Play interactive tour

Edit tour

Analysis Report https://jrsoftware.org/download.php/is.exe?site=1

Overview

General Information

Sample URL:	https://jrsoftware.org/download.php/is.exe?site=1
Analysis ID:	332871
Most interesting Screenshot:

Detection

Score:	10
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contains capabilities to detect virtual machines

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Startup

System is w10x64

cmd.exe (PID: 6036 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 5436 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

innosetup-6.1.2.exe (PID: 4928 cmdline: 'C:\Users\user\Desktop\download\innosetup-6.1.2.exe' MD5: 190F916EB89938F88E47D9AC91E7E012)

innosetup-6.1.2.tmp (PID: 4880 cmdline: 'C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp' /SL5='$24007E,3574925,780800,C:\Users\user\Desktop\download\innosetup-6.1.2.exe' MD5: BDC92B37F3017B7E61D62135DEEDAA1B)

Compil32.exe (PID: 6232 cmdline: 'C:\Program Files (x86)\Inno Setup 6\Compil32.exe' /ASSOC MD5: AC799CDC10229255E7A385A01E590EEA)

Compil32.exe (PID: 2148 cmdline: C:\Program Files (x86)\Inno Setup 6\Compil32.exe MD5: AC799CDC10229255E7A385A01E590EEA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0040AEF4 FindFirstFileW,FindClose,	4_2_0040AEF4
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0040E6A0 FindFirstFileW,FindClose,	5_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0060BC10 FindFirstFileW,GetLastError,	5_2_0060BC10
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_006B76A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	5_2_006B76A0
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_0040B93C FindFirstFileW,FindClose,	21_2_0040B93C
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_0040B370 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	21_2_0040B370
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_004114A2 FindFirstFileW,	21_2_004114A2

Source: unknown

DNS traffic detected: queries for: jrsoftware.org

Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G15VB.tmp.5.dr	String found in binary or memory: http://blogs.msdn.com/b/oldnewthing/archive/2009/06/11/9725386.aspx
Source: wget.exe	String found in binary or memory: http://cert.int-x3.letsencrypt.org/
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0-
Source: wget.exe, 00000002.00000002.213897635.0000000002C5C000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/09
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: wget.exe	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeSta
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G15VB.tmp.5.dr	String found in binary or memory: http://www.academie-francaise.fr/langue/questions.html#accentuation
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: innosetup-6.1.2.exe, 00000004.00000003.376119732.0000000002280000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.haysoft.org
Source: innosetup-6.1.2.exe, 00000004.00000003.376119732.0000000002280000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.haysoft.org%1-k
Source: innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp	String found in binary or memory: http://www.innosetup.com
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-I8R84.tmp.5.dr	String found in binary or memory: http://www.innosetup.com/
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-8H1UE.tmp.5.dr	String found in binary or memory: http://www.jrsoftware.org/is3rdparty.php
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, Compil32.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.remobjects.com/psopenU
Source: cmdline.out.2.dr	String found in binary or memory: https://files.jrsoftware.org/is/6/innosetup-6.1.2.exe
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	String found in binary or memory: https://files.jrsoftware.org/is/6/innosetup-6.1.2.exeRpDt
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	String found in binary or memory: https://files.jrsoftware.org/is/6/innosetup-6.1.2.exerpdt
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://github.com/jrsoftware/issrc
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://github.com/jrsoftware/issrc/commit/9e03ea4de5b8639937d2c4024ec8582a7e63b048
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/6q15Ik8.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/9VvbFGJ.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/AnF6qo8.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/IVI2nk3.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/IyJZTZY.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/PpWvzxg.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/TTbESLq.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/VBDuZ7U.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/WeX3T4b.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/YSbzJ5B.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/c9wGM3M.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/deliPb8.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/gz4hlV8.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/iDrhOSs.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://i.imgur.com/wHoJ3FG.png
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.github.io/issrc/Examples/CodeDownloadFiles.iss
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.377102045.0000000002322000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp, is-4TT4E.tmp.5.dr, is-G0LGO.tmp.5.dr, is-2HM3J.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/download.php/is.exe
Source: wget.exe, 00000002.00000002.213333069.0000000000B00000.00000004.00000020.sdmp, cmdline.out.2.dr	String found in binary or memory: https://jrsoftware.org/download.php/is.exe?site=1
Source: wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/download.php/is.exe?site=1ZpLt
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/download.php/iscrypt.dll
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/files/is/license.txt
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/files/is6.0-whatsnew.htm
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-GKFVC.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/files/istrans/
Source: innosetup-6.1.2.exe, 00000004.00000003.377102045.0000000002322000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp, Compil32.exe, unins000.dat.5.dr, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/isdonate.php
Source: Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://jrsoftware.org/isdonate.phpopenj
Source: innosetup-6.1.2.tmp, 00000005.00000003.370077636.0000000003A8C000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371253295.00000000025F4000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/isfaq.php
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=admininstallmode
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=compformshortcuts
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=scriptdebug
Source: innosetup-6.1.2.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: innosetup-6.1.2.exe, 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.exe.2.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Compil32.exe	String found in binary or memory: https://jrsoftware.org/isinfo.php
Source: Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://jrsoftware.org/isinfo.phpopen
Source: is-G0LGO.tmp.5.dr	String found in binary or memory: https://jrsoftware.org/ismail.php
Source: Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://jrsoftware.org/ismail.phpopenU
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: https://jrsoftware.org0
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, Compil32.exe, 00000015.00000000.340580476.0000000000657000.00000002.00020000.sdmp, Compil32.exe, 00000018.00000000.369384924.0000000000657000.00000002.00020000.sdmp, is-QSTDR.tmp.5.dr	String found in binary or memory: https://www.innosetup.com
Source: innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, Compil32.exe, Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp, is-SSLRM.tmp.5.dr	String found in binary or memory: https://www.innosetup.com/
Source: innosetup-6.1.2.exe, 00000004.00000003.219653727.00000000025E0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	String found in binary or memory: https://www.innosetup.com/4https://www.innosetup.com/4https://www.innosetup.com/
Source: innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-QSTDR.tmp.5.dr	String found in binary or memory: https://www.innosetup.com3
Source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.jrsoftware.org/files/istrans/
Source: innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, Compil32.exe, Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp, is-SSLRM.tmp.5.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

4_2_004AF110

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C08CC1	2_3_02C08CC1
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C08CC1	2_3_02C08CC1
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C08CC1	2_3_02C08CC1
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C08CC1	2_3_02C08CC1
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004323DC	4_2_004323DC
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004255DC	4_2_004255DC
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0040E9C4	4_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_006B6128	5_2_006B6128
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0040C938	5_2_0040C938
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_00409ED4	21_2_00409ED4

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 0060C688 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 00615D14 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 005DD7A8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 005F4B90 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 005F4E74 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: String function: 00615A90 appears 37 times

Source: innosetup-6.1.2.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-SSLRM.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: innosetup-6.1.2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: innosetup-6.1.2.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: innosetup-6.1.2.tmp.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: innosetup-6.1.2.tmp.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: innosetup-6.1.2.tmp.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-SSLRM.tmp.5.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-SSLRM.tmp.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-SSLRM.tmp.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Section loaded: iscmplr.dll			Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Section loaded: iscmplr.dll			Jump to behavior

Source: innosetup-6.1.2.tmp, 00000005.00000003.371216328.00000000025B2000.00000004.00000001.sdmp, unins000.dat.5.dr	Binary or memory string: C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\MyDll.csproj
Source: innosetup-6.1.2.tmp, 00000005.00000003.371193033.0000000002594000.00000004.00000001.sdmp, unins000.dat.5.dr	Binary or memory string: C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\MyDll.sln
Source: innosetup-6.1.2.tmp, 00000005.00000003.371074752.000000000254A000.00000004.00000001.sdmp	Binary or memory string: ?C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\MyDll.sln
Source: innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	Binary or memory string: B{app}\Examples\MyDll\C#\MyDll.sln
Source: innosetup-6.1.2.tmp, 00000005.00000003.371253295.00000000025F4000.00000004.00000001.sdmp	Binary or memory string: !{app}\Examples\MyDll\C#\MyDll.sln!
Source: innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-TNB2Q.tmp.5.dr	Binary or memory string: Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MyDll", "MyDll.csproj", "{79237A5C-6C62-400A-BBDD-3DA1CA327973}"
Source: innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	Binary or memory string: H{app}\Examples\MyDll\C#\MyDll.csproj
Source: innosetup-6.1.2.tmp, 00000005.00000003.371074752.000000000254A000.00000004.00000001.sdmp	Binary or memory string: 0C:\Program Files (x86)\Inno Setup 6\Compil32.exel\C#\MyDll.sln
Source: innosetup-6.1.2.tmp, 00000005.00000003.371245495.00000000025E6000.00000004.00000001.sdmp	Binary or memory string: ${app}\Examples\MyDll\C#\MyDll.csproj

Source: classification engine

Classification label: clean10.win@11/101@3/1

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

4_2_004AF110

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_0041A4DC GetDiskFreeSpaceW,

4_2_0041A4DC

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Code function: 5_2_0062C764 GetVersion,CoCreateInstance,

5_2_0062C764

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,

4_2_004AF9F0

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

File created: C:\Program Files (x86)\Inno Setup 6

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Mutant created: \Sessions\1\BaseNamedObjects\InnoSetupCompilerSetupMutex
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Mutant created: \Sessions\1\BaseNamedObjects\InnoSetupCompilerAppMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_01
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Inno-Setup-IDE-Config-Mutex
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\InnoSetupCompilerSetupMutex
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\InnoSetupCompilerAppMutex

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

File created: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp

Jump to behavior

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: innosetup-6.1.2.exe

String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1' > cmdline.out 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1'
Source: unknown	Process created: C:\Users\user\Desktop\download\innosetup-6.1.2.exe 'C:\Users\user\Desktop\download\innosetup-6.1.2.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp 'C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp' /SL5='$24007E,3574925,780800,C:\Users\user\Desktop\download\innosetup-6.1.2.exe'
Source: unknown	Process created: C:\Program Files (x86)\Inno Setup 6\Compil32.exe 'C:\Program Files (x86)\Inno Setup 6\Compil32.exe' /ASSOC
Source: unknown	Process created: C:\Program Files (x86)\Inno Setup 6\Compil32.exe C:\Program Files (x86)\Inno Setup 6\Compil32.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1'	Jump to behavior
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp 'C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp' /SL5='$24007E,3574925,780800,C:\Users\user\Desktop\download\innosetup-6.1.2.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process created: C:\Program Files (x86)\Inno Setup 6\Compil32.exe 'C:\Program Files (x86)\Inno Setup 6\Compil32.exe' /ASSOC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process created: C:\Program Files (x86)\Inno Setup 6\Compil32.exe C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Automated click: I accept the agreement
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Automated click: OK

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Inno Setup License==================Except where otherwise noted all of the documentation and software included in the Inno Setuppackage is copyrighted by Jordan Russell.Copyright (C) 1997-2020 Jordan Russell. All rights reserved.Portions Copyright (C) 2000-2020 Martijn Laan. All rights reserved.This software is provided "as-is" without any express or implied warranty. In no event shall theauthor be held liable for any damages arising from the use of this software.Permission is granted to anyone to use this software for any purpose including commercialapplications and to alter and redistribute it provided that the following conditions are met:1. All redistributions of source code files must retain all copyright notices that are currently in place and this list of conditions without modification.2. All redistributions in binary form must retain all occurrences of the above copyright notice and web site addresses that are currently in place (for example in the About boxes).3. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software to distribute a product an acknowledgment in the product documentation would be appreciated but is not required.4. Modified versions in source or binary form must be plainly marked as such and must not be misrepresented as being the original software.Jordan Russelljr-2020 AT jrsoftware.orghttps://jrsoftware.org/I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Inno Setup License==================Except where otherwise noted all of the documentation and software included in the Inno Setuppackage is copyrighted by Jordan Russell.Copyright (C) 1997-2020 Jordan Russell. All rights reserved.Portions Copyright (C) 2000-2020 Martijn Laan. All rights reserved.This software is provided "as-is" without any express or implied warranty. In no event shall theauthor be held liable for any damages arising from the use of this software.Permission is granted to anyone to use this software for any purpose including commercialapplications and to alter and redistribute it provided that the following conditions are met:1. All redistributions of source code files must retain all copyright notices that are currently in place and this list of conditions without modification.2. All redistributions in binary form must retain all occurrences of the above copyright notice and web site addresses that are currently in place (for example in the About boxes).3. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software to distribute a product an acknowledgment in the product documentation would be appreciated but is not required.4. Modified versions in source or binary form must be plainly marked as such and must not be misrepresented as being the original software.Jordan Russelljr-2020 AT jrsoftware.orghttps://jrsoftware.org/I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe

Window detected: Number of UI elements: 13

Source:	Binary string: F:\scintilla\bin\Scintilla.pdb source: is-51I2J.tmp.5.dr
Source:	Binary string: D:\Keppy\Desktop\issrc-arm64\issrc-arm64\Examples\MyProg\xARM64\Debug\MyProg.pdb source: innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-3LMQQ.tmp.5.dr
Source:	Binary string: c:\zlib-dll\Release\iszlib.pdb8R@ source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp
Source:	Binary string: c:\zlib-dll\Release\iszlib.pdb source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-1D3SP.tmp.5.dr

Source: is-SSLRM.tmp.5.dr

Static PE information: real checksum: 0x2ebb3a should be: 0x2e97dd

Source: innosetup-6.1.2.exe.2.dr	Static PE information: section name: .didata
Source: innosetup-6.1.2.tmp.4.dr	Static PE information: section name: .didata
Source: is-SSLRM.tmp.5.dr	Static PE information: section name: .didata

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CBA8 pushfd ; retn 0000h	2_3_02C0CBAB
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CBA8 pushfd ; retn 0000h	2_3_02C0CBAB
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CC60 pushad ; retn 0078h	2_3_02C0CC9D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CC60 pushad ; retn 0078h	2_3_02C0CC9D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C06869 push ss; iretd	2_3_02C0686A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C06809 push ss; ret	2_3_02C0680A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CBA8 pushfd ; retn 0000h	2_3_02C0CBAB
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CBA8 pushfd ; retn 0000h	2_3_02C0CBAB
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CC60 pushad ; retn 0078h	2_3_02C0CC9D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C0CC60 pushad ; retn 0078h	2_3_02C0CC9D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C06869 push ss; iretd	2_3_02C0686A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02C06809 push ss; ret	2_3_02C0680A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_02C14280 pushad ; ret	2_2_02C14283
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_02C0CC99 pushad ; retn 0078h	2_2_02C0CC9D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_02C0CA6B pushad ; retn 0078h	2_2_02C0CB4D
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004B5000 push 004B50DEh; ret	4_2_004B50D6
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004B5980 push 004B5A48h; ret	4_2_004B5A40
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_00458000 push ecx; mov dword ptr [esp], ecx	4_2_00458005
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0049B03C push ecx; mov dword ptr [esp], edx	4_2_0049B03D
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004A00F8 push ecx; mov dword ptr [esp], edx	4_2_004A00F9
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_00458084 push ecx; mov dword ptr [esp], ecx	4_2_00458089
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004B1084 push 004B10ECh; ret	4_2_004B10E4
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004A1094 push ecx; mov dword ptr [esp], edx	4_2_004A1095
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0041A0B4 push ecx; mov dword ptr [esp], ecx	4_2_0041A0B8
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004270BC push 00427104h; ret	4_2_004270FC
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_00458108 push ecx; mov dword ptr [esp], ecx	4_2_0045810D
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004321C8 push ecx; mov dword ptr [esp], edx	4_2_004321C9
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_004A21D8 push ecx; mov dword ptr [esp], edx	4_2_004A21D9
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0049E1B8 push ecx; mov dword ptr [esp], edx	4_2_0049E1B9
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0049A260 push 0049A378h; ret	4_2_0049A370
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_00455268 push ecx; mov dword ptr [esp], ecx	4_2_0045526C

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\Examples\is-MJ4UB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-2HM3J.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	File created: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-5NAJD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-7CKGF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-3R6IB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-KATRN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-1D3SP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-U06IB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-H6529.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-28ANT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\Examples\is-4LG51.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-51I2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\Examples\is-KPCN0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-RIE67.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9JQK6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\Examples\is-3LMQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-SSLRM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-QSTDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-MCR6E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\Program Files (x86)\Inno Setup 6\is-8O5SV.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Compiler.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Documentation.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Example Scripts.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup FAQ.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Revision History.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_006A52B8 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,	5_2_006A52B8
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_005C7E30 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	5_2_005C7E30
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_005B82F0 IsIconic,	21_2_005B82F0
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_005B8370 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	21_2_005B8370
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_005ED4AC IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	21_2_005ED4AC

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\Examples\is-MJ4UB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-2HM3J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-5NAJD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-7CKGF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-3R6IB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-KATRN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-1D3SP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-U06IB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-H6529.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\Examples\is-4LG51.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-28ANT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-51I2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\Examples\is-KPCN0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-RIE67.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9JQK6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\Examples\is-3LMQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-SSLRM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-QSTDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Inno Setup 6\is-MCR6E.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_5-24533
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_21-10844

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0040AEF4 FindFirstFileW,FindClose,	4_2_0040AEF4
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: 4_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0040E6A0 FindFirstFileW,FindClose,	5_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0060BC10 FindFirstFileW,GetLastError,	5_2_0060BC10
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: 5_2_006B76A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	5_2_006B76A0
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_0040B93C FindFirstFileW,FindClose,	21_2_0040B93C
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_0040B370 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	21_2_0040B370
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: 21_2_004114A2 FindFirstFileW,	21_2_004114A2

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

4_2_004AF91C

Source: innosetup-6.1.2.exe, 00000004.00000002.378043119.00000000024B0000.00000002.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000002.373337681.0000000002620000.00000002.00000001.sdmp, Compil32.exe, 00000015.00000002.344613821.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: innosetup-6.1.2.exe, 00000004.00000002.378043119.00000000024B0000.00000002.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000002.373337681.0000000002620000.00000002.00000001.sdmp, Compil32.exe, 00000015.00000002.344613821.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: innosetup-6.1.2.exe, 00000004.00000002.378043119.00000000024B0000.00000002.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000002.373337681.0000000002620000.00000002.00000001.sdmp, Compil32.exe, 00000015.00000002.344613821.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: innosetup-6.1.2.exe, 00000004.00000002.378043119.00000000024B0000.00000002.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000002.373337681.0000000002620000.00000002.00000001.sdmp, Compil32.exe, 00000015.00000002.344613821.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Code function: 5_2_006A4AF0 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

5_2_006A4AF0

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Code function: 5_2_005C78B8 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_005C78B8

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Code function: 5_2_005C6A5C AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

5_2_005C6A5C

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_00405AE0 cpuid

4_2_00405AE0

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	4_2_0040B044
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: GetLocaleInfoW,	4_2_0041E034
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: GetLocaleInfoW,	4_2_0041E080
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: GetLocaleInfoW,	4_2_004AF218
Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0040DC78
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Code function: GetLocaleInfoW,	5_2_0060FD58
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	21_2_0040BA8C
Source: C:\Program Files (x86)\Inno Setup 6\Compil32.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	21_2_0040AF14

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp

Code function: 5_2_00625580 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

5_2_00625580

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_0041C3D8 GetLocalTime,

4_2_0041C3D8

Source: C:\Users\user\Desktop\download\innosetup-6.1.2.exe

Code function: 4_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

4_2_004B5114

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter2	Registry Run Keys / Startup Folder1	DLL Side-Loading1	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	System Information Discovery36	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection2	Masquerading2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion1	LSA Secrets	Security Software Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection2	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://jrsoftware.org/download.php/is.exe?site=1	0%	Virustotal		Browse
https://jrsoftware.org/download.php/is.exe?site=1	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Inno Setup 6\Examples\is-3LMQQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\Examples\is-4LG51.tmp	3%	Metadefender	Browse
C:\Program Files (x86)\Inno Setup 6\Examples\is-4LG51.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\Examples\is-KPCN0.tmp	3%	Metadefender	Browse
C:\Program Files (x86)\Inno Setup 6\Examples\is-KPCN0.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\Examples\is-MJ4UB.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\is-1D3SP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\is-28ANT.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\is-2HM3J.tmp	0%	ReversingLabs
C:\Program Files (x86)\Inno Setup 6\is-3R6IB.tmp	2%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://jrsoftware.github.io/issrc/Examples/CodeDownloadFiles.iss	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.haysoft.org	0%	Virustotal		Browse
http://www.haysoft.org	0%	Avira URL Cloud	safe
https://www.innosetup.com3	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	1%	Virustotal		Browse
https://www.remobjects.com/ps	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://jrsoftware.org0	0%	Avira URL Cloud	safe
https://www.innosetup.com/4https://www.innosetup.com/4https://www.innosetup.com/	0%	Avira URL Cloud	safe
http://www.innosetup.com	0%	Avira URL Cloud	safe
http://www.remobjects.com/psopenU	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml	0%	Avira URL Cloud	safe
http://cscasha2.ocsp-certum.com04	0%	Avira URL Cloud	safe
http://www.dk-soft.org/	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe
http://www.haysoft.org%1-k	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeSta	0%	Avira URL Cloud	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
https://www.innosetup.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jrsoftware.org	69.163.232.126	true	false		high
files.jrsoftware.org	69.163.232.126	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	innosetup-6.1.2.exe, 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.exe.2.dr	false		high
https://files.jrsoftware.org/is/6/innosetup-6.1.2.exeRpDt	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	false		high
https://jrsoftware.github.io/issrc/Examples/CodeDownloadFiles.iss	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha2.cer0	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
http://ocsp.sectigo.com0	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i.imgur.com/gz4hlV8.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/ismail.phpopenU	Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	false		high
http://www.jrsoftware.org/is3rdparty.php	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-8H1UE.tmp.5.dr	false		high
http://cert.int-x3.letsencrypt.org/	wget.exe	false		high
https://jrsoftware.org/isdonate.php	innosetup-6.1.2.exe, 00000004.00000003.377102045.0000000002322000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp, Compil32.exe, unins000.dat.5.dr, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/isinfo.php	Compil32.exe	false		high
https://i.imgur.com/IyJZTZY.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://cps.letsencrypt.org	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline	innosetup-6.1.2.exe	false		high
http://www.haysoft.org	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://i.imgur.com/wHoJ3FG.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://i.imgur.com/WeX3T4b.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/ishelp/index.php?topic=scriptdebug	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/download.php/is.exe	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false		high
https://www.innosetup.com3	innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-QSTDR.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, Compil32.exe, Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp, is-SSLRM.tmp.5.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.innosetup.com/	innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, Compil32.exe, Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp, is-SSLRM.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://files.jrsoftware.org/is/6/innosetup-6.1.2.exe	cmdline.out.2.dr	false		high
https://i.imgur.com/9VvbFGJ.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://sectigo.com/CPS0D	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://jrsoftware.org0	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://files.jrsoftware.org/is/6/innosetup-6.1.2.exerpdt	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	false		high
https://jrsoftware.org/	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.377102045.0000000002322000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp, is-4TT4E.tmp.5.dr, is-G0LGO.tmp.5.dr, is-2HM3J.tmp.5.dr	false		high
https://jrsoftware.org/isinfo.phpopen	Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	false		high
https://www.innosetup.com/4https://www.innosetup.com/4https://www.innosetup.com/	innosetup-6.1.2.exe, 00000004.00000003.219653727.00000000025E0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com	innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psopenU	Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/isfaq.php	innosetup-6.1.2.tmp, 00000005.00000003.370077636.0000000003A8C000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371253295.00000000025F4000.00000004.00000001.sdmp	false		high
http://blogs.msdn.com/b/oldnewthing/archive/2009/06/11/9725386.aspx	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G15VB.tmp.5.dr	false		high
http://www.certum.pl/CPS0	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
https://i.imgur.com/AnF6qo8.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://cps.root-x1.letsencrypt.org0	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i.imgur.com/c9wGM3M.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://www.innosetup.com/	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-I8R84.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.academie-francaise.fr/langue/questions.html#accentuation	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G15VB.tmp.5.dr	false		high
http://repository.certum.pl/ctnca.cer09	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
http://cps.letsencrypt.org0	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
https://i.imgur.com/iDrhOSs.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://ocsp.int-x3.letsencrypt.org0/	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i.imgur.com/TTbESLq.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/ishelp/index.php?topic=compformshortcuts	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://www.certum.pl/CPS0	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
http://127.0.0.1	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/IVI2nk3.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://www.jrsoftware.org/files/istrans/	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/cscasha2.crl0q	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false		high
http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cscasha2.ocsp-certum.com04	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	Avira URL Cloud: safe	unknown
http://www.dk-soft.org/	innosetup-6.1.2.exe, 00000004.00000003.376119732.0000000002280000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.223523265.0000000003500000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.haysoft.org%1-k	innosetup-6.1.2.exe, 00000004.00000003.376119732.0000000002280000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.371005281.00000000024E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://jrsoftware.org/files/is/license.txt	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/files/is6.0-whatsnew.htm	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/ishelp/index.php?topic=admininstallmode	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://i.imgur.com/YSbzJ5B.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://cert.int-x3.letsencrypt.org/09	wget.exe, 00000002.00000002.213897635.0000000002C5C000.00000004.00000001.sdmp	false		high
https://github.com/jrsoftware/issrc/commit/9e03ea4de5b8639937d2c4024ec8582a7e63b048	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://github.com/jrsoftware/issrc	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/files/istrans/	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-GKFVC.tmp.5.dr	false		high
https://jrsoftware.org/ismail.php	is-G0LGO.tmp.5.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp, innosetup-6.1.2.exe, 00000004.00000003.220491729.000000007FBC0000.00000004.00000001.sdmp, innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, is-2HM3J.tmp.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://jrsoftware.org/isdonate.phpopenj	Compil32.exe, 00000015.00000000.340348294.0000000000401000.00000020.00020000.sdmp, Compil32.exe, 00000018.00000000.369174266.0000000000401000.00000020.00020000.sdmp	false		high
http://cert.int-x3.letsencrypt.org/0-	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeSta	wget.exe, 00000002.00000003.213071306.0000000002C52000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/6q15Ik8.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/download.php/is.exe?site=1	wget.exe, 00000002.00000002.213333069.0000000000B00000.00000004.00000020.sdmp, cmdline.out.2.dr	false		high
https://i.imgur.com/VBDuZ7U.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
http://www.remobjects.com/ps	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, Compil32.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i.imgur.com/deliPb8.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://www.innosetup.com	innosetup-6.1.2.tmp, 00000005.00000003.369632804.00000000051F8000.00000004.00000001.sdmp, Compil32.exe, 00000015.00000000.340580476.0000000000657000.00000002.00020000.sdmp, Compil32.exe, 00000018.00000000.369384924.0000000000657000.00000002.00020000.sdmp, is-QSTDR.tmp.5.dr	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org	wget.exe, 00000002.00000002.213886720.0000000002C4A000.00000004.00000001.sdmp	false		high
https://jrsoftware.org/download.php/iscrypt.dll	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp	false		high
https://i.imgur.com/PpWvzxg.png	innosetup-6.1.2.tmp, 00000005.00000003.369463212.0000000004FB0000.00000004.00000001.sdmp, is-G0LGO.tmp.5.dr	false		high
https://jrsoftware.org/download.php/is.exe?site=1ZpLt	wget.exe, 00000002.00000002.213867007.0000000002C0C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.163.232.126	unknown	United States		26347	DREAMHOST-ASUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	332871
Start date:	21.12.2020
Start time:	18:25:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://jrsoftware.org/download.php/is.exe?site=1
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean10.win@11/101@3/1
EGA Information:	Successful, ratio: 60%
HDC Information:	Successful, ratio: 37.2% (good quality ratio 34.7%) Quality average: 78.2% Quality standard deviation: 28.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 13.64.90.137, 51.104.144.132, 23.210.248.85, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 20.54.26.129, 51.11.168.160, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net Execution Graph export aborted for target wget.exe, PID 5436 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\Properties\is-63H9U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1422
Entropy (8bit):	5.025729191734751
Encrypted:	false
SSDEEP:	24:JINebtJwc0YRDh+K+BP++W2t7kn5eRr4XeYhv4DYUc:Jwebt+cJRDhp+P+j2hk5eKuYh6YUc
MD5:	83A2059816ADAA272B3DB49D76A4B59F
SHA1:	F4D492D28587A4ED96DFFC71DFFDAAD555D5B910
SHA-256:	298FD8C4FEED0B5AA00D38BB67BAA547CAB1DC2F58710C5FF9E180A8530A1222
SHA-512:	6A4F8FA023200889E9029430E348CF8A473914682FC1CE54B576A45B2248E8FF8DC67A172E0CAD21F9A0B9E31B0B4E1186F204D1DA4DABA787CE99B001ED95FA
Malicious:	false
Reputation:	low
Preview:	.using System.Reflection;..using System.Runtime.CompilerServices;..using System.Runtime.InteropServices;....// General Information about an assembly is controlled through the following ..// set of attributes. Change these attribute values to modify the information..// associated with an assembly...[assembly: AssemblyTitle("MyDll")]..[assembly: AssemblyDescription("")]..[assembly: AssemblyConfiguration("")]..[assembly: AssemblyCompany("")]..[assembly: AssemblyProduct("MyDll")]..[assembly: AssemblyCopyright("Copyright . 2015")]..[assembly: AssemblyTrademark("")]..[assembly: AssemblyCulture("")]....// Setting ComVisible to false makes the types in this assembly not visible ..// to COM components. If you need to access a type in this assembly from ..// COM, set the ComVisible attribute to true on that type...[assembly: ComVisible(false)]....// The following GUID is for the ID of the typelib if this project is exposed to COM..[assembly: Guid("711cc3c2-07db-46ca-b34b-ba06f4edcbcd")]....

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-73MJU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	143
Entropy (8bit):	5.044193877210262
Encrypted:	false
SSDEEP:	3:JLWMNHU8LdgCjZPKpEZcMuHyUBmWhHUQESAFXEf22Pb:JiMVBdDUpEKMIyUBmcdESAtSx
MD5:	2DEE65A503AE442BBBB0F74CFDE64EAE
SHA1:	24B129DE437808FB7B2B8A86A54A484828B1AD38
SHA-256:	DDCA8ECB97D5F2F30B779EBE6CC28485D4B0002911BA59F9ACD85E6DEE8C4954
SHA-512:	063E0BA2DD2CAD2CD82BF02F1FCA99E16500D5F08F00EE9374576521903245CDE4A046D828F0C180EFCE98EAC13DFE588A7DFFE62A6A9FCE7020F21B99238DF7
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<packages>.. <package id="UnmanagedExports" version="1.2.7" targetFramework="net45" />..</packages>

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-IR6AF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	843
Entropy (8bit):	4.887963983454774
Encrypted:	false
SSDEEP:	12:V/D5+F3iFfsqQCQu9hSFgkrWefX7gkrWefnvGahudQCQu9tz7OqvGahBJCI+azbi:J5s3WfYFk9kr70kr7HlZFomyl0Idmd
MD5:	EB93728F9997D867A58BEA96C9A4CC9D
SHA1:	1D1F867A18BA3428AB74DFA2861E707EAD20B84D
SHA-256:	9E28BEAD7C5361312E8428401B04FCCB738BCDB9B7FACD73A3B2B9596808CD76
SHA-512:	1DA6A1666562B52F17B5BA18363AD2DE0BF376403EF441F5D4CCCAC210C77C05751F1CF185E1D5C61FD4FB377AA51221D600F2A628120F5CE8AC725F54FEF659
Malicious:	false
Reputation:	low
Preview:	.using System;....using System.Runtime.InteropServices;..using RGiesecke.DllExport;....namespace Mydll..{.. public class Mydll.. {.. [DllExport("MyDllFunc", CallingConvention=CallingConvention.StdCall)].. public static void MyDllFunc(IntPtr hWnd, [MarshalAs(UnmanagedType.LPStr)] string text, [MarshalAs(UnmanagedType.LPStr)] string caption, int options).. {.. MessageBox(hWnd, text, caption, options);.. }.... [DllExport("MyDllFuncW", CallingConvention=CallingConvention.StdCall)].. public static void MyDllFuncW(IntPtr hWnd, string text, string caption, int options).. {.. MessageBox(hWnd, text, caption, options);.. }.... [DllImport("user32.dll", CharSet=CharSet.Auto)].. static extern int MessageBox(IntPtr hWnd, String text, String caption, int options);.. }..}..

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-ODESQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3015
Entropy (8bit):	5.332351735490266
Encrypted:	false
SSDEEP:	48:3CWSjNJpu5haWfO13G0Mr14H1LPq/14H1LHA6rXvgqrhfn6B6Kv626HZ6sM6l6AL:DWnpu5ha1TJjD0yrhPE5vBCHMOofJGpj
MD5:	52587AF46EDEA27A2726A19EF3A0981A
SHA1:	83760EB9793360C1BAA37A8B748044DDF5F7CFE4
SHA-256:	1291FF5B355118A033A3F4ECE18DC24091BB7BF94628261035A36D625AAE6CE0
SHA-512:	0AC8DC386AA2502DAE3E0E1ED4E7CE87854EA77B16C279F1D2C85173EC98BE7E1F9823CF2430BA2B973564CADA8D2AFD0C4EEAA61CBC0E627E9FF764CCC83F35
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">.. <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />.. <PropertyGroup>.. <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>.. <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>.. <ProjectGuid>{79237A5C-6C62-400A-BBDD-3DA1CA327973}</ProjectGuid>.. <OutputType>Library</OutputType>.. <AppDesignerFolder>Properties</AppDesignerFolder>.. <RootNamespace>MyDll</RootNamespace>.. <AssemblyName>MyDll</AssemblyName>.. <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>.. <FileAlignment>512</FileAlignment>.. </PropertyGroup>.. <PropertyGroup Condition=" '$(Configuration)\|$(Platform)' == 'Debug\|AnyCPU' ">.. <DebugSymbols>true</DebugSymbols>..

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-TNB2Q.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	978
Entropy (8bit):	5.509243717916247
Encrypted:	false
SSDEEP:	24:pPEkp1Ecmdja6vBKa6D6ja6D2a6J6xa6N8uW:pPT+N5a/arjaFadxav/
MD5:	2AD6484FD263570DBF664CD64C34A444
SHA1:	9BBCBD309B40EB1B03F47A16F66CE09CDADA6076
SHA-256:	DB53EEAEEDE0FFB05627EFCDB29B247B34281D88683E55C11FAC25AFCE6986D4
SHA-512:	14F9ECEAC8B596E2AF15EAB0A2C93CE8CD7C8768454EFBF15FD37F7F709DAEACE8E970D8F85E47ED0F33D131EAFE73BDFC5453DBEDD4CFA3D9D71CD4E22DCB78
Malicious:	false
Reputation:	low
Preview:	...Microsoft Visual Studio Solution File, Format Version 12.00..# Visual Studio 2013..VisualStudioVersion = 12.0.40629.0..MinimumVisualStudioVersion = 10.0.40219.1..Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MyDll", "MyDll.csproj", "{79237A5C-6C62-400A-BBDD-3DA1CA327973}"..EndProject..Global...GlobalSection(SolutionConfigurationPlatforms) = preSolution....Debug\|Any CPU = Debug\|Any CPU....Release\|Any CPU = Release\|Any CPU...EndGlobalSection...GlobalSection(ProjectConfigurationPlatforms) = postSolution....{79237A5C-6C62-400A-BBDD-3DA1CA327973}.Debug\|Any CPU.ActiveCfg = Debug\|Any CPU....{79237A5C-6C62-400A-BBDD-3DA1CA327973}.Debug\|Any CPU.Build.0 = Debug\|Any CPU....{79237A5C-6C62-400A-BBDD-3DA1CA327973}.Release\|Any CPU.ActiveCfg = Release\|Any CPU....{79237A5C-6C62-400A-BBDD-3DA1CA327973}.Release\|Any CPU.Build.0 = Release\|Any CPU...EndGlobalSection...GlobalSection(SolutionProperties) = preSolution....HideSolutionNode = FALSE...EndGlobalSection..EndGlobal..

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-TSD5K.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	4.1219280948873624
Encrypted:	false
SSDEEP:	3:BphJtZn:BphJtZn
MD5:	DAD419ABDF317E563985C3C165FB7CDA
SHA1:	A3B74DD2209FFA53E08265AAAAAA42473F77F557
SHA-256:	0E885B880199A19C38FE3EAE6F17443BB568C1596BD5FE05951C73A09589E90E
SHA-512:	100B5466048CE9285A154A2419C1F317BCAE475EE54B0F8B1A189E18CEF1AB01FF8B501E60DFC065AAB58360445CD7F535B875AE4674ACD41EF7F2AC4D71CF85
Malicious:	false
Reputation:	low
Preview:	EXPORTS.. MyDllFunc

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-TUKB2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2622
Entropy (8bit):	5.457752570518242
Encrypted:	false
SSDEEP:	48:y0izy71M8t+t8h8n1Jl7PdtNUyeiesNBPpzpr+EG+EwgrLXNW8Aff4cQ9ffWifRm:y0ayE+qxnNhNBPBZTGTBNlmHQxWjh
MD5:	1FAEF569A4819FC7B2AA2D228C6C48BB
SHA1:	0B1210BC9C28747F5A5363CEB6D8806904ED264F
SHA-256:	3235009B304C2F08DDB056E08E15F51E321A367DF4D8EC02688400C23093393A
SHA-512:	3290C759BCF1940344BEDFEC89BEBA09D0144B0DCF7E2D9D4D08394086519C98C017C8B5ADADB826DF070D43E3F594B06429FEFE0AECA8B8126BC946F5FE83BF
Malicious:	false
Reputation:	low
Preview:	# Microsoft Developer Studio Project File - Name="MyDll" - Package Owner=<4>..# Microsoft Developer Studio Generated Build File, Format Version 6.00..# DO NOT EDIT ....# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102....CFG=MyDll - Win32 Release..!MESSAGE This is not a valid makefile. To build this project using NMAKE,..!MESSAGE use the Export Makefile command and run..!MESSAGE ..!MESSAGE NMAKE /f "MyDll.mak"...!MESSAGE ..!MESSAGE You can specify a configuration when running NMAKE..!MESSAGE by defining the macro CFG on the command line. For example:..!MESSAGE ..!MESSAGE NMAKE /f "MyDll.mak" CFG="MyDll - Win32 Release"..!MESSAGE ..!MESSAGE Possible choices for configuration are:..!MESSAGE ..!MESSAGE "MyDll - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")..!MESSAGE ....# Begin Project..# PROP AllowPerConfigDependencies 0..# PROP Scc_ProjName ""..# PROP Scc_LocalPath ""..CPP=cl.exe..MTL=midl.exe..RSC=rc.exe..# PROP BASE Use_MFC 0..# PROP BASE Use_Debug_Libraries 0..

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-UQOP6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.081887217075006
Encrypted:	false
SSDEEP:	3:XBAj/1KQAFRvc1Z/yGU+1mkkoQRx4n/oLnKPNs3Gdh0QhYn:RAR+RE1Z6GUzkWxUmKPvdYn
MD5:	DF9C1A41CC74C01557C54B9F17CC2EFE
SHA1:	0321221F36DE8E61CEBAF2D096DB66C0D96E295D
SHA-256:	46B8532187053872F0E10822BD1D3692B6C33CA06B14463036901FBC3C0D9B8B
SHA-512:	00ACF28EC3631E760FB067CA92476364D0192C16D237A8326560FE95AB6E154BFD9A2662BAD632007CB0A2DBA21A86BAFFC8605A0AEBC26EF6D9C3770822A74D
Malicious:	false
Reputation:	low
Preview:	#include <windows.h>....void __stdcall MyDllFunc(HWND hWnd, char lpText, char lpCaption, UINT uType)..{.. MessageBox(hWnd, lpText, lpCaption, uType);..}

C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\Delphi\is-ML3P5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	229
Entropy (8bit):	4.859279784269271
Encrypted:	false
SSDEEP:	6:EOOdEvyowgTZaLp86AcVAUT7fnDgTKxB2dAPgBKZAu0:TOdEvvwPp8unPfsTA6A4BA0
MD5:	229AEAF8DD2B983FF76B9C91E7C980F3
SHA1:	C7B147869AE355D5533DE565C5F5886736373600
SHA-256:	93E27469D273642D584C9A5696BD8F677DF4626FD7CC2A76A07D7F9FA75B02BF
SHA-512:	2199B00520C98DDE5EAC4A48343A32AED8E2A12F568599282333045D752F370DC2DAF08CB40E5F53F40371C1788155DAB3F399267C79C4262B0169D24E78A7BF
Malicious:	false
Reputation:	low
Preview:	library MyDll;....uses.. Windows;....procedure MyDllFunc(hWnd: Integer; lpText, lpCaption: PAnsiChar; uType: Cardinal); stdcall;..begin.. MessageBoxA(hWnd, lpText, lpCaption, uType);..end;....exports MyDllFunc;....begin..end...

C:\Program Files (x86)\Inno Setup 6\Examples\is-0AAB0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.412287435666138
Encrypted:	false
SSDEEP:	3:hMCRLigrOFzly:hPeFg
MD5:	87CD629529803062B029CA962DBB5295
SHA1:	0B701ABA92B7BA03DE6BB04BFA5B2FFD77E81A20
SHA-256:	603CAC0AA33F63B50D12FA7A071A3376499498B9929C1DAB2F2D5DAFF4903313
SHA-512:	AFE389A3130D5C9DE5BD538265F513BC4D2DA2630B8259996C6FA414F98D9B22E2B3DFF02A9D6679637C27900DD975574FAD9D9429F781B75F466C174D5AC2EB
Malicious:	false
Reputation:	low
Preview:	This is the LICENSE file for My Program...

