910, _t164 + 0x10);
						_t103 =  *((intOrPtr*)(_t164 - 0x14));
					}
					_t159 =  *((intOrPtr*)(_t164 + 8));
					 *((intOrPtr*)( *((intOrPtr*)(_t164 + 8)))) =  *((intOrPtr*)(_t164 + 0x10));
					 *((intOrPtr*)(_t164 + 0x10)) = _t162;
					 *(_t164 - 4) = 1;
					__eflags = _t103 - _t162;
					if(_t103 != _t162) {
						 *((intOrPtr*)( *_t103 + 8))(_t103);
					}
					 *(_t164 - 4) = 0;
					_t104 =  *((intOrPtr*)(_t164 - 0x10));
					L5:
					if(_t104 != _t162) {
						 *((intOrPtr*)( *_t104 + 8))(_t104);
					}
					 *(_t164 - 4) =  *(_t164 - 4) | 0xffffffff;
					_t105 =  *((intOrPtr*)(_t164 + 0xc));
					if(_t105 != _t162) {
						 *((intOrPtr*)( *_t105 + 8))(_t105);
					}
					return E6B162709(_t159);
				}
				_t114 = E6B13CCB1(_t137, _t164 - 0x14, _t164 - 0x10);
				 *(_t164 - 4) = 2;
				_t115 = E6B14EB0A( *_t114,  *((intOrPtr*)(_t164 + 0x10)));
				 *(_t164 - 4) = 1;
				asm("sbb bl, bl");
				E6B158460( *((intOrPtr*)(_t164 - 0x14)) + 0xfffffff0, _t152);
				_t132 =  ~_t115 + 1;
				if( ~_t115 + 1 == 0) {
					do {
						 *((intOrPtr*)(_t164 - 0x14)) = _t162;
						 *(_t164 - 4) = 3;
						_t119 =  *((intOrPtr*)(_t164 - 0x10));
						_t148 =  *_t119;
						_t152 = _t164 - 0x14;
						_t120 =  *((intOrPtr*)( *_t119 + 0x40))(_t119, _t164 - 0x14);
						__eflags = _t120 - _t162;
						if(_t120 != _t162) {
							goto L12;
						}
						_t126 = E6B13CCB1(_t148, _t164 - 0x18, _t164 - 0x14);
						 *(_t164 - 4) = 4;
						_t127 = E6B14EB0A( *_t126,  *((intOrPtr*)(_t164 + 0x10)));
						 *(_t164 - 4) = 3;
						asm("sbb bl, bl");
						E6B158460( *((intOrPtr*)(_t164 - 0x18)) + 0xfffffff0, _t152);
						_t132 =  ~_t127 + 1;
						__eflags =  ~_t127 + 1;
						if( ~_t127 + 1 != 0) {
							goto L18;
						}
						L12:
						_t160 =  *((intOrPtr*)(_t164 - 0x14));
						__eflags =  *((intOrPtr*)(_t164 - 0x10)) - _t160;
						if( *((intOrPtr*)(_t164 - 0x10)) != _t160) {
							E6B157D2D(_t160, _t164 - 0x10);
							_t160 =  *((intOrPtr*)(_t164 - 0x14));
							_t162 = 0;
							__eflags = 0;
						}
						 *(_t164 - 4) = 1;
						__eflags = _t160 - _t162;
						if(_t160 != _t162) {
							 *((intOrPtr*)( *_t160 + 8))(_t160);
						}
						__eflags =  *((intOrPtr*)(_t164 - 0x10)) - _t162;
					} while (__eflags != 0);
					goto L17;
				}
				_t104 =  *((intOrPtr*)(_t164 - 0x10));
				 *((intOrPtr*)(_t164 + 0x10)) = 0;
				if(_t104 != 0) {
					 *((intOrPtr*)( *_t104))(_t104, 0x6b137910, _t164 + 0x10);
					_t104 =  *((intOrPtr*)(_t164 - 0x10));
				}
				_t159 =  *((intOrPtr*)(_t164 + 8));
				 *((intOrPtr*)( *((intOrPtr*)(_t164 + 8)))) =  *((intOrPtr*)(_t164 + 0x10));
				 *((intOrPtr*)(_t164 + 0x10)) = _t162;
				 *(_t164 - 4) = 0;
				goto L5;
			}

0x6b13ccd2
0x6b13ccd2
0x6b13ccd9
0x6b13ccde
0x6b13cce0
0x6b13cce3
0x6b13cce6
0x6b13cce9
0x6b13cced
0x6b13ccf0
0x6b13ccf2
0x6b13ccf5
0x6b13ccf6
0x6b13ccfc
0x6b13cdfd
0x6b13ce06
0x6b13ce13
0x6b13ce1b
0x6b13ce29
0x6b13ce2d
0x6b13ce38
0x6b13ce3d
0x6b13ce47
0x6b13ce53
0x6b13ce5b
0x6b13ce65
0x6b13ce68
0x6b13ce6f
0x6b13ce72
0x6b13ce7a
0x6b13ce7e
0x6b13ce8c
0x6b13ce91
0x6b13ce91
0x6b13ce94
0x6b13ce97
0x6b13ce99
0x6b13cea7
0x6b13cea9
0x6b13cea9
0x6b13ceaf
0x6b13ceb2
0x6b13ceb4
0x6b13ceb7
0x6b13cebb
0x6b13cebd
0x6b13cec2
0x6b13cec2
0x6b13cec5
0x6b13cec9
0x6b13cd60
0x6b13cd62
0x6b13cd67
0x6b13cd67
0x6b13cd6a
0x6b13cd6e
0x6b13cd73
0x6b13cd78
0x6b13cd78
0x6b13cd82
0x6b13cd82
0x6b13cd0a
0x6b13cd0f
0x6b13cd18
0x6b13cd1f
0x6b13cd28
0x6b13cd2d
0x6b13cd32
0x6b13cd34
0x6b13cd85
0x6b13cd85
0x6b13cd88
0x6b13cd8c
0x6b13cd8f
0x6b13cd91
0x6b13cd96
0x6b13cd99
0x6b13cd9b
0x00000000
0x00000000
0x6b13cda5
0x6b13cdaa
0x6b13cdb3
0x6b13cdba
0x6b13cdc3
0x6b13cdc8
0x6b13cdcd
0x6b13cdcd
0x6b13cdcf
0x00000000
0x00000000
0x6b13cdd5
0x6b13cdd5
0x6b13cdd8
0x6b13cddb
0x6b13cde0
0x6b13cde5
0x6b13cde8
0x6b13cde8
0x6b13cde8
0x6b13cdea
0x6b13cdee
0x6b13cdf0
0x6b13cdf5
0x6b13cdf5
0x6b13cdf8
0x6b13cdf8
0x00000000
0x6b13cd85
0x6b13cd36
0x6b13cd39
0x6b13cd3e
0x6b13cd4c
0x6b13cd4e
0x6b13cd4e
0x6b13cd54
0x6b13cd57
0x6b13cd59
0x6b13cd5c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 6B13CCD9
__CxxThrowException@8.LIBCMT ref: 6B13CE8C

Strings

schema validation failure: child element not found - , xrefs: 6B13CE0B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: schema validation failure: child element not found -
API String ID: 3670251406-3859288074
Opcode ID: ea8fc574c5bb591f8ac60e608d47edd45e5a0c87fb614ae8199a4c1503aceb3d
Instruction ID: 20087d86264a8a13966ab736cdcbc314bd5b207896e6e71f68b84e48289e7add
Opcode Fuzzy Hash: ea8fc574c5bb591f8ac60e608d47edd45e5a0c87fb614ae8199a4c1503aceb3d
Instruction Fuzzy Hash: 97717071900269EFCB01CFB8C844AEE7BB9BF49714F244589F421E7390D779AA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B14200C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6B14200C(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t65;
				intOrPtr* _t67;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr* _t78;
				intOrPtr* _t88;
				void* _t98;
				intOrPtr* _t102;
				void* _t109;
				void* _t117;
				void* _t118;