C:\Program Files (x86)\Inno Setup 6\Examples\is-1CSB7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4041
Entropy (8bit):	5.144357954667247
Encrypted:	false
SSDEEP:	96:D5xKz6qFCbE/mi+HZJOpxYjowQfAzA0FAHOTGdrL1z/TUV:DK27r54xY0wQI8IUi6LO
MD5:	C909E5F20F876F5A0C502F27C95D96A8
SHA1:	5F079668C98AA0DF4F43C8AB57567C7E6CCAEC15
SHA-256:	E2A3BD397444AF6DBFBE3D10EBFE5BBD8DE0CD870C5C4036E20D94E470816DBD
SHA-512:	117F646974C53F4712E6FF901BA1D2E514B9FA114D34EC0489BB319678EA2487BD83684A0F119D0BAF07257D2D8A4CB655AC518CBA0B3F7913A347770E1B1C99
Malicious:	false
Reputation:	low
Preview:	; -- CodePrepareToInstall.iss --..;..; This script shows how the PrepareToInstall event function can be used to..; install prerequisites and handle any reboots in between, while remembering..; user selections across reboots.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Files]..; Place any prerequisite files here, for example:..; Source: "MyProg-Prerequisite-setup.exe"; Flags: dontcopy..; Place any regular files here, so after all your prerequisites...Source: "MyProg.exe"; DestDir: "{app}";..Source: "MyProg.chm"; DestDir: "{app}";..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme;....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"....[Code]..const.. (* Customize the following to your own name. *).. RunOnceName = 'My Program Setup restart';.... QuitMessageReboot = 'The installatio

C:\Program Files (x86)\Inno Setup 6\Examples\is-1LDTM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1900
Entropy (8bit):	5.216764572275591
Encrypted:	false
SSDEEP:	48:BrziywuwU0rgrPQ6AtVAiHgUUjRY8uRmR53/Fd:FGorPQ6AtVPHn8P/Fd
MD5:	D8EE33C1A10765D6FE14C29208D029E1
SHA1:	AF9F7A6EBA2BA740120C54C1439D8E3EEE32DF74
SHA-256:	6D570F0CC6150E0B36FB86E3AD838DB967BE5B0F49E61F4AC2C287AA771619BB
SHA-512:	B16B0EE7B3D86F9F549DFE619781848CD90FEC323E9F450BFEBFA8CA64BB169AFE8B7F855CDA4E62EFF42713041AAAC786170A22375389DAEA3485844861C42A
Malicious:	false
Reputation:	low
Preview:	; -- Languages.iss --..; Demonstrates a multilingual installation.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName={cm:MyAppName}..AppId=My Program..AppVerName={cm:MyAppVerName,1.5}..WizardStyle=modern..DefaultDirName={autopf}\{cm:MyAppName}..DefaultGroupName={cm:MyAppName}..UninstallDisplayIcon={app}\MyProg.exe..VersionInfoDescription=My Program Setup..VersionInfoProductName=My Program..OutputDir=userdocs:Inno Setup Examples Output..; Uncomment the following line to disable the "Select Setup Language"..; dialog and have it rely solely on auto-detection...;ShowLanguageDialog=no....[Languages]..Name: en; MessagesFile: "compiler:Default.isl"..Name: nl; MessagesFile: "compiler:Languages\Dutch.isl"..Name: de; MessagesFile: "compiler:Languages\German.isl"....[Messages]..en.BeveledLabel=English..nl.BeveledLabel=Nederlands..de.BeveledLabel=Deutsch....[CustomMessages]..en.MyDescription=My description..en.MyAppName=My Program..en.MyAppVerName=My Program

C:\Program Files (x86)\Inno Setup 6\Examples\is-2HPHT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	12503
Entropy (8bit):	4.02777726356063
Encrypted:	false
SSDEEP:	96:7Ufk0WmqBDxQrR1hhu0XYJFi6uzvfG2sM3kDV+qOwcoX8:7Uf1KB9QF1Lvf370T
MD5:	20BA873FB065DA0AED4A13520820781E
SHA1:	A7945752DA9B0D1E6B32B6C95BA9A8F4F141D5B5
SHA-256:	FC47E3F35CE2F2DB1AD85DC320200424C406A3C7CB9C17FB5FD91AF865644021
SHA-512:	D2C2CD9D2666F3BD1D38AB4AA8FB4326961EAAAD747C12B38BFAD1D65BFB7F2EF9B4F0C28A337017A7265362E8DD29F6F2EDE1421F78BA0A1CD0273C2AB1CFBB
Malicious:	false
Reputation:	low
Preview:	ITSF....`.......4.V........\|.{.......".....\|.{......."..`...............x.......T........................0..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR..~.../#ITBITS..../#STRINGS....3./#SYSTEM....'./#TOPICS...~0./#URLSTR...RG./#URLTBL....$./#WINDOWS..N.L./$FIftiMain..`.../$OBJINST..!.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...../$WWKeywordLinks/..../$WWKeywordLinks/BTree....L./$WWKeywordLinks/Data..f../$WWKeywordLinks/Map..s../$WWKeywordLinks/Property..} ./hh_contents.hhc....D./hh_index.hhk..H.@./styles.css..E.../topic_myprog.htm....=.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..-..,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/

C:\Program Files (x86)\Inno Setup 6\Examples\is-3LMQQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32+ executable (GUI), for MS Windows
Category:	dropped
Size (bytes):	25888
Entropy (8bit):	5.79543574542943
Encrypted:	false
SSDEEP:	384:s6GF+ER8ZpHqGb5higLjF+EEGNGb5hiX8ZpHqez:stF+OiR9riSF+1riXiRr
MD5:	F849C37FB7344385799E4D1DD06CF8FF
SHA1:	7352904D0641076989D4783ACD3764FD4CEBA817
SHA-256:	A630A4188D535D9623CB4F006D7DB1C21E00D610B6FEB7ACDBCDF620043AD516
SHA-512:	D9B678323A164B33839A14985541AEBD4CE0270620716869798553C0CA8E140307A866816C6CC0FC4C4BE0841FAFFB701F7F65DAB8F9B34740EF9C63B8358115
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mv^.............j..............te......te......Rich............PE..d....5.\.........."............................@....................................6.....`................................................. a..P............P.......&.. ?...p.......0..8............................................`.. ............................text............................... ..`.rdata.......0......................@..@.data........@......................@....pdata.......P......................@..@.idata.......`....... ..............@..@.reloc.......p.......$..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\Examples\is-4FHGQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1763
Entropy (8bit):	5.1829614377971645
Encrypted:	false
SSDEEP:	48:jU+GUSK87VHAoenhW0nBFPVXfWARZEMu1R4:sUB8iX3J/
MD5:	9A24F606EF8DFB182554872345E92986
SHA1:	B6C354DC20DF44399D77D58FFA799BF131E78928
SHA-256:	7A0E14B0CB7F05E63F0270FA936C4D7E23F56F04171AD85212B8EC67FDD23579
SHA-512:	25CFDFAAA012D1BDF88AF0893880E9F31C8929B4DB0EB3A4B6FD66CF2B4CF230D721E9571A9912E4C139ED587E827300AF2DA7751B742121F8402DF68246A334
Malicious:	false
Reputation:	low
Preview:	; -- 64BitTwoArch.iss --..; Demonstrates how to install a program built for two different..; architectures (x86 and x64) using a single installer: on a "x86"..; edition of Windows the x86 version of the program will be..; installed but on a "x64" edition of Windows the x64 version will..; be installed.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..WizardStyle=modern..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output..; "ArchitecturesInstallIn64BitMode=x64" requests that the install be..; done in "64-bit mode" on x64, meaning it should use the native..; 64-bit Program Files directory and the 64-bit view of the registry...; On all other architectures it will install in "32-bit mode"...ArchitecturesInstallIn64BitMode=x64..; Note: We don't set ProcessorsAllowed because we want thi

C:\Program Files (x86)\Inno Setup 6\Examples\is-4LG51.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21280
Entropy (8bit):	7.0838696543762065
Encrypted:	false
SSDEEP:	384:NQUHu35GA7F+ER8ZpHqGb5hiwX1xF+E1hyGNGb5hiX8ZpHNWG:VE8OF+OiR9ri4F+ehQriXiRUG
MD5:	C764A9A7AE05399D18F6A1DCCB3272A7
SHA1:	1F54DC1953DE12214EE53E261787340856F16C7A
SHA-256:	4218705B92D2437D265E7787AEAF8552E1683E83D4EEBAAE69113438BA15742F
SHA-512:	1F016A483372176F2EF2FA24A474E540A6747ED85EB8ECE3E7609551E1D7B0DE6BAB998CBCC27C03F82EB0B52FBBB6D8A4FD23C6C0FEBD8E2B5DCF362A74ABAA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|......\|......\|.....Rich............................PE..L...x..R..................................... ....@..........................@............................................... ..P....0.................. ?........................................................... ...............................text...5........................... ..`.rdata..X.... ......................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\Examples\is-77P4E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.244712857688066
Encrypted:	false
SSDEEP:	48:VqN9yHVtAA4eNYuW0nRZ+zer1u1RyP6+eNggyb+eNgSC8f:cOv7f7qe
MD5:	2965632BC3CF91D209C103B26B6009DD
SHA1:	FF93BA618178A781A33DBBE19FBA206334A89D97
SHA-256:	184FB5475D178024CD787CB10E92961C97918905D91D22847635376389E03D73
SHA-512:	DAEC254EC30C81C9800F253C46D5E89B49297E23C28C9D3BE23C45767AC7D9A9E766546E350AB485764863E3B6D1FD5A03679BB4C7F7ADC7308ED87DD3C183F5
Malicious:	false
Reputation:	low
Preview:	; -- 64BitThreeArch.iss --..; Demonstrates how to install a program built for three different..; architectures (x86, x64, ARM64) using a single installer.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output..; "ArchitecturesInstallIn64BitMode=x64 arm64" requests that the install..; be done in "64-bit mode" on x64 & ARM64, meaning it should use the..; native 64-bit Program Files directory and the 64-bit view of the..; registry. On all other architectures it will install in "32-bit mode"...ArchitecturesInstallIn64BitMode=x64 arm64....[Files]..; Install MyProg-x64.exe if running on x64, MyProg-ARM64.exe if..; running on ARM64, MyProg.exe otherwise...; Place all x64 files here..Source: "MyProg-x64.exe"; DestDir: "{app

C:\Program Files (x86)\Inno Setup 6\Examples\is-91EK8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	5.244083740570464
Encrypted:	false
SSDEEP:	24:Tb/Q3kFMUGad8HLzYPYKZP9lqeZwuKhEMqX+vhyNbq2RyKk9A:TjvFMUG9HPYwKNwuGqX+Cu2Rr
MD5:	C241E67589DB8B1AE9856EAA7D2FE9A9
SHA1:	66176F13CDEF37418C46C304DCC5DAC9CCF44731
SHA-256:	B75CE663F3787C64FD8F723C9868E7D8D14412A6FE64D573F61C57043119D43A
SHA-512:	9F409E85A2BE5786546E5BFC13B03BA9F96649B99F14404E5397349DFC47B12A742290053557B5414B0562887D612E450E1BFE40B985CF2486B5B233848DD957
Malicious:	false
Reputation:	low
Preview:	// -- ISPPExample1.iss --..//..// This script shows various basic things you can achieve using Inno Setup Preprocessor (ISPP)...// To enable commented #define's, either remove the '//' or use ISCC with the /D switch...//..#pragma verboselevel 9..//..//#define AppEnterprise..//..#ifdef AppEnterprise.. #define AppName "My Program Enterprise Edition"..#else.. #define AppName "My Program"..#endif..//..#define AppVersion GetVersionNumbersString(AddBackslash(SourcePath) + "MyProg.exe")..//..[Setup]..AppName={#AppName}..AppVersion={#AppVersion}..WizardStyle=modern..DefaultDirName={autopf}\{#AppName}..DefaultGroupName={#AppName}..UninstallDisplayIcon={app}\MyProg.exe..LicenseFile={#file AddBackslash(SourcePath) + "ISPPExample1License.txt"}..VersionInfoVersion={#AppVersion}..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..#ifdef AppEnterprise..Source: "MyProg.chm"; DestDir: "{app}"..#endif..Source: "Readme.txt"; DestDir: "{app}"; \.. Flags: i

C:\Program Files (x86)\Inno Setup 6\Examples\is-AHVLA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6378
Entropy (8bit):	5.223897329555024
Encrypted:	false
SSDEEP:	96:K00XsBNclGZkYEdrnx7idbyJPtB8tAKky:pNOzNK
MD5:	47990A00F7CD4DE46259E26F356A07F3
SHA1:	2014F9285C251BB26DA05211EE4734375BDA6E77
SHA-256:	933BA8D04BB93112B88744E71C2C90F4EF52F9FFD04FA777FC4796C6329C511C
SHA-512:	F56D7556500522E37DC4982D073AD635E120E4A564136CC054D2E922817F1E6FEFB89A00DF34992FA8084C7F1CCA091B88EB28A925C90A05BADB87F55108ED93
Malicious:	false
Reputation:	low
Preview:	; -- CodeExample1.iss --..;..; This script shows various things you can achieve using a [Code] section.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DisableWelcomePage=no..DefaultDirName={code:MyConst}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..InfoBeforeFile=Readme.txt..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"; Check: MyProgCheck; BeforeInstall: BeforeMyProgInstall('MyProg.exe'); AfterInstall: AfterMyProgInstall('MyProg.exe')..Source: "MyProg.chm"; DestDir: "{app}"; Check: MyProgCheck; BeforeInstall: BeforeMyProgInstall('MyProg.chm'); AfterInstall: AfterMyProgInstall('MyProg.chm')..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"....[Code]..var.. MyProgChecked: Boolean;.. MyProgCheckResult: Boolean;.. FinishedInstall: Boolean;....function InitializeSetup(): Boolean;..begin.. Log('InitializeSe

C:\Program Files (x86)\Inno Setup 6\Examples\is-D3K70.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.5668051980790345
Encrypted:	false
SSDEEP:	24:P6LxMN90eprK8AQyNbM/pq2vRyKLFP6Qy:P6+XxAVOpbRNFPvy
MD5:	8CD164C384EF3B484F044E2F9F535F30
SHA1:	212C3C75A667FD903A39E45E5DB714C4C5654DCC
SHA-256:	9E94A05795976B76BBD200BD1AAF799442F3DF93EE0DE7EC0E9D345A30281EF5
SHA-512:	FD5C5BC8DB9CC3162970A8612322E6C4FAA66C0EBD8F077D343DB9099CB0873A65EE2D14BE497E2352082017E2D912FEB0E309F16617047844C2637077662EA4
Malicious:	false
Reputation:	low
Preview:	.; -- UnicodeExample1.iss --..; Demonstrates some Unicode functionality...;..; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=....o.d ....AppVerName=....o.d .. version 1.5..WizardStyle=modern..DefaultDirName={autopf}\....o.d ....DefaultGroupName=....o.d ....UninstallDisplayIcon={app}\.o.d...exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"; DestName: ".o.d...exe"..Source: "MyProg.chm"; DestDir: "{app}"; DestName: ".o.d...chm"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{group}\....o.d .."; Filename: "{app}\.o.d...exe"....[Code]..function InitializeSetup: Boolean;..begin.. MsgBox('....o.d ..', mbInformation, MB_OK);.. Result := True;..end;

C:\Program Files (x86)\Inno Setup 6\Examples\is-DCGJ5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	5.1662904923320685
Encrypted:	false
SSDEEP:	24:Ucnqs7N9rhewKhWyNbQTRMP9AeKT84iCszC6pO3cj8FyrO5Dljj3:FHVcUTRMP9ANwdbo3u8FyydJ3
MD5:	5E4093ECFDDB30700CC4287E824C3168
SHA1:	C7CA5DD32851DC42B2A0721BFDCA459BB7B580CA
SHA-256:	AE37290C5E0E7F445F7062604B9F28D1D7A4DB88A6E4E1B03E88309354924A02
SHA-512:	E751F64019B342916A2D5553D3961C9D83F2EC48EC0C734B14A890332D02DDCD8252682214B4E2C6D886F70B6745E8A115F2DA7DEF8608DF91A1A1C196735940
Malicious:	false
Reputation:	low
Preview:	; -- UninstallCodeExample1.iss --..;..; This script shows various things you can achieve using a [Code] section for Uninstall.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Code]..function InitializeUninstall(): Boolean;..begin.. Result := MsgBox('InitializeUninstall:' #13#13 'Uninstall is initializing. Do you really want to start Uninstall?', mbConfirmation, MB_YESNO) = idYes;.. if Result = False then.. MsgBox('InitializeUninstall:' #13#13 'Ok, bye bye.', mbInformation, MB_OK);..end;....procedure DeinitializeUninstall();..begin.. MsgBox('DeinitializeUninstall:' #13#13 'Bye bye!', mbInformation, MB_OK);..end;....procedure CurUninstallStepChanged(CurUninstallStep

C:\Program Files (x86)\Inno Setup 6\Examples\is-DQ0O8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	622
Entropy (8bit):	5.304255159229296
Encrypted:	false
SSDEEP:	12:UM8Xk8wwPzLJrG7N9Sk4qeYrKhm5W122oel17lD+k6DMduRyKA5SA:UMhyLs7N9rhewKhmAQyNbQTRyKNA
MD5:	CD385F604887EAB2619E7FA7D18A0969
SHA1:	EC69EC5B9AF75A3D9AFF42D5CA4869DA1A8207F1
SHA-256:	51BBE9A848916FBD57D75AFA428B1C74680BF7ED018CBA2B0F8CBE14D0AC105E
SHA-512:	19B70F60D80ED7B3AFF1E67C05D90A03EFB511EFA5B142A544EE7D8A098F96D0598288F44986390EB0EB1C376FF46DFA86A011666D1706CC4289CFD99D86AD7D
Malicious:	false
Reputation:	low
Preview:	; -- Example1.iss --..; Demonstrates copying 3 files and creating an icon.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"..

C:\Program Files (x86)\Inno Setup 6\Examples\is-FFCO4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10855
Entropy (8bit):	5.287758760801004
Encrypted:	false
SSDEEP:	192:eeu+cswJbLNvvVNvvGbzq4H/4H/mHYwpnlTPyvV7ZI7be2nBl9EGS0nMtVOu0:eoUvk7lBl9E0iVOu0
MD5:	6AA114588E83C93C455C8F492E8886EF
SHA1:	274A73A7FED896282F8B9ECE42B65A6C2466C39E
SHA-256:	3C9E126BB5EDBF3E0162BCCDD8E0FD04C9461B99BE0ABE26EA9568BA408CA5D6
SHA-512:	0748AB36FA4AD0A4B94E2EBD0800237A8DAAE9CC0806D357E449559CE296CB8A6EDFB78036FAC973A7622213A12FC5E76FF8AB52B1847D13C5CDEE917114800E
Malicious:	false
Reputation:	low
Preview:	; -- CodeAutomation2.iss --..;..; This script shows how to use IUnknown based COM Automation objects...;..; Note: some unneeded interface functions which had special types have been replaced..; by dummies to avoid having to define those types. Do not remove these dummies as..; that would change the function indices which is bad. Also, not all function..; protoypes have been tested, only those used by this example.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DisableWelcomePage=no..CreateAppDir=no..DisableProgramGroupPage=yes..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Code]....{--- IShellLink ---}....const.. CLSID_ShellLink = '{00021401-0000-0000-C000-000000000046}';....type.. IShellLinkW = interface(IUnknown).. '{000214F9-0000-0000-C000-000000000046}'.. procedure Dummy;.. procedure Dummy2;.. procedure Dummy3;.. function GetDescription(pszName: String; cchMaxName: Integer)

C:\Program Files (x86)\Inno Setup 6\Examples\is-FI720.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9650
Entropy (8bit):	5.328315313090294
Encrypted:	false
SSDEEP:	192:uesHBli1L/6LAtcV4LGso/BUtbog2/WYWrQuPz+HlV6hi6C:bL/sAtcV2xAyLGlV6hi6C
MD5:	BCC849E064F5404D22B9340979573111
SHA1:	19B02242CE71F5394074ACE75E7CD4C984ECFE5F
SHA-256:	4323F0D70D1CFC7A17CB134BA17215BEA4C729765D927F79705137DC4B69FD83
SHA-512:	E5747B0441779C3CBFB1DB4B9F28F8F166B4A6BACE2BF5F16F1D80FE48AD6ED5AD509F326427AA187E28ED305419D85DDCA9A243A371F24AA672ED533DCAC3EF
Malicious:	false
Reputation:	low
Preview:	; -- CodeAutomation.iss --..;..; This script shows how to use IDispatch based COM Automation objects.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DisableWelcomePage=no..CreateAppDir=no..DisableProgramGroupPage=yes..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Code]....{--- SQLDMO ---}....const.. SQLServerName = 'localhost';.. SQLDMOGrowth_MB = 0;....procedure SQLDMOButtonOnClick(Sender: TObject);..var.. SQLServer, Database, DBFile, LogFile: Variant;.. IDColumn, NameColumn, Table: Variant;..begin.. if MsgBox('Setup will now connect to Microsoft SQL Server ''' + SQLServerName + ''' via a trusted connection and create a database. Do you want to continue?', mbInformation, mb_YesNo) = idNo then.. Exit;.... { Create the main SQLDMO COM Automation object }.... try.. SQLServer := CreateOleObject('SQLDMO.SQLServer');.. except.. RaiseException('Please install Microsoft SQL server con

C:\Program Files (x86)\Inno Setup 6\Examples\is-GG8G7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.304838359283202
Encrypted:	false
SSDEEP:	3:hMCRgCFzly:hkCFg
MD5:	9F832E67D0C2EFEE8AA4AF4C2C72C7BC
SHA1:	705D201122A1784485655511EF12031BAD4E21E9
SHA-256:	95B1274839C0CF1653A31D54610D7E16183DC154FE4B42901FDD262AEC2268C6
SHA-512:	EC8B2A6CE6E203650FECE29FD2EE33C721D0CA98591617B9F404F7A9628DEB158E01BEA506BD05B4E2FA585C22A75985AF72A4EF5291DE88865422B774508471
Malicious:	false
Reputation:	low
Preview:	This is the README file for My Program...

C:\Program Files (x86)\Inno Setup 6\Examples\is-H34CG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.512683564091017
Encrypted:	false
SSDEEP:	3:U1FORNsNz4uMbQKzAGdXiNsJEvn:2gRNsNzibQKxdXUsKvn
MD5:	87B6B5C57F824E882B7C185E3F021465
SHA1:	15DB7B5B4F800BF3B183AECE53AB9B2C12DE1B6D
SHA-256:	AD9C38E411D3FAF71C3E2A6C34F8547FF7F215D41D888C04D8C6DC812B838E83
SHA-512:	BE824CD998D814A35954C89DE7D800706172BD57B445B10D9130816BDD7CB4F14C03E0CFF9FEA316DE3594507DD7AB878D14F1B937A76D917D17A6A3CD92B5B9
Malicious:	false
Reputation:	low
Preview:	#pragma option -e+..{#AppName} version {#AppVersion} License....Bla bla bla

C:\Program Files (x86)\Inno Setup 6\Examples\is-HO040.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1271
Entropy (8bit):	5.102456074370108
Encrypted:	false
SSDEEP:	24:U77wNrLs7N9rhewKhWsBy8PCFXgrtkPj8NbFFR9+bwRyKNA:VryHV8By8PCFXgrWPjCxFRzR4
MD5:	61F69CCE251CB0EFF54AF6E2C0BE7CC0
SHA1:	8DD846DE7F9C19FDD382B2AA54BFA1E4D25E9BA6
SHA-256:	8030AED62C63C4D5F626D80CCE475091F19458E0C6DB193DE5E97AA932A3F200
SHA-512:	5E10A100E06597795207A7AE90B81CC62B229A3C3AD2EEC6C0101D0F2EF813DEECDCB844A7DD606F283784B3AF0E5B177D69CBC6C645BD787E9DA7D328950881
Malicious:	false
Reputation:	low
Preview:	; -- Components.iss --..; Demonstrates a components-based installation.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Types]..Name: "full"; Description: "Full installation"..Name: "compact"; Description: "Compact installation"..Name: "custom"; Description: "Custom installation"; Flags: iscustom....[Components]..Name: "program"; Description: "Program Files"; Types: full compact custom; Flags: fixed..Name: "help"; Description: "Help File"; Types: full..Name: "readme"; Description: "Readme File"; Types: full..Name: "readme\en"; Description: "English"; Flags: exclusive..Name: "readme\de"; Description: "German"; Flags: exclusive....[Files]..Source: "MyProg.exe"; DestDir: "{app}"; Components: program..Source: "MyProg.chm"; DestDir: "{app}"; Component

C:\Program Files (x86)\Inno Setup 6\Examples\is-I8R84.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	16065
Entropy (8bit):	5.293370018112652
Encrypted:	false
SSDEEP:	384:wjwfcOUW4RioLoGLT3LoSLoJLo6o3oAHpLGM5hLu2USZR8:vqRE
MD5:	1D02B8CF2BFCFDAE84FA39FD5A38914D
SHA1:	242F32AD2264CA22743D91CE75148AC09665FAC7
SHA-256:	3F247F9F012324D95BD460F8C771541D4CB7732E3D8C543DDCE7859084991B25
SHA-512:	91239242217581713F20603A3AB571DD77C189611CC7418ED0C0F0BEB87C3E3D556440D3C8AEB3E79F09DE4F457317590FD3EDA8D83FB493E706D3F3D3E0D554
Malicious:	false
Reputation:	low
Preview:	; -- CodeClasses.iss --..;..; This script shows how to use the WizardForm object and the various VCL classes.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..CreateAppDir=no..DisableProgramGroupPage=yes..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output..PrivilegesRequired=lowest....; Uncomment the following three lines to test the layout when scaling and rtl are active..;[LangOptions]..;RightToLeft=yes..;DialogFontSize=12....[Files]..Source: compiler:WizModernSmallImage.bmp; Flags: dontcopy....[Code]..procedure ButtonOnClick(Sender: TObject);..begin.. MsgBox('You clicked the button!', mbInformation, mb_Ok);..end;....procedure BitmapImageOnClick(Sender: TObject);..begin.. MsgBox('You clicked the image!', mbInformation, mb_Ok);..end;....procedure FormButtonOnClick(Sender: TObject);..var.. Form: TSetupForm;.. Edit: TNewEdit;.. OKButton, CancelButton: TNewButton;.. W: Integer;..begin.. Form := Creat

C:\Program Files (x86)\Inno Setup 6\Examples\is-J9PGQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3849
Entropy (8bit):	5.213458018077877
Encrypted:	false
SSDEEP:	48:8KyHVtAbVzmibUTRTArHlrnEexJXWgsGTdd9aV4rPMP3jFzLi5fXTSH9hr2ku20h:8KOGLymAUmgJd7auUBzGFXTid4fAA
MD5:	F1468176AE182B060C07CC4506E5E331
SHA1:	964A499E034B3D402D08D2B7DA1F2F7250130234
SHA-256:	4A4026BF857054CF4E842D057F91B9FE9D5C8E9FC9E8ECA263E95F80B76CE5E3
SHA-512:	C7C5DA13C4E20C6CEF44122D8213C98463915ECADF716B8E1EC9D60733DFF895AAD7AC7FAE20647EF43A635750E200BCF6C1553DFE207F339B9FBFD5C9246430
Malicious:	false
Reputation:	low
Preview:	; -- AllPagesExample.iss --..; Same as Example1.iss, but shows all the wizard pages Setup may potentially display....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output....DisableWelcomePage=no..LicenseFile=license.txt..#define Password 'password'..Password={#Password}..InfoBeforeFile=readme.txt..UserInfoPage=yes..PrivilegesRequired=lowest..DisableDirPage=no..DisableProgramGroupPage=no..InfoAfterFile=readme.txt....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"....[Components]..Name: "component"; Description: "Component";....[Tasks]..Name: "task"; Descri

C:\Program Files (x86)\Inno Setup 6\Examples\is-JN167.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.446974207248478
Encrypted:	false
SSDEEP:	3:iFMWFBzKoahEmM5ZVdKcL:2zKoahNiVdf
MD5:	C3D2DC158A89BB66E1A0E8A2117CD0E3
SHA1:	5C8A63374C0C536B567779EDFF79AE85367CBB2D
SHA-256:	85B0678B9F6879A3FDD0DAFA6A2556EB5DEED3D4C467F10273B5FDEF6ADB9A41
SHA-512:	2E08826B3287E80D1925400DD7C82BD51B3006FF469444BFEF20032A31C3F1241718DAE6AB9E936CDEB581CE1F2C82820B30FC68AD44A4628CD4790DB98F89DC
Malicious:	false
Reputation:	low
Preview:	Dies ist die LIESMICH-Datei f.r "My Program".

C:\Program Files (x86)\Inno Setup 6\Examples\is-KOECR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3390
Entropy (8bit):	5.235557508260413
Encrypted:	false
SSDEEP:	96:Vd1wSW2VL6VwEoILxU6GxMxDhviGxEGEBHRdk:qS9qqqDhthyHnk
MD5:	BFAC6D1542555E14BFE28FDFDF52012B
SHA1:	3FFCC8CB996051C7BC617210911E9085421C7072
SHA-256:	97DC0DC2FDA21018E5CDB2BDBF3AB61A8B9D7DF82E381173F3BF222537928B39
SHA-512:	C4E2BEE40AAF9726FD7902BCF6F673922870783B346247A15953B27EAEE21AF86EDA33E135C3982AB8C54E367614E70FF7029FC5DD1529CCC98837BA285D6F2E
Malicious:	false
Reputation:	low
Preview:	; -- CodeDll.iss --..;..; This script shows how to call functions in external DLLs (like Windows API functions)..; at runtime and how to perform direct callbacks from these functions to functions..; in the script.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DisableProgramGroupPage=yes..DisableWelcomePage=no..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme..; Install our DLL to {app} so we can access it at uninstall time...; Use "Flags: dontcopy" if you don't need uninstall time access...Source: "MyDll.dll"; DestDir: "{app}"....[Code]..const.. MB_ICONINFORMATION = $40;....// Importing a Unicode Windows API function...function MessageBox(hWnd: Integer; lpText, lpCaption: String; uType: Cardinal): Integer;..external 'MessageBoxW@user32.dll stdcall

C:\Program Files (x86)\Inno Setup 6\Examples\is-KPCN0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21792
Entropy (8bit):	6.997468105078541
Encrypted:	false
SSDEEP:	384:wgu35GAbF+ER8ZpHqGb5hiYggEF+EtWClp8GNGb5hiX8ZpHRoi:vE8SF+OiR9riYWF+SflpCriXiRCi
MD5:	8AF36C8ECA16826CF31E64B168AFE935
SHA1:	8B851251A6F0DC32093C24EFFC14E5F1116FF3EB
SHA-256:	FE7598B1D013C3B0084D279E6F236AE2EF82AAEEE5E81801387CAE295E395A6D
SHA-512:	8371381BA5A1AC2DD6BF9225A7346706850D66423DC1FB5892816FD4F7D18B23DCEC40F3E4943A556311751301932AAE37CBC1A6C435156F768446BA4F6275DF
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...............}...............,R......,R......,R......Rich....................PE..d...~..R..........#............................@.............................P...............................................................!..P....@.......0.......... ?........................................................... ..0............................text...E........................... ..`.rdata....... ......................@..@.pdata.......0......................@..@.rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\Examples\is-L5VHC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2013
Entropy (8bit):	5.237927260803597
Encrypted:	false
SSDEEP:	48:sK/UHVU/KRmvfpvo52w2JBBOyg8USEJ/vy:T/pgwcrB1/6
MD5:	67C89ED9ADE5CA14945DA564A7AB7C1B
SHA1:	6489E965335E0E0D7B901FE3F44C862671C82D54
SHA-256:	F6AC4C33BC29365772EFF1DF8F026B17BBF563129A3046D718FD02A8B2F34D66
SHA-512:	5BF9A2A63B8BF67F99B320AA26F48B79975F587E2DF2EA7EF918394302F65CCD6285C2D86FB442C97B33F8BEF26A6400FD96C510A900B46AA5F18C156FC4DFCD
Malicious:	false
Reputation:	low
Preview:	; -- CodeDownloadFiles.iss --..;..; This script shows how the CreateDownloadPage support function can be used to..; download temporary files while showing the download progress to the user.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output....[Files]..; Place any regular files here..Source: "MyProg.exe"; DestDir: "{app}";..Source: "MyProg.chm"; DestDir: "{app}";..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme;..; These files will be downloaded..Source: "{tmp}\innosetup-latest.exe"; DestDir: "{app}"; Flags: external..Source: "{tmp}\ISCrypt.dll"; DestDir: "{app}"; Flags: external....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"....[Code]..var.. DownloadPage: TDownloadWizardPage;....function OnDownloadProgress(const Url, FileName: String; const Progress, ProgressMax: Int64): Boolean;..begin..

C:\Program Files (x86)\Inno Setup 6\Examples\is-MJ4UB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	21280
Entropy (8bit):	6.86503969096258
Encrypted:	false
SSDEEP:	384:SNVs6F+ER8ZpHqGb5hipTnRF+EspGNGb5hiX8ZpHv3:SNVvF+OiR9riRRF+ZriXiRP
MD5:	481DB69057B79F52F166A2DE3C39DC52
SHA1:	8DB5534E069922583CB665C7C21068F4957C226D
SHA-256:	F4E549EF947C33A61520A38C855583E48CFD1702303815123662F7E2E4E73E09
SHA-512:	BD7DF1C3CBBF8E173D33943E985E7A46BBC6AC836479E8E9D902CECA3F2B65E46B0967168E4ECD648BA12474A2A7D0D000A38B197BDE80F5B2A6714751D4F3EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..V...........!.................&... ...@....... ...............................z....@..........................@..(....&..O....`..X............... ?........................................................... ............... ..H............text........ ...................... ..`.sdata..d....@......................@....rsrc...X....`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\Examples\is-NN5UC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7628
Entropy (8bit):	5.089393195946222
Encrypted:	false
SSDEEP:	192:bGP7evb6WkhpeGZvGVnKxTDNnqUj5jt/00aMKC/:bGP7evb6WkhPZvKeZnj5jKho/
MD5:	0760DCEAE9B85F74419226368FF604F6
SHA1:	6B240025A55D8843AE7E9297A9441D115D07D062
SHA-256:	63A7526A14D5A4D17B635A97083F214385F542BD470FF9E37DEA4432A0125947
SHA-512:	C327EE521EF6FC068B98C4129ADB8B9892C5399327A56D5D1BE26B2EA5CD35422E7A39E9366C333D8EEB2D31FC976A868E41708B856F2A56CFE35C74E11E8D12
Malicious:	false
Reputation:	low
Preview:	; -- CodeDlg.iss --..;..; This script shows how to insert custom wizard pages into Setup and how to handle..; these pages. Furthermore it shows how to 'communicate' between the [Code] section..; and the regular Inno Setup sections using {code:...} constants. Finally it shows..; how to customize the settings text on the 'Ready To Install' page.....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DisableWelcomePage=no..DefaultDirName={autopf}\My Program..DisableProgramGroupPage=yes..UninstallDisplayIcon={app}\MyProg.exe..OutputDir=userdocs:Inno Setup Examples Output..PrivilegesRequired=lowest....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Registry]..Root: HKA; Subkey: "Software\My Company"; Flags: uninsdeletekeyifempty..Root: HKA; Subkey: "Software\My Company\My Program"; Flags: uninsdeletekey..Root: HKA; Subkey: "Software\My Company\My Program\Settings"; ValueType: st

C:\Program Files (x86)\Inno Setup 6\Examples\is-NO8D2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3612
Entropy (8bit):	5.177727533449254
Encrypted:	false
SSDEEP:	96:gkOpWmnmRSPDToJsz2NqHx1W08LN5J4SNX3X6V8:gfWmnmRSIyKIRYRLqStn66
MD5:	F39FCB62E6598EC1346429D877992140
SHA1:	63BAF927F03D0E1DDD4C9E2ADD3683A0CA1B3890
SHA-256:	CC6FF93D795EDF0DFE01F687194BBE173CB807FA44E56FAA271D40D85213EB9B
SHA-512:	A0EFF94EB8FE7F05280E2533A7D5E74280C4462B7CEF618F4112CCB7D3A8BF822441630DD628E6A7B7B56F68EE53921E4811C32417643654C804FF37C1E1007B
Malicious:	false
Reputation:	low
Preview:	; -- Example3.iss --..; Same as Example1.iss, but creates some registry entries too and allows the end..; use to choose the install mode (administrative or non administrative).....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output..ChangesAssociations=yes..UserInfoPage=yes..PrivilegesRequiredOverridesAllowed=dialog....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{group}\My Program"; Filename: "{app}\MyProg.exe"....; NOTE: Most apps do not need registry entries to be pre-created. If you..; don't know what the registry is or if you need to use it, then chances are..; you don't need a [Registry] sectio

C:\Program Files (x86)\Inno Setup 6\Examples\is-NOGMM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	902
Entropy (8bit):	5.223079795162816
Encrypted:	false
SSDEEP:	24:UMR42zKeKLs7N9r7sRGrKhmAQyNbQTRyz5A:DKyH/rtAVUTRH
MD5:	EF78F484A55869DAAFCB7E778580AC2B
SHA1:	3F21E9405BD08E084D07C955F04D1CA47434695E
SHA-256:	B99B691381A3534EDB09C3B3B2580F1A16A6A7E0CDF1725A759AC5921BC3AFCF
SHA-512:	6CA866BC3DC70B01DEAA46BBC4BA9BEFF12B60181AEE53C519916DC516D31EDFEE4C638F45C990265778E1B74622E8E0A7869432661C94E77DCB3024A6A20195
Malicious:	false
Reputation:	low
Preview:	; -- Example2.iss --..; Same as Example1.iss, but creates its icon in the Programs folder of the..; Start Menu instead of in a subfolder, and also creates a desktop icon.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..; Since no icons will be created in "{group}", we don't need the wizard..; to ask for a Start Menu folder name:..DisableProgramGroupPage=yes..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output....[Files]..Source: "MyProg.exe"; DestDir: "{app}"..Source: "MyProg.chm"; DestDir: "{app}"..Source: "Readme.txt"; DestDir: "{app}"; Flags: isreadme....[Icons]..Name: "{autoprograms}\My Program"; Filename: "{app}\MyProg.exe"..Name: "{autodesktop}\My Program"; Filename: "{app}\MyProg.exe"..

C:\Program Files (x86)\Inno Setup 6\Examples\is-OD3BG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.137289825278364
Encrypted:	false
SSDEEP:	3:jW3AVAzI8AWgn:y4Akkg
MD5:	BEABF8BC6CFE92B8FBF356CB95411BBA
SHA1:	15FD65DFA92225900FCF2EDE06EB3766E45E4599
SHA-256:	C1A3C3C9FE7251F290C173EE35E7A76AF68133328D5A3309136D937A60170619
SHA-512:	CF3B37CBC6D417AE72584CAE9831E15BE2095227EA372F38E2EF834CB3BE67116956ED722D8936CBCDC994D8A0C2CF5A54436EC38528A25F5DC470323FD25690
Malicious:	false
Reputation:	low
Preview:	Dit is het Leesmij bestand voor My Program.

C:\Program Files (x86)\Inno Setup 6\Examples\is-U7AAN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1156
Entropy (8bit):	5.2672203898366545
Encrypted:	false
SSDEEP:	24:Ua1nZiwhsOLs7N9rhewKhmAQ5Xn6dm+QLXSeiQ28q+QLNHNYM9FpTRyKNA:JPiwhsOyHVtAAXn68oenqhZFpTR4
MD5:	4CBA2574F1E3CE76BC128637EDB7CC17
SHA1:	5E4A771DE5F3742B9152BF47B6E295DE39CC4B4E
SHA-256:	907E10278187C48D6E818C19343A8E02BB872E32C4573085A2FCBE584AB5D06C
SHA-512:	0FF8E40B5B2A46AAF64A5C98D63E1A71E428F30EF88D7CDEBCC21229266F3F2F98BF3AAE5B4D36001D73ECA79E356C5399D2B1CD833C8C49AAE5CB9425CCCA77
Malicious:	false
Reputation:	low
Preview:	; -- 64Bit.iss --..; Demonstrates installation of a program built for the x64 (a.k.a. AMD64)..; architecture...; To successfully run this installation and the program it installs,..; you must have a "x64" edition of Windows.....; SEE THE DOCUMENTATION FOR DETAILS ON CREATING .ISS SCRIPT FILES!....[Setup]..AppName=My Program..AppVersion=1.5..WizardStyle=modern..DefaultDirName={autopf}\My Program..DefaultGroupName=My Program..UninstallDisplayIcon={app}\MyProg.exe..Compression=lzma2..SolidCompression=yes..OutputDir=userdocs:Inno Setup Examples Output..; "ArchitecturesAllowed=x64" specifies that Setup cannot run on..; anything but x64...ArchitecturesAllowed=x64..; "ArchitecturesInstallIn64BitMode=x64" requests that the install be..; done in "64-bit mode" on x64, meaning it should use the native..; 64-bit Program Files directory and the 64-bit view of the registry...ArchitecturesInstallIn64BitMode=x64....[Files]..Source: "MyProg-x64.exe"; DestDir: "{app}"; DestName: "MyProg.exe"..Source: "M

C:\Program Files (x86)\Inno Setup 6\Languages\is-1SC88.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines
Category:	dropped
Size (bytes):	20982
Entropy (8bit):	5.180168518243147
Encrypted:	false
SSDEEP:	384:GELYC4XIq1eZq3sOwRQ1XqzwqwqyUQlfs00IA67epw5z:GECH1eZVRSXqzwJq46tpw5z
MD5:	6FEFF2F63DF6A2DFDC85CB7B21690778
SHA1:	A3C816DF5661FFEAF188E60C3FAB82045C597B3A
SHA-256:	8CC5B9560F255FE6616DD649CA7F2A9EE8508FC3222596F4BD0E55FE1543E084
SHA-512:	FA181F0BB38439E2E732ABE359F2849B51E6760D82D07C3CAFA0325BA24B060979A0E7DED514DD7E456B372A4D7DC412EAC1F86ECBFE25DFC9DD05378D5D540D
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ Icelandic messages .;.; Translator: Stef.n .rvar Sigmundsson, eMedia Intellect.; Contact: emi@emi.is.; Date: 2020-07-25..[LangOptions]..LanguageName=<00CD>slenska.LanguageID=$040F.LanguageCodePage=1252..[Messages]..; Application titles.SetupAppTitle=Uppsetning.SetupWindowTitle=Uppsetning - %1.UninstallAppTitle=Ni.urtaka.UninstallAppFullTitle=%1-ni.urtaka..; * Misc. common.InformationTitle=Uppl.singar.ConfirmTitle=Sta.festa.ErrorTitle=Villa..; * SetupLdr messages.SetupLdrStartupMessage=.etta mun uppsetja %1. Vilt .. halda .fram?.LdrCannotCreateTemp=.f.rt um a. skapa t.mabundna skr.. Uppsetningu h.tt.LdrCannotExecTemp=.f.rt um a. keyra skr. . t.mabundna skr.asafninu. Uppsetningu h.tt.HelpTextNote=..; * Startup error messages.LastErrorMessage=%1.%n%nVilla %2: %3.SetupFileMissing=Skr.na %1 vantar .r uppsetningarskr.asafninu. Vinsamlega lei.r.ttu vandam.li. e.a f..u n.tt afrita af forritinu..SetupFileCorrupt=

C:\Program Files (x86)\Inno Setup 6\Languages\is-5FB04.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	22558
Entropy (8bit):	5.2264762403165665
Encrypted:	false
SSDEEP:	384:MhQlxuOOs9MM9wgy1np1rXaOz5eCP2ZXuYvhCeLq4YAs9GWGb4SYQ4ZiPSY8jYMH:MhQlxuOOs9MM9Hqn3rXDpPeXuY5CeLlQ
MD5:	3E95A009F030018CE1B08B1AD6BAB282
SHA1:	F9CA75D9D316B53AEAD1C29A36E796E8D7A6CA5C
SHA-256:	B51C11B6F09B1098284E7962885009F3FE30400B7418080D4315191D144D8CEA
SHA-512:	64F64ACB8F21825EE7AC8FC8A48931C69D1361FCE0C5AEF95D27893771D19F3987ED21A4B63C5B9517D029D86F0E991AF47529521EDCB58A3A8433B12C8918D2
Malicious:	false
Reputation:	low
Preview:	; *****************************************************..; * *..; * Inno Setup version 6.1.0+ Czech messages *..; * *..; * Original Author: *..; * *..; * Ivo Bauer (bauer@ozm.cz) *..; * *..; * Contributors: *..; * *..; * Lubos Stanek (lubek@users.sourceforge.net) *..; * Vitezslav Svejdar (vitezslav.svejdar@cuni.cz) *..; * *..; ***************************************************....[LangOptions]..LanguageName=<010C>e<0161>tina..LanguageID=$0405..LanguageCodePage=1250....[Messages]....; * Application titles..SetupAppTitle=Pr.vodce instalac...SetupWin

C:\Program Files (x86)\Inno Setup 6\Languages\is-6MA2E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	22644
Entropy (8bit):	4.911842969911767
Encrypted:	false
SSDEEP:	384:P5BM9dNgke7b3KYB+7EdGM2ysCXXGzQmro+WHWdb2yFKqRCIX0Z/MidSI2D4ouXC:Af43oszKySInouKpBQucKP/
MD5:	C8AB202F1D789727798DD9D6D473E5EC
SHA1:	A5AD2A05AADDB59B4389EAF523A920071C26346C
SHA-256:	BEAADEA9848F84154E3B83E9D5B3E8569D13BA3E5C014EA6B2781219B2B6F6DE
SHA-512:	249D1836A5359C1148045F674D00A5180BEE42F716AA1BDE79256C2122B4CC75C9FDC6614FB7040910390FFAEA034FEBF60BC5E45334961C381F539BAF731EF4
Malicious:	false
Reputation:	low
Preview:	.; bovirus@gmail.com..; * Inno Setup version 6.1.0+ Italian messages *..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...;..; Italian.isl - Last Update: 25.07.2020 by bovirus (bovirus@gmail.com)..;..; Translator name: bovirus..; Translator e-mail: bovirus@gmail.com..; Based on previous translations of Rinaldo M. aka Whiteshark (based on ale5000 5.1.11+ translation)..;..[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=Italiano..LanguageID=$0410..LanguageCodePage=1252..; If the language you are translating to requires special font faces or..; siz

C:\Program Files (x86)\Inno Setup 6\Languages\is-8BUC6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21240
Entropy (8bit):	5.907086299104064
Encrypted:	false
SSDEEP:	384:9uK00E3fAAxFEmuYVxWnmOnqwMDYI9Vl+d+TpyQl9+MR5rNg3MYcsd3ed1HJIDtd:96Mqxd18tpQjA
MD5:	6D80ECCFC60D73E3612DD395E1CF8C25
SHA1:	326949646B420A47038A84A8F3F8418876FE6F50
SHA-256:	AF162FD5F2E76A7E49C3D4ED0DF1E9ACA5491AF9CB73CCCCB5FF9B67C027145D
SHA-512:	E74A67EF6FB92FB8C5C4338329278FE1D0FFB2289199968D78F9F534B3A9A496486D6097870F1D78CA8D01FBFBBC7411648155F242E60FB67E374C5A6B2AD8EE
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Ukrainian messages ..; Author: Dmytro Onyshchuk..; E-Mail: mrlols3@gmail.com..; Please report all spelling/grammar errors, and observations...; Version 2020.08.04....; .......... ........ Inno Setup ... .... 6.1.0 .. ....*..; ..... .........: ...... ........; E-Mail: mrlols3@gmail.com..; .... ....., ........... ... .. ....... ....... .. .............; ..... ......... 2020.08.04....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=<0423><043A><0440><0430><0457><043D><0441><044C><043A><0430>..LanguageID=$0422..LanguageCodePage=1251..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Aria

C:\Program Files (x86)\Inno Setup 6\Languages\is-8H1UE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20351
Entropy (8bit):	5.019793978400523
Encrypted:	false
SSDEEP:	384:ioo8WyiozAdBbC3r8zlSmGibyID0Cs3PcmN91lt8WA1:NR0zbKr5i+fPv91lt8n1
MD5:	ECC3613E1B17B1B7F0C3A5CF5FB165F2
SHA1:	4B5B79CBC4F57E18DCC57139C606EF4C19882205
SHA-256:	D4C615CC9C0020D1BD118CF12B074D0992EA928855FA81AB8FBFA54AF4929450
SHA-512:	47FD54E306195053331750F70425F8AD918930C946B2170DF3FD3CE481852D1C7C25BC0927761C9BC2CA916092B668646738AFBE4BC2247332691D67A2E70D52
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Slovenian messages ..;..; To download user-contributed translations of this file, go to:..; http://www.jrsoftware.org/is3rdparty.php..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...;..; Maintained by Jernej Simoncic (jernej+s-innosetup@eternallybored.org)....[LangOptions]..LanguageName=Slovenski..LanguageID=$0424..LanguageCodePage=1250....DialogFontName=..[Messages]....; Application titles..SetupAppTitle=Namestitev..SetupWindowTitle=Namestitev - %1..UninstallAppTitle=Odstranitev..UninstallAppFullTitle=Odstranitev programa %1....; * Misc. common..InformationTitle=Informacija..ConfirmTitle=Potrditev..ErrorTitle=Napaka....; *** SetupLdr messages..SetupLdrStartupMessage=V ra.unalnik boste namestili program %1. .elite nadaljevati?..LdrCann

C:\Program Files (x86)\Inno Setup 6\Languages\is-8J7K4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	24587
Entropy (8bit):	5.006349722504402
Encrypted:	false
SSDEEP:	384:pAEitpI58fmC3bX6s/T+5ZlHs+OUzbL9gD0Ie5tceTtmnLH11y/aDgvQkDDS3:potpjD/qHlHVxzbLUe5tceBSytQkDDq
MD5:	2D7FD68FBD91CCD3027F42D928C4804A
SHA1:	8750D9801F5F67964F1575A0743C3A94AFDEB891
SHA-256:	8BD0D84AC01CC97ED2B8BD8107E6A4EE3DC085EF3969FEE88FC750FB99FBFEA4
SHA-512:	37817C8799B4909DDCF15D18AE63F061B0D2E26438D60128CC5BA75E9522719E34871CFC873C7438FC0F90239316DB032ABE537C7025AD3C225B338442A04E91
Malicious:	false
Reputation:	low
Preview:	.; ****************************************************..; * *..; * Inno Setup version 6.1.0+ German messages *..; * *..; * Changes 6.0.0+ Author: *..; * *..; * Jens Brand (jens.brand@wolf-software.de) *..; * *..; * Original Authors: *..; * *..; * Peter Stadler (Peter.Stadler@univie.ac.at) *..; * Michael Reitz (innosetup@assimilate.de) *..; * *..; * Contributors: *..; * *..; * Roland Ruder (info@rr4u.de) *..; * Hans Sperber (Hans.Sperber@de.bosch.com) *..; * Lau

C:\Program Files (x86)\Inno Setup 6\Languages\is-8MA5V.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20909
Entropy (8bit):	4.973796195171125
Encrypted:	false
SSDEEP:	384:yOZJULDquvZ2vBXt5CAi2+tNbcrRx7ZYmvBGu5xV8XkqXFbQ8QA9:xWLDdZuXt5CAirs9lpvB/KX28f
MD5:	06EE884FA819292E78DE41CAF9C9D3B6
SHA1:	F1E4D23D7686D7A992A593ADB7754309601228EB
SHA-256:	FFD55FCC74825C48F7B3CF173B5528A71D55DF5C465CB24E6AC42E2C5F991A13
SHA-512:	1D2EC6B71FA9587894E61FCA077A89C00ACFD58FEB1DF30CC90B2FA39D3DBA1DF457C1DD58942A6177E773ED75E8D933233A263A463BE88ABB8375751FA7EDA6
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Norwegian (bokm.l) messages ..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...;..; Norwegian translation currently maintained by Eivind Bakkestuen..; E-mail: eivind.bakkestuen@gmail.com..; Many thanks to the following people for language improvements and comments:..;..; Harald Habberstad, Frode Weum, Morten Johnsen,..; Tore Ottinsen, Kristian Hyllestad, Thomas Kelso, Jostein Christoffer Andersen..;..; $jrsoftware: issrc/Files/Languages/Norwegian.isl,v 1.15 2007/04/23 15:03:35 josander+ Exp $....[LangOptions]..LanguageName=Norsk..LanguageID=$0414..LanguageCodePage=1252....[Messages]....; ** Application titles..SetupAppTitle=Installas

C:\Program Files (x86)\Inno Setup 6\Languages\is-9QHP3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21562
Entropy (8bit):	5.134068567187423
Encrypted:	false
SSDEEP:	384:gEH/GYX0hnycX5slw5ELaAeE7SOWV7ksIibc4bzT9O:13S7slTLaAeE7SOWOL4bI
MD5:	4FFA59161964E9B6F90B5249FC121499
SHA1:	21C2CCC75A500C7A7C82A97A2D8B2D4AC108374D
SHA-256:	B49DDDAAE0AEE32B7141818BD27318A2E49CFBEB7E0D3A8CABB856452C19E88F
SHA-512:	76AD6689B266C5376A12CE0B7B44F3AA828951DA3BE25DB700476B15A9DB02A95D2750CA9046DEDB71653AF4BB13C1E57A0AE02345E2FA78F2CC34167DFDCF1F
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Turkish messages *..; Language."Turkce" Turkish Translate by "Ceviren".Kaya Zeren translator@zeron.net..; To download user-contributed translations of this file, go to:..; https://www.jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed).....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=T<00FC>rk<00E7>e..LanguageID=$041f..LanguageCodePage=1254..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;Titl

C:\Program Files (x86)\Inno Setup 6\Languages\is-A4AP1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21189
Entropy (8bit):	4.96794878537392
Encrypted:	false
SSDEEP:	384:W47mwM2f5pKmwvAvgW/UmgA89rqiEXGeyuiDSH+k60baGkNbno1jH0nAOMSTotJ4:3SwM2fKj5W/UmpUfeyu/+k60w815tJNK
MD5:	7E08BCFF7D6973DA8F7978BA5C87037D
SHA1:	36626E0F329E40683B0BC09098C40ABECC589544
SHA-256:	16D58FBCA5E559AE8C03E73CE7AB78A5FFE0EA683386B5BE5CCC0314F4BB2521
SHA-512:	FECC0BA3DEE48F8CD2D414D7FAD652A9D8F4790ED0123C1652891C95B7D6D7AD690C9A47658B37D280022C78EE45E5148BD27291F27217240927E20BCD733D6C
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Danish messages ..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...;..; ID: Danish.isl,v 6.0.3+ 2020/07/26 Thomas Vedel, thomas@veco.dk..; Parts by scootergrisen, 2015....[LangOptions]..LanguageName=Dansk..LanguageID=$0406..LanguageCodePage=1252....; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Arial..;CopyrightFontSize=8....[Messages]..; ** Application titles..SetupAppTitle=Installationsgu

C:\Program Files (x86)\Inno Setup 6\Languages\is-AU5HQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	22651
Entropy (8bit):	5.192315758248488
Encrypted:	false
SSDEEP:	384:rDubffyN0J9NJ2TbZ0Xs8sR5RnjaX2xAhCmV5Pt9QrTbP1FGfmYxF91fQpz/Tgkz:cffyN0JLwZ0X/85u9hCg5Pt9QrTj1DYe
MD5:	4CF6CEA8545A1F26A0F04FD32FD271F0
SHA1:	5BE5683E0BD0EDB346EFEA334CEAD7D7572F3D65
SHA-256:	12A334E80C29D310B2EA79D9B89D0E1ED3287ABB18F82D15AB45728C54FC48AC
SHA-512:	594DB49C5B82F655541670760737707C4E3EF786A4BEDCB38E8500B78BE3EA12DE1F71667141F444D174A4FA9659B006DC70BE6C743D699C546A73C1C2340649
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Polish messages ..; Krzysztof Cynarski <krzysztof at cynarski.net>..; Proofreading, corrections and 5.5.7-6.1.0+ updates:..; .ukasz Abramczuk <lukasz.abramczuk at gmail.com>..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...; last update: 2020/07/26 ....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=Polski..LanguageID=$0415..LanguageCodePage=1250....[Messages]....; ** Application titles..SetupAppTitle=Instalator..SetupWindowTitle=Instalacja - %1..UninstallAppTitle=Dezinstalator..UninstallAppFullTitle=Dezinstalacja - %1.