				_t118 = __eflags;
				_t109 = __edx;
				_t105 = __ecx;
				_push(0x38);
				E6B16265B(0x6b166ae9, __ebx, __edi, __esi);
				 *(_t117 - 0x10) =  *(_t117 - 0x10) & 0x00000000;
				 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
				_t102 =  *((intOrPtr*)(_t117 + 8));
				_push(_t117 - 0x14);
				 *_t102 = 0x6b137274;
				E6B14E8E8(L"Name", __esi, _t118);
				 *(_t117 - 4) = 1;
				_t65 = E6B13D6C4( *((intOrPtr*)(_t117 + 0xc)), _t102, _t105, _t117 - 0x2c, _t117 - 0x14);
				_t103 = _t102 + 4;
				_t114 = _t65;
				 *(_t117 - 4) = 2;
				E6B13D76F(_t102 + 4, L"Name", _t65, _t118);
				 *(_t117 - 4) = 4;
				_t67 =  *((intOrPtr*)(_t117 - 0x2c));
				_t119 = _t67;
				if(_t67 != 0) {
					_t105 =  *_t67;
					 *((intOrPtr*)( *_t67 + 8))(_t67);
				}
				 *(_t117 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t117 - 0x14)) + 0xfffffff0, _t109);
				_push(_t117 - 0x1c);
				E6B14E8E8(L"Size", _t114, _t119);
				 *(_t117 - 4) = 6;
				_t76 = E6B13D6C4( *((intOrPtr*)(_t117 + 0xc)), _t103, _t105, _t117 - 0x44, _t117 - 0x1c);
				 *(_t117 - 4) = 7;
				_t120 =  *_t76;
				if( *_t76 == 0) {
					_t77 = 0;
					__eflags = 0;
				} else {
					_push(_t117 - 0x18);
					E6B14E8E8(L"Size", _t114, _t120);
					 *(_t117 - 4) = 8;
					 *(_t117 - 0x10) = 1;
					_t98 = E6B13D6C4( *((intOrPtr*)(_t117 + 0xc)), _t103, _t105, _t117 - 0x38, _t117 - 0x18);
					 *(_t117 - 4) = 9;
					 *(_t117 - 0x10) = 3;
					_push( *((intOrPtr*)(E6B13D76F(_t117 - 0x20, L"Size", _t98, _t120))));
					 *(_t117 - 0x10) = 7;
					_t77 = E6B158E16();
				}
				_t115 =  *((intOrPtr*)(_t117 + 8));
				 *((intOrPtr*)( *((intOrPtr*)(_t117 + 8)) + 8)) = _t77;
				if(( *(_t117 - 0x10) & 0x00000004) != 0) {
					 *(_t117 - 0x10) =  *(_t117 - 0x10) & 0xfffffffb;
					E6B158460( *((intOrPtr*)(_t117 - 0x20)) + 0xfffffff0, _t109);
				}
				 *(_t117 - 4) = 8;
				if(( *(_t117 - 0x10) & 0x00000002) != 0) {
					_t88 =  *((intOrPtr*)(_t117 - 0x38));
					 *(_t117 - 0x10) =  *(_t117 - 0x10) & 0xfffffffd;
					if(_t88 != 0) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
				}
				 *(_t117 - 4) = 7;
				if(( *(_t117 - 0x10) & 0x00000001) != 0) {
					E6B158460( *((intOrPtr*)(_t117 - 0x18)) + 0xfffffff0, _t109);
				}
				 *(_t117 - 4) = 6;
				_t78 =  *((intOrPtr*)(_t117 - 0x44));
				if(_t78 != 0) {
					 *((intOrPtr*)( *_t78 + 8))(_t78);
				}
				E6B158460( *((intOrPtr*)(_t117 - 0x1c)) + 0xfffffff0, _t109);
				return E6B162709(_t115);
			}

0x6b14200c
0x6b14200c
0x6b14200c
0x6b14200c
0x6b142013
0x6b142018
0x6b14201c
0x6b142020
0x6b142026
0x6b14202c
0x6b142032
0x6b142042
0x6b142046
0x6b14204b
0x6b14204e
0x6b142050
0x6b142054
0x6b142059
0x6b14205d
0x6b142060
0x6b142062
0x6b142064
0x6b142067
0x6b142067
0x6b14206a
0x6b142074
0x6b14207c
0x6b142082
0x6b142092
0x6b142096
0x6b14209b
0x6b14209f
0x6b1420a2
0x6b1420f1
0x6b1420f1
0x6b1420a4
0x6b1420a7
0x6b1420a8
0x6b1420b8
0x6b1420bc
0x6b1420c3
0x6b1420c8
0x6b1420d4
0x6b1420e0
0x6b1420e2
0x6b1420e9
0x6b1420ee
0x6b1420f7
0x6b1420fa
0x6b1420fd
0x6b142102
0x6b142109
0x6b142109
0x6b14210e
0x6b142119
0x6b14211b
0x6b14211e
0x6b142124
0x6b142129
0x6b142129
0x6b142124
0x6b14212c
0x6b142137
0x6b14213f
0x6b14213f
0x6b142144
0x6b142148
0x6b14214d
0x6b142152
0x6b142152
0x6b14215b
0x6b142167

APIs

__EH_prolog3.LIBCMT ref: 6B142013

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Strings

Name, xrefs: 6B142027
Size, xrefs: 6B14207D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Name$Size
API String ID: 431132790-481755742
Opcode ID: 5e909c3ef996b2db3da021370c513a4513eb30b7e0dd334e989274221b7e6da7
Instruction ID: 409753cfc29263cd018c70e1f9250d215e06b3812a979a446be5032ed0b784df
Opcode Fuzzy Hash: 5e909c3ef996b2db3da021370c513a4513eb30b7e0dd334e989274221b7e6da7
Instruction Fuzzy Hash: 28412BB1900259EFDF01CBB8C945BDEBBB8AF15328F144184E524F7291D778AA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B157ACF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6B157ACF(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				short _v528;
				short _v530;
				short _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				char _v1060;
				void* __edi;
				void* __esi;
				signed int _t17;
				void* _t21;
				intOrPtr _t23;
				long _t34;
				intOrPtr _t35;
				intOrPtr _t40;
				intOrPtr _t41;
				signed int _t43;
				void* _t44;

				_t40 = __edx;
				_t35 = __ebx;
				_t17 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t17 ^ _t43;
				_t19 = _a4;
				_t41 = __ecx;
				if(_a4 != 0) {
					_t21 = E6B159064( &_v528, 0x104, _t19, 0xffffffff);
					_t44 = _t44 + 0x10;
					if(E6B157E20(_t21) == 0x50) {
						goto L4;
					} else {
						goto L6;
					}
				} else {
					_t42 = 0x100;
					_t34 = GetTempPathW(0x100,  &_v528);
					if(_t34 != 0) {
						if(_t34 <= 0x100) {
							L6:
							if(GetTempFileNameW( &_v528, L"TFR", 0,  &_v1048) == 0) {
								goto L2;
							} else {
								_v530 = 0;
								_t42 = _t41 + 8;
								E6B157E20(E6B159064(_t41 + 8, 0x101,  &_v1048, 0xffffffff));
								_v1056 = _v1056 & 0x00000000;
								_v1060 = 0xc;
								_v1052 = 1;
								 *((intOrPtr*)(_t41 + 0x20c)) = 0xc0000000;
								_t23 = E6B157F22(_t41, _t41 + 8, 0xc0000000, 0, 2, 0x2100,  &_v1060);
							}
						} else {
							L4:
							_t23 = 0x80020013;
						}
					} else {
						L2:
						_t23 = E6B157F08();
					}
				}
				return E6B1587C1(_t23, _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x6b157acf
0x6b157acf
0x6b157ada
0x6b157ae1
0x6b157ae4
0x6b157ae9
0x6b157aed
0x6b157b2d
0x6b157b32
0x6b157b3d
0x00000000
0x00000000
0x00000000
0x00000000
0x6b157aef
0x6b157af6
0x6b157afc
0x6b157b04
0x6b157b12
0x6b157b3f
0x6b157b5c
0x00000000
0x6b157b5e
0x6b157b60
0x6b157b70
0x6b157b81
0x6b157b86
0x6b157ba4
0x6b157bae
0x6b157bb8
0x6b157bbe
0x6b157bbe
0x6b157b14
0x6b157b14
0x6b157b14
0x6b157b14
0x6b157b06
0x6b157b06
0x6b157b06
0x6b157b06
0x6b157b04
0x6b157bd0

APIs

GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6B157AFC

Part of subcall function 6B157F08: GetLastError.KERNEL32(6B157B0B,?,?,?,00000000), ref: 6B157F08

GetTempFileNameW.KERNEL32(?,TFR,00000000,?,?,?,?,00000000), ref: 6B157B54

Strings

TFR, xrefs: 6B157B48

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Temp$ErrorFileLastNamePath
String ID: TFR
API String ID: 3373471080-3081930533
Opcode ID: 83f2e63d084817bb0a7eb80495ca6e4371a130c399b587a8e440ab263dd235d1
Instruction ID: 6a847c39e1c7998da78b7bde771046e823a09e9f7a1021c60d0c5e8d688cbeba
Opcode Fuzzy Hash: 83f2e63d084817bb0a7eb80495ca6e4371a130c399b587a8e440ab263dd235d1
Instruction Fuzzy Hash: 9E219BF2A002187ADB10DB64CC46FDE73ACAB05714F5086A7E634D31C1D778DA948B65

Uniqueness

Uniqueness Score: -1.00%

Function 6B14443D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6B14443D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t42;
				void* _t53;
				intOrPtr* _t58;
				intOrPtr* _t67;
				void* _t80;
				void* _t81;

				_t81 = __eflags;
				_t72 = __edx;
				_t70 = __ecx;
				_push(0x3c);
				E6B16265B(0x6b167200, __ebx, __edi, __esi);
				_t67 =  *((intOrPtr*)(_t80 + 8));
				_t78 = _t67 + 4;
				 *_t67 = 0x6b137438;
				E6B144217(_t67 + 4, _t81);
				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
				_push(_t80 - 0x10);
				E6B14E8E8(L"SysLink", _t67 + 4, _t81);
				 *(_t80 - 4) = 1;
				_push(E6B13D6C4( *((intOrPtr*)(_t80 + 0xc)), _t67, _t70, _t80 - 0x20, _t80 - 0x10));
				_t68 = _t67 + 0x20;
				_push(_t67 + 0x20);
				 *(_t80 - 4) = 2;
				E6B1427EE(_t67 + 0x20, _t70, __edx, L"SysLink", _t67 + 4, _t81);
				 *(_t80 - 4) = 4;
				_t42 =  *((intOrPtr*)(_t80 - 0x20));
				_t82 = _t42;
				if(_t42 != 0) {
					_t70 =  *_t42;
					 *((intOrPtr*)( *_t42 + 8))(_t42);
				}
				 *(_t80 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t80 - 0x10)) + 0xfffffff0, _t72);
				_push(_t80 - 0x14);
				E6B14E8E8(L"SQMPermissionCheckbox", _t78, _t82);
				 *(_t80 - 4) = 6;
				_push(E6B13D6C4( *((intOrPtr*)(_t80 + 0xc)), _t68, _t70, _t80 - 0x2c, _t80 - 0x14));
				_push(_t80 - 0x48);
				 *(_t80 - 4) = 7;
				_t53 = E6B144247(_t68, _t72, L"SQMPermissionCheckbox", _t78, _t82);
				 *(_t80 - 4) = 8;
				E6B1442CD(_t53, _t78);
				 *((intOrPtr*)(_t80 - 0x40)) = 0x6b136f7c;
				E6B158460( *((intOrPtr*)(_t80 - 0x44)) + 0xfffffff0, _t72);
				 *(_t80 - 4) = 6;
				_t58 =  *((intOrPtr*)(_t80 - 0x2c));
				 *((intOrPtr*)(_t80 - 0x48)) = 0x6b136f7c;
				if(_t58 != 0) {
					 *((intOrPtr*)( *_t58 + 8))(_t58);
				}
				E6B158460( *((intOrPtr*)(_t80 - 0x14)) + 0xfffffff0, _t72);
				return E6B162709( *((intOrPtr*)(_t80 + 8)));
			}

0x6b14443d
0x6b14443d
0x6b14443d
0x6b14443d
0x6b144444
0x6b144449
0x6b14444c
0x6b144451
0x6b144457
0x6b14445c
0x6b144463
0x6b144469
0x6b144479
0x6b144482
0x6b144483
0x6b144486
0x6b144487
0x6b14448b
0x6b144490
0x6b144494
0x6b144497
0x6b144499
0x6b14449b
0x6b14449e
0x6b14449e
0x6b1444a1
0x6b1444ab
0x6b1444b3
0x6b1444b9
0x6b1444c9
0x6b1444d2
0x6b1444d6
0x6b1444d7
0x6b1444db
0x6b1444e2
0x6b1444e6
0x6b1444f6
0x6b1444f9
0x6b1444fe
0x6b144502
0x6b144505
0x6b14450a
0x6b14450f
0x6b14450f
0x6b144518
0x6b144525

APIs

__EH_prolog3.LIBCMT ref: 6B144444

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B1427EE: __EH_prolog3.LIBCMT ref: 6B1427F5

Strings

SQMPermissionCheckbox, xrefs: 6B1444B4
SysLink, xrefs: 6B144464

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: SQMPermissionCheckbox$SysLink
API String ID: 431132790-2543308372
Opcode ID: 2db9ca01f98b21d80c886a72cae7f899e03b56ba2f6c2aa79dbfa7f4eccb1d29
Instruction ID: 85badc44b37b4d6381586e8bb6eaee30cc5dbc3c5d8b9a2c7371d8d73ec6dc66
Opcode Fuzzy Hash: 2db9ca01f98b21d80c886a72cae7f899e03b56ba2f6c2aa79dbfa7f4eccb1d29
Instruction Fuzzy Hash: 7E31F9B2900159FFDF01DBF8C945B9EBBB8AF19218F144185E524FB281DB38AA05CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6B143654 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6B143654(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr* _t39;
				intOrPtr* _t48;
				intOrPtr* _t49;
				signed int _t53;
				intOrPtr* _t60;
				signed int _t61;
				void* _t65;
				intOrPtr _t71;
				void* _t72;
				void* _t73;

				_t73 = __eflags;
				_t65 = __edx;
				_t62 = __ecx;
				_push(0x20);
				E6B16265B(0x6b16693a, __ebx, __edi, __esi);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t72 + 8));
				_push(_t72 - 0x10);
				 *_t60 = 0x6b137350;
				E6B14E8E8(L"Text", __esi, _t73);
				_t68 =  *(_t72 + 0xc);
				 *(_t72 - 4) = 1;
				_t37 = E6B13D6C4(_t68, _t60, _t62, _t72 - 0x20, _t72 - 0x10);
				_t61 = _t60 + 4;
				_t70 = _t37;
				 *(_t72 - 4) = 2;
				E6B13D76F(_t61, _t68, _t37, _t73);
				 *(_t72 - 4) = 4;
				_t39 =  *((intOrPtr*)(_t72 - 0x20));
				if(_t39 != 0) {
					_t62 =  *_t39;
					 *((intOrPtr*)( *_t39 + 8))(_t39);
				}
				 *(_t72 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t72 - 0x10)) + 0xfffffff0, _t65);
				_t75 =  *_t68;
				if( *_t68 != 0) {
					_push(_t72 - 0x14);
					_t68 = L"Hide";
					E6B14E8E8(L"Hide", _t70, __eflags);
					 *(_t72 - 4) = 6;
					_t48 = E6B13D6C4( *(_t72 + 0xc), _t61, _t62, _t72 - 0x2c, _t72 - 0x14);
					__eflags =  *_t48;
					_t49 =  *((intOrPtr*)(_t72 - 0x2c));
					_t61 = _t61 & 0xffffff00 |  *_t48 == 0x00000000;
					__eflags = _t49;
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49 + 8))(_t49);
					}
					 *(_t72 - 4) = 5;
					__eflags =  *((intOrPtr*)(_t72 - 0x14)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t72 - 0x14)) + 0xfffffff0, _t65);
					_t53 = _t61;
				} else {
					_t53 = 1;
				}
				_t71 =  *((intOrPtr*)(_t72 + 8));
				 *(_t71 + 8) = _t53;
				 *((char*)(_t71 + 9)) = E6B14372E(_t61,  *(_t72 + 0xc), _t65, _t68, _t71, _t75);
				return E6B162709(_t71);
			}

0x6b143654
0x6b143654
0x6b143654
0x6b143654
0x6b14365b
0x6b143660
0x6b143664
0x6b14366a
0x6b143670
0x6b143676
0x6b14367b
0x6b143688
0x6b14368c
0x6b143691
0x6b143694
0x6b143696
0x6b14369a
0x6b14369f
0x6b1436a3
0x6b1436a8
0x6b1436aa
0x6b1436ad
0x6b1436ad
0x6b1436b0
0x6b1436ba
0x6b1436bf
0x6b1436c2
0x6b1436cb
0x6b1436cc
0x6b1436d1
0x6b1436e1
0x6b1436e5
0x6b1436ea
0x6b1436ed
0x6b1436f0
0x6b1436f3
0x6b1436f5
0x6b1436fa
0x6b1436fa
0x6b1436fd
0x6b143704
0x6b143707
0x6b14370c
0x6b1436c4
0x6b1436c4
0x6b1436c4
0x6b14370e
0x6b143714
0x6b14371c
0x6b143726

APIs

__EH_prolog3.LIBCMT ref: 6B14365B

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B13D76F: __EH_prolog3.LIBCMT ref: 6B13D776

Strings

Text, xrefs: 6B14366B
Hide, xrefs: 6B1436CC

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Hide$Text
API String ID: 431132790-3852183071
Opcode ID: 13d719542ee33019420814e296d4ddbcc8ad771433bb8a7e1b0f7e2434e0afc5
Instruction ID: bce22162ddbca92d54cdaf3417cbf6394c533af34f06d241c75708939838ac26
Opcode Fuzzy Hash: 13d719542ee33019420814e296d4ddbcc8ad771433bb8a7e1b0f7e2434e0afc5
Instruction Fuzzy Hash: 87213D72900259EFDF10DBB8C845B9EB7B8AF19358F188095E464AB381D738EA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B1460C9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6B1460C9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t38;
				intOrPtr* _t41;
				void* _t50;
				intOrPtr* _t53;
				void* _t70;
				void* _t71;

				_t71 = __eflags;
				_t64 = __edx;
				_t61 = __ebx;
				_push(0x20);
				E6B16265B(0x6b167ad4, __ebx, __edi, __esi);
				_t69 =  *((intOrPtr*)(_t70 + 8));
				_t62 =  *((intOrPtr*)(_t70 + 0xc));
				E6B14396A(__ebx,  *((intOrPtr*)(_t70 + 0xc)), __edx, __edi,  *((intOrPtr*)(_t70 + 8)), _t71,  *((intOrPtr*)(_t70 + 8)));
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_push(_t70 - 0x10);
				E6B14E8E8(L"Uninstall", _t69, _t71);
				 *(_t70 - 4) = 1;
				_t38 = E6B13D65F( *((intOrPtr*)(_t70 + 0xc)), __ebx, _t70 - 0x20, _t70 - 0x10);
				 *(_t70 - 4) = 2;
				E6B145ECE(_t61,  *((intOrPtr*)(_t70 + 0xc)), __edx, L"Uninstall", _t69, _t71, _t69 + 0x3c, _t38,  *((intOrPtr*)(_t70 + 0x10)));
				 *(_t70 - 4) = 4;
				_t41 =  *((intOrPtr*)(_t70 - 0x20));
				_t72 = _t41;
				if(_t41 != 0) {
					_t62 =  *_t41;
					 *((intOrPtr*)( *_t41 + 8))(_t41);
				}
				 *(_t70 - 4) = 5;
				E6B158460( *((intOrPtr*)(_t70 - 0x10)) + 0xfffffff0, _t64);
				_push(_t70 - 0x14);
				E6B14E8E8(L"UninstallPatch", _t69, _t72);
				 *(_t70 - 4) = 6;
				_t50 = E6B13D65F( *((intOrPtr*)(_t70 + 0xc)), _t61, _t70 - 0x2c, _t70 - 0x14);
				 *(_t70 - 4) = 7;
				E6B145ECE(_t61, _t62, _t64, L"UninstallPatch", _t69, _t72, _t69 + 0x140, _t50,  *((intOrPtr*)(_t70 + 0x10)));
				 *(_t70 - 4) = 6;
				_t53 =  *((intOrPtr*)(_t70 - 0x2c));
				if(_t53 != 0) {
					 *((intOrPtr*)( *_t53 + 8))(_t53);
				}
				E6B158460( *((intOrPtr*)(_t70 - 0x14)) + 0xfffffff0, _t64);
				return E6B162709(_t69);
			}