C:\Program Files (x86)\Inno Setup 6\Languages\is-EKI7B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	22721
Entropy (8bit):	4.894413246913781
Encrypted:	false
SSDEEP:	384:VPwWH3QW2pVJVfNLUlNyqTH0TbBLDmUnZ0WPw8/C6WdJS7vGyv17rPUf:VPFsV7p+pSPW
MD5:	3F2EE1C74CACA1D7164573767575224A
SHA1:	E8386720B6B84C5744CB7113084FC530ED9B5D52
SHA-256:	8143F1D1BA52E79D39DC703B7D013E35BE87B8B30EDA40551AD918FECEFF73BA
SHA-512:	67DDD47FE38618C5B19E111F535C251B175F407801FCA7663A17D721867638D9478A672AAE5766DF8305F06FEE7C74E43991E7C3BD428B5B9271514BE33B5495
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Spanish messages ..;..; Maintained by Jorge Andres Brugger (jbrugger@ideaworks.com.ar)..; Spanish.isl version 1.5 (20200727)..; Default.isl version 6.1.0..; ..; Thanks to Germ.n Giraldo, Jordi Latorre, Ximo Tamarit, Emiliano Llano, ..; Ram.n Verduzco, Graciela Garc.a, Carles Millan and Rafael Barranco-Droege....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=Espa<00F1>ol..LanguageID=$0c0a..LanguageCodePage=1252..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Arial..;CopyrightFontSize=8....[Messages]....; ** Application titles..SetupAppTitle=Instalar..SetupWindowTitle=Instalar - %1..Uninstal

C:\Program Files (x86)\Inno Setup 6\Languages\is-EQUIL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF, NEL line terminators
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	6.139628951362008
Encrypted:	false
SSDEEP:	384:T3ZmgB3ny92KeLIbYGyeNr6cqUuLsR3YmHk+PicH7+sTUyCVc:FmgB3nNtLI5Icw5J2gVc
MD5:	1F5C9CCFE75D6E84C3739A26CE4E4246
SHA1:	C523E1705779FF4D5914FAD729BEB4E7A004D4CC
SHA-256:	A723CC48C5AC9009296695DB8484ED0383D092B8DE23CC80E20840D4A0FC44D6
SHA-512:	3D6AFAAF0F6D624537258E5AC74817184C6B1C857F8D1523B6B75529BFC231E0496F30C6D0D1D04C471DA54EA7D5757E126D8C95A6055269C9C9A2BCCFCC8A0B
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Japanese messages ..;..; Maintained by Koichi Shirasuka (shirasuka@eugrid.co.jp)..;..; Translation based on Ryou Minakami (ryou32jp@yahoo.co.jp)..;..; $jrsoftware: issrc/Files/Languages/Japanese.isl,v 1.6 2010/03/08 07:50:01 mlaan Exp $....[LangOptions]..LanguageName=<65E5><672C><8A9E>..LanguageID=$0411..LanguageCodePage=932....[Messages]....; Application titles..SetupAppTitle=.Z.b.g.A.b.v..SetupWindowTitle=%1 .Z.b.g.A.b.v..UninstallAppTitle=.A...C...X.g.[....UninstallAppFullTitle=%1 .A...C...X.g.[......; * Misc. common..InformationTitle=.....ConfirmTitle=.m.F..ErrorTitle=.G...[....; * SetupLdr messages..SetupLdrStartupMessage=%1 ...C...X.g.[........B...s........H..LdrCannotCreateTemp=...t.@.C..............B.Z.b.g.A.b.v...~......B..LdrCannotExecTemp=...t.H..._.[..t.@.C.......s........B.Z.b.g.A.b.v...~......B....; * Startup error messages..LastErrorMessage=%1.%n%n.G...[ %2: %3..SetupFileMissing=.t.@.C.. %1 ...........

C:\Program Files (x86)\Inno Setup 6\Languages\is-G15VB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	25724
Entropy (8bit):	4.959761609757612
Encrypted:	false
SSDEEP:	384:m02EjvpZrMLhoZ1QFiK2ztCF97QSFhusWG1D3h1bOsIVOoZw:Fvp2gQFiK2EzESHL8sIV7S
MD5:	7530A6067C56CEDDD1E585ADCB7F63B1
SHA1:	2E22CBFA2E631386640695FCDE8D68615479C58D
SHA-256:	089A817AB691CF23FFE8139FFE8B4FC300390D6296C4533C23A14F697231B726
SHA-512:	941149B905E03199000CFBDA2B0512E25D894D68F578F8B4342860575C198E8B7C17FE46596A673672C89EAB678862EA0ABD3A94E94EB73037952D605B9030A2
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ French messages *..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed)...;..; Maintained by Pierre Yager (pierre@levosgien.net)..;..; Contributors : Fr.d.ric Bonduelle, Francis Pallini, Lumina, Pascal Peyrot..;..; Changes :..; + Accents on uppercase letters..; http://www.academie-francaise.fr/langue/questions.html#accentuation (lumina)..; + Typography quotes [see ISBN: 978-2-7433-0482-9]..; http://fr.wikipedia.org/wiki/Guillemet (lumina)..; + Binary units (Kio, Mio) [IEC 80000-13:2008]..; http://fr.wikipedia.org/wiki/Octet (lumina)..; + Reverted to standard units (Ko, Mo) to follow Windows Explorer Standard..; http:

C:\Program Files (x86)\Inno Setup 6\Languages\is-GF7CS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	21089
Entropy (8bit):	4.935328773982594
Encrypted:	false
SSDEEP:	384:9ucU7lSBl14wfHZGuKNTLPv4l58OtguELvejsAeGtRvsmTSlEcjXjSq:YEBl14cHZGbNTL3484pEbejscglNWq
MD5:	CBCAECEBCCD955A24A9A03616E67A5A8
SHA1:	EED53FCCF3BB45AF733F89F4B62854B6EC7970BB
SHA-256:	84E58FA648F4262D1E0EA4EBFF3A8024251AA649FA4CBDCDC6353911C31F3CDC
SHA-512:	29344BA0B043E2FDD807A26F079E20848E70EF6C9EFBD8A6632E72856265E70199A8DE5B106FD0A79BED1E210EB155E4B0E9D29E3FE1C37F820DDBDDEFA26E56
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Catalan messages ..;.; Translated by Carles Millan (email: carles@carlesmillan.cat).;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno...[LangOptions]..LanguageName=Catal<00E0>.LanguageID=$0403.LanguageCodePage=1252..[Messages]..; Application titles.SetupAppTitle=Instal.laci..SetupWindowTitle=Instal.laci. - %1.UninstallAppTitle=Desinstal.laci..UninstallAppFullTitle=Desinstal.la %1..; * Misc. common.InformationTitle=Informaci..ConfirmTitle=Confirmaci..ErrorTitle=Error..; *** SetupLdr messages.SetupLdrStartupMessage=Aquest programa instal.lar. %1. Voleu continuar?.LdrCannotCreateTemp=No s'ha pogut crear un fitxer temporal. Instal.laci. cancel.lada.LdrCannotExecTemp=No s'ha pogut executar el fitxer a la carpeta temporal. Instal.laci. cancel.

C:\Program Files (x86)\Inno Setup 6\Languages\is-GKFVC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	24924
Entropy (8bit):	5.123348048930306
Encrypted:	false
SSDEEP:	384:Iz8k38vU5kCrL2kVegNq/gfWilmFWC8UOgLm1FW3FF:UvyCrX8gfDmFEIFF
MD5:	61CBAAE65457FC2723C457C2E6549D1D
SHA1:	CE39A397A2E80C6B9073026C2227BE425D667BDF
SHA-256:	910C102235F6D6DD723298ED7565D2033E3A3C76D2C1C260FC9A436172EEA221
SHA-512:	BCD49B7CF8E9CFF152E77A112E7193058D28EF6071001117B4E332A5786B2F03ABFB2CD8D47E05854FC7254ADE8BA17A0623D496FB099237CF4DC14C6F84FD21
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ Corsican messages *..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed).....; Created and maintained by Patriccollu di Santa Maria . Sich...; Schedariu di traduzzione in lingua corsa da Patriccollu..; E-mail: Patrick.Santa-Maria[at]LaPoste.Net..;..; Changes:..; November 14th, 2020 - Changes to current version 6.1.0+..; July 25th, 2020 - Update to version 6.1.0+..; July 1st, 2020 - Update to version 6.0.6+..; October 6th, 2019 - Update to version 6.0.3+..; January 20th, 2019 - Update to version 6.0.0+..; April 9th, 2016 - Changes to current version 5.5.3+..; January 3rd, 2013 - Update to version 5.5.3+..; August 8th, 2012 - Update to v

C:\Program Files (x86)\Inno Setup 6\Languages\is-HKCVQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21097
Entropy (8bit):	4.89200155875569
Encrypted:	false
SSDEEP:	384:G5DweL2IoLwwl0nLFB//Ip2RKTuLMLaLTTrt4qLxLVSilPLIt7/cLD/Id9mc9Pb:GBhB//Ip2ZrttSiTc9T
MD5:	9557883A2B8926ACCE773183F14E55EB
SHA1:	633E8829A731F68C96851FE2F8390F5ADF94BB3A
SHA-256:	03EB6CB740270740844611806F4E7FA6828530C3D62CD3CBD6B6B97A82950980
SHA-512:	B887C8E07D823944EBBD90EABE1CE36003195400937434C6B8F12CA9F90562DB0840F8744A3ECA1A43936CDF94B2DFAC63F40ED6A2210633383AD4A13963F8FD
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ Dutch messages ..;..; This file is based on user-contributed translations by various authors..;..; Maintained by Martijn Laan (mlaan@jrsoftware.org).. ..[LangOptions] ..LanguageName=Nederlands ..LanguageID=$0413 ..LanguageCodePage=1252....[Messages]....; Application titles..SetupAppTitle=Setup..SetupWindowTitle=Setup - %1..UninstallAppTitle=Verwijderen..UninstallAppFullTitle=%1 verwijderen....; * Misc. common..InformationTitle=Informatie..ConfirmTitle=Bevestigen..ErrorTitle=Fout....; * SetupLdr messages..SetupLdrStartupMessage=Hiermee wordt %1 ge.nstalleerd. Wilt u doorgaan?..LdrCannotCreateTemp=Kan geen tijdelijk bestand maken. Setup wordt afgesloten..LdrCannotExecTemp=Kan een bestand in de tijdelijke map niet uitvoeren. Setup wordt afgesloten....; * Startup error messages..LastErrorMessage=%1.%n%nFout %2: %3..SetupFileMissing=Het bestand %1 ontbreekt in de installatiemap. Corrigee

C:\Program Files (x86)\Inno Setup 6\Languages\is-ISUAK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	22362
Entropy (8bit):	4.949282243664917
Encrypted:	false
SSDEEP:	384:KEjk8hhQZFcD+hsMP9NN//inLhmzNGbUHYVH+v+fI1O9IHPCPBwjYJOc:XdGFcD+hsoNtqnkEUa8YJh
MD5:	1A00257794558D1549B1A17C920FC6F9
SHA1:	B35A339FA92A17601997788E24442A68920FBA2C
SHA-256:	7DF707E304DE71A9A381558E7D849527A9B7D85CF03261E6751B79EAD57FA1C2
SHA-512:	EFD694059F3D1AAF27A7777D75BCB3F098DB78595ED07057A5CE0CFDE89C73D1AFE8D0078B2FB9DB6F2A2FEA5E317A84240797748BB29FCD733B169B24D59DB1
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Brazilian Portuguese messages made by Cesar82 cesar.zanetti.82@gmail.com *..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed).....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=Portugu.s Brasileiro..LanguageID=$0416..LanguageCodePage=1252..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightF

C:\Program Files (x86)\Inno Setup 6\Languages\is-JVD0M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21433
Entropy (8bit):	5.22487537353206
Encrypted:	false
SSDEEP:	384:Py9neBMioprPo/W9ngfmnoWmXLRCkv2wUU5cYw/J4RYYxcYZYY1BC1DbyW12hNLS:PyN6FopDCmoWmXLRCw2wUjnJ7KciZi4e
MD5:	4C764199BE68757170612BE7F63A6824
SHA1:	70DAF1645A7B2AFB6AC7329E547A246C8F6FF61D
SHA-256:	1E37910CF8A961DF936FF8BBD6281EC56AFB96B3E1B4D50CF1862DA8C212FC7A
SHA-512:	A9E763183D4F28BAE4065C1F067FA64184BD29840B737B767E94C08E40AE1FF2EF0E1C13B6B4C27D028F90A8D2DB165F9A775E68DAEF7E09FE2FE5E19180DA57
Malicious:	false
Reputation:	low
Preview:	; ****************************************************..; * *..; * Inno Setup version 6.1.0+ Slovak messages *..; * *..; * Original Author: *..; * *..; * Milan Potancok (milan.potancok AT gmail.com) *..; * *..; * Contributors: *..; * *..; * Ivo Bauer (bauer AT ozm.cz) *..; * *..; * Tomas Falb (tomasf AT pobox.sk) *..; * Slappy (slappy AT pobox.sk) *..; * *..; * Update: 22.08.2020 *..; * *..; **********

C:\Program Files (x86)\Inno Setup 6\Languages\is-L94VD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21052
Entropy (8bit):	5.903547732671703
Encrypted:	false
SSDEEP:	384:tpvCwCJf6WraPhL8ewaAAbIERl7gAPw77krKkrArMQkwlecfqoHfFFevAw0NgXE/:jyJkP1kg9UIkHCovUEUw
MD5:	0213489F0E9C06E65F67F4C1E64A4C03
SHA1:	B114D8FF44CD6961A84C5F06A0DC4675E187009C
SHA-256:	84201550D67DC6AAA34A848682E4138E5C30C3051771C338D0012DC47934C8EF
SHA-512:	98465367426E504DFCBA322191E65A3440C03089386A3C5FC338981AF58B48B0ED4EB424A9EDCD2B72E13F7A7F73B33B3BD28102F453A64C33CCD3E1E4CFDE5C
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Russian messages ..;..; Translated from English by Dmitry Kann, yktooo at gmail.com..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed).....[LangOptions]..LanguageName=<0420><0443><0441><0441><043A><0438><0439>..LanguageID=$0419..LanguageCodePage=1251....[Messages]....; Application titles..SetupAppTitle=...........SetupWindowTitle=......... . %1..UninstallAppTitle=...............UninstallAppFullTitle=............. . %1....; * Misc. common..InformationTitle=............ConfirmTitle=...............ErrorTitle=..........; *** SetupLdr messages..SetupLdrStartupMessage=...... ......... ......... %1 .. ... ........., ..........?..LdrCannotCreateTemp=.......... ....... ......... ..... ......... ..........LdrCannotExecTemp=.......... ......... .... ..

C:\Program Files (x86)\Inno Setup 6\Languages\is-LQ2D1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	28284
Entropy (8bit):	5.198218326399592
Encrypted:	false
SSDEEP:	384:alxtb6Ynj0C6Weotdvh+DMZUhXAmwHbc5kJzChUjim5sNVVk7D007Z:w2Wlthh+DMgXAmkc5kJmpNVa7Q07Z
MD5:	7B9F018BB9DC566B84F9BF051E6F5DA3
SHA1:	707CED1534D2BD9BEC9B863F67826ACC29C222C7
SHA-256:	7158229F3C6AC82178696578039F87412E9CE55D57C0D365B40F85E63F25839C
SHA-512:	EEBF375A1A69F95B2272F987D4F20AF8B70C74AE16FF6BFB3A6F9BCD265559F59E02969089681B14F901815CB51BF697B3176878A03CE97E6715EA24E4539371
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ Armenian messages ..;..; Armenian translation by Hrant Ohanyan..; E-mail: h.ohanyan@haysoft.org..; Translation home page: http://www.haysoft.org..; Last modification date: 2020-10-06..;..[LangOptions]..LanguageName=.........LanguageID=$042B..LanguageCodePage=0..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Arial..;CopyrightFontSize=8....[Messages]....; Application titles..SetupAppTitle=...........SetupWindowTitle=%1-. ...........UninstallAppTitle=..............UninstallAppFullTitle=%1-. ................; * Misc. common..InformationTitle=..............ConfirmTitle=..........ErrorTitle=........; *** SetupLdr messages..SetupLdr

C:\Program Files (x86)\Inno Setup 6\Languages\is-PQGL1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	19919
Entropy (8bit):	4.956979729848306
Encrypted:	false
SSDEEP:	384:88to9NMSkaHAXRIoSUnjLdqVmtiyyXQHxJbKsumN6HwdWiOXBTSb/otCL:89kaHGjLdq4ACxJbKXmaiyxSb/mCL
MD5:	FC8C86BCACCB0C5D8C33EB50854C1427
SHA1:	5229BC182DCFBB402309273EE8C3C0C34E9EF424
SHA-256:	1A4E769F79F80339C13C37EC02D6F320506FB799BA49FAEE5D799F2DACA05012
SHA-512:	B240432AC3390EC959970AC7A8C5CD99117EF58042F35F816C3F719830A745FFAE30AC928FD484CB6758D66D7D8FCCF0287B3AD0DB177833F6632AF117A5E1EF
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Finnish messages ..;..; Finnish translation by Antti Karttunen..; E-mail: antti.j.karttunen@iki.fi..; Last modification date: 2020-08-02....[LangOptions]..LanguageName=Suomi..LanguageID=$040B..LanguageCodePage=1252....[Messages]....; Application titles..SetupAppTitle=Asennus..SetupWindowTitle=%1 - Asennus..UninstallAppTitle=Asennuksen poisto..UninstallAppFullTitle=%1 - Asennuksen poisto....; * Misc. common..InformationTitle=Ilmoitus..ConfirmTitle=Varmistus..ErrorTitle=Virhe....; * SetupLdr messages..SetupLdrStartupMessage=T.ll. asennusohjelmalla asennetaan %1. Haluatko jatkaa?..LdrCannotCreateTemp=V.liaikaistiedostoa ei voitu luoda. Asennus keskeytettiin..LdrCannotExecTemp=V.liaikaisessa hakemistossa olevaa tiedostoa ei voitu suorittaa. Asennus keskeytettiin....; * Startup error messages..LastErrorMessage=%1.%n%nVirhe %2: %3..SetupFileMissing=Tiedostoa %1 ei l.ydy asennushakemistosta. Korjaa ongelma tai hanki uusi kopio ohjelmasta...SetupFil

C:\Program Files (x86)\Inno Setup 6\Languages\is-RJT56.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	21907
Entropy (8bit):	4.94562465873614
Encrypted:	false
SSDEEP:	192:5j1d+VPcvwphGQZM8XKaoHqvzdPiddzweLn/gggcLIVBDj1wvE8a37ROeR69JTsz:5j1d+VymYQZ0IRO8DG437ROeRBltEK9
MD5:	1A958059196BA77565C9A2AB2827FB4C
SHA1:	AA3FEB0D180C40A6AF49B51F40F2B48954AFC32F
SHA-256:	4F3BD1C2E8BBFBE8628A6D0EEF9A19F9FB891C7302A62951B4BB1B98C82CE0D8
SHA-512:	0032D04FD65324C5BDF4C58054C9085262DAF330A1BB2902744BEF47E8F1356C51905FD2A1173359B2A9F10F4595AF0B202994A235F8B3FC2D9C42E4FA1B375F
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Portuguese (Portugal) messages ..;..; Maintained by Nuno Silva (nars AT gmx.net)....[LangOptions]..LanguageName=Portugu<00EA>s (Portugal)..LanguageID=$0816..LanguageCodePage=1252....[Messages]....; Application titles..SetupAppTitle=Instala..o..SetupWindowTitle=%1 - Instala..o..UninstallAppTitle=Desinstala..o..UninstallAppFullTitle=%1 - Desinstala..o....; * Misc. common..InformationTitle=Informa..o..ConfirmTitle=Confirma..o..ErrorTitle=Erro....; * SetupLdr messages..SetupLdrStartupMessage=Ir. ser instalado o %1. Deseja continuar?..LdrCannotCreateTemp=N.o foi poss.vel criar um ficheiro tempor.rio. Instala..o cancelada..LdrCannotExecTemp=N.o foi poss.vel executar um ficheiro na directoria tempor.ria. Instala..o cancelada..HelpTextNote=....; * Startup error messages..LastErrorMessage=%1.%n%nErro %2: %3..SetupFileMissing=O ficheiro %1 n.o foi encontrado na pasta de instala..o. Corrija o problema ou obtenha uma nova c.pia do programa...SetupFileCo

C:\Program Files (x86)\Inno Setup 6\Languages\is-VAB28.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	17711
Entropy (8bit):	5.75024526928349
Encrypted:	false
SSDEEP:	384:GnOssheYzNCYeAvnS9SIrhKq3+v9jFoT5UXDTHw/6P:ohBYfPaFKXXDTHGy
MD5:	0907A44320853812C9F14FA6AABB0AA3
SHA1:	4BEE245A0D8B45F5B628D17D62366B9108024560
SHA-256:	824A12A15A29962FC478C32922604542CD843BEDF786EE7264C96AB27A07F9D4
SHA-512:	EFA5484320B036B756A3CE35251208186A49D379C1E85EB2513503E612D66CCA5D727370220E7D1114755E3F1E9E19F603F4E9D45C304216ED59A7D8ED568A22
Malicious:	false
Reputation:	low
Preview:	; * Inno Setup version 6.1.0+ Hebrew messages (s_h(at)enativ.com) ..;..; https://jrsoftware.org/files/istrans/..;.Translated by s_h (s_h@enativ.com) (c) 2020..;......[LangOptions]..LanguageName=<05E2><05D1><05E8><05D9><05EA>..LanguageID=$040D..LanguageCodePage=1255..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Tahoma..;WelcomeFontSize=11..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Arial..;CopyrightFontSize=8..RightToLeft=yes....[Messages]....; Application titles..SetupAppTitle=.......SetupWindowTitle=..... - %1..UninstallAppTitle=......UninstallAppFullTitle=.... %1....; * Misc. common..InformationTitle=......ConfirmTitle=.......ErrorTitle=.........; *** SetupLdr messages..SetupLdrStartupMessage=..... .. ..... .. %1 .. ...... ... ...... ......?..LdrCannotCreateTemp=..... ... ..... .... ..... ...... .

C:\Program Files (x86)\Inno Setup 6\is-1D3SP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-1QJIG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 55 x 55 x 4
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	3.277016089908744
Encrypted:	false
SSDEEP:	24:gmT9nFHTfJp6cGKgua5nFqSM6oE1COIt6ZHYXk:gmRnFtp6dKgusF+6RChts
MD5:	D194F28D606F27C8F9AA225122CA2BB8
SHA1:	E30CC5F3B7857124D07F19FA5C4170D0442BFA56
SHA-256:	A7E560D419E85DAF80CCE980BAA124EF7C73197D0F51A59A19F1866EE8EDFE8C
SHA-512:	83D2E6B547D8B3412DA500EBABF70202944F2891B6C229227DCB2B756DBBC0F2360E5C25C305DD915C6BEFCF7B9C6A26628EFB7460F3C244D3D9DED22D6042AB
Malicious:	false
Reputation:	low
Preview:	BMz.......v...(...7...7...............3...3...........................................................................UUUUUUUUUUUUUUUUUUUUUUUUUUUPQ..........................PP..........................PQ..........................PP..........................PQ..........................PP.......#DU....5 ..........PQ......EUDT...%UU!.........PP.....UC#T ...B%.EB........PQ....UR......S.%..%S.......PP...S%......T"R%...$T .....PQ...!B.....5"E!%!....U1....PP..C.P....%@% %UU ....5B...PQ..Q.!....R.A$UUUUB....$T..PP..0. ...S...UUUUUUS.....@.PQ..!.!..E!..UUUU$UUUT!...A.PP.. . .50..EUUR%..UUUU2..P.PQ..!.Q.A..5UUT.%..5UUUUS.Q.PP..@.R...%2UU ....UUUUUU@.PQ..Q..!..R.U1.R....R$UUUU!.PP..$..R."..0.UR....$..UU2..PQ...A.%A.%1.EUR.....!.E1...PP...E .5DSP%UUR.....@.R....PQ....T!.#.Q%UUR.....Q.Q....PP.....E@..P%UUR.....#.0....PQ.....EB!.Q%UUR.......!....PP.....5UUUP%UUR......$.....PQ..........%UUR......U.....PP.....2."""%UUR......T.....PQ.....C.UUUUUUR......D.....PP.....C.UUUUUUR......%.....PQ.....C.UUUUUU

C:\Program Files (x86)\Inno Setup 6\is-28ANT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34592
Entropy (8bit):	7.011437683083258
Encrypted:	false
SSDEEP:	768:S90S/tQBWq7kMkmB/YhOvmRuK2s8dzjF+OiR9riWcEHF+O+riXiRv:lS38dzZRiPWWdll+WXiB
MD5:	8E8BCE6229DDC6458A64E43168EBE169
SHA1:	C4A77F9349726E5C01A59058D7F94A10B23E7920
SHA-256:	14C0D4A2A41572384F8309CDF03DE5C6E7ED46BEF64CCE70D989B2665EFF1A47
SHA-512:	C92C6D2B087C19053A900B77CFB88676431076DBA7F08EFC752648D8296FD8056BF5D6B756A00C3F629EACA718994DBEDD8F426CAB8A41C419A0627EC2E8C6D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............h...h...h...5...h...i...h...7...h...4...h...2...h.Rich..h.........................PE..L......B...........!.....2..........p'.......P....@.................................@F..............................0\..q....[..(....................H.. ?...p.......P...............................................P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...<....`.......D..............@....reloc.......p.......F..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-2HM3J.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	88352
Entropy (8bit):	6.796639238094239
Encrypted:	false
SSDEEP:	1536:SFao9EzE9pBi+nvt9TM/ytPhx+3RB8Slbb4x9Jrw3ttIRiPWvgeDkWXi1:h0Bi+nvtBRhx+3JlbkqttIRmfakge
MD5:	226E12D5C3476217529A9F38B924E13E
SHA1:	93AAAE14937B835BF2D1C25204F4A15AEF617B64
SHA-256:	A5C78614504071581052605C5967A564839CF88923DA8237204BDFC26A33DDF0
SHA-512:	1C48DD9F57046E7A97D8226AD37F93E259ED2BE8945FBB8D0B90B17F14EF9AA50070B0CF7DAE853DB641AFCF85216218B5FFF26DFFD493836E601A52206C3697
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8?h.\|^.R\|^.R\|^.R[.{Rm^.R[.hRe^.R[.kR0^.R.Q[R{^.R\|^.R!^.R[.wRu^.R[.~R}^.RRich\|^.R................PE..L... u.K.....................0....................@..........................P.......6......................................\|...P....@.................. ?..........................................@...@...............H............................text...?........................... ..`.rdata........... ..................@..@.data........ ......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-3R6IB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1423672
Entropy (8bit):	6.525364105542699
Encrypted:	false
SSDEEP:	24576:Pds/6vOjJXB+X3jRPDpXXc2PDOX+MH7pnik3hy:PdzaXBkzRhBPD8++7pnfk
MD5:	E710D05954EA53B6D41B562D572752B1
SHA1:	C6EA099A562BEA00A3BC94DA320A439F4989ED19
SHA-256:	C2B1072FC64C7FEFBF6FF409D529B3EBCC15B905169A0EB88750E4945CC9DED2
SHA-512:	33C3871F861805F2787D14C94EC894C92A32F2636E9E8F4329DBC6B07170924F3B34A59C6CAF34139E0D4E59E1CE6A9234C318EE999E28A3292D7C16F7D06B5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................2...D......XO.......P...............................P.......<...............................@...................>...........z..8?...`......................................................(........0.......................text...d .......".................. ..`.itext..x....@.......&.............. ..`.data....I...P...J...6..............@....bss.....l...............................idata..............................@....didata......0......................@....edata.......@......................@..@.rdata..E....P......................@..@.reloc.......`......................@..B.rsrc....>.......>...<..............@..@.............P.......z..............@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-4TT4E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1521
Entropy (8bit):	4.642245779049187
Encrypted:	false
SSDEEP:	24:1kNuleNbe19ccSBYKy3oQvxrAtoKe/fFtKJuhfs6iQN0pzGkeDw3d:1kUlqbWccSby3jvxrAgn3hfO60pzYw3d
MD5:	3BEFF3422330C217A9D4FD78B25F2765
SHA1:	5AD930AD580018D40B9ED8DD671F3C563EB71196
SHA-256:	5E6E93E1FB6338978E6CB9E1C49FDF0C312CBEDA935ABDCE249E2C8C1E0F8591
SHA-512:	1455290AE23F71642374DFAFA63C598F84519AFA4763D6C8226743372314B28FDD0EC9D8ACD22AB31CBAAB73B0F33BFE48CEFBAA4D86872A63593AE3039BE481
Malicious:	false
Reputation:	low
Preview:	Inno Setup License..==================....Except where otherwise noted, all of the documentation and software included in the Inno Setup..package is copyrighted by Jordan Russell.....Copyright (C) 1997-2020 Jordan Russell. All rights reserved...Portions Copyright (C) 2000-2020 Martijn Laan. All rights reserved.....This software is provided "as-is," without any express or implied warranty. In no event shall the..author be held liable for any damages arising from the use of this software.....Permission is granted to anyone to use this software for any purpose, including commercial..applications, and to alter and redistribute it, provided that the following conditions are met:....1. All redistributions of source code files must retain all copyright notices that are currently in.. place, and this list of conditions without modification.....2. All redistributions in binary form must retain all occurrences of the above copyright notice and.. web site addresses that are currently in place

C:\Program Files (x86)\Inno Setup 6\is-51I2J.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	290592
Entropy (8bit):	6.484525296409455
Encrypted:	false
SSDEEP:	6144:iCpoP+TXSmmC5DraI3OF8epVPWsLrmgsyLPAIfvBZ2:iMmzWDWI3OFBNWsLrmgsyL3vG
MD5:	8ED7503A4A911A37B3719050962BCD93
SHA1:	1C8B8D2A8F90C98F2567287197D6A05A0231321D
SHA-256:	7D1C2CC3F4B6A1EEE8EADFFC7991DF534566DFD5E0DAD6E44F2409FF47030A95
SHA-512:	70D8AA132AB20012EE44C5E211BF3B8BB687C97589CEBD3302232395733FF878543877EE1255FA937EB1C7511C54019846AE07921E81B613F12284473E97ACD8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........U............n........P.......P.......P.....n...........O....P.......P.......P.......P......Rich............PE..L...Np.L...........!.....P..........R........`....`..........................P.......S..................................Y.......x.......x............0.. ?... ...!...c..................................@............`..L............................text...*D.......P.................. ..`.rdata..Ik...`...p...`..............@..@.data....0....... ..................@....rsrc...x...........................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-5NAJD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116000
Entropy (8bit):	6.539555247432412
Encrypted:	false
SSDEEP:	1536:4MD7Y1ja9wxiY0qzQkIO/5nMOp/e5w3OJ4B6rRbUQzYSUsLBMvPRiPWX5WXiu:nY1jaWBzFnXG52o4ByvzhLBMnRmw5gr
MD5:	BC0536D56CA39EDB778F801DE23271FC
SHA1:	E398C4B0D83EFA97D59BC8560017A26E13B92060
SHA-256:	1AB1C8FF112D4710738B9CC783DDF9F98219D6E0B16A9933FA0D8137A50AAACA
SHA-512:	2B660F6696DDEBA294945C179E9FB61EAAED0C56021DDC8C5CD935592503FC85188C9B52DC8A94345B1A139999F0B11BC7C6809399374CC118FE8B75659B1C1E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%..;D.R;D.R;D.R...R<D.R...R"D.R...R}D.RM.R<D.R;D.R[D.R...R2D.R...R:D.RRich;D.R........................PE..d...eu.K..........#......,...V......0..........@.............................................................................................i..P....................... ?...........................................................@...............................text...>*.......,.................. ..`.rdata...1...@...2...0..............@..@.data....#...........b..............@....pdata...............t..............@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-7CKGF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-8O5SV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2828600
Entropy (8bit):	6.453682150456565
Encrypted:	false
SSDEEP:	49152:7vwQfPs3HK1UkpgSwrqdEAH/qI6tjbuuTLwv5380E:7vvOHu/J6t/qv5380E
MD5:	AC799CDC10229255E7A385A01E590EEA
SHA1:	A7EF786EE3633263DDCB44D8373BB055B95189D2
SHA-256:	8A0A5B8B2D13978EB0CA38A4F8A77B13793E6B38C3A9D6EAB728724683B4DD08
SHA-512:	DDAF0886160C0305697905F16ED9E71BD6760DD8BE259D6E69E2453FDF67AB4D44E5C88EC5EEB06538A241295B98ACC04508B4F4F877049D1042326330BF3CFF
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...l.._..................#..,........#.......#...@...........................+.......,..........@...................P%.......%.27....%..L.............8?...................................p%.......................%......@%......................text.....#.......#................. ..`.itext..."....#..$....#............. ..`.data.........#.......#.............@....bss.....q....$..........................idata..27....%..8...V$.............@....didata......@%.......$.............@....edata.......P%.......$.............@..@.tls....P....`%..........................rdata..]....p%.......$.............@..@.rsrc....L....%..L....$.............@..@..............+....................@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-9O50A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	391080
Entropy (8bit):	7.9376420339993246
Encrypted:	false
SSDEEP:	6144:6lfQ2DVqNhMwuD7r6QDm3IDUMPf27JHYrewJJScbqJiHF8:oI2DVqMwufGumML3smeD8D8
MD5:	D5056E23A906B8B29F3138B1804EAA0E
SHA1:	8856F47667E11FB20C094F90A5DD9D7B78B26CD8
SHA-256:	4FE40C562EFDA5ECF3CAC44C6D6074108B0C20A7AE53989782A63772E0075118
SHA-512:	46910D2D8460701B6C2C0DA863CFA97BBF68B283D5E8985E18428CB680D93670CD68D9C9E8F9636E5478FB6CFAC3E9B4A0E0272DF48E0BA1DB9CF7D213167D9F
Malicious:	false
Reputation:	low
Preview:	ITSF....`........=.t.......\|.{.......".....\|.{......."..`...............x.......Tp.......p..............................ITSP....T...........................................j..].!......."..T...............PMGLJ................/..../#IDXHDR....../#ITBITS..../#STRINGS..-..\./#SYSTEM..f.:./#TOPICS....@./#URLSTR...R..[./#URLTBL..Z.x./#WINDOWS...A.L./$FIftiMain......../$OBJINST...8.X./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...4../$WWKeywordLinks/..../$WWKeywordLinks/BTree......L./$WWKeywordLinks/Data...Y.A./$WWKeywordLinks/Map.....z./$WWKeywordLinks/Property.... ./hh_generated_contents.hhc...H..../hh_generated_index.hhk...O..'./hh_isppredirect.xhtm......./images/..../images/extlink.png..b.../styles.css..o.^./topic.js...M.t./topic_32vs64bitinstalls.htm...o.t./topic_64bitlimitations.htm...c.j./topic_admininstallmode.htm...x.w./topic_appendnotes.htm...I.>./topic_buildnumnotes.htm...J.../topic_commonparams.htm.....w./topic_compformshortcuts.htm...z.(./topic_compilercmdline.ht

C:\Program Files (x86)\Inno Setup 6\is-G0LGO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	15688
Entropy (8bit):	5.0248366779165
Encrypted:	false
SSDEEP:	192:SUR5+ITv+moyTo9Xld3q4ZQ147cpRR9ULmFD5WLInzDtDLrr471DtD65+Vgu0M50:SuJzuba147cpRR9NFdWklX47CC0dlsuB
MD5:	63004B10996BD67EBDC1D2630BD5DAE5
SHA1:	B3B07B5D842657C83A54061235235AC182CC77C4
SHA-256:	1140130A4DF5C712B28205AA29DB2BB12E5B2BD177286D4B53F67189382DE899
SHA-512:	27C5FB75DA521405675F652328715C041BB1B1C17B29841FB2170B8AC3EE0357AF3603A2CCCBA66238DCAFAB1AA53799FCB16CC6B5600FF5C9D64090EE0750D9
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>..<title>Inno Setup 6 Revision History</title>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />..<style type="text/css">.. body { font: small verdana, arial, sans-serif; color: black; background-color: white }.. a:link { color: #264b99; background-color: white }.. a:active { color: #7799dd; background-color: white }.. a:visited { color: #5e85d7; background-color: white }.. tt { font: small "courier new", monospace }.. li { margin-top: 0.15em; margin-bottom: 0.15em }.. div.bluehead { text-align: center; color: white; background-color: #264b99; padding: 5px; font-weight: bold }.. .date { font-size: x-small; font-weight: bold }.. .head1 { font-size: xx-large }.. .head2 { font-siz

C:\Program Files (x86)\Inno Setup 6\is-H6529.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90400
Entropy (8bit):	6.806225836242268
Encrypted:	false
SSDEEP:	1536:Q8Fao9EFoG9xSbHuBTF+RAspiHrEM3WYltVgRiPWXydWXi/X1:inxSbHuBGlYtVgRm0ydge
MD5:	A3DDC4CD74CC38811CA2AB4C7E51B8F6
SHA1:	07963AC2321779410262FC65EE79395D3E2463A1
SHA-256:	0B2E19E473A47E10578B05A2F3B43AD96603F3EE1E397C06A280C3B7458A76E2
SHA-512:	BAAAFBDA169958B9855394FFC6063034E73BFE54896A05F5E64FC754D1A72D3A45D55D665C6D71E325C9433116DB769BC1913CC83327C6A5394E9D1F3DDEFC17
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(...l...l...l...K..}...K..u...K..$.......o...l...8...K..e...K..m...K..m...Richl...........................PE..L....t.K...........!.........>.................... ..........................P......................................P.......$...(....0...............".. ?...@..........................................@............................................text...O........................... ..`.rdata..............................@..@.data...............................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-H87CK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 8
Category:	dropped
Size (bytes):	52574
Entropy (8bit):	7.331404025376781
Encrypted:	false
SSDEEP:	768:LtFaZMvkt5F+MlTel/ylsW+Z1ZNQnwYu2Nl2S9sLEHe+M:LoMJAlSZ1ZSnPn0LEHe
MD5:	CEAA690E8162485A451066F226035156
SHA1:	8C71DCEF5757419CC95BC8292D14C6FE8EE2A6EF
SHA-256:	1B73DF0B89A2943F34582CF81C2D8ED7B1CE4CFB54D86CE58EBD6DD0E1E05F5D
SHA-512:	71E0DB6BA9B3A9DE9C093D362109A441B53AC023ECD501F05B8FD080E6BDCD1085E9158F494A5BB03DAF09487039673D73DD1E0D189B5A8E335472918C4A2856
Malicious:	false
Reputation:	low
Preview:	BM^.......6...(.......:...........(............................nn.DBB...........}.ia`.............}wv.........................VRQ.....................................n4..X3...8..@...F...B..g=.......b.....N...F....O.=6/.642..........V...R...R...N...L...J...Z....U...`..Z...^...V...R...e...b...V...J..P...k..b...^...Z...w...V......l...b...^...Z...r...l...y&...,../...^........f...b...^...v...l...f...f...b...&..3..Y....TE0..............t...l...j...y......#..,..5..:.uW'..N...h..\..m.I>-......................%..$...$..-..-..d!..<..B..`...p...........$..,..,..,..,..3..4..C..D..K..K.cR1..}.......?;3...........#..$..$..#..,..\|"..3..4..4..;..<..D..S..W...x...s......\|....................$..$..%..-..,..4..0..<..D..?..C..L..L..M..Q..\..a..f...l..l..q...u...}..................-..)..:..5..<..E..E..L..T...W..\...b...d...m...j...t.......................+..4..<..B..m)..O...e.....#.. ..