0x6b1460c9
0x6b1460c9
0x6b1460c9
0x6b1460c9
0x6b1460d0
0x6b1460d5
0x6b1460d8
0x6b1460dc
0x6b1460e1
0x6b1460e8
0x6b1460ee
0x6b1460fe
0x6b146102
0x6b14610a
0x6b146113
0x6b146118
0x6b14611c
0x6b14611f
0x6b146121
0x6b146123
0x6b146126
0x6b146126
0x6b146129
0x6b146133
0x6b14613b
0x6b146141
0x6b146151
0x6b146155
0x6b14615d
0x6b146169
0x6b14616e
0x6b146172
0x6b146177
0x6b14617c
0x6b14617c
0x6b146185
0x6b146191

APIs

__EH_prolog3.LIBCMT ref: 6B1460D0

Part of subcall function 6B14396A: __EH_prolog3.LIBCMT ref: 6B143971

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

Part of subcall function 6B145ECE: __EH_prolog3.LIBCMT ref: 6B145ED5

Strings

UninstallPatch, xrefs: 6B14613C
Uninstall, xrefs: 6B1460E9

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Uninstall$UninstallPatch
API String ID: 431132790-3176843842
Opcode ID: f3c9b82102ed847ce730d71c904c9b3eb17ad0c3133ffd2d7730201207c1e8ea
Instruction ID: 9e65f231a757e25d58a9df3045cd88ae7dce36aad280c8e3e49f0531bff6a00c
Opcode Fuzzy Hash: f3c9b82102ed847ce730d71c904c9b3eb17ad0c3133ffd2d7730201207c1e8ea
Instruction Fuzzy Hash: 802107B2900249EBDF01DBB8C945BDEB7A8AF18218F148495E524F7281D738EA15CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6B15383E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6B15383E(intOrPtr* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				void* __ebp;
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t26;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr* _t42;

				_t28 = __ecx;
				_push(__ecx);
				_t42 = __eax;
				_t17 =  *__eax;
				_t26 =  *(_t17 - 0xc);
				_t18 = 0;
				_t38 = _a4 - _t17 >> 1;
				if(_a8 < 0) {
					L1:
					_t18 = E6B1583CE(_t28, 0x80070057);
				}
				if(_a4 != _t18) {
					_t18 = E6B1599BE(_a4, _a8);
				}
				_t28 = 0x7fffffff - _t18;
				_a8 = _t18;
				if(0x7fffffff < _t26) {
					goto L1;
				}
				_v8 = _t18 + _t26;
				_t39 = E6B1582D1(_t42, _t18 + _t26) + _t38 * 2;
				if(_t38 > _t26) {
					_t39 = _a4;
				}
				E6B158923(_t20 + _t26 * 2, _a8 + _a8, _t39, _a8 + _a8);
				return E6B15830D(_v8, _t42);
			}

0x6b15383e
0x6b153843
0x6b15384a
0x6b15384c
0x6b15384e
0x6b153853
0x6b153855
0x6b15385a
0x6b15385c
0x6b153861
0x6b153861
0x6b153869
0x6b153871
0x6b153877
0x6b15387d
0x6b15387f
0x6b153884
0x00000000
0x00000000
0x6b153889
0x6b153893
0x6b153896
0x6b153898
0x6b153898
0x6b1538a7
0x6b1538bd

APIs

_wcsnlen.LIBCMT ref: 6B153871
_memcpy_s.LIBCMT ref: 6B1538A7

Part of subcall function 6B1583CE: __CxxThrowException@8.LIBCMT ref: 6B1583E2

Strings

GetProcessImageFileNameW, xrefs: 6B153845

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s_wcsnlen
String ID: GetProcessImageFileNameW
API String ID: 31407445-2183627785
Opcode ID: 58b44cfe9f597e04b2a58242de80d976cc417e8682e4cb7d5e789503a36fe5f7
Instruction ID: c947d44e16b915da31c110e6cb5dc6650dfa6f5476a1bcc0069fe9d74fe20344
Opcode Fuzzy Hash: 58b44cfe9f597e04b2a58242de80d976cc417e8682e4cb7d5e789503a36fe5f7
Instruction Fuzzy Hash: A20188B3900104FFDB14DF79D845C9D77E9DA84364721862DF42597250EA34EA25CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B13F0C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E6B13F0C8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t19;
				WCHAR* _t22;
				int _t26;
				void* _t27;
				signed int _t37;
				void* _t38;
				intOrPtr _t47;
				WCHAR** _t50;
				void* _t51;

				_t38 = __ecx;
				_push(4);
				E6B16265B(0x6b164c4f, __ebx, __edi, __esi);
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				_t4 = E6B1583FD( *((intOrPtr*)(_t51 + 8)) + 0xfffffff0) + 0x10; // 0x10
				_t47 = _t4;
				 *((intOrPtr*)(_t51 - 0x10)) = _t47;
				 *(_t51 - 4) = 1;
				_t19 = E6B158199(0x6b1379e4);
				_t50 =  *(_t51 + 0xc);
				E6B15811C(_t50, _t19, _t38, 0x6b1379e4);
				_t22 =  *_t50;
				_t23 = 0x208;
				_t45 =  *((intOrPtr*)(_t22 - 8)) - 0x208;
				if((1 -  *((intOrPtr*)(_t22 - 4)) |  *((intOrPtr*)(_t22 - 8)) - 0x00000208) < 0) {
					_t23 = E6B15827A(0x208, _t50);
				}
				_push( *_t50);
				_t37 = 0;
				_push(0);
				_push(L"HFI");
				_push(_t47);
				E6B13F0B7();
				if(_t23 != 0) {
					L6B14F1A2(_t23 | 0xffffffff, 0, _t50);
					_t26 = DeleteFileW( *_t50);
					_t11 = _t47 - 0x10; // 0x0
					_t27 = _t11;
					if(_t26 == 0) {
						goto L4;
					} else {
						E6B158460(_t27, _t45);
						_t37 = 1;
					}
				} else {
					_t10 = _t47 - 0x10; // 0x0
					_t27 = _t10;
					L4:
					E6B158460(_t27, _t45);
				}
				E6B158460( *((intOrPtr*)(_t51 + 8)) + 0xfffffff0, _t45);
				return E6B162709(_t37);
			}

0x6b13f0c8
0x6b13f0c8
0x6b13f0cf
0x6b13f0d4
0x6b13f0e3
0x6b13f0e3
0x6b13f0e6
0x6b13f0f0
0x6b13f0f4
0x6b13f0fa
0x6b13f101
0x6b13f106
0x6b13f111
0x6b13f116
0x6b13f11a
0x6b13f11e
0x6b13f11e
0x6b13f123
0x6b13f125
0x6b13f127
0x6b13f128
0x6b13f12d
0x6b13f12e
0x6b13f135
0x6b13f144
0x6b13f14b
0x6b13f153
0x6b13f153
0x6b13f156
0x00000000
0x6b13f158
0x6b13f158
0x6b13f15d
0x6b13f15d
0x6b13f137
0x6b13f137
0x6b13f137
0x6b13f13a
0x6b13f13a
0x6b13f13a
0x6b13f165
0x6b13f171

APIs

__EH_prolog3.LIBCMT ref: 6B13F0CF

Part of subcall function 6B14F21D: _wcsnlen.LIBCMT ref: 6B14F1B2

DeleteFileW.KERNEL32(00000000,00000010,HFI,00000000,00000000,6B1379E4,00000004,6B1557E2,?,?,?,?,?,?,00000024,6B13F18B), ref: 6B13F14B

Strings

HFI, xrefs: 6B13F128

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: DeleteFileH_prolog3_wcsnlen
String ID: HFI
API String ID: 1332513528-686494941
Opcode ID: d83d840e9edc5f3cf1e2b7acd0c90a063800687320543b1d4767e462dccfa9db
Instruction ID: c17544e56fa422a9d7180342a50ae184c6feb77667e1b5dbc49a8473553cf569
Opcode Fuzzy Hash: d83d840e9edc5f3cf1e2b7acd0c90a063800687320543b1d4767e462dccfa9db
Instruction Fuzzy Hash: DD11C272710114FFCB009F78C846A6DB7A4AF1535CF004255E471AB390E77C99258791

Uniqueness

Uniqueness Score: -1.00%

Function 6B14372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B14372E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				signed int _t34;
				intOrPtr* _t37;
				signed int _t41;
				void* _t44;
				intOrPtr* _t48;
				void* _t50;