C:\Program Files (x86)\Inno Setup 6\is-KATRN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780800
Entropy (8bit):	6.319759724032233
Encrypted:	false
SSDEEP:	6144:qL005yIIla5e5luLqtq7sVMzBcDcZFCmG0tJk78jSTuBZI+57tPsuqNrCGFwML/k:qL8JhXuLXIQBcDcZFxbPulC0dbWj6aX
MD5:	A4ABD9515BA285ADB6F45281AF7F6C42
SHA1:	8473A0A37F44B67A80B42558C8530E02E753EA81
SHA-256:	7FC32E16574FA3142CC238E5CA46C8C871FFB79C9DCBE1CCA0CBB45F8B82CF03
SHA-512:	43B330AB8833037209E2616784BDDD7D7FB22BE8F743ACF7CCD0FD14DD95DF106C88EC810B0F16CFFC87ABAC97B8A6851B83E5A746A99EE07F29CB6667BB8517
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p....@..............................................@...................@....... ..6....p...H...................................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....H...p...H..................@..@....................................@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-MCR6E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1016120
Entropy (8bit):	6.6552440432798745
Encrypted:	false
SSDEEP:	24576:5drDH1m8Eo9rep60E835vkQKMP/RXUVQh:5d1m+quEVUG
MD5:	F55682CD62090B5EED1FE7813A463760
SHA1:	FA45117F8D817E8C65E8A61B70791106B74496A1
SHA-256:	07942D760809CEA368541B872839682BD1979EBB1088280E3635DDC5FEBD521A
SHA-512:	2F3235E512D666DCB606DE8EFF63535B7178268A31E3415E653338FB2A97FF236EC6320D6C45E20A9285DBC97466BE89354D1C08FB3C9EABD8CA887AC33995ED
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...k.._.................d..........8}....................................... ......................................`.......0...........4...........B..8?.......P...................................................2..h....P.......................text...4T.......V.................. ..`.itext..P....p.......Z.............. ..`.data....;.......<...h..............@....bss.....d...............................idata.......0......................@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc...P.......R..................@..B.rsrc....4.......4..................@..@............. .......B..............@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-NI9BG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	78254
Entropy (8bit):	7.544059172339836
Encrypted:	false
SSDEEP:	1536:KI+sB+smrZUxtL/lkb/EUqrLsnrnQoM4SXjF7UEYEm50OGwfmZQwK:P+sB+s4lL6toMdB7UHT2owK
MD5:	984B09BF51E7611510B6CBB29B652771
SHA1:	48D8BB7C4F97F61F845B202C8C115825AB5E326C
SHA-256:	CED024053EEFC18967E31A88E97FD7D021ED13ECCB150F038E0BC04ED93E92D8
SHA-512:	F0238F59F8FB8B759D30E8F72418DCD263AAA5AB1C3705763EA4E286F046DF4D4C5ED179962EEE99099D720F90E7B65E89958B911EB9A0442A5CDF85ACA4FD08
Malicious:	false
Reputation:	low
Preview:	ITSF....`........zq.......\|.{.......".....\|.{......."..`...............x.......T0.......0...............1..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR... .../#ITBITS..../#STRINGS...p.H./#SYSTEM..~.B./#TOPICS... .@./#URLSTR...P. ./#URLTBL...`.p./#WINDOWS...}.L./$FIftiMain......../$OBJINST.....S./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...../$WWKeywordLinks/..../$WWKeywordLinks/BTree...I.L./$WWKeywordLinks/Data.....K./$WWKeywordLinks/Map...`./$WWKeywordLinks/Property.... ./hh_generated_contents.hhc...S.~./hh_generated_index.hhk...Q..U./styles.css...+.^./topic.js.....t./topic_addbackslash.htm...K.../topic_append.htm...+.#./topic_builtinsiss.htm.....&./topic_changefileext.htm...S.../topic_comparepackedversion.htm...q.U./topic_copy.htm...F.&./topic_copyfile.htm...l.o./topic_current-translation.htm...[.../topic_decodever.htm...b.../topic_define.htm.../.H./topic_defined.htm...l.1./topic_dele

C:\Program Files (x86)\Inno Setup 6\is-QL42I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20665
Entropy (8bit):	4.952134313189583
Encrypted:	false
SSDEEP:	384:WE2SxRcq9qufsvEfffFF1AjzKgryfo5iYlFHw6UJ76ZKwJ:Wm39lnffFF1azKgr4YOFi
MD5:	83A5ECF4D623E7D8531916B678808D7E
SHA1:	0145A5A34BC44D41220AC810829B84CD8329C8D8
SHA-256:	179DA3422D7BBB65BB2052F9C0B370AB66DDD6F24693D90ACCBD7D7D73D4F1A4
SHA-512:	34D2773BCD702A1B7652FE82893EB06DA3BF76DC6D7E15672C465AE351623BF0E5E612963E86691FD446C65B6E18F064B842637ED681D4772C6B5BBEEB7A8708
Malicious:	false
Reputation:	low
Preview:	.; * Inno Setup version 6.1.0+ English messages ..;..; To download user-contributed translations of this file, go to:..; https://jrsoftware.org/files/istrans/..;..; Note: When translating this text, do not add periods (.) to the end of..; messages that didn't have them already, because on those messages Inno..; Setup adds the periods automatically (appending a period would result in..; two periods being displayed).....[LangOptions]..; The following three entries are very important. Be sure to read and ..; understand the '[LangOptions] section' topic in the help file...LanguageName=English..LanguageID=$0409..LanguageCodePage=0..; If the language you are translating to requires special font faces or..; sizes, uncomment any of the following entries and change them accordingly...;DialogFontName=..;DialogFontSize=8..;WelcomeFontName=Verdana..;WelcomeFontSize=12..;TitleFontName=Arial..;TitleFontSize=29..;CopyrightFontName=Arial..;CopyrightFontSize=8....[Messages]....; ** Applicatio

C:\Program Files (x86)\Inno Setup 6\is-QSTDR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	873272
Entropy (8bit):	6.457736067545796
Encrypted:	false
SSDEEP:	24576:f4wpMgurJoZlmqQvT3GTAB2wHmjyst5mbjq6QVN:rMgCo2qQb3GTAB2wUys
MD5:	A75562BD7010F5373494B01BFE603FB5
SHA1:	786333F77C21B563723D1CB4BE50845CAABFCC5B
SHA-256:	E0D28A77AA6CBA5C0E4E4A36CB5F6872112E53A69000AABF434D823E88881A27
SHA-512:	DFB8EFBE130116E35DACFBBBED47DFC4B462256E97E140B960AD5AE69C6B3140C41B413D649ACE86570D3B9B2582DCCB4F6B4C4AA529C216905414A7F9098091
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...m.._.....................^....................@..................................7...........@......................................................8?...........................................................................................text...D........................... ..`.itext.............................. ..`.data...`7.......8..................@....bss.....d...............................idata..............................@....didata.............................@....edata..............................@..@.tls.....................................rdata..]...........................@..@.rsrc...............................@..@....................................@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-RIE67.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3014144
Entropy (8bit):	6.393831618691684
Encrypted:	false
SSDEEP:	49152:+LJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu:awSi0b67zeCzt0+yO3kS
MD5:	B4C53633F2F2E88FA8CF77C02733A96C
SHA1:	854592F762189A607370C12559F3847C7B94ED9E
SHA-256:	E2BB346ABF79ED6469D843CE4DA057693690A41A42E2BE7F449D21F061D34E0A
SHA-512:	E4FFB081A2788FB42CA7683ACDCB62027FC49C20093284C3E8C385769D76B3B2833B89707C18922CA000CE42E246BFF1BD710D77CC65CC44CA56706D1538C08A
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@..............................................@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-SSLRM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3030332
Entropy (8bit):	6.405342322627461
Encrypted:	false
SSDEEP:	49152:oLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvus:kwSi0b67zeCzt0+yO3kSh
MD5:	4DB7980824FE1C46258999F7B3E47ADA
SHA1:	CFEDF273F0A924F9D107FCC87E1AD54CEDE3892A
SHA-256:	FCD44883D132E0FE347CC19DCE906EE464005B4CAA3AB15CCDC33E55A87EDC2B
SHA-512:	39C3B29E745C855D7EFCB79FBF74E73AD248A43F4C7246218C5F8CE0F93C502CA8339B9283E915DD0A04A2F265F34701F8DD98EC87D95D4AE906968E65896273
Malicious:	false
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.................................:.....@......@....................-......`-.49....-...............-.8?....................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

C:\Program Files (x86)\Inno Setup 6\is-T4A9A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10153
Entropy (8bit):	5.30131505225972
Encrypted:	false
SSDEEP:	192:ZwRjZd8+HcBNsskhqpMkFFaK/1UFzE5ogc48/T8ZEF2PH12sroki+iIoJsmsmU:ZYZi05hqpMkFFaKNUFzsG/wH12srokxN
MD5:	3FA68793E80D6A984D5DA0DBFF2BD1A2
SHA1:	3137BB30FFE4619D3A702EEFF34E8C20CA1BFD15
SHA-256:	F6A88D62704F7577188B85C8272A477C858ADB1F57240C99CCD4D0890BA05BE1
SHA-512:	32DA379D7A34EA031308FD0E66E54027E35CA36599159BFEFFBE599AB8C6ECE8ED6325856E4424D81D7DB89EB6EDB569F21632FFCF0AB2B554FF9067E69F45E8
Malicious:	false
Reputation:	low
Preview:	// Inno Setup Preprocessor..//..// Inno Setup (C) 1997-2020 Jordan Russell. All Rights Reserved...// Portions Copyright (C) 2000-2020 Martijn Laan. All Rights Reserved...// Portions Copyright (C) 2001-2004 Alex Yackimoff. All Rights Reserved...//..// See the ISPP help file for more documentation of the functions defined by this file..//..#if defined(ISPP_INVOKED) && !defined(_BUILTINS_ISS_)..//..#if PREPROCVER < 0x01000000..# error Inno Setup Preprocessor version is outdated..#endif..//..#define _BUILTINS_ISS_..//..#ifdef __OPT_E__..# define private EnableOptE..# pragma option -e-..#endif....#ifndef __POPT_P__..# define private DisablePOptP..#else..# pragma parseroption -p-..#endif....#define NewLine "\n"..#define Tab "\t"....#pragma parseroption -p+....#pragma spansymbol "\"....#define True 1..#define False 0..#define Yes True..#define No........ False....#define MaxInt 0x7FFFFFFFFFFFFFFFL..#define MinInt

C:\Program Files (x86)\Inno Setup 6\is-TVV66.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 55 x 55 x 8
Category:	dropped
Size (bytes):	4158
Entropy (8bit):	7.363905559462423
Encrypted:	false
SSDEEP:	96:9qhlKrtdcv3Is4xE4QYFigWTNsHIewdGWh+PI:9qKkIdxHQYwg6dr
MD5:	7BC0B44D3436036541CFB00429FCC69A
SHA1:	83060DC13FA8016CF247497CF1F80B8968D03DB5
SHA-256:	AE94CD61179BC1869D0082B1FA8C189F8487D106712B48A2A6C6A035D370BFB4
SHA-512:	449BC9D39B9A0EE0799D149B33F16886EEE6929082096CA5E4E83D8BBB17776DC77DFACC1E09ACEEF8395996F24544B6E1B735AD0541E47D029C82433DC8B626
Malicious:	false
Reputation:	low
Preview:	BM>.......6...(...7...7...............................................SPP.........................qoo..........rq.mgf.............`\[.........................mX.....643..Z..y,..f?..\|"..u5...m.......4.zbQ......C..@..e...U...K..E.@?>.......\...P..R...Z...X...W...R...O..._...U...V...T...Y....i.....e...Z...T...g...b...`...^...W...c...c...\...^...[...Z...^....u.............~...t......y...o...^...i...b...b...l...f...e...h....e..................w...}...y...s....8..i...............\|...z...v...s...z...z....+.lS%..V..R..................................~....................................... ..%...m.XH)..g.....w..............................................................................................*..5..<..I..W..]...{...............................................2..?..N..j...u.D>/......................................#..q$....MJA...........................8.......GD5...........0...........

C:\Program Files (x86)\Inno Setup 6\is-U06IB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39200
Entropy (8bit):	6.955030838373646
Encrypted:	false
SSDEEP:	768:I/maJzKOIrThgIrnSnImN23ANF+OiR9riIF+rriXiRf:I/mZrdn3a8uRiPWysWXix
MD5:	92F336A0DE562E95589470D335E18D8D
SHA1:	3866C94AD1E0B2AF143ED1F379EA0F51C3C78EE5
SHA-256:	8072E83385AFC4A84006271A87A11FC0A22B149CBD77322669CA56C470D28CED
SHA-512:	A4F227EFB4FCC99A460C4EFE4ACCB91C0DAC30837096DE1F1DF1D741DD7BA61A56EDE9AA9E1FDFCE9C9AA43A4D5CE29C847489CA0546FE38A63194A414B7EF7B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....D...........R.......`.......................................................................`.......`..(....................Z.. ?......8....................................................`...............................text...*B.......D.................. ..`.rdata.......`.......H..............@..@.data...8....p.......J..............@....reloc...............X..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Inno Setup 6\is-V6FES.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.965343074460436
Encrypted:	false
SSDEEP:	24:4iuNtLy6yu6xzmYxfqjri+jFWUZY5gSmHW/8ts7REd61:iNly6MxNUFjFWL5gSmHWEi7yd61
MD5:	B6310FAFF75FB733769FE62EBEEBFFB3
SHA1:	E5BC498C59A8F7DFEE8D9D841F4A7CD5FDD3B37E
SHA-256:	D148DC2569E9ABC4B4DA650B1920EF1FFDC10BBD6BC2E20A97CE44B1F9F78AEA
SHA-512:	6BFF0D58CDAA48A827F36602623B53FCBD5F0912B4E2219DB4153A03A02C52ED6DC4DE5F4B3843AF13E22F4E51DAAFD9057B3C5FD6992C6ED1DEE79963646C30
Malicious:	false
Reputation:	low
Preview:	BM~g......v...(.......:............g......................9...........................................................""" """""" """""""""" """"""""" .."""....""""""........................................""""""""""...."""""""""........"" """""" """"""""" """""""""" "..""...."""""""......................................""""""""""....""""""""""......".." """""" """""""""" """""""""" """..".....""""""......................................"""""""""....."""""""""......""".. """""" """""""""" """""""""" """"......."""""".....................................""""""""""...."""""""""".....""""".. """""" """""""""" """"""""" """""".......""""""...................................."""""""""....""""""""""......"""""".. """"""

C:\Program Files (x86)\Inno Setup 6\isfaq.url Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<https://jrsoftware.org/isfaq.php>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.620214616820316
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2f9SQ2vn:HRYFVm49tIn
MD5:	D66B65A190BF20A966A1BB5770FC281F
SHA1:	7F6AC7CFAF322ADE56156773CC0B580B411F0683
SHA-256:	F699CE64C194310524CA1DCA5BFC996151619CC5C6731FBC5FA150B59C9D3C72
SHA-512:	F3E178974DE12C6E6F746BBE5D945BECCEA5CA59C69EFC8F5F2EA31A62F491556FC5D5DF6B07B8E5150D0F7A42751C24017D2A31A573989EF2791D60AABA0969
Malicious:	false
Reputation:	low
Preview:	[InternetShortcut]..URL=https://jrsoftware.org/isfaq.php..

C:\Program Files (x86)\Inno Setup 6\unins000.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	data
Category:	dropped
Size (bytes):	24843
Entropy (8bit):	3.7991822556433137
Encrypted:	false
SSDEEP:	192:fx14RtlJwRsjuEpwbP4DSmGb6GEoUgJgJoUv9r8ffr/gHOL:fxWJkUuEpwbPIGbFs9wffr/gHOL
MD5:	71D141135CA39E08F901100CD3F17D5D
SHA1:	B4C7EF7486E459750E261E6DE6088E565E162E3B
SHA-256:	706A7BEF45B85094B67EFD660BA032E5B54B79A5B4311A7605659800BBD994C2
SHA-512:	69ABF1A4C17F6C4A19C831057F5C846CD1D03F7319E13F2A302D45730FFA41BCC6EF20A5902CF261D72CDB1825AC94A067E96939723517DB7F8F0864E9FCB6EB
Malicious:	false
Reputation:	low
Preview:	...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................n...............6.0.9.2.9.0......h.a.r.d.z......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6..................0.... ..............IFPS........%....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TOBJECT....TOBJECT.........TEXECWAIT.........TBITMA

C:\Program Files (x86)\Inno Setup 6\unins000.msg Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	data
Category:	dropped
Size (bytes):	24175
Entropy (8bit):	3.277937755294408
Encrypted:	false
SSDEEP:	192:K1EjNSCkf3SCqsTr6CCPanAG1tzPL7VF+Iqfc51U5YQDztXfbKJG/BAvo:K1EK6CHr6faX+7Q1U5YQDztB/BIo
MD5:	2ADF05B0ACBE9C567051F3F7A954D8D0
SHA1:	DA90FD36B1D5EE890707AB7AEC1809CF6E4432C2
SHA-256:	827F5E1B6A3CF2EB080638ED7AE194F9A0697C2572673D97F83F27ED3609EB5C
SHA-512:	3C7E40414BBD42DA95E82D206130068B918ABC1BFAE3BD37CE320233D299EF422A80D9189AB9426B81A4BD2870B05A2C70A8346031082A02E53A9CB87772845E
Malicious:	false
Reputation:	low
Preview:	Inno Setup Messages (6.0.0) (u)....................................."^.....s.\|.C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Compiler.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 22 01:27:48 2020, mtime=Tue Dec 22 01:27:48 2020, atime=Sat Nov 14 23:00:00 2020, length=2828600, window=hide
Category:	dropped
Size (bytes):	1211
Entropy (8bit):	4.665733970148016
Encrypted:	false
SSDEEP:	24:8mYgDUhaidOEY15k0O5zcLWlDyAffO6dkLWlfdUUUzkBhbgI7aBt3lwm:8mYQUhaidORk/Aql9H1dkqlfdh6k7yB8
MD5:	F0BF115B89E7F0255108FC80F3FD6509
SHA1:	D5FE68DE1DBFB3BE93C473EC52A54F4AC9DA0844
SHA-256:	5146C5A81B04C590C71AC7CDDED07A7FC4AE023B88F66098A1B79D4A40AF2D00
SHA-512:	3C4BB036DFE5E18656431C0F0532E27CD8FD91DB42A760F815E28D3275EB5F454973DF1C3D50C804AEFBA4B66875F4FC86F7DE295AB823144C1FA7AB67542695
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....[5......ZT......@.B...8)+..........................P.O. .:i.....+00.../C:\.....................1.....>Qvx..PROGRA~2.........L..QO.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......Qy...INNOSE~1..J......Qy..Qy......R......................;.I.n.n.o. .S.e.t.u.p. .6.....f.2.8)+.oQ.. .Compil32.exe..J......Qy..Qy......h........................C.o.m.p.i.l.3.2...e.x.e......._...............-.......^............6.>.....C:\Program Files (x86)\Inno Setup 6\Compil32.exe..?.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.\.C.o.m.p.i.l.3.2...e.x.e.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.........*................@Z\|...K.J.........`.......X.......609290...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.'...........1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Documentation.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 22 01:27:48 2020, mtime=Tue Dec 22 01:27:48 2020, atime=Sat Nov 14 23:00:00 2020, length=391080, window=hide
Category:	dropped
Size (bytes):	1114
Entropy (8bit):	4.661561667267645
Encrypted:	false
SSDEEP:	24:8mAA/zHR/mabdOEY15k0jX5tARfSdY7dUUUzkXhNB7aB6m:8mAA/zx/mabdORkapmRSdY7dh6kXhNss
MD5:	63CC6C5B9C7AA8D670D78B4308F7A025
SHA1:	389ACB5C6BB6905482300464538BD3E3CCD4C12D
SHA-256:	19117CB733B54B8474E5AB94AE25F1881ECBA1EA5A9CACCCDFCE00E4CD38AF35
SHA-512:	1FAC804C8185ED889DC1739EFCE23944AE5A583F8D6D76C3F1CBF82042E9B35875F6E44A688091D4B15C7441A1BF54C2C42A0CA8F4BA69D704D8BC993AFC23E2
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....0......[5......@.B................................P.O. .:i.....+00.../C:\.....................1......Qy...PROGRA~2.........L..Qy.....................V.....V...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......Qy...INNOSE~1..J......Qy..Qy......R......................;.I.n.n.o. .S.e.t.u.p. .6.....`.2.....oQ.. .ISetup.chm..F......Qy..Qy.....yh........................I.S.e.t.u.p...c.h.m.......]...............-.......\............6.>.....C:\Program Files (x86)\Inno Setup 6\ISetup.chm..=.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.\.I.S.e.t.u.p...c.h.m.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.........*................@Z\|...K.J.........`.......X.......609290...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Example Scripts.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Directory, ctime=Tue Dec 22 01:27:49 2020, mtime=Tue Dec 22 01:27:49 2020, atime=Tue Dec 22 01:27:49 2020, length=8192, window=hide
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	4.661949651200419
Encrypted:	false
SSDEEP:	24:8mtNhzHR/mabdOEY15k0tw5yPl8AbfPd1lJdUUUzk8S7aB6m:8mXhzx/mabdORkKqyPl77Pd1lJdh6k8g
MD5:	B775F0D4142AAC4B772482ED829F2645
SHA1:	121965C88F0AAF89A2CEF335C0D005F51FA9A5CA
SHA-256:	D4A91B49A60864AD7B12520B993662F8E182B462E90D78DF12A61C31ECF6562C
SHA-512:	7CFF88AC8B7691AC63F43B9AAADBAB3E8C83047137F1A3229766E37085ED4A3D1202F7673F3DB973E9468FFF08ED2465CC21AC533F04478815DEBB4DF88FD091
Malicious:	false
Reputation:	low
Preview:	L..................F.................\|.......\|....... ...........................P.O. .:i.....+00.../C:\.....................1......Qy...PROGRA~2.........L..Qy.....................V.....V...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......Qy...INNOSE~1..J......Qy..Qy......R......................;.I.n.n.o. .S.e.t.u.p. .6.....Z.1......Qy...Examples..B......Qy..Qy......z......................J.E.x.a.m.p.l.e.s.......[...............-.......Z............6.>.....C:\Program Files (x86)\Inno Setup 6\Examples..;.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.\.E.x.a.m.p.l.e.s.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.........*................@Z\|...K.J.........`.......X.......609290...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup FAQ.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	836
Entropy (8bit):	3.4134870436193254
Encrypted:	false
SSDEEP:	12:8wl0xa/ledp8wX1RjcQobdpYGfeSbdpYGfYQ/CNUvH4t2Y+xIBjK:8NdOEF8di2dLOUF7aB
MD5:	967AC84988CE3BDD0D55296A7D5081F6
SHA1:	3C436AC383123DD3759F873E6F8EFB9E4D547255
SHA-256:	668033536EC1FE447B31220A6152CE29D8F8EB427B4DF4A4853EF82748D01609
SHA-512:	73105F4D12077766A0E0D2F90932EFB23965F40A41DD05A7F5379465952BFE0FC86D147FDEB5BCD53DA7B3FFA2749BA90D9AB34A409665AAD8E404BA577AC10D
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................k....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Inno Setup 6..J............................................I.n.n.o. .S.e.t.u.p. .6.....\.2...........isfaq.url.D............................................i.s.f.a.q...u.r.l.......<.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.\.i.s.f.a.q...u.r.l.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.........*................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inno Setup 6\Inno Setup Revision History.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 22 01:27:49 2020, mtime=Tue Dec 22 01:27:49 2020, atime=Sat Nov 14 23:00:00 2020, length=15688, window=hide
Category:	dropped
Size (bytes):	1126
Entropy (8bit):	4.654360896689818
Encrypted:	false
SSDEEP:	24:8m9Nu9zHR/mabdOEY15k0y54XyAffmdWTLdUUUzk1hvB7aB6m:8mgzx/mabdORkHkHmdW/dh6k/UB6
MD5:	3DD8B639EF31D6A5A02024280A2591CA
SHA1:	B1338CA5E6A8812A2955F36310C5EA80EA823508
SHA-256:	4FEE5A2D0420211AEB1AAAE21A969E06F052C7DA3BD6702C1F86391869075FB7
SHA-512:	6E8F165AB3ACE361BE6A878EAD01BEEB6B9B8909ADD27472A0C15F1FA36EF47633A20419910AB4A0D297FA8A7B6D6AFF3966124331E8B4B7ABA4C401D4A93A6D
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....................@.B...H=...........................P.O. .:i.....+00.../C:\.....................1......Qy...PROGRA~2.........L..Qy.....................V.....V...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......Qy...INNOSE~1..J......Qy..Qy......R......................;.I.n.n.o. .S.e.t.u.p. .6.....f.2.H=..oQ.. .whatsnew.htm..J......Qy..Qy......z........................w.h.a.t.s.n.e.w...h.t.m......._...............-.......^............6.>.....C:\Program Files (x86)\Inno Setup 6\whatsnew.htm..?.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.\.w.h.a.t.s.n.e.w...h.t.m.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.n.o. .S.e.t.u.p. .6.........*................@Z\|...K.J.........`.......X.......609290...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-

C:\Users\user\AppData\Local\Temp\is-9JQK6.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-9JQK6.tmp\isdonate.bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 62 x 31 x 8
Category:	dropped
Size (bytes):	3062
Entropy (8bit):	4.168602678066724
Encrypted:	false
SSDEEP:	24:akfQ36oDe/qXKkzN7JpCvH/Nq1HltgjjaNp:ake6KrBCvfN6FtgfKp
MD5:	6239A3BF88132514BF3D879352639195
SHA1:	791FD8C25C136BA10666787A46F9C23052030321
SHA-256:	C925160C8686390A4420FF9C35DED0654E2B7D4B432B0BF18290B843FC2E5B12
SHA-512:	183D62E09DF1D349320B1281596E26166ED1AEB45AF7EB177EE1079617C6E2B12BFF221013521C6FF2B85F530C8484860AD27D003913064C5B9C29DA3187A46E
Malicious:	false
Reputation:	low
Preview:	BM........6...(...>.......................................f3..o?..M6".p@..yL..sH$.yM ..X,..W2..Y0..d;..f3..o>..f@..nN..p@..pI..sP..}X..xJ..yM...U...Y...`...g...h...a...f...l...p...u.......x.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-9JQK6.tmp\ismail.bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
File Type:	PC bitmap, Windows 3.x format, 62 x 31 x 8
Category:	dropped
Size (bytes):	3062
Entropy (8bit):	4.112358572968621
Encrypted:	false
SSDEEP:	24:3i9+Z/8W6+hpk+rSl2l2lpcl4l0l2l2lhEP9gbp5b6jrh:3KQrhpkeSggoSOggvcubmh
MD5:	16DC5EBB122AF9248C3C5993FD0ABF22
SHA1:	DCEAB3D80A5187D09F3261EEE55A0E52C42B4180
SHA-256:	D1FDA1C1367616FECB4436CE14E693E49F5AE596BF2AD6B518035BC2E07732A2
SHA-512:	4D8AF76D687FE6FCA0E4324724DF019DA135B2F26B86C740D64D6BDA2F58FB45BDB9694CD1C6EA6C4917F150E297E9D9866659634B2987EC0AE6B79272A6192F
Malicious:	false
Reputation:	low
Preview:	BM........6...(...>.......................................]..._/..Q,..S,..T-..`/..a/..b/..c/..c3..d0..d2..f2..g3..i6..j6..n:..f;..k:..m:..o;..n<..o=..p<..q=..q?..r>..s?..M6".t@..uA..zF..sH$..[7..[*..[)..]+..^...^-..^,..^,..W2..]2..[6..[6..\4..^0..`...c:..d7..d6..d6..e5..e4..e4..e3..d8..nN...P...P...S...T...[...[...h..n..~..\|.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp Download File
Process:	C:\Users\user\Desktop\download\innosetup-6.1.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3030328
Entropy (8bit):	6.405341551816351
Encrypted:	false
SSDEEP:	49152:oLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvuE:kwSi0b67zeCzt0+yO3kSB
MD5:	BDC92B37F3017B7E61D62135DEEDAA1B
SHA1:	7EC3A55830CA0592E0E70D6383FCB532A4CE4618
SHA-256:	7CBD8CF249233DE6CEB10390F8B195B8C37453DF162ADD9E82D685C1E5490929
SHA-512:	429F83FA0E50AC650C3B7B508507D0F1E8D0807BB3FB0DE1A8C55C0654A5943622659D5517B97B37AAFC8D6973AA936CF3A3D3C40578A720C644E3CF6D64571D
Malicious:	false
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.................................:.....@......@....................-......`-.49....-...............-.8?....................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

C:\Users\user\Desktop\cmdline.out Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	7745
Entropy (8bit):	2.7307851090363666
Encrypted:	false
SSDEEP:	48:I7+D6EjD3RaGPUzIGoYC/Q6kOd73t4F35qIBZBfN8Ppz5SMzWcEax:EZl/g73mF35qI5fN4pNBW2
MD5:	9E0DE6CC8170E7843F0C722C15377648
SHA1:	53CEA7E9FDE61AC4952E13C834ED7B30C93D90BE
SHA-256:	F1995E16DFB651420B6E3926605D479F84B1054923E546E33E3AD27154FE9B70
SHA-512:	0E6D9E71C095398FD81432C870D58677F61C064BA2D9369AA1BA1618A6E53A81A18EF752078C861D6E28FC8E2B9042F15C2ABF7BF9C25930C0CB1CD08967091F
Malicious:	false
Reputation:	low
Preview:	--2020-12-21 18:26:44-- https://jrsoftware.org/download.php/is.exe?site=1..Resolving jrsoftware.org (jrsoftware.org)... 69.163.232.126..Connecting to jrsoftware.org (jrsoftware.org)\|69.163.232.126\|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://files.jrsoftware.org/is/6/innosetup-6.1.2.exe [following]..--2020-12-21 18:26:45-- https://files.jrsoftware.org/is/6/innosetup-6.1.2.exe..Resolving files.jrsoftware.org (files.jrsoftware.org)... 69.163.232.126..Connecting to files.jrsoftware.org (files.jrsoftware.org)\|69.163.232.126\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 4516136 (4.3M) [application/x-msdos-program]..Saving to: 'C:/Users/user/Desktop/download/innosetup-6.1.2.exe'.... 0K .......... .......... .......... .......... .......... 1% 151K 29s.. 50K .......... .......... .......... .......... .......... 2% 279K 22s.. 100K .......... .......... .......... .......... .......... 3% 301K 19s.. 1

C:\Users\user\Desktop\download\innosetup-6.1.2.exe Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4516136
Entropy (8bit):	7.8958955461400615
Encrypted:	false
SSDEEP:	98304:jSipig6nVdCZBtT6qktO+0Wbx+JPkI0Jb5ADhIXLnJR2RlM:9igELCZLMXOCJbODhWLnJUjM
MD5:	190F916EB89938F88E47D9AC91E7E012
SHA1:	3F9F46B2A4FF8CCD141370D5CEF6ED0E91D42F6F
SHA-256:	A3CE1C40EF9C71A92691AAFF0F413F530C8C9E3C766BE481BC63CA7CC74E35E7
SHA-512:	EA6E276479011C0C90F58A68E95E79CF3273E0E5D6794749942493E5EEA5B99B4A3F2EC881EF14CF7231DBC902408D3A29D8225CF3228C9B0DE266CD7E02582A
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p....@.................................'.D...@......@...................@....... ..6....p...H...........D.8?...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....H...p...H..................@..@....................................@..@........................................................