				_t44 = __edx;
				_t42 = __ecx;
				_push(0x14);
				E6B16265B(0x6b1668ef, __ebx, __edi, __esi);
				_t48 = __ecx;
				if( *__ecx != 0) {
					_push(_t50 - 0x14);
					E6B14E8E8(L"Enable", __ecx, __eflags);
					 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
					_t24 = E6B13D6C4(_t48, __ebx, _t42, _t50 - 0x20, _t50 - 0x14);
					 *(_t50 - 4) = 1;
					E6B13D76F(_t50 - 0x10, L"Enable", _t24, __eflags);
					 *(_t50 - 4) = 3;
					_t26 =  *((intOrPtr*)(_t50 - 0x20));
					_t41 = 0;
					__eflags = _t26;
					if(_t26 != 0) {
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
					 *(_t50 - 4) = 4;
					E6B158460( *((intOrPtr*)(_t50 - 0x14)) + 0xfffffff0, _t44);
					_t30 =  *((intOrPtr*)(_t50 - 0x10));
					__eflags =  *((intOrPtr*)(_t30 - 0xc)) - _t41;
					if( *((intOrPtr*)(_t30 - 0xc)) == _t41) {
						L6:
						_t41 = 1;
					} else {
						_t37 = E6B14EB56(_t50 - 0x10, L"false");
						__eflags = _t37;
						if(_t37 != 0) {
							goto L6;
						}
					}
					__eflags =  *((intOrPtr*)(_t50 - 0x10)) + 0xfffffff0;
					E6B158460( *((intOrPtr*)(_t50 - 0x10)) + 0xfffffff0, _t44);
					_t34 = _t41;
				} else {
					_t34 = 1;
				}
				return E6B162709(_t34);
			}

0x6b14372e
0x6b14372e
0x6b14372e
0x6b143735
0x6b14373a
0x6b14373f
0x6b143748
0x6b14374e
0x6b143753
0x6b143761
0x6b14376b
0x6b14376f
0x6b143774
0x6b143778
0x6b14377b
0x6b14377d
0x6b14377f
0x6b143784
0x6b143784
0x6b143787
0x6b143791
0x6b143796
0x6b143799
0x6b14379c
0x6b1437b0
0x6b1437b0
0x6b14379e
0x6b1437a7
0x6b1437ac
0x6b1437ae
0x00000000
0x00000000
0x6b1437ae
0x6b1437b5
0x6b1437b8
0x6b1437bd
0x6b143741
0x6b143741
0x6b143741
0x6b1437c4

APIs

__EH_prolog3.LIBCMT ref: 6B143735

Strings

Enable, xrefs: 6B143749
false, xrefs: 6B14379E

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Enable$false
API String ID: 431132790-2988405606
Opcode ID: e9cbdeede2b6e0cec2006e223b2ad80c8fbf0ea246233bebe637be0dfab1c6c7
Instruction ID: a73c03b8f17e6d7e4ca57a483bd22acabf18233cad914ec2d4f83d06bdff090a
Opcode Fuzzy Hash: e9cbdeede2b6e0cec2006e223b2ad80c8fbf0ea246233bebe637be0dfab1c6c7
Instruction Fuzzy Hash: E9117CB6900159EFCF10CBF8C884BADB3B86F2471DF1400A4D160EB280E77CAA49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F491 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6B14F491(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				void* _t38;
				void* _t39;
				intOrPtr* _t47;
				signed int _t48;
				void* _t49;
				signed int _t53;

				_t38 = __ebx;
				_push(4);
				E6B16265B(0x6b1654c4, __ebx, __edi, __esi);
				_t47 =  *((intOrPtr*)(__ebx + 0x3c));
				_t39 = 0x40;
				_t41 = _t49 - 0x10;
				E6B14EF5B( *((intOrPtr*)(_t49 + 8)), _t39, _t49 - 0x10);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				_t43 =  *((intOrPtr*)(_t49 - 0x10));
				_push( *((intOrPtr*)(_t49 - 0x10)));
				_push(0x212);
				_push( *((intOrPtr*)(_t47 + 4)));
				if( *((intOrPtr*)( *_t47 + 0x2c))() != 0) {
					 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
					E6B158460(_t43 - 0x10, _t41);
					_t48 = 0;
					__eflags = 0;
				} else {
					_t34 = GetLastError();
					if(_t34 > 0) {
						_t34 = _t34 & 0x0000ffff | 0x80070000;
						_t53 = _t34;
					}
					 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
					_t48 = _t34;
					E6B158460(_t43 - 0x10, _t41);
				}
				_push(_t49 + 8);
				E6B14E8E8(L"Failed to record Customize", _t48, _t53);
				_push(_t48);
				_push(_t38);
				 *(_t49 - 4) = 1;
				E6B153942(_t38, _t41, _t49 + 8, _t48, _t53);
				return E6B162709(E6B158460( *((intOrPtr*)(_t49 + 8)) + 0xfffffff0, _t41));
			}

0x6b14f491
0x6b14f491
0x6b14f498
0x6b14f4a0
0x6b14f4a5
0x6b14f4a6
0x6b14f4a9
0x6b14f4ae
0x6b14f4b2
0x6b14f4b7
0x6b14f4b8
0x6b14f4bd
0x6b14f4c7
0x6b14f4ed
0x6b14f4f4
0x6b14f4f9
0x6b14f4f9
0x6b14f4c9
0x6b14f4c9
0x6b14f4d1
0x6b14f4d8
0x6b14f4d8
0x6b14f4d8
0x6b14f4dd
0x6b14f4e1
0x6b14f4e6
0x6b14f4e6
0x6b14f4fe
0x6b14f504
0x6b14f509
0x6b14f50a
0x6b14f50e
0x6b14f515
0x6b14f52a

APIs

__EH_prolog3.LIBCMT ref: 6B14F498
GetLastError.KERNEL32(?,?,?,6B15158F,?,000006F5,?,?,?,00000000,?,00000001,?,?,?,6B1486E6), ref: 6B14F4C9

Strings

Failed to record Customize, xrefs: 6B14F4FF

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record Customize
API String ID: 685212868-512773136
Opcode ID: 3206dca2149aa50484fdde1b81c594a7a2fcafb60e51bbed42c09e1bc490554f
Instruction ID: fea65ea8a44ada5c4b184388c2783757b9882ae64f1b619aa9bfe91f17636654
Opcode Fuzzy Hash: 3206dca2149aa50484fdde1b81c594a7a2fcafb60e51bbed42c09e1bc490554f
Instruction Fuzzy Hash: 0411A1B2510219FBCB10DFB4C945B9DBBB4BF10778F104655E969AB2D0E7389A11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B140E35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E6B140E35(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, signed char _a24) {
				signed int _v8;
				signed int _v116;
				intOrPtr _v120;
				void* _v124;
				void* __esi;
				signed int _t14;
				intOrPtr _t31;
				struct HWND__** _t34;
				signed int _t35;

				_t31 = __edx;
				_t14 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t14 ^ _t35;
				_t34 = _a4 + 4;
				E6B150324(_a8, __ecx, _t34, _a12);
				E6B15AF90( &_v124, 0, 0x74);
				_v120 = _a16;
				asm("sbb eax, eax");
				_v124 = 0x74;
				_v116 =  ~(_a24 & 0x000000ff) & _a20;
				return E6B1587C1(SendMessageW( *_t34, 0x444, 1,  &_v124), __ebx, _v8 ^ _t35, _t31, __edi, _t34);
			}

0x6b140e35
0x6b140e3d
0x6b140e44
0x6b140e51
0x6b140e55
0x6b140e62
0x6b140e6a
0x6b140e76
0x6b140e7b
0x6b140e82
0x6b140ea4

APIs

Part of subcall function 6B150324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6B150344

_memset.LIBCMT ref: 6B140E62
SendMessageW.USER32(?,00000444,00000001,00000074), ref: 6B140E92

Strings

t, xrefs: 6B140E7B

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$_memset
String ID: t
API String ID: 1515505866-2238339752
Opcode ID: 094692e7556fd91556597993533ffbaf054550c80202c04d7deb8653e2d1fade
Instruction ID: 34b99ada65a01adc61b464e87ff439a8cd7d42cd84de6ab2f526b228c1b8a07c
Opcode Fuzzy Hash: 094692e7556fd91556597993533ffbaf054550c80202c04d7deb8653e2d1fade
Instruction Fuzzy Hash: 24014F7290021CAFDF10DFB8C842ADE7BF4AF09718F600125F915A7281D779EA24CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6B13CAC2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B13CAC2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				void* _t22;
				void* _t36;
				void* _t39;
				void* _t46;
				void* _t47;

				_t47 = __eflags;
				_t39 = __edx;
				_push(0xc);
				E6B16265B(0x6b164743, __ebx, __edi, __esi);
				_t45 = __ecx;
				 *(_t46 - 0x18) =  *(_t46 - 0x18) & 0x00000000;
				_t36 = E6B13C9F6(__ecx, _t46 - 0x18);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				_push(L"Invalid XML");
				_push(_t46 - 0x14);
				_t21 = E6B14F143(_t36, __ecx + 8, __ecx, _t47);
				_push(L".\n\nParse error:\n\t");
				_push(_t46 - 0x10);
				 *(_t46 - 4) = 1;
				_t22 = E6B14F0E8(_t36, _t21, _t45, _t47);
				_push(_t36);
				_push( *((intOrPtr*)(_t46 + 8)));
				 *(_t46 - 4) = 2;
				E6B14F092(_t36, _t22, _t45, _t47);
				E6B158460( *((intOrPtr*)(_t46 - 0x10)) + 0xfffffff0, _t39);
				E6B158460( *((intOrPtr*)(_t46 - 0x14)) + 0xfffffff0, _t39);
				E6B158460( *(_t46 - 0x18) + 0xfffffff0, _t39);
				return E6B162709( *((intOrPtr*)(_t46 + 8)));
			}