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/21/20-18:26:47.876988	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2020 18:26:45.980103970 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.156554937 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.156790972 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.162647009 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.338908911 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.354368925 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.354403019 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.354414940 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.354681015 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.357707024 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.535140038 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.536864996 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:46.715296984 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:46.767040014 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:47.807688951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:47.985165119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:47.985301018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:47.992475033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.169368982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.184881926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.184962034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.184997082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.185173988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.193042040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.370455027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.372215986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.550736904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550802946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550839901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550879002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550916910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550954103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.550990105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.551018953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.551026106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.551065922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.551075935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.551120043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.551122904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.551199913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.556725979 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.578224897 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.648850918 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.648919106 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.649161100 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.649238110 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.728133917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728158951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728188992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728205919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728220940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728235006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728250027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728265047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728282928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728298903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728313923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728327990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728343964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728358030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728372097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728387117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728404045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728420973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728431940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728437901 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.728446960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.728553057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.754566908 CET	443	49713	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.754653931 CET	49713	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.905653000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905709028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905738115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905786037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905827999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905864954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905903101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905940056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.905961990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.905977964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906017065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906054020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906070948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906101942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906131029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906142950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906181097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906182051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906219006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906255960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906255960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906292915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906331062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906333923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906368017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906404972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906414986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906457901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906495094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906533003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906533957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906572104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906606913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906608105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906646967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906657934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906685114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906712055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906733036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906774044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906809092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906814098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906847000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906876087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906883955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906919956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906955957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.906958103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.906992912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907016039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.907040119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907082081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907116890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907126904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.907155037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907183886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:48.907192945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:48.907265902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084145069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084258080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084307909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084323883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084337950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084362030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084377050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084392071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084393978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084403038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084419012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084428072 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084434986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084451914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084466934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084481955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084487915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084497929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084517002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084532976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084548950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084563017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084590912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084599018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084614038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084630013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084631920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084645033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084666014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084681034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084682941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084701061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084717035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084731102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084745884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084748983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084762096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084777117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084794998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084806919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084810972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084827900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084842920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084857941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084872007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084876060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084889889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084904909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084923029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084938049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084940910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.084954023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084969044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084983110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.084996939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.085011959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.085012913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.085028887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.085047960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.085100889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.085159063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.261842012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.261928082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.261981010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262023926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262061119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262068033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262099028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262114048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262140036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262176037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262201071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262212992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262252092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262284994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262296915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262340069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262346983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262377024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262414932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262424946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262454033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262492895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262502909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262532949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262572050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262612104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262619019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262662888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262691021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262698889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262737036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262739897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262774944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262810946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262825012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262850046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262887955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262901068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.262936115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.262959003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263000965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263042927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263079882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263086081 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263118982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263154984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263165951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263191938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263227940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263236046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263264894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263294935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263310909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263354063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263390064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263427973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263428926 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263465881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263504028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263515949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263544083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263571024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263580084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263622046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263627052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263669014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263709068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263709068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263746977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263783932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.263787985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.263897896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.440707922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440762043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440809965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440851927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440888882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440924883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440929890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.440963030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.440973997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441003084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441040993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441070080 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441078901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441122055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441128016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441169977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441179037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441209078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441246986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441262960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441284895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441319942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441334009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441356897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441437960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441443920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441515923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441544056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441556931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441596031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441632986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441653013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441679955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441721916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441737890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441760063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441797972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441827059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441834927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441870928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441870928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441909075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441946983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.441966057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.441992998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442034960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442050934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442073107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442111015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442147017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442164898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442183971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442222118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442246914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442259073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442306042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442321062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442348003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442361116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442384958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442423105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442447901 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442460060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442498922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442522049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442537069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442574024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442591906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442620993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442662001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.442699909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.442770958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.619581938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619638920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619671106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619713068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619766951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619822979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619874001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619930029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619946957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.619987965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.619987965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620050907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620053053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620106936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620126963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620187998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620242119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620280981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620296955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620352983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620384932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620405912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620460033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620493889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620515108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620579958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620601892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620637894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620692015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620728970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620747089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620800972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620831966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620857000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620910883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.620949030 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.620969057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621030092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621061087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621088028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621140957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621180058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621196032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621251106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621293068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621303082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621359110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621404886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621530056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621591091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621623039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621649027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621705055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621741056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621761084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621813059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621849060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621867895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621921062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.621967077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.621979952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622037888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622082949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622090101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622147083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622196913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622200012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622253895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622303009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622308969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622363091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622416019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622423887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622500896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622530937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622558117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622612953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622649908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622668982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622721910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622759104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622776031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622829914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622872114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.622889996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622947931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.622997046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623002052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623058081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623109102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623111963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623166084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623205900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623220921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623275995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623316050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623337030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623395920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623415947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623449087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623505116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623527050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623565912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623620987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623646975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623675108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623729944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623753071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.623790026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.623867989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.635390997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.800780058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.800832033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.800870895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.800909042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.800944090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.800981998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801014900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801018000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801065922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801106930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801139116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801145077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801183939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801193953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801220894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801250935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801256895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801295996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801315069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801333904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801379919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801403046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801460981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801486969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801532984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801572084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801609993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801618099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801662922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801696062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801701069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801739931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801776886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801796913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801812887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801851988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801862955 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.801891088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801943064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.801944971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802000046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802000046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802052975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802095890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802125931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802133083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802170038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802206039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802220106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802243948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802283049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802289963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802330971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802362919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802367926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802407026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802443027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802479029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802484035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802517891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802558899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802565098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802607059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802624941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802649021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802680016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802685022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802723885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802759886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802771091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802795887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802834034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802850008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802870989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802917004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802925110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.802959919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.802995920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.803009987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.803034067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.803071022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.803103924 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.803106070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.803143978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.803144932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.803231001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.808123112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812310934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812357903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812386990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812416077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812444925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812484026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812517881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812520027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812531948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812535048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812561989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812599897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812617064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812637091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812674999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812686920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812712908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812758923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812772989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812800884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812836885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812851906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.812874079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.812925100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.815360069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980062008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980128050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980189085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980243921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980309963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980353117 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980370998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980422974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980431080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980487108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980493069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980551004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980606079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980662107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980667114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980716944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980717897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980782986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980832100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.980840921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980896950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.980948925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981005907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981043100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981059074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981116056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981120110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981172085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981214046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981235027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981287956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981296062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981352091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981450081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981486082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981520891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981585026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981585979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981640100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981693983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981714964 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981748104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981791019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981801033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981856108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981908083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.981951952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.981969118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982026100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982054949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982083082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982119083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982136965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982191086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982209921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982242107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982294083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982343912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982393026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982403994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982460022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982506037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982517004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982574940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982577085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982631922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982675076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982685089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982741117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982788086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982795954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982856035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982909918 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.982913017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.982968092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983022928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983023882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983077049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983120918 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983129978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983186007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983227015 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983238935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983300924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983341932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983357906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983412981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983442068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983469009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983524084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983575106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983580112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983638048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983669043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983691931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983752966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983772993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983808994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983864069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983895063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.983917952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.983972073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984003067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984026909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984081984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984105110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984136105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984196901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984216928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984253883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984308004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984337091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984364033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984417915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984446049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984472036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984528065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984556913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984582901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984647989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984668016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984707117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984761953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984788895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984819889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984874010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984906912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.984927893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.984982967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985008955 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985038042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985097885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985116959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985155106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985208988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985241890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985268116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985321045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985346079 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985377073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985460997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985461950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985517025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985569954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985644102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985651970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985698938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985718966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985752106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985805035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985856056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985898972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.985914946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.985972881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986026049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986071110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986082077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986135960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986188889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986218929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986243010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986295938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986319065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986356020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986380100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986412048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986466885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986505985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986520052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986577988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986610889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986634016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986689091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986742973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.986767054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.986875057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.989649057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.989717007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.989772081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.989819050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.989826918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.989881992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.989921093 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.989943981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990004063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990031958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990060091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990114927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990147114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990170956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990225077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990262985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990281105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990334034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990367889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990396976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990452051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990490913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990505934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990561962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990596056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990619898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990673065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990701914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990729094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990782022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990817070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990844011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990901947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.990928888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.990958929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991014957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991045952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.991074085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991128922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991162062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.991185904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991240978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991269112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.991302013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991358995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991384983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.991411924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:49.991488934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:49.999881029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.164320946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164391041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164446115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164509058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164566994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164607048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.164623022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164684057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164700031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.164738894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164788961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.164794922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164849997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164858103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.164902925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164963007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.164963961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165019989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165061951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165075064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165129900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165195942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165206909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165261984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165304899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165318012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165371895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165416002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165467978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165527105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165563107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165589094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165643930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165677071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165699959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165752888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165791988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.165815115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165868044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165913105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165967941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.165968895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166023016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166076899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166084051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166132927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166147947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166201115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166254997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166263103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166310072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166332960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166362047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166414976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166469097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166497946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166528940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166590929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166594028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166645050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166701078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166704893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166804075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166826963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166883945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166937113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.166989088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.166990042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167051077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167098999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167109013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167161942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167201996 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167216063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167270899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167313099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167325020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167380095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167423010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167433023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167495012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167543888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167555094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167612076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167643070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167669058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167723894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167752028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167778015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167831898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167864084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.167886019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167948008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.167970896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168004036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168060064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168096066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168113947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168169975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168199062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168225050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168279886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168307066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168333054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168394089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168415070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168451071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168505907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168543100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168560982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168617964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168649912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168672085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168728113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168762922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168781996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168844938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168864965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.168901920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168955088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.168982029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.169009924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.169053078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.169114113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.169133902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.169172049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.169223070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.169225931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.169393063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.176742077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176772118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176805019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176835060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176862955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176881075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.176892996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176923990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176948071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.176950932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.176974058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.176980019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177011013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177031040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177043915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177077055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177086115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177107096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177135944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177162886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177164078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177194118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177206039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177222013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177249908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177280903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177294016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177311897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177328110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177341938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177372932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177412987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177422047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177440882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177452087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177480936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177509069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177526951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177537918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177572966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177580118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177603960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177632093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177648067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177661896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177691936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177692890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177720070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177750111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177759886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177779913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177813053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177826881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177843094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177872896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177886009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177905083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177932978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177947044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.177961111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.177989960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178009033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178018093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178050995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178066015 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178081036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178109884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178122997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178139925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178169012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178188086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178198099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178226948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178246021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178255081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178287983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178303957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178318024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178347111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178361893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178375006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178406000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178421974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178433895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178463936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178479910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178497076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178529024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178544044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178560972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178589106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178596973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178618908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178647995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178653955 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178675890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178704977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178726912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178734064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178767920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178774118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178797960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178828001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178833961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178857088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178888083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178903103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178920031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178949118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.178960085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.178978920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179011106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179022074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.179044962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179074049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179089069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.179101944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179131031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179143906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.179160118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179188013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179202080 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.179215908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.179255962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.179982901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180017948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180046082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180068016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.180077076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180107117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180123091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.180136919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180165052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180192947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180208921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.180227041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180257082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180259943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.180285931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.180293083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.180357933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.182111025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346199036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346224070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346245050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346268892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346290112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346309900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346330881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346366882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346376896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346427917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346435070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346441984 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346585035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346607924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346631050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346654892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346677065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346692085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346700907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346710920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346725941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346765995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346777916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346807957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346829891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346848011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346851110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346873999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346887112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346894979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346915960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346930981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346939087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346961975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.346976995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.346982956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347006083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347023964 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347026110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347049952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347060919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347074032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347095966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347111940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347120047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347142935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347146988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347165108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347186089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347193956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347207069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347234011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347239017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347255945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347276926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347286940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347302914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347325087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347340107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347347975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347369909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347383976 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347390890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347413063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347426891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347434044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347457886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347474098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347481012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347505093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347518921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347527027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347548962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347562075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347572088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347594976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347606897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347615004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347637892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347652912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347661018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347685099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347700119 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347707033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347728014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347744942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347748995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347770929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347784996 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347791910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347814083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347827911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347837925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347861052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347862959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347882986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347903967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347925901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347927094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347948074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347969055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.347975016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.347992897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348011971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348018885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348042011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348057985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348062992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348084927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348099947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348108053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348129988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348143101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348150969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348174095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348187923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348196983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348222017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348226070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348243952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348264933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348283052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348288059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348309994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348325014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348331928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348352909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348372936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348378897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348403931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348412037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348424911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348464012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348485947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348489046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348507881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348509073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348532915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348555088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348579884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348581076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348594904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348604918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348628998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348651886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348670006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348673105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348696947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348710060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348718882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348743916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348752022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348771095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348797083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348798037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348819017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348840952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348862886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348862886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348887920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348901033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348911047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348932981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348957062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.348969936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.348980904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349004030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349006891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349028111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349041939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349050999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349072933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349087954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349095106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349117994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349134922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349143028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349168062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349179029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349190950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349215031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349227905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349240065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349262953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349267006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349287033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349308014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349327087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349332094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349355936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349378109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349406004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349421978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349441051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349447966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349472046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349483967 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349494934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349519014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349535942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349539995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349565029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349581003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349586964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349612951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349631071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349636078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349659920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349680901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349684000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349704981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349723101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349728107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349750996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349772930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349781990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349797964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349816084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349821091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349844933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349857092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349867105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349889994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349911928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349919081 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349936008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349942923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.349958897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.349982977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350001097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350007057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350059986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350784063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350812912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350835085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350856066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350858927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350878954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350899935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350903034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350924015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350946903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350950956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.350987911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.350999117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351032019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351052999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351070881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.351073027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351094961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351115942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351130962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.351140022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351161957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351164103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.351185083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.351202965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.351258039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.356858969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357291937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357321978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357342958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357367992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357388973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357408047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357422113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357446909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357460022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357467890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357492924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357500076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357516050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357538939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357563019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357564926 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357588053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357609034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357613087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357629061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357636929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357651949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357661009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357683897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357696056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357707024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357717991 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357729912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357753038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357768059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357775927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357785940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357801914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357825994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357839108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357850075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357872963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357876062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357896090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357914925 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357917070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357940912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357963085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.357965946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.357989073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358011007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358016014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358031988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358033895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358057022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358072042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358079910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358093023 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358103037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358127117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358143091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358149052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358175039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358197927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358216047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358221054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358239889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358246088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358268976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358285904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358292103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358315945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358330965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358338118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358352900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358364105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358386993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358396053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358412027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358433962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358433008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358457088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358470917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358479023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358503103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358520031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358525038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358550072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358556986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358575106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358577013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358597994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358618021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358619928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358629942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358642101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358664989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358688116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358700037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358709097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358726978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358735085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358761072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358771086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358783007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358804941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358819008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358828068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358844995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358851910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358875990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358889103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358897924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358923912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358932972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358948946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358963013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.358973026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.358994961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359016895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359018087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359040022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359060049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359062910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359081984 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359086037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359111071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359124899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359134912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359158039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359172106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359179974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359194040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359204054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359225035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359239101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359247923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359270096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359287024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359294891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359302998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359318018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359337091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359359026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359370947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359383106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359409094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359431982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359451056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359455109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359478951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359489918 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359503031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359517097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359527111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359550953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359559059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359575033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359600067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359600067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359622955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359637022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359644890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359668970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359677076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359692097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359693050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359713078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359735966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359756947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359759092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359783888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359792948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359808922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359814882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359831095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359853029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359855890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359874964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359889030 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359899044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359921932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359935999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359946012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359952927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.359972000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.359996080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360007048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360018015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360027075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360043049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360119104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360122919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360127926 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360148907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360172033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360186100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360193014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360194921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360241890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360253096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360258102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360291958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360310078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360315084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360340118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360353947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360363007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360366106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360388041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360410929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360433102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360433102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360455036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360456944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360475063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360500097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360517979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360522032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360547066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360562086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360569954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360593081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360599041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360615015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360629082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360637903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360658884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360683918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360699892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360708952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360717058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360733032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360749960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360758066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360784054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360788107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360816956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360824108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360847950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360853910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360867023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360888004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360889912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360914946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.360932112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.360969067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361013889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361733913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361758947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361780882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361804008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361819029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361826897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361850977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361872911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361872911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361895084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361915112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361921072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361936092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361944914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361967087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.361985922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.361989021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362014055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362037897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362050056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362060070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362082958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362082958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362098932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362107992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362132072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362147093 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362153053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362169981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362176895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362200022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362220049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362222910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362246037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362261057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362267971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362284899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362293959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362318039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362329960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362339973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362361908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362366915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362385988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362406969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362407923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362431049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362447977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362453938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362478971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362479925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.362523079 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.362556934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.523947954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524013042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524050951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524091959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524127960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524144888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524178028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524183989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524189949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524194002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524198055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524221897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524245024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524265051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524302959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524343014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524374008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524379015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524383068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524389982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524394989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524418116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524439096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524456024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524471998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524504900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524512053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524549007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524559975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524590969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524605036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524629116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524647951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524667978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524682999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524705887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524724960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524744034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.524764061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.524796963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.527843952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.527894974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.527932882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.527945042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.527955055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.527972937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.527995110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528011084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528028965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528048992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528067112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528089046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528105974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528127909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528141975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528178930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528181076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528223038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528238058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528260946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528279066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528301954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528316021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528341055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528356075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528378963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528394938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528417110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528454065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528454065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528476954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528501034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528501034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528543949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528582096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528599977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528608084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528621912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528645992 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528660059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528678894 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528697968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528712034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528737068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528759956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528774977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528794050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528821945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528837919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528865099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528878927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528902054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528918982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528942108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528955936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.528981924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.528995991 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529019117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529036999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529058933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529079914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529095888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529114962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529144049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529150009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529186964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529200077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529223919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529241085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529263020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529282093 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529303074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529316902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529340982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529359102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529378891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529392958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529449940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529464006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529489994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529511929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529527903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529547930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529567003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529589891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529606104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529654980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529683113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529690027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529697895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529706001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529736042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529757023 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529774904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529792070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529813051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529830933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529850960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529870033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529889107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529903889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529927015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529946089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.529974937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.529983044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530016899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530030966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530054092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530073881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530092001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530107975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530129910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530147076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530167103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530183077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530206919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530220985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530244112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530261040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530292034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530299902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530334949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530349016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530373096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530395031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530411005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530426025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530450106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530462027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530487061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530504942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530530930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530545950 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530569077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530586004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530616999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530632019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530659914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530675888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530699968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530736923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530766964 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530776024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530777931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530785084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530814886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530833006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530853987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530869007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530891895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530906916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530939102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530942917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.530982018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.530992985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531022072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531035900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531061888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531075001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531099081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531116009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531136036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531152010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531173944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531188965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531213045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531227112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531259060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531265020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531301022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531316042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531337976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531354904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531377077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531389952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531414032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531430006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531450987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531466007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531488895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531503916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531527042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531542063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531584024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531599998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531626940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531641006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531662941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531680107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531712055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531723022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531754971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531769991 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531793118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531831026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531867027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531867981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531876087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531882048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531904936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531923056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531943083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531956911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.531980038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.531994104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532027006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532032013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532068968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532083035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532105923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532121897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532161951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532171011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532203913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532217979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532242060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532269001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532283068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532299042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532320976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532358885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532360077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532397032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532397985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532423019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532438040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532459021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532485008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532500982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532527924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532537937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532566071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532588005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532605886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532632113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532644033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532670975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532682896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532717943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532721043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532757044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532757998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532773018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532804966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532807112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532846928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532862902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532883883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532924891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532948017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.532963991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.532991886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533003092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533031940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533041000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533051014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533080101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533118010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533126116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533139944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533169985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533183098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533205986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533226967 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533243895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533262968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533282042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533296108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533318996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533343077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533354998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533381939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533421993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533463955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533464909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533480883 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533510923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533526897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533552885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533575058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533591986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533613920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533629894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533638000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533668995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533684969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533706903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533721924 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533745050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533760071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533782005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533797979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533828974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533833981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533870935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533885956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533909082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533926010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533946991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.533962965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.533984900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534002066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534020901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534041882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534060955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534089088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534115076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534145117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534172058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534185886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534188032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534213066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534221888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534246922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534260035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534265041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534297943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534316063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534344912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534356117 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534388065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534401894 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534425020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534440994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534462929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534480095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534501076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534524918 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534537077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534562111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534576893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534593105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534615993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534638882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534663916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.534672976 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.534718990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.537139893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.537184954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.537221909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.537223101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.537244081 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.537269115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.537589073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.537738085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539175034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539247036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539295912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539346933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539397001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539422989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539433002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539458990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539489031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539558887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539599895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539655924 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539664984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539715052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539756060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539773941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539792061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539813995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539829969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539849043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539866924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539896011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539904118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539921045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539942026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.539966106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539988995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.539994955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540071964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540108919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540127039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540201902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540273905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540359974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540425062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540443897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540482998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540538073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540591002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540592909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540644884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540671110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540730953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540726900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540786982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540790081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540827036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540864944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540878057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540889978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540930033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540946007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.540966988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.540983915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541003942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541035891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541040897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541078091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541105032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541124105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541166067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541166067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541191101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541202068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541223049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541240931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541253090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541279078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541295052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541313887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541344881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541352034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541366100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541404009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541414976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541459084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541472912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541498899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541515112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541537046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541553974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541583061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541595936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541620016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541635036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541657925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541675091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541693926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.541709900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.541747093 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.542356014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.542407990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.542619944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.542674065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.542747021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.542809010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.542912006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.542973042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543020964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543073893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543075085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543112993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543128014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543149948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543163061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543186903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543200970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543222904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543240070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543279886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543282032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543333054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543564081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543606997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543622971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543646097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543663025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543701887 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543797970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543839931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543853998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543879032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543891907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543915033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.543930054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543967009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.543967962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544007063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544020891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544042110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544058084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544090033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544104099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544131994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544145107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544167995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544183016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544204950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544219971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544241905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544262886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544277906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544296026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544316053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544328928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544353008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544368029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544399023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544404984 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544440985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544452906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544476032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544493914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544513941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544531107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544550896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544569016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544589043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544604063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544625998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544646978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544663906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544692993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544709921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544732094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544751883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544765949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544789076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544806004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544826031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544842958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544863939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544881105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544899940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544922113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544936895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544954062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.544974089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.544989109 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545032024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545044899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545072079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545084000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545108080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545125961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545154095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545169115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545196056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545211077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545233011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545250893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545270920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545285940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545309067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545325994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545345068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545358896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545399904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545406103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545447111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545460939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545485020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545500994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545531988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545538902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545584917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545600891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545624971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545659065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545661926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545697927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545700073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545713902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545737028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545753002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545774937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545799017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545811892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545833111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545857906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545861006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545902967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545918941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545938969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545954943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.545975924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.545989037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546014071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546030998 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546051025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546080112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546087980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546113014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546127081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546139002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546176910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546181917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546219110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.546232939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.546272993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.701781034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.701843023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.701914072 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.701942921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.701956987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702014923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702020884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702061892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702081919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702099085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702119112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702136993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702157974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702173948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702188969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702210903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702229977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702249050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702286005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702297926 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702307940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702332973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702347994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702374935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702393055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702411890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.702433109 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.702467918 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.711528063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.711594105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.711628914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.711657047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714164019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714282990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714320898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714363098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714399099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714452982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714464903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714545012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714675903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714750051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714752913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714823008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714864969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.714936972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.714962006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715032101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715331078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715373993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715399981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715415955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715435028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715471029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715715885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715786934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715862989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715903997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715929031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715941906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715972900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.715981960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.715985060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716073036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716231108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716294050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716298103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716336966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716351032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716373920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716392994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716412067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716434956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716470957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716514111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716579914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716763973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716809034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716823101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716849089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716866016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716886044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716906071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716932058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716941118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.716973066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.716988087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717010975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717026949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717048883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717067003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717087030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717111111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717123032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717133045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717160940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717179060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717199087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717215061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717246056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717255116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717288017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717302084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717324972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717339993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717361927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717375994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717432976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717433929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717473030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717493057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717509031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717526913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717546940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717583895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717590094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717607021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717633009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717639923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717674971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717689037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717711926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717729092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717752934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717788935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717789888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717807055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717828989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717854977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717866898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717885017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717905998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717924118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717952013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.717967033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.717993975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718029976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718036890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718050003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718066931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718085051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718103886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718127012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718139887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718154907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718178988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718200922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718214989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718238115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718282938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718295097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718353033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718415022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718472958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718483925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718542099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718560934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718619108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718669891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718725920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718729973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718790054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718799114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718835115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718856096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718887091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718888998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718926907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718940973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.718962908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.718978882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719008923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719013929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719050884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719064951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719086885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719106913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719125032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719146013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719163895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719178915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719198942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719237089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719274044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719315052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719320059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719364882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719388008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719399929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719400883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719439030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719444036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719459057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719475985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719481945 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719511986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719531059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719548941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719564915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719587088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719603062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719635010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719640017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719676971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719691992 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719713926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719737053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719750881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719786882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719788074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719801903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719825029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719840050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719861984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719877958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719898939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719914913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719945908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.719960928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.719986916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720001936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720025063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720040083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720062971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720077038 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720099926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720117092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720139980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720155954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720177889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720194101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720215082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720232010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720262051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720268011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720303059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720319033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720339060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720359087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720376015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720391035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720412016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720448017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720454931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720484972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720504999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720523119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720560074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720571041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720597029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720614910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720640898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720668077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720704079 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720715046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720716953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720757961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720772028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720794916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720813036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720832109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720853090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720870018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720892906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720905066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720927954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720942974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720961094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.720978975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.720995903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721026897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721031904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721066952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721102953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721115112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721127987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721141100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721157074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721178055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721204042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721216917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721242905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721255064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721278906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721292019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.721306086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.721347094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.722135067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.722948074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723017931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723020077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723076105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723165035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723207951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723228931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723246098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723273993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723309040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723376989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723448038 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723462105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723521948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723543882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723608017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723670006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723727942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723737955 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723766088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723783970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723803997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723819017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723839998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723858118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723887920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723896027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723928928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723944902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.723965883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.723982096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724030018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724178076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724234104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724292040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724348068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724379063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724435091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724522114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724565983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724582911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724620104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724730015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724792957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724847078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.724900007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.724998951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725054026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725198984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725240946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725258112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725277901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725303888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725313902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725339890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725351095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725372076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725405931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725418091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725466967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725476980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725508928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725523949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725545883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725578070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725584030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725600004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725624084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725645065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725661039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725681067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725698948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725718975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725735903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725755930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725784063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725789070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725824118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725837946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725860119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725877047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725898027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725914955 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725936890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725955963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.725972891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.725996017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726010084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726026058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726047039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726066113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726093054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726099014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726135015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726151943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726171017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726207972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726207972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726227045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726248980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726264000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726284981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726301908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726322889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726339102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726360083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726381063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726406097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726413012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726448059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726460934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726484060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726500988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726525068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726542950 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726562977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726583958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726598978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726638079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726644993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726655006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726674080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726691008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726721048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726725101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726762056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726797104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726802111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726835012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726835012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726855993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726872921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726890087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726908922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726927996 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.726947069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726983070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.726988077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727001905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727029085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727044106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727071047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727086067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727117062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727133989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727149963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727154016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727164030 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727168083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727185965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727200985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727202892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727224112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727233887 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727242947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727252007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727261066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727277994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727291107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727298021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727305889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727315903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727334976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727340937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727353096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727370977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727372885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727387905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727400064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727417946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727422953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727436066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727452993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727469921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727473974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727487087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727504015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727507114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727519989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727521896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727541924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727554083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727561951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.727585077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.727617979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879436016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879527092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879585981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879631996 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879698992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879769087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879770041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879826069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879837990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879879951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879893064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879916906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879940987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879955053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.879972935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.879995108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880012035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880031109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880049944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880072117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880109072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880135059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880155087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880177975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880198956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880213022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880235910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880249977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880275011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880290031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880312920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880336046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880348921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880378008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880387068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880409956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880424976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880443096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880472898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880474091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880516052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.880532980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.880573034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.888473034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.888537884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.888556957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.888595104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898591995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898647070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898684978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898740053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898771048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898777008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898782969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898847103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898885965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898940086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898941040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.898977995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.898994923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899024963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899024963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899089098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899210930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899266005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899316072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899354935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899370909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899394035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899418116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899437904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899466991 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899496078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899552107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899595022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899610043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899632931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899656057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899671078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899686098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899708986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899727106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899770975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899828911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899868011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899883032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899905920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899914980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899960995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.899974108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.899997950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900022030 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900033951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900048971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900072098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900094986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900109053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900124073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900156021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900161028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900197983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900212049 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900234938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900254011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900271893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900285959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900310040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900322914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900345087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900358915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900382996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900392056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900419950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900434971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900460958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900468111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900509119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900523901 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900546074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900559902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900583982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900599957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900624037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.900638103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.900676012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.905638933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.905711889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.905822039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.905885935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.905919075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.905960083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.905997992 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906008959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906080961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906141043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906267881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906308889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906346083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906357050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906367064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906383038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906404972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906433105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906440973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906476974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906486988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906516075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906537056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906553984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906569004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906593084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906610012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906631947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906637907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906671047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906683922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906708002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906724930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906757116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906774044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906822920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906830072 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906864882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906878948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906902075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906907082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906939030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.906954050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.906976938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907000065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907013893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907040119 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907052994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907067060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907090902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907104969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907134056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907138109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907181025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907195091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907217026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907232046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907255888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907272100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907294035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907320023 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907330036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907349110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907371044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907386065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907407999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907437086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907454967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907474995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907497883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907514095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907533884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907551050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907572031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907591105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907609940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907639027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907649040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907665014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907686949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907704115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907723904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907741070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907766104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907772064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907814026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907825947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907850027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907865047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907887936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907924891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907960892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.907960892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907995939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.907999039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908016920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908037901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908051014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908083916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908092022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908126116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908142090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908163071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908176899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908200979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908220053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908238888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908273935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908274889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908284903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908313036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908333063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908350945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908365011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908399105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908406019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908441067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908454895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908478022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908490896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908515930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908533096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908554077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908567905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908591032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908607960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908628941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908643007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908665895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908683062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908714056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908721924 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908760071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908772945 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908780098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908799887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908818007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908818007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908837080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908855915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908855915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908874989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908893108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908900976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908905029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908922911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908941031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908943892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908961058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908961058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908982038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.908997059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.908999920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909019947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909039021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909050941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909060955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909065962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909082890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909094095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909106970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909126997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909140110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909141064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909157991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909172058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909176111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909189939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909193993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909214020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:50.909226894 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909252882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:50.909288883 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058626890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058689117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058727026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058763027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058809996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058850050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058886051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058923006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058940887 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058960915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.058981895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058988094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058993101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058998108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.058999062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059015989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059037924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059065104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059073925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059098959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059122086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059139013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059164047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059179068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059200048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059225082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059237957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059259892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059274912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059292078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059310913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059336901 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059348106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059369087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059386015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059402943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059433937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059441090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059482098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059504986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059545040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059557915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059581041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059611082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059619904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059659958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059705973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059747934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059782982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059820890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059859037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059879065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.059896946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059935093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.059971094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060015917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060046911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060056925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060094118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060131073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060129881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060167074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060188055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060203075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060240030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060261011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060276031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060323000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060353041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060364962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060401917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060426950 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060440063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060476065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060498953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060512066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060549021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060569048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060585022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060631990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060647964 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060674906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060710907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060734987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060791016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060831070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060853958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060867071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060904980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060928106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.060941935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.060977936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061000109 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061016083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061053038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061073065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061099052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061139107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061160088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061176062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061213017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061232090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061249971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061285973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061311007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061322927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061359882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061381102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061464071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061503887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061527014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061541080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061578989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061613083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061635017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061676979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061703920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061712980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061760902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061769962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061803102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061839104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061860085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061876059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061913013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061942101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.061949968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.061986923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.062011003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.062024117 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.062071085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.062086105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.062113047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.062150002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.062170982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.065534115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.065597057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.065630913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.077722073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.077816010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.077852011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.077898979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.077910900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.077933073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.077945948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.077997923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078006029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078074932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078120947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078128099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078151941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078195095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078203917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078250885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078305960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078309059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078360081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078413010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078416109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078454971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078484058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078504086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078512907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078553915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078567982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078582048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078612089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078634024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078641891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078679085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078695059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078711987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078739882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078761101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078769922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078799009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078821898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078828096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078857899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078882933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078885078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078922033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.078938007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.078989029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079018116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079044104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.079070091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079121113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.079122066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079169989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079202890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079226017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.079251051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079288006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079303026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.079325914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.079380989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.085964918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086415052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086479902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.086606979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086671114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086709023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086729050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.086745977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086785078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.086807966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.086961985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087003946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087016106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.087160110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087212086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.087244987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087306023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087361097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.087385893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087652922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087697983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087711096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.087734938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087794065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.087951899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.087995052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088032007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088048935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088068008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088104010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088120937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088140965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088186979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088192940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088227987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088263988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088279963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088300943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088337898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088359118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088376045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088413000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088428020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088449955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088496923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088505030 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088537931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088573933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088589907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088610888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088649988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088664055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088685989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088721991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088741064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088758945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088804960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088814020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088845968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088882923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088897943 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088920116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088957071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.088970900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.088993073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089030027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089046001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089066029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089112997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089117050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089154959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089190960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089207888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089226961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089263916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089286089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089299917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089335918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089353085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089371920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089442968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089457035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089504957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089545965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089565039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089581966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089627028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089647055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089658976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089689016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089720011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089729071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089752913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089778900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089792967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089828968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089844942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089859009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089905024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089922905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089937925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089967966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.089986086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.089998960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090029955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090053082 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090061903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090101004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090115070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090135098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090164900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090189934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090198040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090230942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090254068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090260983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090291977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090310097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090322971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090362072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090377092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090396881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090428114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090459108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090465069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090491056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090512037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090522051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090553999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090584993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090589046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090625048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090639114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.090661049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090707064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.090730906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.142512083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.146996975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.155014038 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.239335060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239486933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239551067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239588976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239635944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239633083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.239680052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.239684105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.239738941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.239905119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240072012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240128994 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.240206957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240283966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240348101 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.240587950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240631104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240668058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240686893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.240835905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240880966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240896940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.240919113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240956068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.240972042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.240993977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241029024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241048098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241065979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241102934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241122961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241151094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241192102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241206884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241228104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241265059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241277933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241302013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241337061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241357088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241374016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241434097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241446018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241482019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241527081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241534948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241569042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241605043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241627932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241652966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241691113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241709948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241727114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241766930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241782904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241812944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241849899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241872072 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241887093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241925001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.241940975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.241971016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242012024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242026091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242048979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242085934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242101908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242122889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242158890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242175102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242197037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242254019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242259979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242321014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242357969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242381096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242403984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242464066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242468119 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242502928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242537975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242558002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242575884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242613077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242630005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242651939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242688894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242707014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242726088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242772102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242779970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242814064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242850065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242867947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242887020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242923975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242939949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.242960930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.242997885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243021011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243035078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243081093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243096113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243123055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243159056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243181944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243196011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243233919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243248940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243269920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243307114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243325949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243344069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243390083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243402004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243432999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243469000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243486881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243505001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243541956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243561029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243577957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243617058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243642092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243654966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243700981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243716002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243741989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243778944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243798971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.243815899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243853092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.243872881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.246277094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256290913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256366968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256448030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256475925 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256500959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256531000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256534100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256558895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256597042 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256637096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256700993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256706953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256742954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256772041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256798983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256809950 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256828070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256858110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256869078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256923914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.256925106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256952047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.256979942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257005930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257008076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257033110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257059097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257066965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257086992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257118940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257121086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257150888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257178068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257179022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257205009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257231951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257231951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257260084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257287025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257287979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257313967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257343054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257349014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257379055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257404089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257431030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257458925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257483959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257484913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257513046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257538080 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257546902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257576942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257599115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257603884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257631063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257658005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257659912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257687092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257713079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257714987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.257740974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.257778883 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.258816004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.267446995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.267488956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.267525911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.267563105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.267565966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.267606020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.267843962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.267906904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.267946005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268100977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268161058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268162012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268199921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268246889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268255949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268289089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268325090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268343925 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268362045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268405914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268414021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268505096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268558025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268558979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268596888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268632889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268652916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268737078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268774033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268790007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268810987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268865108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.268868923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.268944979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269006014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269045115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269083023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269119978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269135952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269155979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269210100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269220114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269298077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269335985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269364119 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269464016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269510031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269532919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269617081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269681931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269699097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269723892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269759893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269778967 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269798040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.269897938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.269936085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270102978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270169020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270237923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270278931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270315886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270354033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270402908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270447016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270484924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270483017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270524025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270574093 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270581961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270586014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270612001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270656109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270693064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270730019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270735025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270768881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270806074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270809889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270843983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270898104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270937920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270944118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.270952940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.270987988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271027088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271063089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271105051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271110058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271142006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271177053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271181107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271219015 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271219969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271269083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271316051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271353006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271322966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271390915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271428108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271429062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271467924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271502018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271507025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271544933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271548033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271591902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271639109 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271651983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271694899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271733046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271733046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271771908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271810055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271847963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271848917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271884918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271889925 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271933079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.271971941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.271975994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272027016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272064924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272070885 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.272104979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272141933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272146940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.272181034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272219896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272259951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.272268057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272310972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272315025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.272350073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272387028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272425890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.272428989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.272495985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.288847923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.331885099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.377036095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.420806885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.420864105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.420900106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.420998096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421094894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421120882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421170950 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421197891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421273947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421318054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421372890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421488047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421488047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421565056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421657085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421677113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421720982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421799898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421816111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421873093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421911955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.421961069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.421977997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422041893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422058105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422107935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422189951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422233105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422339916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422424078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422424078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422507048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422545910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422581911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422596931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422619104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422657013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422694921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422698975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422740936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422782898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422816992 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422820091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422857046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422884941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422894955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422930002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.422950983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.422967911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423005104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423022032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423051119 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423089981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423091888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423130035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423151016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423166990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423203945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423238993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423257113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423275948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423314095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423360109 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423361063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423403978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423439980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423480034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423496962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423517942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423553944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423590899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423625946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423626900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423676968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423707962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423717976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423755884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423779011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423793077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423829079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423866034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423882961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423902988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423939943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.423981905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.423985958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424027920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424063921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424101114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424115896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424139023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424175024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424206018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424211979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424249887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424268007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424295902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424338102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424339056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424375057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424396038 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424412012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424467087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424501896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424516916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424540043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424577951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424612999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424624920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424668074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424670935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424705029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424741030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424742937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424777985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424801111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424813986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424850941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424886942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424905062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.424932957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.424973965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425004005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.425010920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425049067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425065041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.425086975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425122023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425132036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.425159931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425196886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.425199032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.425256968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.432830095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.434581995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434628010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434683084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434714079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434727907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.434760094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434766054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.434819937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434824944 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.434887886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434942007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.434950113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435017109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435081005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435086966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435133934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435199976 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435201883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435247898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435277939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435307026 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435317993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435348034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435375929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435404062 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435404062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435432911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435453892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435487032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435502052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435527086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435556889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435592890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435592890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435626030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435652018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435653925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435687065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435715914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435728073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435745001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435775042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435786963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435806036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435842037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435844898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435873985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435903072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435915947 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435933113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435961962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.435969114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.435991049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436021090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436023951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.436049938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436080933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.436088085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436122894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436151981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436181068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436196089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.436209917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436209917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.436239004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.436278105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.445601940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.449803114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.449903011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450037956 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450067997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450082064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450170994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450201988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450206041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450241089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450263977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450273991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450316906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450330973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450354099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450408936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450712919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450829983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450875998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450906038 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450911999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450948000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.450973988 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.450982094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451015949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451041937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451049089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451083899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451116085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451117039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451167107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451185942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451205969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451237917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451272011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451284885 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451304913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451332092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451338053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451373100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451397896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451406956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451448917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451463938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451486111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451519966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451544046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451554060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451587915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451612949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451621056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451682091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451704979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451719046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451766968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451786041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451814890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451852083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451872110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451889992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451926947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451952934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.451961994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.451999903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452019930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452037096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452083111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452104092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452125072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452162027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452182055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452214003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452250957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452281952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452286959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452325106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452359915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452382088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452406883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452430010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452449083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452485085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452512980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452523947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452560902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452583075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452604055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452645063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452663898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452686071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452732086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452748060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452773094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452809095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452836990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452847958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452892065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452908993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.452928066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452965021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.452992916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453001976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453047991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453057051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453089952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453125954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453151941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453162909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453200102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453222990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453234911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453274012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453295946 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453309059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453356981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453372002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453425884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453468084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453504086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453505993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453540087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453567028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453577042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453624010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453638077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453665018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453702927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453735113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453738928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453777075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453799963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453813076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453850031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453870058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453886986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453933001 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.453952074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.453974962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.454010963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.454034090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.463582039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.554037094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.554090977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.554341078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.602883101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.602936983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.602974892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603010893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603049040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603085995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603132963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603194952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603198051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603244066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603245974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603252888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603281975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603318930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603319883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603358030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603420973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603439093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603523970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603560925 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603657961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603673935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603744030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603811979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603827953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603851080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603888988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603924036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.603946924 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.603961945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604012966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604027987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604106903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604185104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604226112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604264021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604300022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604345083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604346991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604388952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604435921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604482889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604497910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604587078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604628086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604662895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604669094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604711056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604753017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604759932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604789972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604826927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604856968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604866028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604902029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604918957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.604939938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.604976892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605000973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605024099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605067015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605070114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605103970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605140924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605153084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605195999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605232000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605268955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605284929 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605307102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605341911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605379105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605385065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605460882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605465889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605504036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605541945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605577946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605613947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605629921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605652094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605690956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605731010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605736971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605779886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605815887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605853081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605875969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605890036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605926037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605962992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.605983019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.605999947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606046915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606049061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606089115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606116056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606126070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606163979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606200933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606236935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606257915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606273890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606312037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606358051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606360912 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606400013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606436968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606473923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606492043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606512070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606548071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606585026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606590033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606621981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606667995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606710911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606713057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606748104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606786013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606815100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606822014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606858969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606875896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606897116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606934071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.606949091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.606981039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.607008934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.607021093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.607058048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.607074022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.607172012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613014936 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613095999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613162041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613210917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613284111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613322020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613342047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613358021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613373041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613452911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613461971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613535881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613537073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613600016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613653898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613671064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613694906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613720894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613758087 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613768101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613816023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613826036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613853931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613883972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613909960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613917112 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.613939047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613965034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.613966942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614006996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614013910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614065886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614095926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614129066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614130974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614159107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614185095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614196062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614248037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614274025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614305019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614330053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614363909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614372015 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614394903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614420891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614433050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614449024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614476919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614479065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614504099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614531040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614538908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614558935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614588976 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614593029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614623070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614650011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614664078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614679098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614706993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614717960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614732981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614759922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.614768028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.614823103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.616846085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.623219013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.623260975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.623348951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.630763054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.630850077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.630887032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.630937099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.630975008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631036043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631056070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631091118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631092072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631102085 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631155968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631217003 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631238937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631292105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631326914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631346941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631359100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631402016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631412029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631439924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631473064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631494045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631505966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631556988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631558895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631592035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631623983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631642103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631665945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631700993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631722927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631751060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631786108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631817102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.631937981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.631994963 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.632173061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632239103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632272959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632297039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.632395029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632466078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.632594109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632632017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632673025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632698059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.632781982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.632853031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.632965088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633037090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633071899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633110046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633121014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633158922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633184910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633194923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633234024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633259058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633270979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633317947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633335114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633358955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633421898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633423090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633460999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633497953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633527040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633553982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633589983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633620977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633626938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633671999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633690119 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633740902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633783102 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633800983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633819103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633857012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633883953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633893967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633929968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.633953094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.633966923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634005070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634025097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634051085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634092093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634114981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634128094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634166002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634191990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634202003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634238005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634258032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634274960 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634310961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634336948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634356022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634397030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634416103 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634434938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634470940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634494066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634507895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634543896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634572029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634581089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634618998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634641886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634665012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634720087 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634737968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634757042 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634802103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634814024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634844065 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634880066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634907961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634917974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634954929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.634979010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.634990931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635029078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635046959 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.635066032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635112047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635128021 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.635153055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635190010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635217905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.635229111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635266066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635293007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.635303020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635340929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635363102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.635377884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.635441065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.647599936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.731735945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.731801033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.731988907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.783893108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784063101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784118891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784153938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784187078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.784275055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.784315109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784435987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784532070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.784552097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784738064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.784832001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.784965992 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.785196066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.785293102 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.785345078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786034107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786092043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786123037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786128044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786165953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786201954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786206961 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786248922 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786271095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786289930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786326885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786358118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786364079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786402941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786437988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786442041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786474943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786511898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786513090 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786557913 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786587000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786598921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786636114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786673069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786674976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786715984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786751032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786752939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786787987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786823988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786839962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786870956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786911011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786916971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.786947966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786984921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.786995888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787024021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787060022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787096024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787132025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787180901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787184954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787219048 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787223101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787225962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787288904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787318945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787348986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787389040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787426949 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787432909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787465096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787503958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787508011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787543058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787590027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787628889 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787632942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787669897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787676096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787710905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787714005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787749052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787786961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787822008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787825108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787863016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787908077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.787909985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787952900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787991047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.787991047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788028955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788034916 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788068056 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788108110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788113117 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788146973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788186073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788230896 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788232088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788276911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788315058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788352966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788391113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788395882 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788428068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788466930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788471937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788484097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788487911 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788505077 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788551092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788592100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788600922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788629055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788666010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788675070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788707018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788743019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788749933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788780928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788817883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788825989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788866043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788907051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788913012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.788944006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788980961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.788984060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.789017916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789052963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789060116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.789089918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789127111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789128065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.789172888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789207935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.789215088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789251089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789288044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.789293051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.789369106 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.791533947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.791599989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.791722059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.791723967 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.791867018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.791959047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.791979074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792114973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792157888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792196035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792211056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792232037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792268991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792299986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792360067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792371988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792454958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792525053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792597055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792663097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792706966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792742014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792743921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792788029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792814970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792845011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792920113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792922974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.792962074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.792998075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793035030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793049097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793071985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793092012 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793107033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793143988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793180943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793212891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793226004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793267965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793281078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793303967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793340921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793349981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793378115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793411016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793432951 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793481112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793507099 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793521881 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793559074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793596029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793596983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793634892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793669939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793670893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793710947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793746948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793745995 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793793917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793812990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793818951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793831110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793847084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793863058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793879032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.793879986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793916941 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.793930054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.799453020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.800024986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.800041914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.800117016 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812182903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812210083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812230110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812252998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812269926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812302113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812325954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812347889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812381983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812382936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812407017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812407970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812412024 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812432051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812453985 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812473059 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812474966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812515974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812608957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812638044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812680960 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812688112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812720060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812741995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812751055 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812777996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812805891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812807083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812828064 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812860012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812865019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812886953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812913895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812917948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812936068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.812978029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.812982082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813026905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813043118 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813080072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813141108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813174009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813237906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813270092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813291073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813296080 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813314915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813349962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813358068 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813375950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813416004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813419104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813446999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813471079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813472986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813493967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813515902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813522100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813538074 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813559055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813577890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813595057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813617945 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813618898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813644886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813677073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813679934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813736916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813741922 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813771009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813822031 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813828945 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813863039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813921928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.813934088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.813960075 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814028025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814039946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814068079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814096928 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814115047 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814126968 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814177990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814181089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814239979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814268112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814291954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814296961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814332962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814354897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814426899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814481020 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814508915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814685106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814719915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814745903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814749002 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814779043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814807892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814817905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814837933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814862013 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814872980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814905882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814929008 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814934969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814965963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.814995050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.814996004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815025091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815052032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815053940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815083981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815119028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815119982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815152884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815181017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815187931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815210104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815238953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815246105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815268040 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815296888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815306902 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815327883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815352917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815365076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815397978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815426111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815428972 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815455914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815478086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815486908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815515995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815542936 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.815545082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.815603018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.824553013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.836124897 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.909137011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.955015898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.966567993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.966624975 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.966717005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.966717958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.966833115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.966907978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.966931105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.966974020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967021942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967063904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.967135906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967206001 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.967386007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967572927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967645884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.967669010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967736006 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967778921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967820883 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.967889071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.967968941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968014002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968017101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968063116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968100071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968106985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968170881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968172073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968214035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968250036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968287945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968323946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968327999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968363047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968368053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968410969 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968413115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968457937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968501091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968537092 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968538046 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968580008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968610048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968636036 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968658924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968677044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968702078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968739986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968761921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968776941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968813896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968848944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968869925 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968885899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968914032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.968923092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968970060 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.968991041 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969012022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969047070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969064951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969084978 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969122887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969140053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969157934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969194889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969216108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969234943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969281912 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969290018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969324112 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969360113 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969402075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969434023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969472885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969489098 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969508886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969544888 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969564915 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969583035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969619036 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969636917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969666004 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969707012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969724894 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969744921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969783068 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969801903 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969819069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969855070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969873905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969892025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969928026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.969948053 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.969974995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970016003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970051050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970057011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970088959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970110893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970125914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970161915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970179081 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970199108 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970235109 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970252037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970282078 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970324039 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970336914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970360041 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970402956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970438957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970443010 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970493078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970515013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970611095 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970649958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970668077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970709085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970747948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970762968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970784903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970822096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970849037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970858097 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970920086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.970923901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.970973015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971014023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971034050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.971050024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971108913 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.971333027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971390009 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971426964 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971446991 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.971465111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971502066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971537113 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.971843958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971884012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971916914 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.971920967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971963882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.971983910 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972009897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972050905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972074986 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972088099 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972126007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972146034 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972162962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972198963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972218990 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972235918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972271919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972290039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972317934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972358942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972388983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972394943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972433090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972455978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972469091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972505093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972541094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972542048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972580910 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972599983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972629070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972668886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972683907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972704887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972744942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972759962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972781897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972817898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972836018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972855091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972891092 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972913980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.972938061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972980022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.972994089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973016977 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973053932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973069906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973090887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973125935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973145962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973162889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973200083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973216057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973247051 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973289013 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973304987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973325014 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973362923 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973381996 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973422050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973459959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973481894 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973495007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973532915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973555088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973568916 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973615885 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973630905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973658085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973692894 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973711014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973736048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973772049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973803043 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.973807096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.973865032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.976809025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.976830959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.976888895 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.977026939 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.989213943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989250898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989275932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989301920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989320040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.989326954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989357948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.989358902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.989422083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.992182016 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992208958 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992269993 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.992320061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992361069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992388010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992413044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992425919 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.992474079 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.992680073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992913961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.992989063 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993012905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993118048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993177891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993240118 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993311882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993345976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993370056 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993483067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993531942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993556023 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993558884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993585110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993617058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993629932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993644953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993670940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993673086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993695974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993725061 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993738890 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993772030 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993779898 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993834972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993879080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.993880987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.993964911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994030952 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994035959 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994066000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994091988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994117022 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994127035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994148970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994170904 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994177103 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994201899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994226933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994240046 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994252920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994277954 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994288921 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994303942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994328976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994333029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994360924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994389057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994389057 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994415998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994441032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994445086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994467020 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994491100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994498014 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994515896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994540930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994543076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994573116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994595051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994602919 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994628906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994653940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994663000 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994678974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994704962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994719028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994731903 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994756937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994771004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994787931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994817019 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994824886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994842052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994867086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994875908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994894981 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994920015 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994929075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.994946957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994971991 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.994982958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995003939 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995024920 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995033979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995059967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995084047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995094061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995110035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995134115 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995136976 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995158911 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995184898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995187044 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995217085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995238066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995244980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995270967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995295048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995301962 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995325089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995348930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995362997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995374918 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995399952 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995413065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995431900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995456934 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995460033 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995486021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995511055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995518923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995537043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995560884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995567083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995587111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995611906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:51.995611906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:51.995666027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.013009071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.013050079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.013132095 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.021286011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.150872946 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.150930882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.150969982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151015997 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151128054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151132107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151207924 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151209116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151256084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151271105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151313066 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151352882 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151391029 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151428938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151457071 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151467085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151490927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151505947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151519060 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151544094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151591063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151592970 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151633024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151669025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151715040 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151717901 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151756048 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151773930 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.151792049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.151844025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.152476072 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152564049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152600050 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152622938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.152781963 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152827024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152844906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.152872086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.152936935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.152937889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153000116 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153053045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.153069973 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153321028 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153362989 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153431892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.153433084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153476000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153541088 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.153620005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153695107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.153702021 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153821945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153858900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153923988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.153984070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154040098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154062033 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154097080 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154164076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154220104 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154225111 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154268980 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154305935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154342890 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154378891 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154424906 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154438019 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154465914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154520035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154542923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154548883 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154556990 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154594898 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154630899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154633999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154675007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154678106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154719114 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154742002 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154757023 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154794931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154830933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154870987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154921055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.154922009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.154959917 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155005932 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155019045 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155024052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155046940 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155076027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155082941 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155118942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155174017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155210018 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155246973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155323982 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155328035 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155338049 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155397892 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155550957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155591011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155606985 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155641079 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155680895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155716896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155771971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155775070 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155812979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155849934 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155854940 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.155888081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155929089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.155960083 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156047106 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156054974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156152010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156157017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156254053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156286955 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156315088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156328917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156351089 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156383038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156393051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156414986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156445026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156465054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156472921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156502008 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156531096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156547070 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156559944 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156599998 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156631947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156652927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156661987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156693935 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156723976 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156752110 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156752110 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156759977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156783104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156810999 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156847000 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156852007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156879902 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156908035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156936884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156936884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156940937 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.156965971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.156995058 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157023907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157042980 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157052994 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157088995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157120943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157140017 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157145023 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157149076 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157150984 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157155037 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157181025 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157208920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157237053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157250881 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157255888 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157258987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157268047 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157296896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157332897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157346964 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157354116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157357931 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157361031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157367945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157417059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157445908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157463074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157468081 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157470942 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157474995 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157505035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157532930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157561064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157562017 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157567978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157572031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157593012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157628059 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.157665968 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157671928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157763004 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157768011 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157771111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.157773018 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166254044 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166295052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166333914 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166342974 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166358948 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166371107 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166384935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166400909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166419029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166431904 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166454077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166460037 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166471958 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166491032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.166510105 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.166541100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169075012 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169132948 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169162035 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169190884 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169219971 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169230938 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169248104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.169261932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169267893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169272900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169277906 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.169320107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.170013905 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172272921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172302961 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172363043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172391891 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172420979 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172425032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172427893 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172457933 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172487974 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172491074 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172509909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172561884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172633886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172663927 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172684908 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172728062 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172749996 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172806025 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172833920 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172892094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172898054 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172920942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172950029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172950983 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.172966957 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.172981024 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173000097 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173019886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173033953 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173053026 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173074007 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173080921 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173106909 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173110962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173134089 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173141956 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173161983 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173171043 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173202038 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173201084 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173217058 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173230886 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173258066 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173294067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173373938 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173435926 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173449039 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173489094 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173638105 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173672915 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173713923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173752069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173825979 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173860073 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173885107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173932076 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.173934937 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.173993111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174007893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174045086 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174072027 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174077034 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174097061 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174159050 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174160957 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174213886 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174228907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174261093 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174283028 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174303055 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174310923 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174345970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174380064 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174416065 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174478054 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174540997 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174578905 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174642086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174721003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174755096 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174783945 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174786091 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174813032 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174823999 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174839973 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174849987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174884081 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174891949 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174913883 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174930096 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174942970 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174947977 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174963951 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.174973011 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.174990892 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175002098 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175031900 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175036907 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175054073 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175060987 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175086975 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175097942 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175121069 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175131083 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175159931 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175163031 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175184965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175189972 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175206900 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175220966 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175250053 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175254107 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175266981 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175280094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175302029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175309896 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175335884 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175347090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175358057 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175381899 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175406933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175410986 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175426006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175441027 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175471067 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175471067 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175498962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175512075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175529003 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175548077 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175558090 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175585032 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175595045 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175625086 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175627947 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175642967 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175657988 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175681114 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175688982 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175717115 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175718069 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175749063 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175750971 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175775051 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175779104 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175808907 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175823927 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175843954 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175844908 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175877094 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175889969 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175904989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175905943 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175921917 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175935984 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175965071 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.175970078 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.175987005 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.176003933 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.190268993 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.190311909 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.190351009 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.190398932 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.335807085 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.335999966 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336035967 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336083889 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336112022 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336121082 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336184978 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336257935 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336288929 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336335897 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336371899 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336373091 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336411953 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336415052 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336450100 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336463928 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336486101 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336502075 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336524010 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336560965 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336560965 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336608887 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336647987 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336649895 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336687088 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336714029 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336725950 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336766005 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336801052 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336802006 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336838007 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336874962 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336877108 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336918116 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336921930 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336965084 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.336985111 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.336999893 CET	443	49716	69.163.232.126	192.168.2.3
Dec 21, 2020 18:26:52.337047100 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.337280989 CET	49716	443	192.168.2.3	69.163.232.126
Dec 21, 2020 18:26:52.819883108 CET	49716	443	192.168.2.3	69.163.232.126

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2020 18:26:40.118257999 CET	58361	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:40.142906904 CET	53	58361	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:40.768302917 CET	63492	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:40.795502901 CET	53	63492	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:41.781184912 CET	60831	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:41.808317900 CET	53	60831	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:42.553375959 CET	60100	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:42.580533028 CET	53	60100	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:43.499001026 CET	53195	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:43.523283005 CET	53	53195	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:45.604991913 CET	50141	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:45.640453100 CET	53	50141	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:45.935240984 CET	53023	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:45.972706079 CET	53	53023	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:46.448302031 CET	49563	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:46.473129034 CET	53	49563	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:46.729326963 CET	51352	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:47.265894890 CET	59349	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:47.290119886 CET	53	59349	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:47.736458063 CET	51352	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:47.802263975 CET	53	51352	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:47.876918077 CET	53	51352	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:48.128508091 CET	57084	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:48.161456108 CET	53	57084	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:49.016043901 CET	58823	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:49.048739910 CET	53	58823	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:49.839714050 CET	57568	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:49.864161968 CET	53	57568	8.8.8.8	192.168.2.3
Dec 21, 2020 18:26:50.707792044 CET	50540	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:26:50.734780073 CET	53	50540	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:13.317308903 CET	54366	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:13.342185020 CET	53	54366	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:16.020639896 CET	53034	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:16.229147911 CET	53	53034	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:19.424324989 CET	57762	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:19.458297968 CET	53	57762	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:29.462865114 CET	55435	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:29.496979952 CET	53	55435	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:31.167972088 CET	50713	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:31.218848944 CET	53	50713	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:48.419850111 CET	56132	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:48.447191954 CET	53	56132	8.8.8.8	192.168.2.3
Dec 21, 2020 18:27:53.284015894 CET	58987	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:27:53.317847013 CET	53	58987	8.8.8.8	192.168.2.3
Dec 21, 2020 18:28:23.758583069 CET	56579	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:28:23.782934904 CET	53	56579	8.8.8.8	192.168.2.3
Dec 21, 2020 18:28:26.594937086 CET	60633	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:28:26.619266033 CET	53	60633	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:32.941464901 CET	61292	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:32.978789091 CET	53	61292	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:33.964984894 CET	63619	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:33.999528885 CET	53	63619	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:35.124053955 CET	64938	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:35.156861067 CET	53	64938	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:36.474616051 CET	61946	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:36.501926899 CET	53	61946	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:37.004018068 CET	64910	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:37.036840916 CET	53	64910	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:39.774065971 CET	52123	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:39.809814930 CET	53	52123	8.8.8.8	192.168.2.3
Dec 21, 2020 18:29:40.595695972 CET	56130	53	192.168.2.3	8.8.8.8
Dec 21, 2020 18:29:40.631869078 CET	53	56130	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 21, 2020 18:26:47.876987934 CET	192.168.2.3	8.8.8.8	d007	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 21, 2020 18:26:45.935240984 CET	192.168.2.3	8.8.8.8	0x48ad	Standard query (0)	jrsoftware.org	A (IP address)	IN (0x0001)
Dec 21, 2020 18:26:46.729326963 CET	192.168.2.3	8.8.8.8	0x14de	Standard query (0)	files.jrsoftware.org	A (IP address)	IN (0x0001)
Dec 21, 2020 18:26:47.736458063 CET	192.168.2.3	8.8.8.8	0x14de	Standard query (0)	files.jrsoftware.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 21, 2020 18:26:45.972706079 CET	8.8.8.8	192.168.2.3	0x48ad	No error (0)	jrsoftware.org	69.163.232.126	A (IP address)	IN (0x0001)
Dec 21, 2020 18:26:47.802263975 CET	8.8.8.8	192.168.2.3	0x14de	No error (0)	files.jrsoftware.org	69.163.232.126	A (IP address)	IN (0x0001)
Dec 21, 2020 18:26:47.876918077 CET	8.8.8.8	192.168.2.3	0x14de	No error (0)	files.jrsoftware.org	69.163.232.126	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 21, 2020 18:26:46.354414940 CET	69.163.232.126	443	192.168.2.3	49713	CN=jrsoftware.org CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Dec 01 20:53:44 CET 2020 Thu Mar 17 17:40:46 CET 2016	Mon Mar 01 20:53:44 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13,29-23-25-24,0-1-2	807fca46d9d0cf63adf4e5e80e414bbe
Dec 21, 2020 18:26:46.354414940 CET	69.163.232.126	443	192.168.2.3	49713	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		807fca46d9d0cf63adf4e5e80e414bbe
Dec 21, 2020 18:26:48.184997082 CET	69.163.232.126	443	192.168.2.3	49716	CN=files.jrsoftware.org CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Nov 26 05:30:49 CET 2020 Thu Mar 17 17:40:46 CET 2016	Wed Feb 24 05:30:49 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13,29-23-25-24,0-1-2	807fca46d9d0cf63adf4e5e80e414bbe
Dec 21, 2020 18:26:48.184997082 CET	69.163.232.126	443	192.168.2.3	49716	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		807fca46d9d0cf63adf4e5e80e414bbe

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 6036 Parent PID: 4824

General

Start time:	18:26:43
Start date:	21/12/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1' > cmdline.out 2>&1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4464 Parent PID: 6036

General

Start time:	18:26:43
Start date:	21/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wget.exe PID: 5436 Parent PID: 6036

General

Start time:	18:26:44
Start date:	21/12/2020
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://jrsoftware.org/download.php/is.exe?site=1'
Imagebase:	0x400000
File size:	3895184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: innosetup-6.1.2.exe PID: 4928 Parent PID: 5596

General

Start time:	18:26:54
Start date:	21/12/2020
Path:	C:\Users\user\Desktop\download\innosetup-6.1.2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\download\innosetup-6.1.2.exe'
Imagebase:	0x400000
File size:	4516136 bytes
MD5 hash:	190F916EB89938F88E47D9AC91E7E012
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: innosetup-6.1.2.tmp PID: 4880 Parent PID: 4928

General

Start time:	18:26:55
Start date:	21/12/2020
Path:	C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-GSHBC.tmp\innosetup-6.1.2.tmp' /SL5='$24007E,3574925,780800,C:\Users\user\Desktop\download\innosetup-6.1.2.exe'
Imagebase:	0x400000
File size:	3030328 bytes
MD5 hash:	BDC92B37F3017B7E61D62135DEEDAA1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: Compil32.exe PID: 6232 Parent PID: 4880

General

Start time:	18:27:50
Start date:	21/12/2020
Path:	C:\Program Files (x86)\Inno Setup 6\Compil32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Inno Setup 6\Compil32.exe' /ASSOC
Imagebase:	0x400000
File size:	2828600 bytes
MD5 hash:	AC799CDC10229255E7A385A01E590EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: Compil32.exe PID: 2148 Parent PID: 4880

General

Start time:	18:28:04
Start date:	21/12/2020
Path:	C:\Program Files (x86)\Inno Setup 6\Compil32.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Inno Setup 6\Compil32.exe
Imagebase:	0x400000
File size:	2828600 bytes
MD5 hash:	AC799CDC10229255E7A385A01E590EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: wget.exe PID: 5436 Parent PID: 6036 wget.exeCOMMON

Executed Functions

Non-executed Functions

Function 02C08CC1, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.213083414.0000000002C05000.00000004.00000001.sdmp, Offset: 02C08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2c05000_wget.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec30eb8b8490622721d18f72b87b3bebc1a206c6381ea30d87e971e922510d4
Instruction ID: 75bdb3a7f5876b10151f009eaf17586f79f86f606754b337cf526e59e5a459ea
Opcode Fuzzy Hash: cec30eb8b8490622721d18f72b87b3bebc1a206c6381ea30d87e971e922510d4
Instruction Fuzzy Hash: A4E1D995A0E7C16FE30387789C68AA23FB16F13215B0E42DBC4C4CF5E3D298191AD362

Uniqueness

Uniqueness Score: -1.00%

Function 02C08CC1, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.213083414.0000000002C05000.00000004.00000001.sdmp, Offset: 02C05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2c05000_wget.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec30eb8b8490622721d18f72b87b3bebc1a206c6381ea30d87e971e922510d4
Instruction ID: 75bdb3a7f5876b10151f009eaf17586f79f86f606754b337cf526e59e5a459ea
Opcode Fuzzy Hash: cec30eb8b8490622721d18f72b87b3bebc1a206c6381ea30d87e971e922510d4
Instruction Fuzzy Hash: A4E1D995A0E7C16FE30387789C68AA23FB16F13215B0E42DBC4C4CF5E3D298191AD362

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: innosetup-6.1.2.exe PID: 4928 Parent PID: 5596 innosetup-6.1.2.exeCOMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	837
Total number of Limit Nodes:	31

Executed Functions

Function 004B5114, Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				long _t39;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t43;
				_Unknown_base(*)()* _t46;
				signed int _t51;
				void* _t111;
				void* _t112;
				intOrPtr _t129;
				struct HINSTANCE__* _t148;
				intOrPtr* _t150;
				intOrPtr _t152;
				intOrPtr _t153;

				_t152 = _t153;
				_t112 = 7;
				do {
					_push(0);
					_push(0);
					_t112 = _t112 - 1;
				} while (_t112 != 0);
				_push(_t152);
				_push(0x4b5388);
				_push( *[fs:eax]);
				 *[fs:eax] = _t153;
				 *0x4be664 =  *0x4be664 - 1;
				if( *0x4be664 >= 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x4b538f);
					return E00407A80( &_v60, 0xe);
				} else {
					_t148 = GetModuleHandleW(L"kernel32.dll");
					_t39 = GetVersion();
					_t111 = 0;
					if(_t39 != 0x600) {
						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
						if(_t150 != 0) {
							 *_t150(0x800);
							asm("sbb ebx, ebx");
							_t111 = 1;
						}
					}
					if(_t111 == 0) {
						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
						if(_t46 != 0) {
							 *_t46(0x4b53e4);
						}
						E0040E520( &_v8);
						E00407E00(0x4be668, _v8);
						if( *0x4be668 != 0) {
							_t51 =  *0x4be668;
							if(_t51 != 0) {
								_t51 =  *(_t51 - 4);
							}
							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
								E004086E4(0x4be668, 0x4b53f4);
							}
							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
							E0040E54C(_v12, _t111);
							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
							E0040E54C(_v16, _t111);
							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
							E0040E54C(_v20, _t111);
							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
							E0040E54C(_v24, _t111);
							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
							E0040E54C(_v28, _t111);
							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
							E0040E54C(_v32, _t111);
							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
							E0040E54C(_v36, _t111);
							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
							E0040E54C(_v40, _t111);
							E0040873C( &_v44, L"version.dll",  *0x4be668);
							E0040E54C(_v44, _t111);
							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
							E0040E54C(_v48, _t111);
							E0040873C( &_v52, L"comres.dll",  *0x4be668);
							E0040E54C(_v52, _t111);
							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
							E0040E54C(_v56, _t111);
							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
							E0040E54C(_v60, _t111);
						}
					}
					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
					if(_t42 != 0) {
						 *_t42(0x8001);
					}
					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
					if(_t43 != 0) {
						 *_t43(1); // executed
					}
					goto L19;
				}
			}

0x004b5115
0x004b5117
0x004b511c
0x004b511c
0x004b511e
0x004b5120
0x004b5120
0x004b5128
0x004b5129
0x004b512e
0x004b5131
0x004b5134
0x004b513b
0x004b536d
0x004b536f
0x004b5372
0x004b5375
0x004b5387
0x004b5141
0x004b514b
0x004b514d
0x004b5154
0x004b515a
0x004b5167
0x004b516b
0x004b5172
0x004b5177
0x004b5179
0x004b5179
0x004b516b
0x004b517c
0x004b5188
0x004b518f
0x004b5196
0x004b5196
0x004b519b
0x004b51a8
0x004b51b4
0x004b51ba
0x004b51c1
0x004b51c6
0x004b51c6
0x004b51d4
0x004b51e0
0x004b51e0
0x004b51f3
0x004b51fb
0x004b520e
0x004b5216
0x004b5229
0x004b5231
0x004b5244
0x004b524c
0x004b525f
0x004b5267
0x004b527a
0x004b5282
0x004b5295
0x004b529d
0x004b52b0
0x004b52b8
0x004b52cb
0x004b52d3
0x004b52e6
0x004b52ee
0x004b5301
0x004b5309
0x004b531c
0x004b5324
0x004b5337
0x004b533f
0x004b533f
0x004b51b4
0x004b534a
0x004b5351
0x004b5358
0x004b5358
0x004b5360
0x004b5367
0x004b536b
0x004b536b
0x00000000
0x004b5367

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188

Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B

Strings

SetSearchPathMode, xrefs: 004B5344
setupapi.dll, xrefs: 004B521E
cryptbase.dll, xrefs: 004B528A
SetDefaultDllDirectories, xrefs: 004B515C
dwmapi.dll, xrefs: 004B526F
profapi.dll, xrefs: 004B52DB
SetProcessDEPPolicy, xrefs: 004B535A
clbcatq.dll, xrefs: 004B5311
version.dll, xrefs: 004B52C0
ntmarta.dll, xrefs: 004B532C
hK, xrefs: 004B51A3
userenv.dll, xrefs: 004B5203
uxtheme.dll, xrefs: 004B51E8
comres.dll, xrefs: 004B52F6
kernel32.dll, xrefs: 004B5141
oleacc.dll, xrefs: 004B52A5
hK, xrefs: 004B51D6
propsys.dll, xrefs: 004B5254
SetDllDirectoryW, xrefs: 004B5182
apphelp.dll, xrefs: 004B5239

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-3182217745
Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF91C, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF91C(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E004AF914(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x004af920
0x004af923
0x004af926
0x004af92f
0x004af93b
0x004af942
0x004af9ee
0x004af9ee
0x004af948
0x004af9db
0x004af9db
0x004af9e1
0x00000000
0x00000000
0x004af954
0x004af9c7
0x004af9d2
0x004af9d9
0x00000000
0x00000000
0x00000000
0x004af95c
0x004af95c
0x004af961
0x004af967
0x004af986
0x004af98d
0x004af98f
0x004af98f
0x004af98d
0x004af994
0x004af9a5
0x004af99c
0x004af9a1
0x004af9a1
0x004af9af
0x004af9c2
0x004af9c2
0x00000000
0x004af9af
0x004af954
0x00000000
0x004af9db

APIs

GetSystemInfo.KERNEL32(?), ref: 004AF92F
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766

Uniqueness

Uniqueness Score: -1.00%

Function 0040B044, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t61);
				_push(0x40b104);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L00403730();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040858C( &_v20, 4,  &_v16);
				E0040873C(_t44, _v20, _v8);
				_t29 = E0040AEF4( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040858C( &_v24, 4,  &_v16);
					E0040873C(_t44, _v24, _v8);
					_t40 = E0040AEF4( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407A20(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040B10B);
				E00407A80( &_v24, 2);
				return E00407A20( &_v8);
			}

0x0040b04a
0x0040b04d
0x0040b050
0x0040b053
0x0040b055
0x0040b05b
0x0040b062
0x0040b063
0x0040b068
0x0040b06b
0x0040b070
0x0040b076
0x0040b07f
0x0040b08f
0x0040b09c
0x0040b0a3
0x0040b0aa
0x0040b0ac
0x0040b0bd
0x0040b0ca
0x0040b0d1
0x0040b0d8
0x0040b0dc
0x0040b0dc
0x0040b0d8
0x0040b0e3
0x0040b0e6
0x0040b0e9
0x0040b0f6
0x0040b103

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F

Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF4, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AEF4(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t27);
				_push(0x40af52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040AF59);
				return E00407A20( &_v8);
			}

0x0040aefd
0x0040aefe
0x0040af04
0x0040af0b
0x0040af0c
0x0040af11
0x0040af14
0x0040af27
0x0040af34
0x0040af37
0x0040af37
0x0040af3e
0x0040af41
0x0040af44
0x0040af51

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB18, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t112);
				_push(0x40ad3d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040A34C( &_v542, E004084EC(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040AD44);
					return E00407A20( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40ad20);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040A928( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
								_v12 = E004053F0(_v20);
								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
								E00408550(_t97, _v12);
							}
						} else {
							_v12 = E004053F0(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408550(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040AD27);
						if(_v12 != 0) {
							E0040540C(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040ab19
0x0040ab1b
0x0040ab22
0x0040ab24
0x0040ab2a
0x0040ab31
0x0040ab32
0x0040ab37
0x0040ab3a
0x0040ab41
0x0040ab6d
0x0040ab43
0x0040ab51
0x0040ab51
0x0040ab7a
0x0040ad27
0x0040ad29
0x0040ad2c
0x0040ad2f
0x0040ad3c
0x0040ab80
0x0040ab82
0x0040ab9a
0x0040aba1
0x0040ac41
0x0040ac43
0x0040ac44
0x0040ac49
0x0040ac4c
0x0040ac5a
0x0040ac7b
0x0040acca
0x0040acd4
0x0040acec
0x0040acf6
0x0040acf6
0x0040ac7d
0x0040ac85
0x0040ac9f
0x0040aca9
0x0040aca9
0x0040acfd
0x0040ad00
0x0040ad03
0x0040ad0c
0x0040ad11
0x0040ad11
0x0040ad1f
0x0040aba7
0x0040abbc
0x0040abc3
0x00000000
0x0040abc5
0x0040abda
0x0040abe1
0x00000000
0x0040abe3
0x0040abf8
0x0040abff
0x00000000
0x0040ac01
0x0040ac16
0x0040ac1d
0x00000000
0x0040ac1f
0x0040ac34
0x0040ac3b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac3b
0x0040ac1d
0x0040abff
0x0040abe1
0x0040abc3
0x0040aba1

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A

Strings

Software\Borland\Delphi\Locales, xrefs: 0040AC2A
Software\Borland\Locales, xrefs: 0040AC0C
Software\CodeGear\Locales, xrefs: 0040ABD0, 0040ABEE
Software\Embarcadero\Locales, xrefs: 0040AB90, 0040ABB2

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E

Uniqueness

Uniqueness Score: -1.00%

Function 0040426C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040426C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4bb059; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403C48();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4bbaf0 - 0x13ffe0;
							if( *0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4bbaf0 = 0x13ffe0;
								 *0x4bbaec = _t82;
								 *0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							 *0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x0040426c
0x0040426c
0x00404275
0x0040427b
0x00404364
0x00404367
0x00404454
0x00404455
0x00404458
0x00403cf8
0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d40
0x00403d42
0x00403d4a
0x00403d57
0x00403d5c
0x00403d5e
0x00403d60
0x00403d63
0x00403d63
0x00403d65
0x00403d69
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a
0x0040445e
0x00404463
0x00404463
0x00000000
0x00000000
0x00000000
0x00404281
0x00404281
0x00404283
0x00404285
0x004042e8
0x004042e8
0x004042ed
0x004042f1
0x00000000
0x00000000
0x004042f3
0x004042f5
0x004042fc
0x00000000
0x004042fe
0x00404302
0x00404307
0x00404308
0x00404309
0x0040430e
0x00404312
0x0040431c
0x00404321
0x00404322
0x00000000
0x00404322
0x00404312
0x00000000
0x004042fc
0x004042e8
0x00404287
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428e
0x004042bc
0x004042be
0x004042d3
0x004042d3
0x004042c0
0x004042c0
0x004042c3
0x004042c6
0x004042c9
0x004042cc
0x004042ce
0x004042d1
0x00000000
0x00000000
0x004042d1
0x004042d6
0x004042d8
0x004042da
0x004042dd
0x0040436d
0x00404370
0x00404372
0x00404374
0x00404375
0x00404377
0x00404328
0x00404328
0x0040432d
0x00404335
0x00000000
0x00000000
0x00404337
0x00404339
0x00404340
0x00000000
0x00404342
0x00404344
0x00404349
0x0040434e
0x00404356
0x0040435a
0x00000000
0x0040435a
0x00404356
0x00000000
0x00404340
0x00404328
0x00404379
0x00404379
0x00404381
0x00404385
0x004043bc
0x004043bf
0x004043c2
0x004043c4
0x004043ca
0x004043cc
0x004043cc
0x00404387
0x00404387
0x00404387
0x0040438a
0x0040438a
0x0040438e
0x00404392
0x004043d4
0x004043d7
0x004043d9
0x004043db
0x004043e1
0x004043e5
0x004043e5
0x004043e1
0x00404394
0x0040439a
0x004043ec
0x004043f6
0x00404424
0x0040442a
0x0040442f
0x00404436
0x00404440
0x00404446
0x0040444d
0x00404451
0x004043f8
0x004043f8
0x004043fb
0x004043fd
0x00404400
0x00404403
0x00404405
0x00404414
0x00404419
0x0040441c
0x00404420
0x00404420
0x0040439c
0x0040439f
0x004043a2
0x004043aa
0x004043af
0x004043b6
0x004043ba
0x004043ba
0x00404290
0x00404290
0x00404292
0x00404298
0x0040429b
0x004042a4
0x004042a7
0x004042aa
0x004042ad
0x004042b0
0x004042b3
0x004042b6
0x004042b6
0x004042b8
0x004042b9
0x0040429d
0x0040429d
0x0040429d
0x0040429f
0x004042a1
0x004042a2
0x004042a2
0x0040429b
0x0040428e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789

Uniqueness

Uniqueness Score: -1.00%

Function 004B63A1, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_t72 = __esi;
				_t71 = __edi;
				_t52 = __ebx;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x4c1d88; // 0x0
				 *0x4c1d88 = 0;
				E00405CE8(_t17);
				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x4ba450 = _t21;
				_t22 =  *0x4ba450; // 0x24007e
				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
				_t25 =  *0x4ba450; // 0x24007e
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x4c1d90; // 0x4ca924
				_t4 = _t26 + 0x20; // 0x368c8d
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x4c1d90; // 0x4ca924
				_t7 = _t28 + 0x24; // 0xbea00
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x4c1d84);
				_push(0x4b6680);
				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
				_t36 =  *0x4c1d9c; // 0x0, executed
				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
				if( *0x4ba448 != 0xffffffff) {
					_t50 =  *0x4ba448; // 0x0
					E004AF60C(_t50);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E004B6554);
				_t39 =  *0x4c1d88; // 0x0
				_t40 = E00405CE8(_t39);
				if( *0x4c1d9c != 0) {
					_t70 =  *0x4c1d9c; // 0x0
					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x4c1d94 != 0) {
					_t47 =  *0x4c1d94; // 0x0
					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
				}
				if( *0x4ba450 != 0) {
					_t46 =  *0x4ba450; // 0x24007e
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x4c1d78 != 0) {
					_t41 =  *0x4c1d78; // 0x0
					_t60 =  *0x4c1d7c; // 0x18
					_t69 =  *0x426bb0; // 0x426bb4
					E00408D08(_t41, _t60, _t69);
					_t43 =  *0x4c1d78; // 0x0
					E0040540C(_t43);
					 *0x4c1d78 = 0;
					return 0;
				}
				return _t40;
			}

0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a3
0x004b63a6
0x004b63d3
0x004b63da
0x004b63e0
0x004b6407
0x004b640c
0x004b6418
0x004b6423
0x004b642c
0x004b6431
0x004b6434
0x004b6438
0x004b643d
0x004b6440
0x004b6443
0x004b6447
0x004b644c
0x004b644f
0x004b6452
0x004b6463
0x004b6468
0x004b646b
0x004b6471
0x004b6479
0x004b647e
0x004b6489
0x004b6496
0x004b649b
0x004b64a7
0x004b64a9
0x004b64ae
0x004b64ae
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549

APIs

Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F

SetWindowLongW.USER32 ref: 004B641E

Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA

Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0024007E,004B6554), ref: 004B6514

Strings

STATIC, xrefs: 004B6400
/SL5="$%x,%d,%d,, xrefs: 004B645E
InnoSetupLdrWindow, xrefs: 004B63FB

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF728, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x4af7ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x4af81c);
				_push(__eax);
				_push(0x4af82c);
				_push(__edx);
				E004087C4( &_v8, __eax, 4, __ecx, __edx);
				E00405884( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E004AF34C(0x83, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E004AF6FC();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
				E004AF6FC();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92); // executed
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x4af806);
				return E00407A20( &_v8);
			}

0x004af733
0x004af736
0x004af738
0x004af73a
0x004af73e
0x004af73f
0x004af744
0x004af747
0x004af74a
0x004af74f
0x004af750
0x004af755
0x004af75e
0x004af76d
0x004af772
0x004af798
0x004af79d
0x004af79f
0x004af7a5
0x004af7a5
0x004af7ae
0x004af7b3
0x004af7b3
0x004af7cc
0x004af7d1
0x004af7db
0x004af7e4
0x004af7eb
0x004af7ee
0x004af7f1
0x004af7fe

APIs

CreateProcessW.KERNEL32 ref: 004AF798
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
GetExitCodeProcess.KERNEL32 ref: 004AF7DB
CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F

Strings

D, xrefs: 004AF772

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D

Uniqueness

Uniqueness Score: -1.00%

Function 004B5A90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x4b5b5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x4c1124 =  *0x4c1124 - 1;
				if( *0x4c1124 < 0) {
					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x4c1130 = _t16;
					E00422D44( &_v12);
					E00422660(_v12,  &_v8);
					E004086E4( &_v8, L"shell32.dll");
					E00421230(_v8, _t27, 0x8000); // executed
					E004232EC(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(0x4b5b61);
				return E00407A80( &_v16, 3);
			}

0x004b5a90
0x004b5a93
0x004b5a95
0x004b5a97
0x004b5a9b
0x004b5a9c
0x004b5aa1
0x004b5aa4
0x004b5aa7
0x004b5aae
0x004b5ac9
0x004b5ae3
0x004b5aef
0x004b5afa
0x004b5afe
0x004b5afe
0x004b5afe
0x004b5b00
0x004b5b08
0x004b5b13
0x004b5b20
0x004b5b2d
0x004b5b3a
0x004b5b3a
0x004b5b41
0x004b5b44
0x004b5b47
0x004b5b59

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B

Strings

kernel32.dll, xrefs: 004B5AB9, 004B5AD3
Wow64DisableWow64FsRedirection, xrefs: 004B5AB4
shell32.dll, xrefs: 004B5B1B
Wow64RevertWow64FsRedirection, xrefs: 004B5ACE

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EE8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403EE8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4bb059; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403C48();
								_t99 =  *0x4bdb80; // 0x4bdb7c
								 *_t147 = 0x4bdb7c;
								 *0x4bdb80 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x4bdb78 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
								_t133 =  *0x4bbaf0; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403BCC(_t125);
								} else {
									_t110 =  *0x4bbaec; // 0x289d230
									_t109 = _t110 - _t125;
									 *0x4bbaec = _t109;
									 *0x4bbaf0 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4bbae8 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4bbb78 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4bbaf8 + _t142 * 4;
								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4bbaf4], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403B00(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4bbae8 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4bb059;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4bbae8], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4bbaf0; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403BCC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4bbae8 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4bbaec; // 0x289d230
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
									 *0x4bbaec = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4bbaf8 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4bbaf8 + __eax * 4;
									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4bbaf4], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403B00(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4bbae8 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x289d250
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00403ee8
0x00403ef4
0x00403efa
0x00404148
0x0040414d
0x00404260
0x00404261
0x00404263
0x00403c94
0x00403c98
0x00403c9a
0x00403ca4
0x00403cb4
0x00403cb9
0x00403cbd
0x00403cbf
0x00403cc1
0x00403cc7
0x00403cca
0x00403ccf
0x00403cd4
0x00403cda
0x00403ce0
0x00403ce3
0x00403ce5
0x00403cec
0x00403cec
0x00403cf5
0x00404269
0x00404269
0x0040426b
0x0040426b
0x00404153
0x00404153
0x0040415f
0x00404162
0x00404164
0x0040410c
0x00404111
0x00404119
0x00000000
0x00000000
0x0040411b
0x0040411d
0x00404124
0x00000000
0x00404126
0x00404128
0x00404132
0x0040413a
0x0040413e
0x00000000
0x0040413e
0x0040413a
0x00000000
0x00404124
0x0040410c
0x00404166
0x00404166
0x00404166
0x0040416e
0x00404171
0x0040417b
0x0040417b
0x00404182
0x00404195
0x00404199
0x0040419f
0x004041b8
0x004041be
0x004041be
0x004041c0
0x004041de
0x004041c2
0x004041c2
0x004041c7
0x004041c9
0x004041ce
0x004041d7
0x004041d7
0x004041e3
0x004041eb
0x004041a1
0x004041a1
0x004041ab
0x004041b3
0x00000000
0x004041b3
0x00404184
0x00404187
0x0040418a
0x004041ec
0x004041ec
0x004041ed
0x004041ee
0x004041f5
0x004041f8
0x004041fb
0x004041fe
0x00404200
0x00404202
0x00404209
0x0040420b
0x0040420b
0x0040420b
0x00404212
0x00404214
0x00404214
0x00404212
0x00404220
0x00404225
0x00404225
0x00404227
0x00404248
0x00404248
0x00404248
0x00404229
0x00404229
0x0040422f
0x00404232
0x00404236
0x0040423c
0x0040423e
0x0040423e
0x0040423c
0x0040424d
0x00404250
0x00404253
0x0040425f
0x0040425f
0x00404182
0x00403f00
0x00403f00
0x00403f02
0x00403f02
0x00403f09
0x00403f10
0x00403f68
0x00403f68
0x00403f6d
0x00403f71
0x00000000
0x00000000
0x00403f73
0x00403f73
0x00403f76
0x00403f7b
0x00403f7f
0x00403f81
0x00403f81
0x00403f84
0x00403f89
0x00403f8d
0x00403f8f
0x00403f92
0x00403f94
0x00403f9b
0x00000000
0x00403f9d
0x00403f9f
0x00403fa4
0x00403fa9
0x00403fad
0x00403fb5
0x00000000
0x00403fb5
0x00403fad
0x00403f9b
0x00403f8d
0x00000000
0x00403f7f
0x00403f68
0x00403f12
0x00403f12
0x00403f15
0x00403f18
0x00403f1d
0x00403f1f
0x00403f38
0x00403f3b
0x00403f3f
0x00403f41
0x00403f44
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fc5
0x00403fc7
0x00403fc7
0x00403fcc
0x00403fd4
0x00000000
0x00000000
0x00403fd6
0x00403fd8
0x00403fdf
0x00000000
0x00403fe1
0x00403fe3
0x00403fe8
0x00403fed
0x00403ff5
0x00403ff9
0x00000000
0x00403ff9
0x00403ff5
0x00000000
0x00403fdf
0x00403fc7
0x00404000
0x00404004
0x00404004
0x0040400a
0x0040407c
0x00404080
0x00404086
0x00404088
0x004040b0
0x004040b4
0x004040b6
0x004040bb
0x004040bd
0x004040bf
0x00000000
0x004040c1
0x004040c1
0x004040c6
0x004040c8
0x004040c9
0x004040ca
0x004040cb
0x004040cb
0x0040408a
0x0040408a
0x00404090
0x00404094
0x0040409a
0x0040409c
0x0040409e
0x0040409e
0x004040a0
0x004040a2
0x004040a8
0x00000000
0x004040a8
0x0040400c
0x0040400c
0x0040400f
0x00404016
0x0040401d
0x00404020
0x00404023
0x0040402a
0x0040402d
0x00404030
0x00404033
0x00404035
0x00404037
0x00404039
0x0040403e
0x00404040
0x00404040
0x00404040
0x00404047
0x00404049
0x00404049
0x00404047
0x00404050
0x00404055
0x00404058
0x0040405e
0x004040cc
0x004040cc
0x004040cc
0x00404060
0x00404060
0x00404062
0x00404066
0x00404068
0x0040406b
0x0040406e
0x00404071
0x00404075
0x00404075
0x004040d1
0x004040d1
0x004040d1
0x004040d4
0x004040d7
0x004040d9
0x004040de
0x004040e0
0x004040e3
0x004040ea
0x004040ed
0x004040ed
0x004040f0
0x004040f4
0x004040f7
0x004040fa
0x004040fc
0x004040fc
0x004040fe
0x00404101
0x00404104
0x00404107
0x00404108
0x00404109
0x0040410a
0x0040410a
0x00403f46
0x00403f46
0x00403f46
0x00403f46
0x00403f4a
0x00403f4d
0x00403f50
0x00403f53
0x00403f54
0x00403f54
0x00403f21
0x00403f21
0x00403f25
0x00403f25
0x00403f28
0x00403f2b
0x00403f2e
0x00403f58
0x00403f5b
0x00403f5e
0x00403f61
0x00403f64
0x00403f65
0x00403f30
0x00403f30
0x00403f33
0x00403f34
0x00403f34
0x00403f2e
0x00403f1f

APIs

Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 004B60E8, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				WCHAR* _t63;
				intOrPtr _t69;
				intOrPtr _t74;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t78;
				struct HWND__* _t81;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t120;
				intOrPtr _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t85 = __ebx;
				_pop(_t101);
				_pop(_t88);
				 *[fs:eax] = _t101;
				E004AF678(_t88);
				if( *0x4ba440 == 0) {
					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
						_t61 =  *0x4ba674; // 0x4c0d0c
						_t4 = _t61 + 0x2f8; // 0x0
						_t63 = E004084EC( *_t4);
						_t88 = _t120 - 0x28;
						_t101 =  *0x4c1c48; // 0x0
						E00426F08(0xc2, _t120 - 0x28, _t101);
						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
							 *0x4ba44c = 2;
							E0041F238();
						}
					}
					E004056D0();
					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
					_t26 =  *0x4c1d84; // 0x0
					E00422954(_t26, _t88, _t120 - 0x34);
					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
					_push( *((intOrPtr*)(_t120 - 0x30)));
					_t31 =  *0x4c1d94; // 0x0
					E00422660(_t31, _t120 - 0x38);
					_pop(_t90);
					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
					_t107 =  *0x4c1d98; // 0x0
					E00407E00(0x4c1d9c, _t107);
					_t37 =  *0x4c1d90; // 0x4ca924
					_t15 = _t37 + 0x14; // 0x385cf4
					_t38 =  *0x4c1d88; // 0x0
					E00423CE8(_t38,  *_t15);
					_push(_t120);
					_push(0x4b63ab);
					_push( *[fs:edx]);
					 *[fs:edx] = _t121;
					 *0x4c1de0 = 0;
					_t42 = E00423D00(1, 0, 1, 0); // executed
					 *0x4c1d8c = _t42;
					_push(_t120);
					_push(0x4b639a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t44 =  *0x4c1d90; // 0x4ca924
					_t16 = _t44 + 0x18; // 0x2e3d38
					 *0x4c1de0 = E004053F0( *_t16);
					_t47 =  *0x4c1d90; // 0x4ca924
					_t17 = _t47 + 0x18; // 0x2e3d38
					_t86 =  *0x4c1de0; // 0x7fbc0010
					E00405884(_t86,  *_t17);
					_push(_t120);
					_push(0x4b62e9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t51 =  *0x424cd8; // 0x424d30
					_t93 =  *0x4c1d88; // 0x0
					_t53 = E00424748(_t93, 1, _t51); // executed
					 *0x4c1de4 = _t53;
					_push(_t120);
					_push(0x4b62d8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t55 =  *0x4c1d90; // 0x4ca924
					_t18 = _t55 + 0x18; // 0x2e3d38
					_t56 =  *0x4c1de4; // 0x28ad360
					E00424A24(_t56,  *_t18, _t86);
					_pop(_t114);
					 *[fs:eax] = _t114;
					_push(E004B62DF);
					_t59 =  *0x4c1de4; // 0x28ad360
					return E00405CE8(_t59);
				} else {
					_t69 =  *0x4ba674; // 0x4c0d0c
					_t1 = _t69 + 0x1d0; // 0x0
					E004AFA44( *_t1, __ebx, __edi, __esi);
					 *0x4ba44c = 0;
					_pop(_t115);
					 *[fs:eax] = _t115;
					_push(E004B6554);
					_t74 =  *0x4c1d88; // 0x0
					_t75 = E00405CE8(_t74);
					if( *0x4c1d9c != 0) {
						_t117 =  *0x4c1d9c; // 0x0
						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
					}
					if( *0x4c1d94 != 0) {
						_t82 =  *0x4c1d94; // 0x0
						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
					}
					if( *0x4ba450 != 0) {
						_t81 =  *0x4ba450; // 0x24007e
						_t75 = DestroyWindow(_t81); // executed
					}
					if( *0x4c1d78 != 0) {
						_t76 =  *0x4c1d78; // 0x0
						_t99 =  *0x4c1d7c; // 0x18
						_t116 =  *0x426bb0; // 0x426bb4
						E00408D08(_t76, _t99, _t116);
						_t78 =  *0x4c1d78; // 0x0
						E0040540C(_t78);
						 *0x4c1d78 = 0;
						return 0;
					}
					return _t75;
				}
			}

0x004b60e8
0x004b60e8
0x004b60e8
0x004b60ea
0x004b60ec
0x004b60ed
0x004b610d
0x004b6119
0x004b613e
0x004b614b
0x004b6150
0x004b6156
0x004b615c
0x004b615f
0x004b6169
0x004b6181
0x004b6183
0x004b618d
0x004b618d
0x004b6181
0x004b6192
0x004b619a
0x004b61a7
0x004b61af
0x004b61b4
0x004b61c4
0x004b61cc
0x004b61d0
0x004b61d5
0x004b61e2
0x004b61e3
0x004b61ed
0x004b61f3
0x004b61f8
0x004b61fd
0x004b6200
0x004b6205
0x004b620c
0x004b620d
0x004b6212
0x004b6215
0x004b621a
0x004b6232
0x004b6237
0x004b623e
0x004b623f
0x004b6244
0x004b6247
0x004b624a
0x004b624f
0x004b6257
0x004b625c
0x004b6261
0x004b6264
0x004b626e
0x004b6275
0x004b6276
0x004b627b
0x004b627e
0x004b6281
0x004b6287
0x004b6294
0x004b6299
0x004b62a0
0x004b62a1
0x004b62a6
0x004b62a9
0x004b62ac
0x004b62b1
0x004b62b6
0x004b62bb
0x004b62c2
0x004b62c5
0x004b62c8
0x004b62cd
0x004b62d7
0x004b611b
0x004b611b
0x004b6120
0x004b6126
0x004b612d
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549
0x004b6549

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179

Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0024007E,004B6554), ref: 004B6514

Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Strings

.tmp, xrefs: 004B61BF
0MB, xrefs: 004B6281

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
String ID: .tmp$0MB
API String ID: 3858953238-176122739
Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00407750, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407750() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t46);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L8:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L14:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t15 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t15);
								_t31 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L8;
					} else {
						_t20 = E004054B4();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00405CE8(_t44);
							_t23 = E004054B4();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t33();
					} while ( *0x4bb054 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 00407748, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407748() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t50);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L9:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L15:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t18 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t18);
								_t34 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L9;
					} else {
						_t23 = E004054B4();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00405CE8(_t48);
							_t26 = E004054B4();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t36();
					} while ( *0x4bb054 != 0);
					L9:
					while(1) {
					}
				}
			}

0x0040774a
0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004B5000, Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004B5000(void* __ecx, void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;

				_push(_t22);
				_push(0x4b50d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				 *0x4bb98c =  *0x4bb98c - 1;
				if( *0x4bb98c < 0) {
					E00405B74();
					E004051A8();
					SetThreadLocale(0x400); // executed
					E0040A250();
					 *0x4b700c = 2;
					 *0x4bb01c = 0x4036b0;
					 *0x4bb020 = 0x4036b8;
					 *0x4bb05a = 2;
					 *0x4bb060 = E0040CAA4();
					 *0x4bb008 = 0x4095a0;
					E00405BCC(E00405BB0());
					 *0x4bb068 = 0xd7b0;
					 *0x4bb344 = 0xd7b0;
					 *0x4bb620 = 0xd7b0;
					 *0x4bb050 = GetCommandLineW();
					 *0x4bb04c = E00403810();
					 *0x4bb97c = GetACP();
					 *0x4bb980 = 0x4b0;
					 *0x4bb044 = GetCurrentThreadId();
					E0040CAB8();
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x4b50de);
				return 0;
			}

0x004b5005
0x004b5006
0x004b500b
0x004b500e
0x004b5011
0x004b5018
0x004b501e
0x004b5023
0x004b502d
0x004b5032
0x004b5037
0x004b503e
0x004b5048
0x004b5052
0x004b505e
0x004b5063
0x004b5072
0x004b5077
0x004b5080
0x004b5089
0x004b5097
0x004b50a1
0x004b50ab
0x004b50b0
0x004b50bf
0x004b50c4
0x004b50c4
0x004b50cb
0x004b50ce
0x004b50d1
0x004b50d6

APIs

SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D

Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8

GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092

Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821

GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
GetCurrentThreadId.KERNEL32 ref: 004B50BA

Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x4af0e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E00422D70( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E00426F08(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00419E18( &_v36, _t54, 0);
						_v24 = _v36;
						E004232EC(_t54,  &_v40);
						_v20 = _v40;
						E00426ED8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E0041F264(_v16, 1);
						E0040711C();
					}
				}
				E00407E00(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E004AF0E8);
				E00407A80( &_v40, 3);
				return E00407A80( &_v16, 3);
			}

0x004aefe8
0x004aefe8
0x004aefe9
0x004aefeb
0x004aeff0
0x004aeff0
0x004aeff2
0x004aeff4
0x004aeff4
0x004aeff7
0x004aeff8
0x004aeffa
0x004aeffc
0x004aeffe
0x004aefff
0x004af004
0x004af007
0x004af00a
0x004af011
0x004af019
0x004af020
0x004af030
0x004af037
0x00000000
0x00000000
0x004af03e
0x004af040
0x004af046
0x004af056
0x004af05e
0x004af06a
0x004af072
0x004af07a
0x004af082
0x004af091
0x004af096
0x004af0a0
0x004af0a5
0x004af0a5
0x004af046
0x004af0b4
0x004af0b9
0x004af0bb
0x004af0be
0x004af0c1
0x004af0ce
0x004af0e0

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039

Strings

.tmp, xrefs: 004AF019

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00405740();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00405730(_t13);
				return _t24;
			}

0x0040e457
0x0040e45c
0x0040e45e
0x0040e48f
0x0040e498
0x0040e4a4

APIs

CreateWindowExW.USER32 ref: 0040E48F

Strings

STATIC, xrefs: 0040E48D
InnoSetupLdrWindow, xrefs: 0040E453

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF1B4, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00427154(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004af1b4
0x004af1bb
0x004af1be
0x004af1c2
0x004af1c5
0x004af213
0x004af213
0x004af213
0x004af1c7
0x004af1c8
0x004af1ca
0x004af1ca
0x004af1cd
0x004af1da
0x004af1dd
0x004af1e3
0x004af1e3
0x004af1cf
0x004af1d3
0x004af1d3
0x004af1ed
0x004af1f4
0x00000000
0x00000000
0x004af1f6
0x004af1fe
0x00000000
0x00000000
0x004af200
0x004af208
0x00000000
0x00000000
0x004af20a
0x004af20b
0x004af20c
0x00000000
0x00000000
0x00000000
0x004af20c
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF94, Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
				char _v8;
				char _v9;
				int _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _t33;
				int _t43;
				int _t64;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int* _t77;
				signed int* _t79;
				void* _t81;
				void* _t82;
				intOrPtr _t83;

				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_v8 = 0;
				_t77 = __ecx;
				_t79 = __edx;
				_push(_t81);
				_push(0x420094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_v9 = 0;
				E00407E48( &_v8, __eax);
				E00407FB0( &_v8);
				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
				_t64 = _t33;
				if(_t64 == 0) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x42009b);
					return E00407A20( &_v8);
				} else {
					_v20 = E004053F0(_t64);
					_push(_t81);
					_push(0x420077);
					_push( *[fs:edx]);
					 *[fs:edx] = _t83;
					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
						_v9 = 1;
					}
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(0x42007e);
					return E0040540C(_v20);
				}
			}

0x0041ff95
0x0041ff97
0x0041ff9f
0x0041ffa2
0x0041ffa4
0x0041ffaa
0x0041ffab
0x0041ffb0
0x0041ffb3
0x0041ffb6
0x0041ffbf
0x0041ffc7
0x0041ffd9
0x0041ffde
0x0041ffe2
0x00420080
0x00420083
0x00420086
0x00420093
0x0041ffe8
0x0041ffef
0x0041fff4
0x0041fff5
0x0041fffa
0x0041fffd
0x00420012
0x00420019
0x00420041
0x0042004a
0x0042005b
0x0042005d
0x0042005d
0x00420063
0x00420066
0x00420069
0x00420076
0x00420076

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				E00407B04(_v12);
				_push(_t84);
				_push(0x40b227);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407A20(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040B22E);
					return E00407A80( &_v28, 6);
				}
				E00407E48( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L00403730();
						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4bdc0c;
							if( *0x4bdc0c == 0) {
								L00403738();
								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040B044(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E004088AC(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040b110
0x0040b110
0x0040b113
0x0040b115
0x0040b117
0x0040b119
0x0040b11b
0x0040b11d
0x0040b11f
0x0040b120
0x0040b121
0x0040b123
0x0040b126
0x0040b12c
0x0040b134
0x0040b13b
0x0040b13c
0x0040b141
0x0040b144
0x0040b149
0x0040b152
0x0040b20c
0x0040b20e
0x0040b211
0x0040b214
0x0040b226
0x0040b226
0x0040b15e
0x0040b163
0x0040b168
0x0040b16d
0x0040b16d
0x0040b16f
0x0040b174
0x0040b19b
0x0040b1a1
0x0040b1aa
0x0040b1bb
0x0040b1c3
0x0040b1d0
0x0040b1d5
0x0040b1d8
0x0040b1da
0x0040b1e1
0x0040b1e3
0x0040b1eb
0x0040b1f8
0x0040b1f8
0x0040b1e1
0x0040b1fd
0x0040b200
0x0040b207
0x0040b207
0x0040b1ac
0x0040b1b4
0x0040b1b4
0x00000000
0x0040b1aa
0x0040b176
0x0040b196
0x0040b197
0x0040b199
0x00000000
0x00000000
0x00000000
0x0040b199
0x0040b185
0x0040b18f
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B234, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40b2ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408550( &_v536, _t49);
				_push(_v536);
				E0040858C( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E004084EC(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040B2F5);
				E00407A80( &_v540, 2);
				return E00407A20( &_v8);
			}

0x0040b241
0x0040b247
0x0040b24d
0x0040b250
0x0040b254
0x0040b255
0x0040b25a
0x0040b25d
0x0040b270
0x0040b27d
0x0040b288
0x0040b29a
0x0040b2a8
0x0040b2a9
0x0040b2b2
0x0040b2c1
0x0040b2c6
0x0040b2ca
0x0040b2cd
0x0040b2d0
0x0040b2e0
0x0040b2ed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00427154, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00427154(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00427108(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4271b1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E004084EC(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004271B8);
					return E00427144( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00427155
0x00427157
0x0042716c
0x00427177
0x00427178
0x0042717d
0x00427180
0x0042718b
0x00427190
0x00427198
0x0042719d
0x004271a0
0x004271a3
0x004271b0
0x0042716e
0x00427170
0x004271c9
0x004271c9

APIs

DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698

Uniqueness

Uniqueness Score: -1.00%

Function 00421230, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00421230(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4212a2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x421284);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(0x42128b);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00421231
0x00421233
0x00421237
0x0042123a
0x0042123f
0x00421244
0x00421245
0x0042124a
0x0042124d
0x00421250
0x00421255
0x00421256
0x0042125b
0x0042125e
0x00421269
0x0042126e
0x00421273
0x00421276
0x00421279
0x0042127e
0x00421280
0x00421283

APIs

SetErrorMode.KERNEL32 ref: 0042123A
LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574

Uniqueness

Uniqueness Score: -1.00%

Function 004052D4, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052D4() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x004BBADC;
				while(_t28 != 0x4bbad8) {
					_t2 = _t28 + 4; // 0x4bbad8
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4b7080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4bbad8 = 0x4bbad8;
				 *0x004BBADC = 0x4bbad8;
				_t26 = 0x400;
				_t23 = 0x4bbb78;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4bbb78
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4bbaf4 = 0;
				E00405884(0x4bbaf8, 0x80);
				_t18 = 0;
				 *0x4bbaf0 = 0;
				_t31 =  *0x004BDB80;
				while(_t31 != 0x4bdb7c) {
					_t10 = _t31 + 4; // 0x4bdb7c
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4bdb7c = 0x4bdb7c;
				 *0x004BDB80 = 0x4bdb7c;
				return _t18;
			}

0x004052e2
0x004052f9
0x004052e7
0x004052f2
0x004052f7
0x004052f7
0x004052fd
0x00405302
0x00405307
0x00405309
0x0040530e
0x00405311
0x0040531a
0x0040531d
0x00405320
0x00405320
0x00405323
0x00405325
0x00405328
0x0040532d
0x00405332
0x00405332
0x00405334
0x00405336
0x00405336
0x00405339
0x0040533c
0x0040533c
0x00405341
0x00405352
0x00405357
0x00405359
0x0040535e
0x00405375
0x00405363
0x0040536e
0x00405373
0x00405373
0x00405379
0x0040537b
0x00405382

APIs

VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004232EC, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232EC(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00407BA8(_t10, _t7, _t17, _t20);
			}

0x004232f3
0x0042330b
0x00423313
0x00423317
0x00423320
0x00423312
0x00423312
0x00423312
0x00000000
0x00423322
0x00423322
0x00423326
0x00000000
0x00000000
0x00423326
0x00000000
0x00423320
0x00423339

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x422a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004229AC(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E004084EC(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00422A65);
				return E00407A20( &_v8);
			}

0x00422a1b
0x00422a22
0x00422a23
0x00422a28
0x00422a2b
0x00422a33
0x00422a41
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418

Uniqueness

Uniqueness Score: -1.00%

Function 00423DA8, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x00423de5
0x00423ded

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409FA8(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00409fb0
0x00409fb2
0x00409fb6
0x00409fc6
0x00409fcf
0x00409fd4
0x00409fd6
0x00409fdb
0x00409fe0
0x00409fe0
0x00409fdb
0x00409fee

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6

Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423ED8, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ED8(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00423CAC( *_t7);
				}
				return _t4;
			}

0x00423ed9
0x00423edf
0x00423ee6
0x00000000
0x00423eea
0x00423ef0

APIs

SetEndOfFile.KERNEL32(?,7FBC0010,004B6358,00000000), ref: 00423EDF

Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAA4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAA4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040caa8
0x0040cab4

APIs

GetSystemInfo.KERNEL32 ref: 0040CAA8

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403BCC, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BCC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403B60(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x4bbaf0 = 0;
					return 0;
				} else {
					_t10 =  *0x4bbadc; // 0x4bbad8
					_t14 = _t4;
					 *_t14 = 0x4bbad8;
					 *0x4bbadc = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x4bbaf0 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x4bbaec = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00403bce
0x00403bd0
0x00403be3
0x00403bea
0x00403c3c
0x00403c45
0x00403bec
0x00403bec
0x00403bf2
0x00403bf4
0x00403bfa
0x00403bff
0x00403c02
0x00403c06
0x00403c11
0x00403c1e
0x00403c26
0x00403c28
0x00403c35
0x00403c39
0x00403c39

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF6, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403CF6(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00403C48();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4bdb78 = 0;
				return _t30;
			}