0x6b13cac2
0x6b13cac2
0x6b13cac2
0x6b13cac9
0x6b13cace
0x6b13cad0
0x6b13cadd
0x6b13cadf
0x6b13cae3
0x6b13caee
0x6b13caef
0x6b13caf4
0x6b13cafc
0x6b13caff
0x6b13cb03
0x6b13cb08
0x6b13cb09
0x6b13cb0e
0x6b13cb12
0x6b13cb1d
0x6b13cb28
0x6b13cb33
0x6b13cb40

APIs

__EH_prolog3.LIBCMT ref: 6B13CAC9

Part of subcall function 6B14F143: __EH_prolog3.LIBCMT ref: 6B14F14A

Part of subcall function 6B14F0E8: __EH_prolog3.LIBCMT ref: 6B14F0EF

Part of subcall function 6B14F092: __EH_prolog3.LIBCMT ref: 6B14F099

Strings

.Parse error:, xrefs: 6B13CAF4
Invalid XML, xrefs: 6B13CAE3

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: .Parse error:$Invalid XML
API String ID: 431132790-1700598720
Opcode ID: 46277701bd27e1a1359044a2c4a0b2e8e52710fb4a842791b9eafd6e4a0fdd3a
Instruction ID: 53f3f20f669b48a9b6460347c43b358f62694eec255034342777bdf4438ff927
Opcode Fuzzy Hash: 46277701bd27e1a1359044a2c4a0b2e8e52710fb4a842791b9eafd6e4a0fdd3a
Instruction Fuzzy Hash: 43016272500109FBDB10D7F8C847BEEB7A4AF5036CF144214E528F7285E77C9A5987A5

Uniqueness

Uniqueness Score: -1.00%

Function 6B151169 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6B151169(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t20;
				void* _t47;
				void* _t48;

				_t48 = __eflags;
				_t32 = __ebx;
				_push(4);
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				 *(_t47 - 0x10) =  *(_t47 - 0x10) & 0x00000000;
				_push(_t47 - 0x10);
				E6B14E8E8(L"C:\\", __esi, _t48);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				_t20 =  *(_t47 - 0x10);
				_t40 =  *((intOrPtr*)(_t20 - 8)) - 0x104;
				_t49 = 1 -  *((intOrPtr*)(_t20 - 4)) |  *((intOrPtr*)(_t20 - 8)) - 0x00000104;
				if((1 -  *((intOrPtr*)(_t20 - 4)) |  *((intOrPtr*)(_t20 - 8)) - 0x00000104) < 0) {
					E6B15827A(0x104, _t47 - 0x10);
					_t20 =  *(_t47 - 0x10);
				}
				L6B14F1A2(GetSystemDirectoryW(_t20, 0x104) | 0xffffffff, _t32, _t47 - 0x10);
				_push( *((intOrPtr*)(_t47 + 8)));
				E6B14E8E8( *(_t47 - 0x10), _t47 - 0x10, _t49);
				E6B158460( &(( *(_t47 - 0x10))[0xfffffffffffffff8]), _t40);
				return E6B162709( *((intOrPtr*)(_t47 + 8)));
			}

0x6b151169
0x6b151169
0x6b151169
0x6b151170
0x6b151175
0x6b15117c
0x6b151182
0x6b151187
0x6b15118b
0x6b15119c
0x6b15119e
0x6b1511a0
0x6b1511a7
0x6b1511ac
0x6b1511ac
0x6b1511bd
0x6b1511c2
0x6b1511c8
0x6b1511d3
0x6b1511e0

APIs

__EH_prolog3.LIBCMT ref: 6B151170

Part of subcall function 6B14E8E8: __EH_prolog3.LIBCMT ref: 6B14E8EF

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 6B1511B1

Strings

C:\, xrefs: 6B15117D

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$DirectorySystem
String ID: C:\
API String ID: 105093994-3404278061
Opcode ID: e4c5b997416599f2157c5620e3eac231de66dbbdcbfc6cdc241b46c94955ba33
Instruction ID: 79ea445e2f61162b73925b1ba4978e228dbff63d2f02a41be02f6ec55f6e3902
Opcode Fuzzy Hash: e4c5b997416599f2157c5620e3eac231de66dbbdcbfc6cdc241b46c94955ba33
Instruction Fuzzy Hash: 900162B2E10029EBDF04EBB8CC45AAEB7B5FF14764F544514E521A72D0D7389A15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B162C8A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E6B162C8A(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t27;
				void* _t28;

				_t29 = __eflags;
				_t27 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t28 - 0x24));
				E6B16259F(__ebx, __edi, __eflags,  *((intOrPtr*)(_t28 - 0x28)));
				 *((intOrPtr*)(E6B159BE0(__eflags) + 0x88)) =  *((intOrPtr*)(_t28 - 0x2c));
				_t17 = E6B159BE0(_t29);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t28 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t28 - 0x34)) == 0) {
							_t36 =  *((intOrPtr*)(_t28 - 0x1c));
							if( *((intOrPtr*)(_t28 - 0x1c)) != 0) {
								_t17 = E6B162573(_t36,  *((intOrPtr*)(_t27 + 0x18)));
								_t37 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t28 + 0x10)));
									_push(_t27);
									return E6B162A0E(_t37);
								}
							}
						}
					}
				}
				return _t17;
			}

0x6b162c8a
0x6b162c8a
0x6b162c8d
0x6b162c93
0x6b162ca1
0x6b162ca7
0x6b162caf
0x6b162cbb
0x6b162cc3
0x6b162ccb
0x6b162cdf
0x6b162ce1
0x6b162ce5
0x6b162cea
0x6b162cf0
0x6b162cf2
0x6b162cf4
0x6b162cf7
0x00000000
0x6b162cfe
0x6b162cf2
0x6b162ce5
0x6b162cdf
0x6b162ccb
0x6b162cff

APIs

Part of subcall function 6B16259F: __getptd.LIBCMT ref: 6B1625A5
Part of subcall function 6B16259F: __getptd.LIBCMT ref: 6B1625B5

__getptd.LIBCMT ref: 6B162C99

Part of subcall function 6B159BE0: __getptd_noexit.LIBCMT ref: 6B159BE3
Part of subcall function 6B159BE0: __amsg_exit.LIBCMT ref: 6B159BF0

__getptd.LIBCMT ref: 6B162CA7

Strings

csm, xrefs: 6B162CB5

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 40a763ddbc5ae7bd5608cdcd701207f89940e9ad0a743e3e5e4b39aced2a5921
Instruction ID: b6fa74825d7b88f770ab8c92cd3a4c8f35a89f2459167f4c0b57408301dc13d3
Opcode Fuzzy Hash: 40a763ddbc5ae7bd5608cdcd701207f89940e9ad0a743e3e5e4b39aced2a5921
Instruction Fuzzy Hash: 2B016975804205AFDF348F34C450AADB7B5EF20396F2048AEDC9096694FF3886A0EBC1

Uniqueness

Uniqueness Score: -1.00%

Function 6B140D3D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6B140D3D(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v112;
				intOrPtr _v120;
				void* _v124;
				void* __esi;
				signed int _t12;
				intOrPtr _t26;
				struct HWND__** _t29;
				signed int _t30;

				_t26 = __edx;
				_t12 =  *0x6b16f0a0; // 0xf69ff218
				_v8 = _t12 ^ _t30;
				_t29 = _a4 + 4;
				E6B150324(_a8, __ecx, _t29, _a12);
				E6B15AF90( &_v124, 0, 0x74);
				_v112 = _a16;
				_v124 = 0x74;
				_v120 = 0x80000000;
				return E6B1587C1(SendMessageW( *_t29, 0x444, 1,  &_v124), __ebx, _v8 ^ _t30, _t26, __edi, _t29);
			}

0x6b140d3d
0x6b140d45
0x6b140d4c
0x6b140d59
0x6b140d5d
0x6b140d6a
0x6b140d75
0x6b140d85
0x6b140d8c
0x6b140da5

APIs

Part of subcall function 6B150324: SendMessageW.USER32(?,00000437,00000000,?), ref: 6B150344

_memset.LIBCMT ref: 6B140D6A
SendMessageW.USER32(?,00000444,00000001,?), ref: 6B140D93

Strings

t, xrefs: 6B140D85

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: MessageSend$_memset
String ID: t
API String ID: 1515505866-2238339752
Opcode ID: 2f94181c326e880649ce6bee3e8ccaeec41a81cd39988f2dbb813d60f85fd698
Instruction ID: 86c8fdc0244892c2d60344231554820e9784c15fd4b8d8ec9a5c9dcaadd529b0
Opcode Fuzzy Hash: 2f94181c326e880649ce6bee3e8ccaeec41a81cd39988f2dbb813d60f85fd698
Instruction Fuzzy Hash: F7F03171904208BFDF10DFA8C845BCE77B8EF09718F600019F915AB281D775AA24CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6B14F532 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6B14F532(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t21;
				void* _t23;
				intOrPtr* _t24;
				void* _t25;
				signed int _t30;
				void* _t31;
				signed int _t35;