0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d42
0x00403d4a
0x00403d5e
0x00000000
0x00000000
0x00403d65
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d60
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A928, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A928(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040A904(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040A904(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040A34C( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040A904(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040A34C(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040A34C(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040A34C(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040a934
0x0040a937
0x0040a93d
0x0040a94a
0x0040a94e
0x0040a98d
0x0040a994
0x0040a9d4
0x00000000
0x0040a996
0x0040a99e
0x0040a9af
0x0040a9b5
0x0040a9bb
0x0040a9c3
0x0040a9c9
0x0040a9d7
0x0040a9d9
0x0040a9dc
0x0040a9de
0x0040a9e0
0x0040a9e0
0x0040a9e3
0x0040a9eb
0x0040a9fc
0x0040aac3
0x0040aa0e
0x0040aa12
0x0040aa14
0x0040aa16
0x0040aa18
0x0040aa18
0x0040aa23
0x0040aa33
0x0040aa37
0x0040aa39
0x0040aa3b
0x0040aa3d
0x0040aa3d
0x0040aa43
0x0040aa5b
0x0040aa62
0x0040aa68
0x0040aa84
0x0040aa86
0x0040aaad
0x0040aabf
0x0040aac1
0x00000000
0x0040aac1
0x0040aa84
0x0040aa62
0x00000000
0x0040aa23
0x0040aad9
0x0040aad9
0x0040a9eb
0x0040a9c9
0x0040a9b5
0x0040a99e
0x0040a950
0x0040a95b
0x0040a95f
0x00000000
0x0040a961
0x0040a961
0x0040a96c
0x0040a970
0x0040a975
0x00000000
0x0040a977
0x0040a983
0x0040a983
0x0040a975
0x0040a95f
0x0040aade
0x0040aae7

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9

Strings

GetLongPathNameW, xrefs: 0040A950
\, xrefs: 0040AA86
kernel32.dll, xrefs: 0040A940

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004AF110, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004AF110() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E0041FF2C() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x004af11b
0x004af178
0x004af17c
0x004af184
0x00000000
0x004af186
0x004af12d
0x004af13f
0x004af144
0x004af14c
0x004af166
0x004af172
0x00000000
0x00000000
0x00000000
0x004af174
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C

Strings

SeShutdownPrivilege, xrefs: 004AF138

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9F0, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF9F0() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E004AF834();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E004AF834();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E004AF834();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E004AF834();
				}
				return _t12;
			}

0x004af9ff
0x004afa03
0x004afa05
0x004afa05
0x004afa15
0x004afa17
0x004afa17
0x004afa24
0x004afa28
0x004afa2a
0x004afa2a
0x004afa35
0x004afa39
0x004afa3b
0x004afa3b
0x004afa43

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CC, Relevance: 4.6, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				short _v182;
				short _v352;
				char _v356;
				char _v360;
				char _v364;
				int _t58;
				signed int _t61;
				intOrPtr _t70;
				signed short _t80;
				void* _t83;
				void* _t85;
				void* _t86;

				_t77 = __edi;
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v364 = 0;
				_v8 = __edx;
				_t80 = __eax;
				_push(_t83);
				_push(0x40a631);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xfffffe98;
				E00407A20(_v8);
				_t85 = _t80 -  *0x4b7a08; // 0x404
				if(_t85 >= 0) {
					_t86 = _t80 -  *0x4b7c08; // 0x7c68
					if(_t86 <= 0) {
						_t77 = 0x40;
						_v12 = 0;
						if(0x40 >= _v12) {
							do {
								_t61 = _t77 + _v12 >> 1;
								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
									if(__eflags <= 0) {
										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
									} else {
										_v12 = _t61 + 1;
										goto L8;
									}
								} else {
									_t77 = _t61 - 1;
									goto L8;
								}
								goto L9;
								L8:
							} while (_t77 >= _v12);
						}
					}
				}
				L9:
				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
					_t58 = _t80 & 0x0000ffff;
					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
					E0040858C( &_v356, 0x55,  &_v182);
					_push(_v356);
					_push(0x40a64c);
					E0040858C( &_v360, 0x55,  &_v352);
					_push(_v360);
					_push(E0040A65C);
					E0040858C( &_v364, 0x55,  &_v182);
					_push(_v364);
					E004087C4(_v8, _t58, 5, _t77, _t80);
				}
				_pop(_t70);
				 *[fs:eax] = _t70;
				_push(E0040A638);
				return E00407A80( &_v364, 3);
			}

0x0040a4cc
0x0040a4d7
0x0040a4da
0x0040a4e0
0x0040a4e6
0x0040a4ec
0x0040a4ef
0x0040a4f3
0x0040a4f4
0x0040a4f9
0x0040a4fc
0x0040a502
0x0040a507
0x0040a50e
0x0040a510
0x0040a517
0x0040a519
0x0040a520
0x0040a526
0x0040a528
0x0040a52d
0x0040a537
0x0040a53e
0x0040a546
0x0040a558
0x0040a548
0x0040a549
0x00000000
0x0040a549
0x0040a539
0x0040a53b
0x00000000
0x0040a53b
0x00000000
0x0040a55f
0x0040a55f
0x0040a528
0x0040a526
0x0040a517
0x0040a564
0x0040a56a
0x0040a58e
0x0040a592
0x0040a5a3
0x0040a5b9
0x0040a5be
0x0040a5c4
0x0040a5da
0x0040a5df
0x0040a5e5
0x0040a5fb
0x0040a600
0x0040a60e
0x0040a60e
0x0040a615
0x0040a618
0x0040a61b
0x0040a630

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4DC, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				WCHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t46;
				intOrPtr _t48;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t46 = _v24;
				_t31 = E004095A8(_v28, _t46, _v16, 0);
				_t37 = _a8;
				 *_t37 = _t31;
				 *((intOrPtr*)(_t37 + 4)) = _t46;
				_t48 = _v24;
				_t34 = E004095A8(_v28, _t48, _v20, 0);
				_t38 = _a12;
				 *_t38 = _t34;
				 *((intOrPtr*)(_t38 + 4)) = _t48;
				return _t26;
			}

0x0041a4e3
0x0041a4e8
0x0041a4ea
0x0041a4ea
0x0041a4fd
0x0041a50c
0x0041a50f
0x0041a51c
0x0041a51f
0x0041a524
0x0041a527
0x0041a529
0x0041a536
0x0041a539
0x0041a53e
0x0041a541
0x0041a543
0x0041a54c

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E034, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				void* __ebp;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00407E00(_t10, _t18);
				}
				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
			}

0x0041e03f
0x0041e041
0x0041e052
0x0041e057
0x0041e059
0x00000000
0x0041e071
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E080, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041E080(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x0041e083
0x0041e084
0x0041e09a
0x0041e0a2
0x0041e09c
0x0041e09c
0x0041e09c
0x0041e0a8

APIs

GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF218(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x004af22e
0x004af235
0x00000000
0x004af23c
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D8, Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C3D8() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x0041c3dc
0x0041c3e8

APIs

GetLocalTime.KERNEL32 ref: 0041C3DC

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Uniqueness

Uniqueness Score: -1.00%

Function 00427874, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427874() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleW(L"oleaut32.dll");
				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
				 *0x4c1188 = _t46;
				return _t46;
			}

0x00427882
0x00427896
0x004278ac
0x004278c2
0x004278d8
0x004278ee
0x00427904
0x0042791a
0x00427930
0x00427946
0x0042795c
0x00427972
0x00427988
0x0042799e
0x004279b4
0x004279ca
0x004279e0
0x004279f6
0x00427a0c
0x00427a22
0x00427a38
0x00427a4e
0x00427a5e
0x00427a64
0x00427a6b

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D

Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861

Strings

VarBoolFromStr, xrefs: 00427A17
VarXor, xrefs: 0042797D
VarDateFromStr, xrefs: 004279EB
VarI4FromStr, xrefs: 004279A9
VarBstrFromDate, xrefs: 00427A43
VariantChangeTypeEx, xrefs: 0042788B
VarCmp, xrefs: 00427993
VarBstrFromCy, xrefs: 00427A2D
VarNeg, xrefs: 004278A1
VarAdd, xrefs: 004278CD
oleaut32.dll, xrefs: 00427878
VarMul, xrefs: 004278F9
VarDiv, xrefs: 0042790F
VarOr, xrefs: 00427967
VarNot, xrefs: 004278B7
VarCyFromStr, xrefs: 00427A01
VarBstrFromBool, xrefs: 00427A59
VarR4FromStr, xrefs: 004279BF
VarSub, xrefs: 004278E3
VarMod, xrefs: 0042793B
VarIdiv, xrefs: 00427925
VarAnd, xrefs: 00427951
VarR8FromStr, xrefs: 004279D5

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7CC, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _t32;
				signed int _t53;
				signed int _t56;
				signed int _t71;
				signed int _t78;
				signed int* _t82;
				signed int _t85;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t105;
				intOrPtr _t106;
				signed int _t109;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t131;
				void* _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				long long _t161;

				_t161 = __fp0;
				_t126 = __edi;
				_t109 = __edx;
				_t139 = _t140;
				_t141 = _t140 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t93 = __eax;
				_push(_t139);
				_push(0x41ea61);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141;
				_t32 =  *0x4ba590; // 0x4bb8f8
				_t144 =  *_t32;
				if( *_t32 == 0) {
					E0040554C(0x1a);
				}
				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
				_push(_t139);
				_push(0x41ea44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t141;
				 *0x4be7dc = 0;
				_push(0);
				E00409C00();
				_t142 = _t141 + 4;
				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
				if(_t127 + 0xfffffffd - 3 >= 0) {
					__eflags = _t127 - 0xffffffffffffffff;
					if(_t127 - 0xffffffffffffffff < 0) {
						 *0x4be7dc = 1;
						_push(1);
						E00409C00();
						_t142 = _t142 + 4;
						E00407E00( *0x4be7e0, L"B.C.");
						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
						_t71 =  *0x4be7e0;
						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
						E0041C1C4(1, 1, 1, __eflags, _t161);
						_v20 = E00405790();
						_v16 = 1;
						asm("fild qword [ebp-0x10]");
						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
						_t78 =  *0x4be7e0;
						__eflags = _t78;
						if(_t78 != 0) {
							_t82 = _t78 - 4;
							__eflags = _t82;
							_t78 =  *_t82;
						}
						_t134 = _t78 - 1;
						__eflags = _t134;
						if(_t134 > 0) {
							_t98 = 1;
							do {
								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
								_t98 = _t98 + 1;
								_t134 = _t134 - 1;
								__eflags = _t134;
							} while (_t134 != 0);
						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
					}
				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
					_t85 =  *0x4be7e0;
					if(_t85 != 0) {
						_t85 =  *(_t85 - 4);
					}
					_t136 = _t85 - 1;
					if(_t136 >= 0) {
						_t137 = _t136 + 1;
						_t99 = 0;
						do {
							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
							_t99 = _t99 + 1;
							_t137 = _t137 - 1;
						} while (_t137 != 0);
					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
				}
				_t94 =  *0x4be7e0;
				if(_t94 != 0) {
					_t94 =  *(_t94 - 4);
				}
				_push(_t94);
				E00409C00();
				_t53 =  *0x4be7e0;
				if(_t53 != 0) {
					_t53 =  *(_t53 - 4);
				}
				_t131 = _t53 - 1;
				if(_t131 >= 0) {
					_t132 = _t131 + 1;
					_t95 = 0;
					do {
						_t127 = _t95 + _t95 * 2;
						_t106 =  *0x416e18; // 0x416e1c
						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
						_t95 = _t95 + 1;
						_t132 = _t132 - 1;
					} while (_t132 != 0);
				}
				_t116 =  *0x41e600; // 0x41e604
				E00409D24(0x4be7e0, _t116);
				_t56 =  *0x4be7e0;
				if(_t56 != 0) {
					_t56 =  *(_t56 - 4);
				}
				 *0x4be7dc = _t56;
				_pop(_t117);
				_pop(_t105);
				 *[fs:eax] = _t117;
				_push(0x41ea4b);
				return E00406868( *0x4be7e4, _t105, _t127);
			}

0x0041e7cc
0x0041e7cc
0x0041e7cc
0x0041e7cd
0x0041e7cf
0x0041e7d4
0x0041e7d7
0x0041e7da
0x0041e7dd
0x0041e7e1
0x0041e7e2
0x0041e7e7
0x0041e7ea
0x0041e7ed
0x0041e7f2
0x0041e7f5
0x0041e7f9
0x0041e7f9
0x0041e80b
0x0041e812
0x0041e813
0x0041e818
0x0041e81b
0x0041e820
0x0041e826
0x0041e837
0x0041e83c
0x0041e84f
0x0041e861
0x0041e86b
0x0041e8c8
0x0041e8cb
0x0041e8d6
0x0041e8dc
0x0041e8ed
0x0041e8f2
0x0041e8ff
0x0041e90b
0x0041e90e
0x0041e913
0x0041e91a
0x0041e92d
0x0041e937
0x0041e93a
0x0041e93d
0x0041e945
0x0041e948
0x0041e957
0x0041e95c
0x0041e961
0x0041e963
0x0041e965
0x0041e965
0x0041e968
0x0041e968
0x0041e96c
0x0041e96d
0x0041e96f
0x0041e971
0x0041e976
0x0041e97f
0x0041e987
0x0041e988
0x0041e988
0x0041e988
0x0041e976
0x0041e999
0x0041e999
0x0041e86d
0x0041e87b
0x0041e880
0x0041e887
0x0041e88c
0x0041e88c
0x0041e890
0x0041e893
0x0041e895
0x0041e896
0x0041e898
0x0041e8a1
0x0041e8a9
0x0041e8aa
0x0041e8aa
0x0041e898
0x0041e8bb
0x0041e8bb
0x0041e9a3
0x0041e9a7
0x0041e9ac
0x0041e9ac
0x0041e9ae
0x0041e9c2
0x0041e9ca
0x0041e9d1
0x0041e9d6
0x0041e9d6
0x0041e9da
0x0041e9dd
0x0041e9df
0x0041e9e0
0x0041e9e2
0x0041e9e2
0x0041e9fa
0x0041ea00
0x0041ea05
0x0041ea06
0x0041ea06
0x0041e9e2
0x0041ea0e
0x0041ea14
0x0041ea19
0x0041ea20
0x0041ea25
0x0041ea25
0x0041ea27
0x0041ea2e
0x0041ea30
0x0041ea31
0x0041ea34
0x0041ea43

APIs

GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999

Strings

B.C., xrefs: 0041E8FA
K, xrefs: 0041E8DD
K, xrefs: 0041EA09
ToA, xrefs: 0041E9BC
K, xrefs: 0041E827

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CalendarEnumInfoLocaleThread
String ID: B.C.$ToA$K$K$K
API String ID: 683597275-1724967715
Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A250, Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A250() {
				signed int _t2;
				_Unknown_base(*)()* _t8;

				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff;
				 *0x4bdc0c = _t2 - 6 >= 0;
				if( *0x4bdc0c != 0) {
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
			}

0x0040a255
0x0040a25a
0x0040a268
0x0040a270
0x0040a27e
0x0040a295
0x0040a2af
0x0040a2c4
0x0040a2c9
0x00000000
0x0040a2c9
0x0040a2ce

APIs

InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Strings

GetThreadUILanguage, xrefs: 0040A2B4
SetThreadPreferredUILanguages, xrefs: 0040A29A
GetThreadPreferredUILanguages, xrefs: 0040A280
kernel32.dll, xrefs: 0040A285, 0040A29F, 0040A2B9

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0AC, Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 216
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				int _t55;
				void* _t121;
				void* _t128;
				void* _t151;
				void* _t152;
				intOrPtr _t172;
				intOrPtr _t204;
				signed short _t212;
				int _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				void* _t224;

				_t224 = __fp0;
				_t211 = __edi;
				_t216 = _t217;
				_t152 = 7;
				do {
					_push(0);
					_push(0);
					_t152 = _t152 - 1;
				} while (_t152 != 0);
				_push(__edi);
				_t151 = __edx;
				_t214 = __eax;
				_push(_t216);
				_push(0x41e391);
				_push( *[fs:eax]);
				 *[fs:eax] = _t217;
				_t55 = IsValidLocale(__eax, 1);
				_t219 = _t55;
				if(_t55 == 0) {
					_t214 = GetThreadLocale();
				}
				_t172 =  *0x416f50; // 0x416f54
				E00409D24(_t151 + 0xbc, _t172);
				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
				E0041E55C(_t214, _t151, _t151, _t211, _t214);
				E0041E034(_t214, 0, 0x14,  &_v20);
				E00407E00(_t151, _v20);
				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
				_t212 = E0041E080(_t214, 0x2f, 0x1d);
				 *(_t151 + 6) = _t212;
				_push(_t212);
				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
				E00407E00(_t151 + 0xc, _v36);
				_push( *(_t151 + 6) & 0x0000ffff);
				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
				E00407E00(_t151 + 0x10, _v40);
				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
				E00407E00(_t151 + 0x14, _v44);
				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
				E00407E00(_t151 + 0x18, _v48);
				E00407A20( &_v12);
				E00407A20( &_v16);
				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
				_t220 = _t121;
				if(_t121 != 0) {
					E00407E48( &_v8, 0x41e438);
				} else {
					E00407E48( &_v8, 0x41e428);
				}
				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
				_t221 = _t128;
				if(_t128 == 0) {
					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
						E00407E48( &_v12, L"AMPM ");
					} else {
						E00407E48( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
				 *((short*)(_t151 + 0xc4)) = 0x32;
				_pop(_t204);
				 *[fs:eax] = _t204;
				_push(0x41e398);
				return E00407A80( &_v60, 0xe);
			}

0x0041e0ac
0x0041e0ac
0x0041e0ad
0x0041e0af
0x0041e0b4
0x0041e0b4
0x0041e0b6
0x0041e0b8
0x0041e0b8
0x0041e0bd
0x0041e0be
0x0041e0c0
0x0041e0c4
0x0041e0c5
0x0041e0ca
0x0041e0cd
0x0041e0d3
0x0041e0d8
0x0041e0da
0x0041e0e1
0x0041e0e1
0x0041e0e9
0x0041e0ef
0x0041e0f8
0x0041e101
0x0041e10a
0x0041e11c
0x0041e126
0x0041e13b
0x0041e14a
0x0041e15d
0x0041e16c
0x0041e182
0x0041e199
0x0041e1b0
0x0041e1bf
0x0041e1d2
0x0041e1d4
0x0041e1d8
0x0041e1e9
0x0041e1f4
0x0041e1fd
0x0041e20e
0x0041e219
0x0041e22e
0x0041e242
0x0041e24d
0x0041e262
0x0041e26d
0x0041e275
0x0041e27d
0x0041e292
0x0041e29c
0x0041e2a1
0x0041e2a3
0x0041e2bc
0x0041e2a5
0x0041e2ad
0x0041e2ad
0x0041e2d1
0x0041e2db
0x0041e2e0
0x0041e2e2
0x0041e2f4
0x0041e305
0x0041e31e
0x0041e307
0x0041e30f
0x0041e30f
0x0041e305
0x0041e323
0x0041e326
0x0041e329
0x0041e32e
0x0041e339
0x0041e33e
0x0041e341
0x0041e344
0x0041e349
0x0041e354
0x0041e369
0x0041e36d
0x0041e378
0x0041e37b
0x0041e37e
0x0041e390

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC

Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Strings

AMPM, xrefs: 0041E30A
m/d/yy, xrefs: 0041E1DD
:mm:ss, xrefs: 0041E344
:mm, xrefs: 0041E329
mmmm d, yyyy, xrefs: 0041E202
AMPM , xrefs: 0041E319
2, xrefs: 0041E36D
ToA, xrefs: 0041E0E9

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
API String ID: 233154393-2808312488
Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7E4, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40a8e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4bdc10);
				if(_t28 !=  *0x4bdc28) {
					LeaveCriticalSection(0x4bdc10);
					E00407A20(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4bdc0c == 0) {
							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
							L00403738();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E004086E4(_t44, E0040A900);
								}
								L00403738();
								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
								E004086E4(_t44, _v8);
							}
						} else {
							E0040A6C8(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4bdc10);
					 *0x4bdc28 = _t28;
					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
					LeaveCriticalSection(0x4bdc10);
				} else {
					E0040858C(_t44, 0x55, 0x4bdc2a);
					LeaveCriticalSection(0x4bdc10);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040A8EF);
				return E00407A20( &_v8);
			}

0x0040a7e4
0x0040a7e7
0x0040a7e9
0x0040a7ea
0x0040a7eb
0x0040a7ed
0x0040a7f1
0x0040a7f2
0x0040a7f7
0x0040a7fa
0x0040a802
0x0040a80e
0x0040a835
0x0040a83c
0x0040a84e
0x0040a857
0x0040a868
0x0040a86d
0x0040a875
0x0040a87a
0x0040a883
0x0040a883
0x0040a888
0x0040a890
0x0040a89a
0x0040a89a
0x0040a859
0x0040a85d
0x0040a85d
0x0040a857
0x0040a8a4
0x0040a8a9
0x0040a8c3
0x0040a8cd
0x0040a810
0x0040a81c
0x0040a826
0x0040a826
0x0040a8d4
0x0040a8d7
0x0040a8da
0x0040a8e7

APIs

EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD

Strings

en-US,en,, xrefs: 0040A812, 0040A8B9

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F

Uniqueness

Uniqueness Score: -1.00%

Function 0042301C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042301C(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x423116);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E0041FF2C() != 2) {
						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					} else {
						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					}
					E0040873C( &_v20, _v8, 0x42322c);
					E00405920(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042311D);
				E00407A20( &_v20);
				return E00407A20( &_v8);
			}

0x00423022
0x00423025
0x00423028
0x0042302d
0x0042302e
0x00423033
0x00423036
0x00423049
0x00423050
0x00423063
0x004230b8
0x004230c5
0x004230ce
0x004230ce
0x00423065
0x00423080
0x0042308d
0x00423096
0x00423096
0x00423080
0x004230de
0x004230e9
0x004230f4
0x004230f4
0x00423052
0x00423052
0x00423054
0x004230fa
0x004230fd
0x00423100
0x00423108
0x00423115

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096

Strings

kernel32.dll, xrefs: 0042303E
Control Panel\Desktop\ResourceLocale, xrefs: 004230A5
GetUserDefaultUILanguage, xrefs: 00423039
.DEFAULT\Control Panel\International, xrefs: 0042306D
Locale, xrefs: 00423085

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D218, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4b7c40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4b7c40;
				_v52 = E0040D6C8( *0x004B7C44);
				_v48 = E0040D6D8( *0x004B7C48);
				_v44 = E0040D6E8( *0x004B7C4C);
				_v40 = E0040D6F8( *0x004B7C50);
				_v36 = E0040D6F8( *0x004B7C54);
				_v32 = E0040D6F8( *0x004B7C58);
				_v28 =  *0x004B7C5C;
				memcpy( &_v92, 0x4b7c60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4b7c60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4b7c84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040D708( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4be640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4be640 != 0) {
							_t191 =  *0x4be640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4be644 != 0) {
									_t191 =  *0x4be644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4b7c8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4be640 != 0) {
						_t142 =  *0x4be640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040CBA0(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4b7c3c; // 0x0
									 *_v20 = _t126;
									 *0x4b7c3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4be644 != 0) {
							_t142 =  *0x4be644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4b7c88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4be640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4be640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4be640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x0040d22c
0x0040d232
0x0040d234
0x0040d237
0x0040d244
0x0040d251
0x0040d25e
0x0040d26b
0x0040d278
0x0040d285
0x0040d28e
0x0040d29c
0x0040d29e
0x0040d29f
0x0040d2a5
0x0040d2ab
0x0040d2b2
0x0040d2b4
0x0040d2ba
0x0040d2c0
0x0040d2d0
0x00000000
0x0040d2d5
0x0040d2e2
0x0040d2e7
0x0040d2e9
0x0040d2eb
0x0040d2eb
0x0040d2f1
0x0040d2f4
0x0040d2fc
0x0040d306
0x0040d309
0x0040d30e
0x0040d329
0x0040d310
0x0040d31c
0x0040d31c
0x0040d32c
0x0040d335
0x0040d34e
0x0040d350
0x0040d412
0x0040d412
0x0040d41c
0x0040d42a
0x0040d42a
0x0040d42e
0x0040d47b
0x0040d47d
0x0040d484
0x0040d48e
0x0040d49c
0x0040d49c
0x0040d4a0
0x0040d4a2
0x0040d4a7
0x0040d4ad
0x0040d4bd
0x0040d4c2
0x0040d4c2
0x0040d4a0
0x00000000
0x0040d430
0x0040d434
0x0040d46f
0x0040d479
0x00000000
0x0040d43c
0x0040d43f
0x0040d447
0x00000000
0x0040d460
0x0040d466
0x0040d46b
0x00000000
0x00000000
0x0040d4c5
0x0040d4c8
0x00000000
0x0040d4c8
0x0040d447
0x0040d434
0x0040d42e
0x0040d35d
0x0040d36b
0x0040d36b
0x0040d36f
0x0040d37a
0x0040d37a
0x0040d37e
0x0040d3cb
0x0040d3d7
0x0040d40d
0x0040d3d9
0x0040d3dd
0x0040d3e3
0x0040d3e8
0x0040d3ed
0x0040d3f4
0x0040d3fa
0x0040d3ff
0x0040d404
0x0040d404
0x0040d3ed
0x0040d3dd
0x00000000
0x0040d380
0x0040d385
0x0040d38f
0x0040d39d
0x0040d39d
0x0040d3a1
0x00000000
0x0040d3a3
0x0040d3a3
0x0040d3a8
0x0040d3ae
0x0040d3be
0x00000000
0x0040d3c3
0x0040d3a1
0x0040d337
0x0040d343
0x0040d347
0x00000000
0x0040d349
0x0040d4ca
0x0040d4d1
0x0040d4d5
0x0040d4d8
0x0040d4db
0x0040d4e4
0x0040d4e4
0x00000000
0x0040d4ea
0x0040d347

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004047B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004047B0(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x4bb058 == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403780();
				} else {
					_t7 = E00407EF0(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x4b7078; // 0x403920
					_t12 = E00407EF0(_t11);
					_t13 =  *0x4b7078; // 0x403920
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E00407EF0(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004047b0
0x004047b3
0x004047b5
0x004047be
0x00404821
0x00404826
0x00404827
0x00404828
0x0040482a
0x004047c0
0x004047c9
0x004047d8
0x004047e4
0x004047e9
0x004047ef
0x004047fd
0x0040480b
0x0040481a
0x0040481a
0x00404832

APIs

GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A

Strings

9@, xrefs: 004047E4, 004047EF

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite
String ID: 9@
API String ID: 3320372497-3209974744
Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0F4, Relevance: 12.1, APIs: 8, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t15;
				char* _t17;
				intOrPtr _t19;
				intOrPtr _t30;
				long _t48;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t61;
				void* _t64;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t64);
				_push(0x41f219);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t64 + 0xfffff778;
				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
				_t17 =  *0x4ba6c0; // 0x4bb058
				if( *_t17 == 0) {
					_t19 =  *0x4ba4f8; // 0x40e710
					_t11 = _t19 + 4; // 0xffed
					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t30 =  *0x4ba524; // 0x4bb340
					E00405564(E00405820(_t30));
					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
					_push(_t48);
					E00409C00();
					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41f220);
				_t57 =  *0x41f0c4; // 0x41f0c8
				return E00409D24( &_v8, _t57);
			}

0x0041f0fd
0x0041f0fe
0x0041f101
0x0041f106
0x0041f107
0x0041f10c
0x0041f10f
0x0041f122
0x0041f124
0x0041f12c
0x0041f1ca
0x0041f1cf
0x0041f1de
0x0041f1f8
0x0041f132
0x0041f132
0x0041f13c
0x0041f15a
0x0041f15c
0x0041f16b
0x0041f188
0x0041f1a0
0x0041f1ba
0x0041f1ba
0x0041f1ff
0x0041f202
0x0041f205
0x0041f20d
0x0041f218

APIs

Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID:
API String ID: 135118572-0
Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404464, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403EE8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403AA4(_t202, _t218, _t150);
										E0040426C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403EE8(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040426C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403A74(_t217, _t207, _t109);
									E0040426C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4bb059;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403AC0(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403B00(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4bbae8 = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4bbae8 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4bb059;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403AC0(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403B00(_t217 + _t238, _t174, _t161);
									}
									 *0x4bbae8 = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403EE8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403AA4(_t217, _t213, _t140);
											E0040426C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403EE8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403EE8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040426C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00404464
0x00404464
0x00404464
0x0040446c
0x0040446e
0x004044fc
0x004044ff
0x0040476c
0x0040476d
0x0040476e
0x00404771
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dac
0x00403db5
0x00403dba
0x00403ea1
0x00403ea3
0x00403eb6
0x00403eb8
0x00403eba
0x00403ebc
0x00403ec2
0x00403ec6
0x00403ec6
0x00403ec9
0x00403ec9
0x00403ed2
0x00403ed9
0x00403ed9
0x00403ea5
0x00403ea5
0x00403eaa
0x00403eaa
0x00403dc0
0x00403dc9
0x00403dcf
0x00403dcb
0x00403dcb
0x00403dcb
0x00403ddb
0x00403dea
0x00403df7
0x00403e67
0x00403e6e
0x00403e70
0x00403e72
0x00403e74
0x00403e7a
0x00403e7e
0x00403e7e
0x00403e81
0x00403e81
0x00403e91
0x00403e98
0x00403e98
0x00403df9
0x00403df9
0x00403e05
0x00403e0b
0x00000000
0x00403e0d
0x00403e1e
0x00403e22
0x00403e24
0x00403e24
0x00403e3a
0x00000000
0x00403e52
0x00403e54
0x00403e57
0x00403e60
0x00403e63
0x00403e63
0x00403e3a
0x00403e0b
0x00403df7
0x00403ee7
0x00404777
0x00404777
0x00404779
0x00404779
0x00404505
0x00404507
0x0040450a
0x0040450b
0x0040450e
0x00404511
0x00404514
0x00404516
0x00404517
0x0040462c
0x0040462f
0x00404631
0x00404724
0x0040472f
0x00404736
0x00404738
0x0040473b
0x00404740
0x00404741
0x00404743
0x00000000
0x00404745
0x00404745
0x0040474b
0x0040474d
0x0040474d
0x00404750
0x00404758
0x0040475f
0x0040476a
0x0040476a
0x00404637
0x00404637
0x0040463a
0x0040463d
0x0040463f
0x00000000
0x00404645
0x00404645
0x0040464c
0x004046a9
0x004046a9
0x004046ae
0x004046b4
0x004046b9
0x004046ba
0x004046ba
0x004046c6
0x004046d7
0x004046dd
0x004046dd
0x004046df
0x004046ec
0x004046f3
0x004046f7
0x004046f9
0x004046ff
0x00404701
0x00404703
0x00404703
0x004046e1
0x004046e1
0x004046e5
0x004046e5
0x00404708
0x00404708
0x0040470a
0x0040470d
0x00404714
0x00404716
0x0040471a
0x0040464e
0x0040464e
0x00404653
0x0040465b
0x00000000
0x00000000
0x0040465d
0x0040465f
0x00404666
0x00000000
0x00404668
0x0040466c
0x00404671
0x00404672
0x00404678
0x00404680
0x00404686
0x0040468b
0x0040468c
0x00000000
0x0040468c
0x00404680
0x00000000
0x00404666
0x00404695
0x00404698
0x0040469b
0x0040469d
0x0040471d
0x0040471d
0x00000000
0x0040469f
0x0040469f
0x004046a2
0x004046a5
0x004046a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004046a7
0x0040469d
0x0040464c
0x0040463f
0x0040451d
0x00404520
0x00404522
0x0040452c
0x00404532
0x00404549
0x00404549
0x00404555
0x0040455b
0x0040455d
0x00404564
0x00404566
0x0040456b
0x00404573
0x00000000
0x00000000
0x00404575
0x00404577
0x0040457e
0x00000000
0x00404580
0x00404583
0x00404588
0x0040458e
0x00404596
0x0040459b
0x004045a0
0x00000000
0x004045a0
0x00404596
0x00000000
0x0040457e
0x004045a9
0x004045a9
0x004045a9
0x004045ae
0x004045b1
0x004045b3
0x004045b6
0x004045b9
0x004045c4
0x004045c6
0x004045c9
0x004045cb
0x004045cd
0x004045d3
0x004045d5
0x004045d5
0x004045bb
0x004045be
0x004045be
0x004045da
0x004045e0
0x004045e4
0x004045ea
0x004045f1
0x004045f1
0x004045f6
0x00404603
0x00404534
0x00404534
0x0040453a
0x00404604
0x00404608
0x0040460d
0x0040460f
0x00404611
0x00404619
0x00404620
0x00404625
0x00404625
0x0040462b
0x00404540
0x00404540
0x00404545
0x00404547
0x00000000
0x00000000
0x00000000
0x00000000
0x00404547
0x0040453a
0x00404524
0x00404524
0x00404528
0x00404528
0x00404522
0x00404517
0x00404474
0x00404474
0x00404476
0x0040447a
0x0040447d
0x0040447f
0x004044b8
0x004044bc
0x004044bd
0x004044bf
0x004044c1
0x004044c3
0x004044c6
0x004044c8
0x004044ca
0x004044cf
0x004044d1
0x004044d3
0x004044d9
0x004044db
0x004044db
0x004044e2
0x004044e2
0x004044e5
0x004044e7
0x004044f0
0x004044f5
0x004044f5
0x004044f7
0x004044f8
0x004044f9
0x004044fa
0x00404481
0x00404481
0x00404488
0x0040448a
0x00404490
0x00404492
0x00404494
0x00404499
0x0040449b
0x0040449d
0x0040449f
0x004044a1
0x004044ac
0x004044b1
0x004044b1
0x004044b3
0x004044b4
0x004044b5
0x0040448c
0x0040448c
0x0040448d
0x0040448e
0x0040448e
0x0040448a
0x0040447f

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7A0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				void* _t64;
				intOrPtr _t65;
				long _t76;
				intOrPtr _t82;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t115;
				intOrPtr _t127;
				void* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t143;

				_t136 = __edi;
				_t140 = _t141;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t141);
				_push(0x41f9a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xfffffd8c;
				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
				_t143 = _t64;
				if(_t143 < 0) {
					_t65 =  *0x4ba798; // 0x40e730
					E0040C9F0(_t65,  &_v8, _t140);
				} else {
					if(_t143 == 0) {
						_t107 =  *0x4ba670; // 0x40e738
						E0040C9F0(_t107,  &_v8, _t140);
					} else {
						if(_t64 == 7) {
							_t110 =  *0x4ba4d0; // 0x40e740
							E0040C9F0(_t110,  &_v8, _t140);
						} else {
							_t112 =  *0x4ba5c8; // 0x40e748
							E0040C9F0(_t112,  &_v8, _t140);
						}
					}
				}
				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
				_t138 = _v36.State;
				if(_t138 == 0x1000 || _t138 == 0x10000) {
					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
					_t147 = _t76;
					if(_t76 == 0) {
						goto L12;
					} else {
						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
						_v588 = 5;
						E0040858C( &_v600, 0x105,  &_v558);
						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
						_v584 = _v596;
						_v580 = 0x11;
						_v576 = _v8;
						_v572 = 0x11;
						_v568 = _t115;
						_v564 = 5;
						_push( &_v592);
						_t103 =  *0x4ba6e0; // 0x40e810
						E0040C9F0(_t103,  &_v604, _t140, 3);
						E0041F2A0(_t115, _v604, 1, _t136, _t138);
					}
				} else {
					L12:
					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t115;
					_v608 = 5;
					_push( &_v628);
					_t82 =  *0x4ba67c; // 0x40e6d8
					E0040C9F0(_t82,  &_v632, _t140, 2);
					E0041F2A0(_t115, _v632, 1, _t136, _t138);
				}
				_pop(_t127);
				 *[fs:eax] = _t127;
				_push(0x41f9ad);
				E00407A20( &_v632);
				E00407A80( &_v604, 3);
				return E00407A20( &_v8);
			}

0x0041f7a0
0x0041f7a1
0x0041f7ad
0x0041f7b3
0x0041f7b9
0x0041f7bf
0x0041f7c5
0x0041f7ca
0x0041f7cb
0x0041f7d0
0x0041f7d3
0x0041f7df
0x0041f7df
0x0041f7e2
0x0041f7f0
0x0041f7f5
0x0041f7e4
0x0041f7e4
0x0041f7ff
0x0041f804
0x0041f7e6
0x0041f7e9
0x0041f80e
0x0041f813
0x0041f7eb
0x0041f81d
0x0041f822
0x0041f822
0x0041f7e9
0x0041f7e4
0x0041f82d
0x0041f840
0x0041f845
0x0041f84e
0x0041f86c
0x0041f871
0x0041f873
0x00000000
0x0041f879
0x0041f882
0x0041f888
0x0041f8a0
0x0041f8b1
0x0041f8bc
0x0041f8c2
0x0041f8cc
0x0041f8d2
0x0041f8d9
0x0041f8df
0x0041f8ec
0x0041f8f5
0x0041f8fa
0x0041f90c
0x0041f911
0x0041f915
0x0041f915
0x0041f91e
0x0041f924
0x0041f92e
0x0041f934
0x0041f93b
0x0041f941
0x0041f94e
0x0041f957
0x0041f95c
0x0041f96e
0x0041f973
0x0041f977
0x0041f97a
0x0041f97d
0x0041f988
0x0041f998
0x0041f9a5

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C

Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35

Strings

H@, xrefs: 0041F81D
0@, xrefs: 0041F7F0
8@, xrefs: 0041F7FF
@@, xrefs: 0041F80E

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: 0@$8@$@@$H@
API String ID: 902310565-4161625419
Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406688, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406688(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406B30(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040688C(_t71);
								_t57 =  *0x4bb8f8; // 0x4b9284
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406368( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x0040668f
0x00406691
0x00406693
0x00406696
0x00406696
0x0040669d
0x004066a4
0x00000000
0x00000000
0x004066b2
0x004066b9
0x00406751
0x00406751
0x00406751
0x00406755
0x00000000
0x00000000
0x00406760
0x00406766
0x00000000
0x00000000
0x00000000
0x00000000
0x00406768
0x00406768
0x0040676d
0x00406773
0x0040677a
0x00406784
0x00406789
0x00406790
0x00406797
0x004067a5
0x004067b3
0x004067a7
0x004067af
0x004067af
0x004067a5
0x004067b9
0x004067db
0x004067e4
0x004067e8
0x004067ec
0x00000000
0x004067bb
0x004067bb
0x004067c0
0x00000000
0x00000000
0x004067cc
0x004067d2
0x00000000
0x00000000
0x004067d4
0x00000000
0x004067d4
0x004067bb
0x004067f1
0x004067f1
0x00406800
0x00406807
0x0040680a
0x0040680a
0x00000000
0x00406800
0x00000000
0x00406751
0x004066c4
0x004066ca
0x004066d0
0x0040672c
0x0040672f
0x00000000
0x00000000
0x00406736
0x0040673e
0x00406744
0x0040674f
0x00000000
0x0040674f
0x00406746
0x00000000
0x00406746
0x00000000
0x004066d2
0x004066d5
0x00000000
0x004066e4
0x004066e4
0x004066e4
0x00000000
0x004066ed
0x004066f0
0x00000000
0x00000000
0x004066f5
0x0040671e
0x00406722
0x00406727
0x0040672a
0x00000000
0x00000000
0x00000000
0x0040672a
0x004066fe
0x00406704
0x00000000
0x00000000
0x0040670b
0x0040670e
0x00406715
0x00000000
0x00406715
0x00406811
0x0040681c

APIs

Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33

GetTickCount.KERNEL32 ref: 004066BF
GetTickCount.KERNEL32 ref: 004066D7
GetCurrentThreadId.KERNEL32 ref: 00406706
GetTickCount.KERNEL32 ref: 00406731
GetTickCount.KERNEL32 ref: 00406768
GetTickCount.KERNEL32 ref: 00406792
GetCurrentThreadId.KERNEL32 ref: 00406802

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756

Uniqueness

Uniqueness Score: -1.00%

Function 004971AC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E004062B0(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x4972a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00405CB8(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E0041DFB0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x4ba740; // 0x40ea6c
						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E0040711C();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x4972ac);
				return E00407A20( &_v20);
			}

0x004971ac
0x004971ac
0x004971ac
0x004971ad
0x004971af
0x004971b6
0x004971bb
0x004971bd
0x004971c0
0x004971c0
0x004971c5
0x004971c7
0x004971ca
0x004971ce
0x004971cf
0x004971d4
0x004971d7
0x004971de
0x004971e3
0x004971e9
0x004971ee
0x004971f6
0x004971fa
0x004971fa
0x004971fa
0x004971fc
0x00497203
0x00497284
0x0049728c
0x00497205
0x00497209
0x0049722c
0x0049723e
0x0049720b
0x00497211
0x00497224
0x00497224
0x00497245
0x00497251
0x00497259
0x0049725c
0x00497266
0x00497273
0x00497278
0x00497278
0x00497245
0x00497291
0x00497294
0x00497297
0x004972a4

APIs

GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247

Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A

GetCurrentThread.KERNEL32 ref: 0049727F
GetCurrentThreadId.KERNEL32 ref: 00497287

Strings

l@, xrefs: 00497266
0@G, xrefs: 0049726E
XtI, xrefs: 00497214, 0049722F

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: 0@G$XtI$l@
API String ID: 3539746228-385768319
Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799

Uniqueness

Uniqueness Score: -1.00%

Function 00406424, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00406424(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00403808();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E004053F0(_v16);
						_push(_t41);
						_push(E004064D2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00403808();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E004064D9);
							return E0040540C(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E00407210();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00406425
0x00406427
0x0040642c
0x00406446
0x004064d9
0x004064d9
0x00000000
0x0040644c
0x0040644c
0x0040644f
0x00406450
0x00406452
0x00406459
0x00000000
0x00406465
0x0040646d
0x00406472
0x00406473
0x00406478
0x0040647b
0x00406481
0x00406485
0x00406486
0x0040648b
0x00406492
0x004064bc
0x004064be
0x004064c1
0x004064c4
0x004064d1
0x00406494
0x00406494
0x004064af
0x004064b2
0x004064ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ba
0x004064a5
0x004064a8
0x004064e0
0x004064e6
0x004064e6
0x00406492
0x00406459
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B

Strings

@, xrefs: 004064D9
kernel32.dll, xrefs: 00406434
GetLogicalProcessorInformation, xrefs: 0040642F

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004076B8, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004076B8(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x4bb058 == 0) {
					if( *0x4b7032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403780();
					}
					return _t3;
				} else {
					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
						 *0x4bb35c();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408240(0x40774c);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x004076c0
0x00407726
0x00407728
0x0040772a
0x0040772f
0x00407734
0x00407736
0x00407736
0x0040773c
0x004076c2
0x004076cb
0x004076db
0x004076db
0x004076f7
0x0040770a
0x0040771e
0x0040771e

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

Error, xrefs: 0040772A
Runtime error at 00000000, xrefs: 004076EA, 0040772F

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E

Uniqueness

Uniqueness Score: -1.00%

Function 00420524, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420524(void* __ebx, void* __esi) {
				intOrPtr _t4;
				intOrPtr _t6;

				if(E0041FF68(6, 0) == 0) {
					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
					 *0x4be914 = _t4;
					 *0x4be910 = E00420428;
					return _t4;
				} else {
					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
					 *0x4be910 = _t6;
					return _t6;
				}
			}

0x00420532
0x0042055f
0x00420564
0x00420569
0x00420573
0x00420534
0x00420544
0x00420549
0x0042054e
0x0042054e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559

Strings

RtlCompareUnicodeString, xrefs: 0042054F
NTDLL.DLL, xrefs: 00420554
kernel32.dll, xrefs: 00420539
CompareStringOrdinal, xrefs: 00420534

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
API String ID: 1883125708-3870080525
Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042931C, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E00428FDC(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00427254();
					return E00428FDC(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L00427828();
						_t123 = _t64;
						if(_t123 == 0) {
							E00428D34(_t110);
						}
						E00429278(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00429294(_v788 - 1, _t125) != 0) {
								L00427840();
								E00428FDC(_v792);
								L00427840();
								E00428FDC( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004292C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L00427830();
							E00428FDC(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L00427838();
							E00428FDC(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0042931c
0x00429328
0x0042932e
0x00429334
0x00429344
0x0042934b
0x0042934b
0x00429356
0x00429364
0x004294ef
0x004294f6
0x004294f7
0x00000000
0x0042936a
0x0042936d
0x0042938b
0x0042936f
0x0042937a
0x0042937a
0x0042939a
0x004293a6
0x004293a9
0x00429416
0x0042941c
0x0042941d
0x00429423
0x00429424
0x00429426
0x0042942b
0x0042942f
0x00429431
0x00429431
0x0042943c
0x00429447
0x00429452
0x0042945b
0x0042945e
0x0042947a
0x00429481
0x0042948c
0x004294a3
0x004294a8
0x004294bc
0x004294c1
0x004294d4
0x004294d4
0x004294dd
0x00429460
0x00429460
0x00429461
0x00429467
0x0042946d
0x0042946f
0x00429471
0x00429474
0x00429477
0x00429477
0x0042947a
0x00000000
0x00000000
0x00000000
0x0042947a
0x004293ab
0x004293ab
0x004293ac
0x004293ae
0x004293b4
0x004293b6
0x004293c5
0x004293c6
0x004293d0
0x004293d1
0x004293d6
0x004293e1
0x004293e2
0x004293ec
0x004293ed
0x004293f2
0x0042940d
0x0042940f
0x00429410
0x00429413
0x00429413
0x00000000
0x004293b4
0x004293a9

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
VariantCopy.OLEAUT32(?,?), ref: 004294F7

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA44, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void* _t24;
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_push(0);
				_push(0);
				_t24 = __eax;
				_push(_t35);
				_push(0x4aface);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				if(( *0x4c1d61 & 0x00000001) == 0) {
					E00407A20( &_v8);
				} else {
					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
				}
				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
				_push(_v8);
				_push(_t24);
				_push(0x4b0f94);
				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				E004087C4( &_v12, _t24, 5, _t31, _t32);
				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E004AFAD5);
				return E00407A80( &_v12, 2);
			}

0x004afa44
0x004afa44
0x004afa47
0x004afa49
0x004afa4c
0x004afa50
0x004afa51
0x004afa56
0x004afa59
0x004afa63
0x004afa77
0x004afa65
0x004afa6d
0x004afa6d
0x004afa7c
0x004afa81
0x004afa84
0x004afa85
0x004afa8a
0x004afa97
0x004afaae
0x004afab5
0x004afab8
0x004afabb
0x004afacd

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

Strings

/ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
Setup, xrefs: 004AFA9E
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Message
String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-3391638011
Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B8, Relevance: 7.8, APIs: 5, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed int _v8;
				signed char _v9;
				signed int _v12;
				signed int _v14;
				void* _v20;
				void* _v24;
				signed short* _v28;
				signed short* _v32;
				signed int _v48;
				void* __ebx;
				void* __ebp;
				signed int _t150;
				signed int _t272;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t339;
				intOrPtr _t347;
				intOrPtr _t355;
				void* _t360;
				void* _t362;
				intOrPtr _t363;

				_t367 = __fp0;
				_t358 = __edi;
				_t360 = _t362;
				_t363 = _t362 + 0xffffffd4;
				_v8 = __ecx;
				_v32 = __edx;
				_v28 = __eax;
				_v9 = 1;
				_t272 =  *_v28 & 0x0000ffff;
				if((_t272 & 0x00000fff) >= 0x10f) {
					_t150 =  *_v32 & 0x0000ffff;
					if(_t150 != 0) {
						if(_t150 != 1) {
							if(E00430860(_t272,  &_v20) != 0) {
								_push( &_v14);
								_t273 =  *_v20;
								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
									_t275 =  *_v32 & 0x0000ffff;
									if(( *_v32 & 0xfff) >= 0x10f) {
										if(E00430860(_t275,  &_v24) != 0) {
											_push( &_v12);
											_t276 =  *_v24;
											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
												E00428BF0(0xb);
												goto L41;
											} else {
												if(( *_v28 & 0x0000ffff) == _v12) {
													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v48);
													L00427244();
													_push(_t360);
													_push(0x42fdb0);
													_push( *[fs:eax]);
													 *[fs:eax] = _t363;
													_t289 = _v12 & 0x0000ffff;
													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
													if((_v48 & 0x0000ffff) != _v12) {
														E00428AF8(_t289);
													}
													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
													_pop(_t328);
													 *[fs:eax] = _t328;
													_push(0x42fde5);
													return E00429278( &_v48);
												}
											}
										} else {
											E00428BF0(0xb);
											goto L41;
										}
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fcf7);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t294 =  *_v32 & 0x0000ffff;
										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
										if(( *_v32 & 0x0000ffff) != _v48) {
											E00428AF8(_t294);
										}
										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
										_pop(_t331);
										 *[fs:eax] = _t331;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								} else {
									if(( *_v32 & 0x0000ffff) == _v14) {
										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fc52);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t299 = _v14 & 0x0000ffff;
										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
										if((_v48 & 0x0000ffff) != _v14) {
											E00428AF8(_t299);
										}
										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
										_pop(_t339);
										 *[fs:eax] = _t339;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 2);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(0, 1);
						goto L41;
					}
				} else {
					if(_t272 != 0) {
						if(_t272 != 1) {
							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
								_push( &_v12);
								_t282 =  *_v24;
								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
									_push( &_v48);
									L00427244();
									_push(_t360);
									_push(0x42fb63);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_t306 =  *_v28 & 0x0000ffff;
									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
									if((_v48 & 0xfff) !=  *_v28) {
										E00428AF8(_t306);
									}
									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
									_pop(_t347);
									 *[fs:eax] = _t347;
									_push(0x42fde5);
									return E00429278( &_v48);
								} else {
									if(( *_v28 & 0x0000ffff) == _v12) {
										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42facc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t311 = _v12 & 0x0000ffff;
										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
										if((_v48 & 0xfff) != _v12) {
											E00428AF8(_t311);
										}
										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
										_pop(_t355);
										 *[fs:eax] = _t355;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 0);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(1, 0);
						L41:
						return _v9 & 0x000000ff;
					}
				}
			}

0x0042f9b8
0x0042f9b8
0x0042f9b9
0x0042f9bb
0x0042f9bf
0x0042f9c2
0x0042f9c5
0x0042f9c8
0x0042f9cf
0x0042f9dc
0x0042fb6d
0x0042fb73
0x0042fb8a
0x0042fbac
0x0042fbbb
0x0042fbc7
0x0042fbce
0x0042fc88
0x0042fc95
0x0042fd0a
0x0042fd19
0x0042fd25
0x0042fd2c
0x0042fde0
0x00000000
0x0042fd32
0x0042fd3c
0x0042fdd6
0x0042fddb
0x00000000
0x0042fd3e
0x0042fd41
0x0042fd42
0x0042fd49
0x0042fd4a
0x0042fd4f
0x0042fd52
0x0042fd55
0x0042fd5f
0x0042fd6c
0x0042fd6e
0x0042fd6e
0x0042fd92
0x0042fd97
0x0042fd9c
0x0042fd9f
0x0042fda2
0x0042fdaf
0x0042fdaf
0x0042fd3c
0x0042fd0c
0x0042fd0c
0x00000000
0x0042fd0c
0x0042fc97
0x0042fc9a
0x0042fc9b
0x0042fca2
0x0042fca3
0x0042fca8
0x0042fcab
0x0042fcb1
0x0042fcba
0x0042fcc9
0x0042fccb
0x0042fccb
0x0042fcde
0x0042fce3
0x0042fce6
0x0042fce9
0x0042fcf6
0x0042fcf6
0x0042fbd4
0x0042fbde
0x0042fc78
0x0042fc7d
0x00000000
0x0042fbe0
0x0042fbe3
0x0042fbe4
0x0042fbeb
0x0042fbec
0x0042fbf1
0x0042fbf4
0x0042fbf7
0x0042fc01
0x0042fc0e
0x0042fc10
0x0042fc10
0x0042fc34
0x0042fc39
0x0042fc3e
0x0042fc41
0x0042fc44
0x0042fc51
0x0042fc51
0x0042fbde
0x0042fbae
0x0042fbae
0x00000000
0x0042fbae
0x0042fb8c
0x0042fb98
0x00000000
0x0042fb98
0x0042fb75
0x0042fb7e
0x00000000
0x0042fb7e
0x0042f9e2
0x0042f9e5
0x0042f9fc
0x0042fa22
0x0042fa31
0x0042fa3d
0x0042fa44
0x0042fb02
0x0042fb03
0x0042fb0a
0x0042fb0b
0x0042fb10
0x0042fb13
0x0042fb19
0x0042fb22
0x0042fb35
0x0042fb37
0x0042fb37
0x0042fb4a
0x0042fb4f
0x0042fb52
0x0042fb55
0x0042fb62
0x0042fa4a
0x0042fa54
0x0042faf2
0x0042faf7
0x00000000
0x0042fa56
0x0042fa59
0x0042fa5a
0x0042fa61
0x0042fa62
0x0042fa67
0x0042fa6a
0x0042fa6d
0x0042fa77
0x0042fa88
0x0042fa8a
0x0042fa8a
0x0042faae
0x0042fab3
0x0042fab8
0x0042fabb
0x0042fabe
0x0042facb
0x0042facb
0x0042fa54
0x0042fa24
0x0042fa24
0x00000000
0x0042fa24
0x0042f9fe
0x0042fa0a
0x00000000
0x0042fa0a
0x0042f9e7
0x0042f9f0
0x0042fde5
0x0042fded
0x0042fded
0x0042f9e5

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C790, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				short _v536;
				short* _t32;
				intOrPtr* _t47;
				intOrPtr _t56;
				void* _t61;
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;
				_t47 = __edx;
				_t61 = __eax;
				_push(_t67);
				_push(0x41c873);
				_push( *[fs:eax]);
				 *[fs:eax] = _t67 + 0xfffffdec;
				E00407A20(__edx);
				_v24 =  *(_a4 - 2) & 0x0000ffff;
				_v22 =  *(_a4 - 4) & 0x0000ffff;
				_v18 =  *(_a4 - 6) & 0x0000ffff;
				if(_t61 > 2) {
					E00407E48( &_v8, L"yyyy");
				} else {
					E00407E48( &_v8, 0x41c88c);
				}
				_t32 = E004084EC(_v8);
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
					E0040858C(_t47, 0x100,  &_v536);
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
						_t63 =  *_t47;
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 - 4));
						}
						E004088AC( *_t47, _t63 - 1, 2, _t47);
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41c87a);
				return E00407A20( &_v8);
			}

0x0041c79d
0x0041c7a0
0x0041c7a2
0x0041c7a6
0x0041c7a7
0x0041c7ac
0x0041c7af
0x0041c7b4
0x0041c7c0
0x0041c7cb
0x0041c7d6
0x0041c7dd
0x0041c7f6
0x0041c7df
0x0041c7e7
0x0041c7e7
0x0041c80a
0x0041c823
0x0041c832
0x0041c838
0x0041c842
0x0041c846
0x0041c84b
0x0041c84b
0x0041c858
0x0041c858
0x0041c838
0x0041c85f
0x0041c862
0x0041c865
0x0041c872

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C

Strings

yyyy, xrefs: 0041C7F1
, xrefs: 0041C7E2

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041EEFC, Relevance: 6.1, APIs: 4, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _t55;
				signed int _t76;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;

				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x41f0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
					_v12 = E0041EEF0(_t82);
				} else {
					_v12 = _t82 - _v1596.AllocationBase;
				}
				E0041A57C( &_v534, 0x104, E00420608() + 2);
				_t83 = 0x41f0bc;
				_t100 = 0x41f0bc;
				_t95 =  *0x414db8; // 0x414e10
				if(E00405F30(_t102, _t95) != 0) {
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
					_t76 = E00407F04(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x41f0c0;
					}
				}
				_t55 =  *0x4ba774; // 0x40e708
				_t18 = _t55 + 4; // 0xffec
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
				E00405BE8( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				E0041A814(4,  &_v1636);
				E00407F04(_v8);
				_pop(_t98);
				 *[fs:eax] = _t98;
				_push(0x41f0af);
				return E00407A20( &_v1640);
			}

0x0041ef0a
0x0041ef10
0x0041ef13
0x0041ef15
0x0041ef19
0x0041ef1a
0x0041ef1f
0x0041ef22
0x0041ef2f
0x0041ef3e
0x0041ef6e
0x0041ef7a
0x0041ef7f
0x0041ef85
0x0041ef85
0x0041efa7
0x0041efac
0x0041efb1
0x0041efb8
0x0041efc5
0x0041efcf
0x0041efd3
0x0041efda
0x0041efe4
0x0041efe4
0x0041efda
0x0041eff5
0x0041effa
0x0041f009
0x0041f016
0x0041f021
0x0041f027
0x0041f034
0x0041f03a
0x0041f044
0x0041f04a
0x0041f051
0x0041f057
0x0041f05e
0x0041f064
0x0041f080
0x0041f088
0x0041f091
0x0041f094
0x0041f097
0x0041f0a7

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A6C8(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4bdc08()) {
					_v16 = E0040A684( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4bdc04(4,  &_v32,  &_v20);
				}
				_t39 = E0040A684( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408550(_t81, _t67);
					_t39 = E0040540C(_t67);
				}
				if(_v16 != 0) {
					 *0x4bdc04(0, 0,  &_v20);
					_t68 = E0040A684( &_v12);
					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
						 *0x4bdc04(8, _v16,  &_v20);
					}
					E0040540C(_t68);
					return E0040540C(_v16);
				}
				return _t39;
			}

0x0040a6d0
0x0040a6d2
0x0040a6d6
0x0040a6e2
0x0040a6ec
0x0040a6ef
0x0040a6f1
0x0040a6f8
0x0040a6fb
0x0040a70c
0x0040a712
0x0040a715
0x0040a718
0x0040a71b
0x0040a721
0x0040a727
0x0040a737
0x0040a737
0x0040a740
0x0040a745
0x0040a749
0x0040a74e
0x0040a753
0x0040a755
0x0040a756
0x0040a75d
0x0040a765
0x0040a76a
0x0040a76a
0x0040a770
0x0040a773
0x0040a773
0x0040a75d
0x0040a77a
0x0040a781
0x0040a781
0x0040a78a
0x0040a794
0x0040a7a2
0x0040a7aa
0x0040a7c7
0x0040a7c7
0x0040a7cf
0x00000000
0x0040a7d7
0x0040a7e1

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7

Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420BD8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x4b7e30 = _t1;
				}
				if( *0x4b7e30 == 0) {
					 *0x4b7e30 = E0041A4DC;
					return E0041A4DC;
				}
				return _t1;
			}

0x00420bde
0x00420be3
0x00420be7
0x00420bef
0x00420bf4
0x00420bf4
0x00420c00
0x00420c07
0x00000000
0x00420c07
0x00420c0d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

Strings

kernel32.dll, xrefs: 00420BD9
GetDiskFreeSpaceExW, xrefs: 00420BE9

Memory Dump Source

Source File: 00000004.00000002.377785743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.377775970.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377840561.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377847455.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.377853038.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.377858813.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: innosetup-6.1.2.tmp PID: 4880 Parent PID: 4928 innosetup-6.1.2.tmpCOMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	1718
Total number of Limit Nodes:	90

Executed Functions

Function 005C6A5C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E005C6A5C(long __eax) {
				signed char _v5;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				void* _v28;
				struct _SID_IDENTIFIER_AUTHORITY* _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t89;
				long _t97;
				signed int _t100;
				intOrPtr _t105;
				intOrPtr _t106;
				void* _t107;
				void* _t110;
				void* _t111;
				void* _t113;
				void* _t115;
				intOrPtr _t116;

				_t113 = _t115;
				_t116 = _t115 + 0xffffffe4;
				_push(_t107);
				_t97 = __eax;
				if(E00429D10() == 2) {
					_v5 = 0;
					_v32 = 0x6cbcdc;
					if(AllocateAndInitializeSid(_v32, 2, 0x20, _t97, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t113);
						_push(0x5c6c47);
						_push( *[fs:eax]);
						 *[fs:eax] = _t116;
						_t99 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_t99 = E00414020(0, _t107, GetModuleHandleW(L"advapi32.dll"), L"CheckTokenMembership");
						}
						if(_t99 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v20) != 0) {
								L13:
								_push(_t113);
								_push(0x5c6c29);
								_push( *[fs:eax]);
								 *[fs:eax] = _t116;
								_v24 = 0;
								_t14 =  &_v24; // 0x6b750a
								if(GetTokenInformation(_v20, 2, 0, 0, _t14) != 0 || GetLastError() == 0x7a) {
									_t16 =  &_v24; // 0x6b750a
									_v28 = E00406F0C( *_t16);
									_t18 =  &_v24; // 0x6b750a
									_t19 =  &_v24; // 0x6b750a
									if(GetTokenInformation(_v20, 2, _v28,  *_t19, _t18) != 0) {
										_t110 =  *_v28 - 1;
										if(_t110 >= 0) {
											_t111 = _t110 + 1;
											_t100 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t100 * 8)) == 0 || ( *(_v28 + 8 + _t100 * 8) & 0x00000014) != 4) {
												_t100 = _t100 + 1;
												_t111 = _t111 - 1;
												if(_t111 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t105);
										 *[fs:eax] = _t105;
										_push(E005C6C30);
										E00406F28(_v28);
										return CloseHandle(_v20);
									} else {
										E004099B8();
										E004099B8();
										goto L26;
									}
								} else {
									E004099B8();
									E004099B8();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E004099B8();
										goto L26;
									}
								} else {
									E004099B8();
									goto L26;
								}
							}
						} else {
							_t89 =  *_t99(0, _v12,  &_v16); // executed
							if(_t89 != 0) {
								asm("sbb eax, eax");
								_v5 = _t89 + 1;
							}
							_pop(_t106);
							 *[fs:eax] = _t106;
							_push(E005C6C4E);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5 & 0x000000ff;
				}
			}

0x005c6a5d
0x005c6a5f
0x005c6a63
0x005c6a64
0x005c6a6e
0x005c6a79
0x005c6a82
0x005c6aa5
0x00000000
0x005c6aab
0x005c6aad
0x005c6aae
0x005c6ab3
0x005c6ab6
0x005c6ab9
0x005c6ac9
0x005c6ae0
0x005c6ae0
0x005c6ae4
0x005c6b0b
0x005c6b23
0x005c6b5a
0x005c6b5c
0x005c6b5d
0x005c6b62
0x005c6b65
0x005c6b6a
0x005c6b6d
0x005c6b82
0x005c6b9d
0x005c6ba5
0x005c6ba8
0x005c6bac
0x005c6bc1
0x005c6bd4
0x005c6bd7
0x005c6bd9
0x005c6bda
0x005c6bdc
0x005c6c06
0x005c6c07
0x005c6c08
0x00000000
0x00000000
0x00000000
0x005c6c08
0x005c6c00
0x005c6c00
0x005c6c0a
0x005c6c0c
0x005c6c0f
0x005c6c12
0x005c6c1a
0x005c6c28
0x005c6bc3
0x005c6bc3
0x005c6bc8
0x00000000
0x005c6bc8
0x005c6b8e
0x005c6b8e
0x005c6b93
0x00000000
0x005c6b93
0x005c6b25
0x005c6b2f
0x005c6b4e
0x00000000
0x005c6b50
0x005c6b50
0x00000000
0x005c6b50
0x005c6b31
0x005c6b31
0x00000000
0x005c6b31
0x005c6b2f
0x005c6ae6
0x005c6af0
0x005c6af4
0x005c6afe
0x005c6b01
0x005c6b01
0x005c6c32
0x005c6c35
0x005c6c38
0x005c6c46
0x005c6c46
0x005c6ae4
0x005c6a70
0x005c6a70
0x005c6c4e
0x005c6c57
0x005c6c57

APIs

AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6A9E
GetVersion.KERNEL32(00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6ABB
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6AD5
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6AF0
FreeSid.ADVAPI32(00000000,005C6C4E,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6C41

Strings

CheckTokenMembership, xrefs: 005C6ACB
advapi32.dll, xrefs: 005C6AD0
uk, xrefs: 005C6B6D, 005C6B9D, 005C6BA8, 005C6BAC, 005C6B70, 005C6BAB, 005C6BAF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: uk$CheckTokenMembership$advapi32.dll
API String ID: 2691416632-2919004508
Opcode ID: b3ab592c6d3b77795c6210e45c7292bb221422b1da33b3da0a73a47ef1160433
Instruction ID: 9b09fa211300e1720079580cda0a6c70b4ecc7476fc6e1156ca500a6c4762d8e
Opcode Fuzzy Hash: b3ab592c6d3b77795c6210e45c7292bb221422b1da33b3da0a73a47ef1160433
Instruction Fuzzy Hash: EC515171A04309AEDB10EAE69D46FFE7BACFB08709F10446EF540E6182D678DE418765

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040E7F0(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t61);
				_push(0x40e8b0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L0040524C();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040B318( &_v20, 4,  &_v16);
				E0040B4C8(_t44, _v20, _v8);
				_t29 = E0040E6A0( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040B318( &_v24, 4,  &_v16);
					E0040B4C8(_t44, _v24, _v8);
					_t40 = E0040E6A0( *_t44, _t44); // executed
					if(_t40 == 0) {
						E0040A1C8(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040E8B7);
				E0040A228( &_v24, 2);
				return E0040A1C8( &_v8);
			}

0x0040e7f6
0x0040e7f9
0x0040e7fc
0x0040e7ff
0x0040e801
0x0040e807
0x0040e80e
0x0040e80f
0x0040e814
0x0040e817
0x0040e81c
0x0040e822
0x0040e82b
0x0040e83b
0x0040e848
0x0040e84f
0x0040e856
0x0040e858
0x0040e869
0x0040e876
0x0040e87d
0x0040e884
0x0040e888
0x0040e888
0x0040e884
0x0040e88f
0x0040e892
0x0040e895
0x0040e8a2
0x0040e8af

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B

Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0062C764, Relevance: 3.1, APIs: 2, Instructions: 52
comCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0062C764(void* __ebx) {
				void* _v8;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr* _t22;
				intOrPtr* _t25;
				intOrPtr _t34;
				intOrPtr _t38;

				_push(0);
				_push(_t38);
				_push(0x62c7fa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				if( *0x6d53b0 != 0) {
					L6:
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(0x62c801);
					return E0040EC28( &_v8);
				}
				if(GetVersion() >= 0x601) {
					_push(E0040EC28( &_v8));
					_t20 =  *0x6cd1b4; // 0x6cc0d4
					_push(_t20);
					_push(1);
					_push(0);
					_t21 =  *0x6ccac0; // 0x6cc0c4
					_push(_t21); // executed
					L0043C1E4(); // executed
					if(_t21 == 0) {
						_t22 = _v8;
						_push(_t22);
						if( *((intOrPtr*)( *_t22 + 0xc))() == 0) {
							_t25 = _v8;
							 *((intOrPtr*)( *_t25 + 4))(_t25);
							E0040EC40(0x6d53b4, _v8);
						}
					}
				}
				 *0x6d53b0 = 1;
				goto L6;
			}

0x0062c767
0x0062c76c
0x0062c76d
0x0062c772
0x0062c775
0x0062c77f
0x0062c7da
0x0062c7e6
0x0062c7e9
0x0062c7ec
0x0062c7f9
0x0062c7f9
0x0062c78c
0x0062c796
0x0062c797
0x0062c79c
0x0062c79d
0x0062c79f
0x0062c7a1
0x0062c7a6
0x0062c7a7
0x0062c7ae
0x0062c7b0
0x0062c7b3
0x0062c7bb
0x0062c7bd
0x0062c7c3
0x0062c7ce
0x0062c7ce
0x0062c7bb
0x0062c7ae
0x0062c7d3
0x00000000

APIs

GetVersion.KERNEL32(00000000,0062C7FA,?,00000000,00000000,?,0062C810,?,0068D41B), ref: 0062C781
CoCreateInstance.OLE32(006CC0C4,00000000,00000001,006CC0D4,00000000,00000000,0062C7FA,?,00000000,00000000,?,0062C810,?,0068D41B), ref: 0062C7A7

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 9826e4937534814f267a7b16ad82e7de6b6462802ce031e4cc7d27e7ee827f45
Instruction ID: f353ce4d6a1a39ca338ca05349e2663bd9ced637506b69c883bbb80cf5210214
Opcode Fuzzy Hash: 9826e4937534814f267a7b16ad82e7de6b6462802ce031e4cc7d27e7ee827f45
Instruction Fuzzy Hash: F8112231688A04AFEB00EB66DC46F5E77EAEB04320F4204BAF005D7AA1D7B5AD008F14

Uniqueness

Uniqueness Score: -1.00%

Function 0060BC10, Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060BC10(void* __eax, struct _WIN32_FIND_DATAW* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v16;
				long _v20;
				void* _t13;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E0060B8D4(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x60bc73);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_t13 = FindFirstFileW(E0040B278(__edx), __ecx); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060BC7A);
					return E0060B910( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x0060bc11
0x0060bc13
0x0060bc2b
0x0060bc38
0x0060bc39
0x0060bc3e
0x0060bc41
0x0060bc4d
0x0060bc52
0x0060bc5a
0x0060bc5f
0x0060bc62
0x0060bc65
0x0060bc72
0x0060bc2d
0x0060bc2d
0x0060bc8c
0x0060bc8c

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0060BC73,?,?,?,00000000), ref: 0060BC4D
GetLastError.KERNEL32(00000000,?,00000000,0060BC73,?,?,?,00000000), ref: 0060BC55

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: b918b46556d871619cdd9246c2fbab89cac114e1fcc0c097a6a622e8dd6eb99f
Instruction ID: 40d973860cf52e6d4e709199d75ee7f73fef1ce7e5283feda8d773f7ac4b311a
Opcode Fuzzy Hash: b918b46556d871619cdd9246c2fbab89cac114e1fcc0c097a6a622e8dd6eb99f
Instruction Fuzzy Hash: 09F0F931A84608ABDB14DF799C4149EB7ADDB8672075186BBF814D32D1DB754E018298

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6A0, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040E6A0(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t27);
				_push(0x40e6fe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E0040B278(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040E705);
				return E0040A1C8( &_v8);
			}

0x0040e6a9
0x0040e6aa
0x0040e6b0
0x0040e6b7
0x0040e6b8
0x0040e6bd
0x0040e6c0
0x0040e6d3
0x0040e6e0
0x0040e6e3
0x0040e6e3
0x0040e6ea
0x0040e6ed
0x0040e6f0
0x0040e6fd

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C

Uniqueness

Uniqueness Score: -1.00%

Function 005C78B8, Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C78B8(void* __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				void* _t17;
				void* _t18;
				intOrPtr _t19;

				_t18 = __eax;
				InitializeSecurityDescriptor( &_v36, 1);
				SetSecurityDescriptorDacl( &_v36, 0xffffffff, 0, 0);
				_v16 = 0xc;
				_v12 = _t19;
				_v8 = 0;
				_t17 = E00413E90( &_v16, 0, E0040B278(_t18)); // executed
				return _t17;
			}

0x005c78bc
0x005c78c5
0x005c78d5
0x005c78da
0x005c78e4
0x005c78ea
0x005c78fd
0x005c7906

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C78C5
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C78D5

Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B7A93,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000), ref: 00413EA6

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 391db7979e0a7feafb2bea05ce39d5209b2ece6bcb1cb4e9c9e64372f6bbe8fb
Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
Opcode Fuzzy Hash: 391db7979e0a7feafb2bea05ce39d5209b2ece6bcb1cb4e9c9e64372f6bbe8fb
Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2C4, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040E2C4(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t112);
				_push(0x40e4e9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040DAF8( &_v542, E0040B278(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040E4F0);
					return E0040A1C8( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40e4cc);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040E0D4( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040E5DC, 0, 0, 0,  &_v20) == 0) {
								_v12 = E00406F0C(_v20);
								RegQueryValueExW(_v16, E0040E5DC, 0, 0, _v12,  &_v20);
								E0040B2DC(_t97, _v12);
							}
						} else {
							_v12 = E00406F0C(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E0040B2DC(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040E4D3);
						if(_v12 != 0) {
							E00406F28(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040e2c5
0x0040e2c7
0x0040e2ce
0x0040e2d0
0x0040e2d6
0x0040e2dd
0x0040e2de
0x0040e2e3
0x0040e2e6
0x0040e2ed
0x0040e319
0x0040e2ef
0x0040e2fd
0x0040e2fd
0x0040e326
0x0040e4d3
0x0040e4d5
0x0040e4d8
0x0040e4db
0x0040e4e8
0x0040e32c
0x0040e32e
0x0040e346
0x0040e34d
0x0040e3ed
0x0040e3ef
0x0040e3f0
0x0040e3f5
0x0040e3f8
0x0040e406
0x0040e427
0x0040e476
0x0040e480
0x0040e498
0x0040e4a2
0x0040e4a2
0x0040e429
0x0040e431
0x0040e44b
0x0040e455
0x0040e455
0x0040e4a9
0x0040e4ac
0x0040e4af
0x0040e4b8
0x0040e4bd
0x0040e4bd
0x0040e4cb
0x0040e353
0x0040e368
0x0040e36f
0x00000000
0x0040e371
0x0040e386
0x0040e38d
0x00000000
0x0040e38f
0x0040e3a4
0x0040e3ab
0x00000000
0x0040e3ad
0x0040e3c2
0x0040e3c9
0x00000000
0x0040e3cb
0x0040e3e0
0x0040e3e7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e3e7
0x0040e3c9
0x0040e3ab
0x0040e38d
0x0040e36f
0x0040e34d

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6

Strings

Software\CodeGear\Locales, xrefs: 0040E37C, 0040E39A
Software\Borland\Delphi\Locales, xrefs: 0040E3D6
Software\Embarcadero\Locales, xrefs: 0040E33C, 0040E35E
Software\Borland\Locales, xrefs: 0040E3B8

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 006AAC44, Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E006AAC44(void* __ebx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				void* _t54;
				intOrPtr _t65;
				intOrPtr _t73;
				unsigned int _t77;
				void* _t80;
				char _t82;
				char _t84;
				intOrPtr _t89;
				intOrPtr _t94;
				intOrPtr _t99;
				intOrPtr _t112;
				intOrPtr _t118;
				void* _t129;
				intOrPtr _t158;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t167;
				intOrPtr _t174;
				intOrPtr _t182;
				intOrPtr _t183;

				_t128 = __ebx;
				_t182 = _t183;
				_t129 = 7;
				do {
					_push(0);
					_push(0);
					_t129 = _t129 - 1;
					_t184 = _t129;
				} while (_t129 != 0);
				_push(_t182);
				_push(0x6aaf8e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t183;
				E005C61AC( &_v12);
				E0040A5A8(0x6d5510, _v12);
				E005C61D8( &_v16);
				E0040A5A8(0x6d5514, _v16);
				E005C6204( &_v20, __esi, _t182, _t184);
				E0040A5A8(0x6d5518, _v20);
				E005C62AC( *0x6d57b9 & 0x000000ff, __ebx,  &_v24, __esi);
				E0040A5A8(0x6d551c, _v24);
				_t54 = E00429D10();
				_t185 = _t54 - 2;
				if(_t54 != 2) {
					E0040A1C8(0x6d5520);
				} else {
					E005C5AD8(L"SystemDrive", _t129,  &_v28, _t185);
					E0040A5A8(0x6d5520, _v28);
				}
				if( *0x6d5520 == 0) {
					_t118 =  *0x6d5510; // 0x0
					E005C51FC(_t118,  &_v32);
					E0040A5A8(0x6d5520, _v32);
					_t187 =  *0x6d5520;
					if( *0x6d5520 == 0) {
						E0040A5A8(0x6d5520, 0x6aafcc);
					}
				}
				E006AAAD8(1, L"ProgramFilesDir", _t187); // executed
				E0040A5A8(0x6d5524, _v36);
				_t188 =  *0x6d5524;
				if( *0x6d5524 == 0) {
					_t174 =  *0x6d5520; // 0x0
					E0040B4C8(0x6d5524, L"\\Program Files", _t174);
				}
				E006AAAD8(1, L"CommonFilesDir", _t188); // executed
				E0040A5A8(0x6d5528, _v40);
				if( *0x6d5528 == 0) {
					_t112 =  *0x6d5524; // 0x0
					E005C4D00(_t112,  &_v44);
					E0040B4C8(0x6d5528, L"Common Files", _v44);
				}
				_t190 =  *0x6d57b9;
				if( *0x6d57b9 != 0) {
					E006AAAD8(2, L"ProgramFilesDir", _t190); // executed
					E0040A5A8(0x6d552c, _v48);
					_t191 =  *0x6d552c;
					if( *0x6d552c == 0) {
						E0060C688(L"Failed to get path of 64-bit Program Files directory", _t128);
					}
					E006AAAD8(2, L"CommonFilesDir", _t191); // executed
					E0040A5A8(0x6d5530, _v52);
					if( *0x6d5530 == 0) {
						E0060C688(L"Failed to get path of 64-bit Common Files directory", _t128);
					}
				}
				if( *0x6d5888 == 0) {
					L25:
					__eflags =  *0x6d57b8;
					if( *0x6d57b8 == 0) {
						_t65 =  *0x6d5510; // 0x0
						E005C4D00(_t65,  &_v60);
						E0040B4C8(0x6d5540, L"COMMAND.COM", _v60); // executed
					} else {
						_t73 =  *0x6d5514; // 0x0
						E005C4D00(_t73,  &_v56);
						E0040B4C8(0x6d5540, L"cmd.exe", _v56);
					}
					E006AAB88(); // executed
					__eflags = 0;
					_pop(_t158);
					 *[fs:eax] = _t158;
					_push(E006AAF95);
					return E0040A228( &_v60, 0xd);
				} else {
					_t77 =  *0x6d57cc; // 0xa0042ee
					if(_t77 >> 0x10 < 0x600) {
						goto L25;
					} else {
						_t80 =  *0x6d5888(0x6cc7e4, 0x8000, 0,  &_v8); // executed
						if(_t80 != 0) {
							_t82 =  *0x6d5888(0x6cc7f4, 0x8000, 0,  &_v8); // executed
							__eflags = _t82;
							if(_t82 != 0) {
								_t84 =  *0x6d5888(0x6cc804, 0x8000, 0,  &_v8); // executed
								__eflags = _t84;
								if(_t84 != 0) {
									goto L25;
								} else {
									_push(_t182);
									_push(0x6aaf1e);
									_push( *[fs:eax]);
									 *[fs:eax] = _t183;
									E0040C8BC();
									__eflags = 0;
									_pop(_t163);
									 *[fs:eax] = _t163;
									_push(E006AAF25);
									_t89 = _v8;
									_push(_t89);
									L0043C20C();
									return _t89;
								}
							} else {
								_push(_t182);
								_push(0x6aaecb);
								_push( *[fs:eax]);
								 *[fs:eax] = _t183;
								E0040C8BC();
								__eflags = 0;
								_pop(_t165);
								 *[fs:eax] = _t165;
								_push(E006AAED2);
								_t94 = _v8;
								_push(_t94);
								L0043C20C();
								return _t94;
							}
						} else {
							_push(_t182);
							_push(0x6aae78);
							_push( *[fs:eax]);
							 *[fs:eax] = _t183;
							E0040C8BC();
							_pop(_t167);
							 *[fs:eax] = _t167;
							_push(E006AAE7F);
							_t99 = _v8;
							_push(_t99);
							L0043C20C();
							return _t99;
						}
					}
				}
			}

0x006aac44
0x006aac45
0x006aac47
0x006aac4c
0x006aac4c
0x006aac4e
0x006aac50
0x006aac50
0x006aac50
0x006aac55
0x006aac56
0x006aac5b
0x006aac5e
0x006aac64
0x006aac71
0x006aac79
0x006aac86
0x006aac8e
0x006aac9b
0x006aacaa
0x006aacb7
0x006aacbc
0x006aacc1
0x006aacc4
0x006aace7
0x006aacc6
0x006aacce
0x006aacdb
0x006aacdb
0x006aacf3
0x006aacf8
0x006aacfd
0x006aad0a
0x006aad0f
0x006aad16
0x006aad22
0x006aad22
0x006aad16
0x006aad31
0x006aad3e
0x006aad43
0x006aad4a
0x006aad56
0x006aad5c
0x006aad5c
0x006aad6b
0x006aad78
0x006aad84
0x006aad89
0x006aad8e
0x006aada0
0x006aada0
0x006aada5
0x006aadac
0x006aadb8
0x006aadc5
0x006aadca
0x006aadd1
0x006aadd8
0x006aadd8
0x006aade7
0x006aadf4
0x006aae00
0x006aae07
0x006aae07
0x006aae00
0x006aae13
0x006aaf25
0x006aaf25
0x006aaf2c
0x006aaf52
0x006aaf57
0x006aaf69
0x006aaf2e
0x006aaf31
0x006aaf36
0x006aaf48
0x006aaf48
0x006aaf6e
0x006aaf73
0x006aaf75
0x006aaf78
0x006aaf7b
0x006aaf8d
0x006aae19
0x006aae19
0x006aae26
0x00000000
0x006aae2c
0x006aae3c
0x006aae44
0x006aae8f
0x006aae95
0x006aae97
0x006aaee2
0x006aaee8
0x006aaeea
0x00000000
0x006aaeec
0x006aaeee
0x006aaeef
0x006aaef4
0x006aaef7
0x006aaf02
0x006aaf07
0x006aaf09
0x006aaf0c
0x006aaf0f
0x006aaf14
0x006aaf17
0x006aaf18
0x006aaf1d
0x006aaf1d
0x006aae99
0x006aae9b
0x006aae9c
0x006aaea1
0x006aaea4
0x006aaeaf
0x006aaeb4
0x006aaeb6
0x006aaeb9
0x006aaebc
0x006aaec1
0x006aaec4
0x006aaec5
0x006aaeca
0x006aaeca
0x006aae46
0x006aae48
0x006aae49
0x006aae4e
0x006aae51
0x006aae5c
0x006aae63
0x006aae66
0x006aae69
0x006aae6e
0x006aae71
0x006aae72
0x006aae77
0x006aae77
0x006aae44
0x006aae26

APIs

SHGetKnownFolderPath.SHELL32(006CC7E4,00008000,00000000,?,00000000,006AAF8E,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6), ref: 006AAE3C
CoTaskMemFree.OLE32(?,006AAE7F,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE72
SHGetKnownFolderPath.SHELL32(006CC7F4,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE8F
CoTaskMemFree.OLE32(?,006AAED2,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEC5

Strings

Common Files, xrefs: 006AAD9B
\Program Files, xrefs: 006AAD51
COMMAND.COM, xrefs: 006AAF64
cmd.exe, xrefs: 006AAF43
SystemDrive, xrefs: 006AACC9
CommonFilesDir, xrefs: 006AAD64, 006AADE0
ProgramFilesDir, xrefs: 006AAD2A, 006AADB1
Failed to get path of 64-bit Common Files directory, xrefs: 006AAE02
Failed to get path of 64-bit Program Files directory, xrefs: 006AADD3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 696bb485f508fd4fc235287d8c56ccdf96c541909d852cd50d0c8d5b81ec93a6
Instruction ID: fe51c0427e94c168f709ef2f052c82e6a7ec7b866c045d3231fd400451090af3
Opcode Fuzzy Hash: 696bb485f508fd4fc235287d8c56ccdf96c541909d852cd50d0c8d5b81ec93a6
Instruction Fuzzy Hash: 36819270A016089FDB15FFD4E841BAE7BA3EB4A300F90556BF401A6B91D7389D01CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF4, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00410BF4(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t133;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x6c4c50, 8 << 2);
				_pop(_t194);
				_v56 =  *0x6c4c50;
				_v52 = E004110A4( *0x006C4C54);
				_v48 = E004110B4( *0x006C4C58);
				_v44 = E004110C4( *0x006C4C5C);
				_v40 = E004110D4( *0x006C4C60);
				_v36 = E004110D4( *0x006C4C64);
				_v32 = E004110D4( *0x006C4C68);
				_v28 =  *0x006C4C6C;
				memcpy( &_v92, 0x6c4c70, 9 << 2);
				_t196 = _t194;
				_v88 = 0x6c4c70;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x6c4c94; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E004110E4( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x6d1644 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x6d1644 != 0) {
							_t191 =  *0x6d1644(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x6d1648 != 0) {
									_t191 =  *0x6d1648(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x6c4c9c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x6d1644 != 0) {
						_t142 =  *0x6d1644(1,  &_v92);
					}
					if(_t142 == 0) {
						_t133 = LoadLibraryA(_v80); // executed
						_t142 = _t133;
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0041057C(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x6c4c4c; // 0x0
									 *_v20 = _t126;
									 *0x6c4c4c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x6d1648 != 0) {
							_t142 =  *0x6d1648(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x6c4c98; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x6d1644(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x6d1644 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x6d1644(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x00410c08
0x00410c0e
0x00410c10
0x00410c13
0x00410c20
0x00410c2d
0x00410c3a
0x00410c47
0x00410c54
0x00410c61
0x00410c6a
0x00410c78
0x00410c7a
0x00410c7b
0x00410c81
0x00410c87
0x00410c8e
0x00410c90
0x00410c96
0x00410c9c
0x00410cac
0x00000000
0x00410cb1
0x00410cbe
0x00410cc3
0x00410cc5
0x00410cc7
0x00410cc7
0x00410ccd
0x00410cd0
0x00410cd8
0x00410ce2
0x00410ce5
0x00410cea
0x00410d05
0x00410cec
0x00410cf8
0x00410cf8
0x00410d08
0x00410d11
0x00410d2a
0x00410d2c
0x00410dee
0x00410dee
0x00410df8
0x00410e06
0x00410e06
0x00410e0a
0x00410e57
0x00410e59
0x00410e60
0x00410e6a
0x00410e78
0x00410e78
0x00410e7c
0x00410e7e
0x00410e83
0x00410e89
0x00410e99
0x00410e9e
0x00410e9e
0x00410e7c
0x00000000
0x00410e0c
0x00410e10
0x00410e4b
0x00410e55
0x00000000
0x00410e18
0x00410e1b
0x00410e23
0x00000000
0x00410e3c
0x00410e42
0x00410e47
0x00000000
0x00000000
0x00410ea1
0x00410ea4
0x00000000
0x00410ea4
0x00410e23
0x00410e10
0x00410e0a
0x00410d39
0x00410d47
0x00410d47
0x00410d4b
0x00410d51
0x00410d56
0x00410d56
0x00410d5a
0x00410da7
0x00410db3
0x00410de9
0x00410db5
0x00410db9
0x00410dbf
0x00410dc4
0x00410dc9
0x00410dd0
0x00410dd6
0x00410ddb
0x00410de0
0x00410de0
0x00410dc9
0x00410db9
0x00000000
0x00410d5c
0x00410d61
0x00410d6b
0x00410d79
0x00410d79
0x00410d7d
0x00000000
0x00410d7f
0x00410d7f
0x00410d84
0x00410d8a
0x00410d9a
0x00000000
0x00410d9f
0x00410d7d
0x00410d13
0x00410d1f
0x00410d23
0x00000000
0x00410d25
0x00410ea6
0x00410ead
0x00410eb1
0x00410eb4
0x00410eb7
0x00410ec0
0x00410ec0
0x00000000
0x00410ec6
0x00410d23

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC

Strings

PLl, xrefs: 00410C09
pLl, xrefs: 00410C6E

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ExceptionRaise
String ID: PLl$pLl
API String ID: 3997070919-4186446801
Opcode ID: 680169fcd532cac4d69c46f1a411d0c4da8965a060f4a2cecfd24daada8743fe
Instruction ID: 89124adebdcc93ff81c3ba781c85106882e461d72a0ecd66a84e58e39c90ae7a
Opcode Fuzzy Hash: 680169fcd532cac4d69c46f1a411d0c4da8965a060f4a2cecfd24daada8743fe
Instruction Fuzzy Hash: 1EA17F75A01309AFDB24CFD5D981BEEBBB6AB48310F14451AE505AB390DBB4E9C0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0060E9CC, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0060E9CC(signed char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, signed short _a12, signed char _a16, char _a20) {
				char _v8;
				signed char _v9;
				short _v32;
				intOrPtr _v36;
				char _v80;
				void* _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t75;
				intOrPtr _t107;
				char _t114;
				intOrPtr _t132;
				void* _t142;
				intOrPtr* _t144;
				void* _t147;

				_t116 = __ecx;
				_v116 = 0;
				_v120 = 0;
				_v108 = 0;
				_v112 = 0;
				_v104 = 0;
				_v100 = 0;
				_v8 = 0;
				_t114 = __ecx;
				_t142 = __edx;
				_v9 = __eax;
				_t144 = _a4;
				E0040A2AC(_a20);
				_push(_t147);
				_push(0x60ebce);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147 + 0xffffff8c;
				E0040B660(_t142, 0x60ebec);
				if(0 != 0) {
					_push(0x60ebfc);
					_push(_t142);
					_push(0x60ebfc);
					E0040B550( &_v8, _t114, 3, _t142, _t144);
					__eflags = _t114;
					if(_t114 != 0) {
						_push(_v8);
						_push(0x60ec0c);
						_push(_t114);
						E0040B550( &_v8, _t114, 3, _t142, _t144);
					}
					E005C522C(_t142,  &_v100);
					_t63 = E00422360(_v100, _t116, L".bat");
					__eflags = _t63;
					if(_t63 == 0) {
						L6:
						_t64 = E005C6564();
						__eflags = _t64;
						if(_t64 == 0) {
							_push(0x60ebfc);
							E005C61AC( &_v120);
							E005C4D00(_v120,  &_v116);
							_push(_v116);
							_push(L"COMMAND.COM\" /C ");
							_push(_v8);
							E0040B550( &_v8, _t114, 4, _t142, _t144);
						} else {
							_push(0x60ebfc);
							E005C61D8( &_v112);
							E005C4D00(_v112,  &_v108);
							_push(_v108);
							_push(L"cmd.exe\" /C \"");
							_push(_v8);
							_push(0x60ebfc);
							E0040B550( &_v8, _t114, 5, _t142, _t144);
						}
						goto L9;
					} else {
						E005C522C(_t142,  &_v104);
						_t107 = E00422360(_v104, _t116, L".cmd");
						__eflags = _t107;
						if(_t107 != 0) {
							L9:
							__eflags = _a20;
							if(_a20 == 0) {
								E005C51D4(_t142, _t116,  &_a20);
							}
							goto L11;
						}
						goto L6;
					}
				} else {
					E0040A5F0( &_v8, _t114);
					L11:
					E00407760( &_v80, 0x44);
					_v80 = 0x44;
					_v36 = 1;
					_v32 = _a12 & 0x0000ffff;
					_t150 = _a20;
					if(_a20 == 0) {
						E005C61D8( &_a20);
					}
					_t75 = E0040B278(_a20);
					E0060B998(_v9 & 0x000000ff, E0040B278(_v8), 0, _t150,  &_v96,  &_v80, _t75, 0, 0x4000000, 0, 0, 0); // executed
					asm("sbb ebx, ebx");
					_t115 = _t114 + 1;
					if(_t114 + 1 != 0) {
						CloseHandle(_v92);
						E0060E938(_v96, _t115, _a16 & 0x000000ff, _t142, _t144, _t144); // executed
					} else {
						 *_t144 = GetLastError();
					}
					_pop(_t132);
					 *[fs:eax] = _t132;
					_push(E0060EBD5);
					E0040A228( &_v120, 6);
					E0040A1C8( &_v8);
					return E0040A1C8( &_a20);
				}
			}

0x0060e9cc
0x0060e9d7
0x0060e9da
0x0060e9dd
0x0060e9e0
0x0060e9e3
0x0060e9e6
0x0060e9e9
0x0060e9ec
0x0060e9ee
0x0060e9f0
0x0060e9f3
0x0060e9f9
0x0060ea00
0x0060ea01
0x0060ea06
0x0060ea09
0x0060ea13
0x0060ea18
0x0060ea29
0x0060ea2e
0x0060ea2f
0x0060ea3c
0x0060ea41
0x0060ea43
0x0060ea45
0x0060ea48
0x0060ea4d
0x0060ea56
0x0060ea56
0x0060ea60
0x0060ea6d
0x0060ea72
0x0060ea74
0x0060ea91
0x0060ea91
0x0060ea96
0x0060ea98
0x0060ead1
0x0060ead9
0x0060eae4
0x0060eae9
0x0060eaec
0x0060eaf1
0x0060eafc
0x0060ea9a
0x0060ea9a
0x0060eaa2
0x0060eaad
0x0060eab2
0x0060eab5
0x0060eaba
0x0060eabd
0x0060eaca
0x0060eaca
0x00000000
0x0060ea76
0x0060ea7b
0x0060ea88
0x0060ea8d
0x0060ea8f
0x0060eb01
0x0060eb01
0x0060eb05
0x0060eb0c
0x0060eb0c
0x00000000
0x0060eb05
0x00000000
0x0060ea8f
0x0060ea1a
0x0060ea1f
0x0060eb11
0x0060eb1b
0x0060eb20
0x0060eb27
0x0060eb32
0x0060eb36
0x0060eb3a
0x0060eb