				_t25 = __edx;
				_t23 = __ebx;
				_push(0);
				E6B16265B(0x6b164090, __ebx, __edi, __esi);
				_push( *((intOrPtr*)(_t31 + 8)));
				_t24 =  *((intOrPtr*)(__ebx + 0x3c));
				_push(0x1ba);
				_push( *((intOrPtr*)(_t24 + 4)));
				if( *((intOrPtr*)( *_t24 + 0x14))() != 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t21 = GetLastError();
					if(_t21 > 0) {
						_t21 = _t21 & 0x0000ffff | 0x80070000;
						_t35 = _t21;
					}
					_t30 = _t21;
				}
				_push(_t31 + 8);
				E6B14E8E8(L"Failed to record current state name", _t30, _t35);
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				_push(_t30);
				_push(_t23);
				E6B153942(_t23, _t25, _t31 + 8, _t30, _t35);
				return E6B162709(E6B158460( *((intOrPtr*)(_t31 + 8)) + 0xfffffff0, _t25));
			}

0x6b14f532
0x6b14f532
0x6b14f532
0x6b14f539
0x6b14f53e
0x6b14f541
0x6b14f546
0x6b14f54b
0x6b14f553
0x6b14f56d
0x6b14f56d
0x6b14f555
0x6b14f555
0x6b14f55d
0x6b14f564
0x6b14f564
0x6b14f564
0x6b14f569
0x6b14f569
0x6b14f572
0x6b14f578
0x6b14f57d
0x6b14f581
0x6b14f582
0x6b14f586
0x6b14f59b

APIs

__EH_prolog3.LIBCMT ref: 6B14F539
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6B16677E,000000FF), ref: 6B14F555

Strings

Failed to record current state name, xrefs: 6B14F573

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record current state name
API String ID: 685212868-828805506
Opcode ID: 9656f46c1924a20c3965ca8b9582b3593d451752b638ed683a28953888e8b8c9
Instruction ID: 03d00a25fa9aedfee76bd454bdb7c3aa200abe2fe3d7571620e3c683bd0bac92
Opcode Fuzzy Hash: 9656f46c1924a20c3965ca8b9582b3593d451752b638ed683a28953888e8b8c9
Instruction Fuzzy Hash: 8DF090B6A00114BBDB10DF74C841B8A7B64AF227A9F114160F82DEF290E77DD6518B90

Uniqueness

Uniqueness Score: -1.00%

Function 6B146615 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B146615(struct HWND__* __eax, intOrPtr* __edi) {
				struct HWND__* _t4;
				signed int _t7;
				int _t8;

				_t8 = _t7 ^ _t7;
				 *((intOrPtr*)(__edi)) = __eax;
				_t4 = CreateWindowExW(8, L"tooltips_class32", _t8, 0x80000003, 0x80000000, 0x80000000, 0x80000000, 0x80000000, __eax, _t8, _t8, _t8);
				 *(__edi + 4) = _t4;
				return SetWindowPos(_t4, 0xffffffff, _t8, _t8, _t8, _t8, 0x13);
			}

0x6b146618
0x6b14661e
0x6b146636
0x6b146645
0x6b14664f

APIs

CreateWindowExW.USER32 ref: 6B146636
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,6B1472CF), ref: 6B146648

Strings

tooltips_class32, xrefs: 6B14662F

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: Window$Create
String ID: tooltips_class32
API String ID: 870168347-1918224756
Opcode ID: 4501fa251968b6030ff27b4f25f564c1cb2e996363c50418234dd29bb7d5892e
Instruction ID: 693fe2cebd551815472dcd00d60a092bcf0ae9610ae1c2faabb326a8b4fdc0ef
Opcode Fuzzy Hash: 4501fa251968b6030ff27b4f25f564c1cb2e996363c50418234dd29bb7d5892e
Instruction Fuzzy Hash: 63E042B1547131BEE6705A6BAC0CFE76E9DEF4B6B1F214214792CE2180DA249A20C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 6B149A1E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E6B149A1E(intOrPtr* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t24;
				char* _t28;
				intOrPtr* _t29;
				void* _t30;

				_t29 = __esi;
				_t24 = __ebx;
				_push(4);
				E6B16265B(0x6b16470b, __ebx, __edi, __esi);
				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
				_t32 =  *((char*)(__ebx + 4));
				_t28 = L"IDS_FILE_VERIFICATION_PROGRESS_BAR_HEADER";
				if( *((char*)(__ebx + 4)) == 0) {
					_t28 = L"IDS_DOWNLOAD_PROGRESS_BAR_HEADER";
				}
				E6B14E8E8(_t28, _t29, _t32);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *_t29 = E6B1583FD( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t24))))(_t30 - 0x10, _t30 - 0x10))) - 0x10) + 0x10;
				E6B158460( *(_t30 - 0x10) + 0xfffffff0, _t30 - 0x10);
				return E6B162709(_t29);
			}

0x6b149a1e
0x6b149a1e
0x6b149a1e
0x6b149a25
0x6b149a2a
0x6b149a2e
0x6b149a32
0x6b149a37
0x6b149a39
0x6b149a39
0x6b149a42
0x6b149a47
0x6b149a62
0x6b149a6a
0x6b149a76

APIs

__EH_prolog3.LIBCMT ref: 6B149A25

Strings

IDS_FILE_VERIFICATION_PROGRESS_BAR_HEADER, xrefs: 6B149A32
IDS_DOWNLOAD_PROGRESS_BAR_HEADER, xrefs: 6B149A39

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: IDS_DOWNLOAD_PROGRESS_BAR_HEADER$IDS_FILE_VERIFICATION_PROGRESS_BAR_HEADER
API String ID: 431132790-2780475424
Opcode ID: bab7cbccc3751b5a291638fccc04e56941e1d0a8f203c72d0bcec0eeaffc4038
Instruction ID: 50d2848cca9c3b070ae439268e05aaff7653746f8f9e235d114bcaeb19dc4133
Opcode Fuzzy Hash: bab7cbccc3751b5a291638fccc04e56941e1d0a8f203c72d0bcec0eeaffc4038
Instruction Fuzzy Hash: F5F05EB2900115AFDF10DBB8C849B6DB3B0AF15759F544948D150AB284E77DD505CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B13C224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6B13C224(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t12;
				void* _t22;
				char* _t24;
				void* _t27;

				_t22 = __ecx;
				_push(4);
				E6B16265B(0x6b163da8, __ebx, __edi, __esi);
				_t26 =  *((intOrPtr*)(_t27 + 8));
				 *(_t27 - 0x10) =  *(_t27 - 0x10) & 0x00000000;
				E6B1583B4( *((intOrPtr*)(_t27 + 8)));
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				_t12 =  *((intOrPtr*)(_t27 + 0xc)) - 0x13ec;
				 *(_t27 - 0x10) = 1;
				if(_t12 == 0) {
					_t24 = L"A StopBlock was hit or a System Requirement was not met.";
					goto L4;
				} else {
					if(_t12 == 1) {
						_t24 = L"An internal or user error was encountered.";
						L4:
						E6B15811C(_t26, E6B158199(_t24), _t22, _t24);
					}
				}
				return E6B162709(_t26);
			}

0x6b13c224
0x6b13c224
0x6b13c22b
0x6b13c230
0x6b13c233
0x6b13c237
0x6b13c23c
0x6b13c243
0x6b13c248
0x6b13c24f
0x6b13c25b
0x00000000
0x6b13c251
0x6b13c252
0x6b13c254
0x6b13c260
0x6b13c26c
0x6b13c26c
0x6b13c252
0x6b13c278

APIs

__EH_prolog3.LIBCMT ref: 6B13C22B

Strings

A StopBlock was hit or a System Requirement was not met., xrefs: 6B13C25B
An internal or user error was encountered., xrefs: 6B13C254, 6B13C269

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: A StopBlock was hit or a System Requirement was not met.$An internal or user error was encountered.
API String ID: 431132790-2578323181
Opcode ID: 2366c5cedc2c37f2707e76a96967d3e7645c258fd5005c9a2d5737ee75dd8393
Instruction ID: ce731abac1c910e6354618fbf610641c1baecb6a88ee1b510c65d1cb8d1fbfbe
Opcode Fuzzy Hash: 2366c5cedc2c37f2707e76a96967d3e7645c258fd5005c9a2d5737ee75dd8393
Instruction Fuzzy Hash: BAE09BF2610234FBDB009BFCC48176DB2606F6075AF004000E514AF340E7BC8E6687C9

Uniqueness

Uniqueness Score: -1.00%

Function 6B141F81 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6B141F81(void* __edi, void* __esi, void* __eflags) {
				void* _t16;
				intOrPtr* _t27;
				void* _t28;

				_push(0);
				E6B16265B(0x6b166e4a, _t16, __edi, __esi);
				_t27 =  *((intOrPtr*)(_t28 + 8));
				_t2 = _t28 - 4;
				 *_t2 =  *(_t28 - 4) & 0x00000000;
				_t30 =  *_t2;
				 *_t27 = 0x6b13725c;
				 *((intOrPtr*)(_t27 + 4)) = E6B141EB5(_t16, "X", __edi, __edi, _t27,  *_t2);
				 *((intOrPtr*)(_t27 + 8)) = E6B141EB5(_t16, "Y", __edi, __edi, _t27,  *_t2);
				 *((intOrPtr*)(_t27 + 0xc)) = E6B141EB5(_t16, L"Width", __edi, __edi, _t27,  *_t2);
				 *((intOrPtr*)(_t27 + 0x10)) = E6B141EB5(_t16, L"Height", __edi, __edi, _t27, _t30);
				return E6B162709(_t27);
			}

0x6b141f81
0x6b141f88
0x6b141f8d
0x6b141f90
0x6b141f90
0x6b141f90
0x6b141f9b
0x6b141fad
0x6b141fbc
0x6b141fcb
0x6b141fd3
0x6b141fdd

APIs

__EH_prolog3.LIBCMT ref: 6B141F88

Part of subcall function 6B141EB5: __EH_prolog3.LIBCMT ref: 6B141EBC

Strings

Width, xrefs: 6B141FB5
Height, xrefs: 6B141FC4

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Height$Width
API String ID: 431132790-1965321196
Opcode ID: 494c7c42854036d4d4de103c6ef51138b08b639dbb097b81a0977d3e9af645c0
Instruction ID: 6b2e4f0e4776bd22f2278a7b71ed46ac73ac21af15ba5823c095c6e81bdc4f8c
Opcode Fuzzy Hash: 494c7c42854036d4d4de103c6ef51138b08b639dbb097b81a0977d3e9af645c0
Instruction Fuzzy Hash: FDF01C64F00760B7C6259FB5811220AFAE36F91684B20C97AC046BF344EF7D98218B91

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14A051(struct HWND__* _a4) {
				struct HWND__** _t3;
				struct HWND__** _t7;

				_t3 = GetPropW(_a4, L"RotatingIconDisplayTHIS");
				_t7 = _t3;
				if(_t7 != 0) {
					return SendMessageW( *_t7, 0x172, 1,  *(E6B149CD5(_t7[1])));
				}
				return _t3;
			}

0x6b14a05f
0x6b14a065
0x6b14a069
0x00000000
0x6b14a07e
0x6b14a086

APIs

GetPropW.USER32 ref: 6B14A05F

Part of subcall function 6B149CD5: GetTickCount.KERNEL32 ref: 6B149CDC

SendMessageW.USER32(00000000,00000172,00000001,00000000), ref: 6B14A07E

Strings

RotatingIconDisplayTHIS, xrefs: 6B14A057

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: CountMessagePropSendTick
String ID: RotatingIconDisplayTHIS
API String ID: 85587915-353257254
Opcode ID: a4791b1fde5bf498314aa53427e5a5f2c5a87a53e538b329cdf28f9418857a7e
Instruction ID: 4b8456067d3796b74b910689ba1ee530d55554d56caba75377f01927a4003f53
Opcode Fuzzy Hash: a4791b1fde5bf498314aa53427e5a5f2c5a87a53e538b329cdf28f9418857a7e
Instruction Fuzzy Hash: 71E0C231000224BBCB212B14CC09E867FA5EB42BB1B000420F5499A161D762CC20D680

Uniqueness

Uniqueness Score: -1.00%

Function 6B151E15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6B151E15(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t10;
				void* _t20;
				void* _t23;
				void* _t24;

				_t24 = __eflags;
				_t22 = __esi;
				_t21 = __edi;
				_t20 = __edx;
				_t14 = __ebx;
				_push(0x18);
				E6B16265B(0x6b165cb0, __ebx, __edi, __esi);
				_t8 = E6B13BE03(__ebx, GetCommandLineW(), _t20, __edi, __esi, _t24, _t23 - 0x24);
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				_push(0);
				_t9 = _t8 + 4;
				_push(_t8 + 4);
				_t10 = E6B13B9A7(_t14, L"showfinalerror", _t20, _t21, _t22, _t9);
				E6B13C137(_t23 - 0x24, _t20);
				return E6B162709(_t10);
			}

0x6b151e15
0x6b151e15
0x6b151e15
0x6b151e15
0x6b151e15
0x6b151e15
0x6b151e1c
0x6b151e2d
0x6b151e32
0x6b151e36
0x6b151e38
0x6b151e3b
0x6b151e41
0x6b151e4b
0x6b151e57

APIs

__EH_prolog3.LIBCMT ref: 6B151E1C
GetCommandLineW.KERNEL32(00000018,6B14B187,00000000,?,?,6B14AC46,?), ref: 6B151E21

Part of subcall function 6B13BE03: __EH_prolog3.LIBCMT ref: 6B13BE0A

Part of subcall function 6B13B9A7: __EH_prolog3.LIBCMT ref: 6B13B9AE

Strings

showfinalerror, xrefs: 6B151E3C

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: showfinalerror
API String ID: 1384747822-3200933950
Opcode ID: 10b862963d6a143d0fcf2b2315a51c4c7e4301a3d2ac7075a9619bb1eb5242a6
Instruction ID: 283475011bfe1abd98e21842176a0ca79ec2d050c4a386f8fb37e78df110f35c
Opcode Fuzzy Hash: 10b862963d6a143d0fcf2b2315a51c4c7e4301a3d2ac7075a9619bb1eb5242a6
Instruction Fuzzy Hash: 21E0C2B5A00128BBDF04E7B88912BDD73E06B2A34CF800018D101B72C0FF2C9A09ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B151DCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6B151DCD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t10;
				void* _t20;
				void* _t23;
				void* _t24;

				_t24 = __eflags;
				_t22 = __esi;
				_t21 = __edi;
				_t20 = __edx;
				_t14 = __ebx;
				_push(0x18);
				E6B16265B(0x6b165cb0, __ebx, __edi, __esi);
				_t8 = E6B13BE03(__ebx, GetCommandLineW(), _t20, __edi, __esi, _t24, _t23 - 0x24);
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				_push(0);
				_t9 = _t8 + 4;
				_push(_t8 + 4);
				_t10 = E6B13B9A7(_t14, L"passive", _t20, _t21, _t22, _t9);
				E6B13C137(_t23 - 0x24, _t20);
				return E6B162709(_t10);
			}

0x6b151dcd
0x6b151dcd
0x6b151dcd
0x6b151dcd
0x6b151dcd
0x6b151dcd
0x6b151dd4
0x6b151de5
0x6b151dea
0x6b151dee
0x6b151df0
0x6b151df3
0x6b151df9
0x6b151e03
0x6b151e0f

APIs

__EH_prolog3.LIBCMT ref: 6B151DD4
GetCommandLineW.KERNEL32(00000018,6B14B178,00000000,?,?,6B14AC46,?), ref: 6B151DD9

Part of subcall function 6B13BE03: __EH_prolog3.LIBCMT ref: 6B13BE0A

Part of subcall function 6B13B9A7: __EH_prolog3.LIBCMT ref: 6B13B9AE

Strings

passive, xrefs: 6B151DF4

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: passive
API String ID: 1384747822-1995439567
Opcode ID: d9ac4317ebe68ab99d93c9b39617ae3a5aa1c3dea2f77273e6894fa0eb65fda2
Instruction ID: e0cea1d93971045df01b0bd1b23e71db9ea92cb855fc5f3c6a084f567aace043
Opcode Fuzzy Hash: d9ac4317ebe68ab99d93c9b39617ae3a5aa1c3dea2f77273e6894fa0eb65fda2
Instruction Fuzzy Hash: F9E0CDB5A00114F7DF04E7B48912BDD73D05B2634CF800018D101B71C0FF1C9A099B61

Uniqueness

Uniqueness Score: -1.00%

Function 6B14A027 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6B14A027(struct HWND__** __esi) {
				void* _t3;
				void* _t5;

				if(__esi[2] == 0) {
					KillTimer( *__esi, 2);
					_t5 = RemovePropW( *__esi, L"RotatingIconDisplayTHIS");
					__esi[2] = 1;
					return _t5;
				}
				return _t3;
			}

0x6b14a02b
0x6b14a031
0x6b14a03e
0x6b14a044
0x00000000
0x6b14a044
0x6b14a04b

APIs

KillTimer.USER32(00000125,00000002), ref: 6B14A031
RemovePropW.USER32 ref: 6B14A03E

Strings

RotatingIconDisplayTHIS, xrefs: 6B14A037

Memory Dump Source

Source File: 00000009.00000002.425566562.000000006B131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6B130000, based on PE: true

Associated: 00000009.00000002.425559198.000000006B130000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425607606.000000006B16F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425616824.000000006B170000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425623563.000000006B172000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000009.00000002.425629796.000000006B175000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b130000_Setup.jbxd

Similarity

API ID: KillPropRemoveTimer
String ID: RotatingIconDisplayTHIS
API String ID: 3686338637-353257254
Opcode ID: 5180e33dd487d0826158ba3f7562f13ca7c77fef03c870e874e05b293f420e52
Instruction ID: f65e2b5f901f211ad818c472d9584e4177d063b3a995a5852f0fd0394f22b2a9
Opcode Fuzzy Hash: 5180e33dd487d0826158ba3f7562f13ca7c77fef03c870e874e05b293f420e52
Instruction Fuzzy Hash: D1D01238400210FFEB302F04C84CB41BBB0BF26746FA0C86CF182508B0D7BA84A4CB00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

53aa1b.rbf (copy)

C:\Config.Msi\53aa18.rbs

C:\Users\user\AppData\Local\Temp\4lkjz0m3.ncq\vcredist_x86_2010.exe

C:\Users\user\AppData\Local\Temp\HFI5FB1.tmp.html

C:\Users\user\AppData\Local\Temp\HFI88B8.tmp.html

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468-MSI_vc_red.msi.txt

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230414_113914468.html

C:\Users\user\AppData\Local\Temp\Setup_20230414_113905902.html

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Downloads\808b5fc3-82f6-495c-aad1-e6a77861a814.tmp

C:\Users\user\Downloads\vcredist_x86_2010.zip (copy)

C:\Users\user\Downloads\vcredist_x86_2010.zip.crdownload

C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\CacheSize.txt

C:\Windows\Installer\MSIAAE2.tmp

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF0DAC30E2917274D7.TMP

C:\Windows\Temp\~DF141E45E6E145673A.TMP

C:\Windows\Temp\~DF30A36F5A7EF87F94.TMP

Windows Analysis Report
http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre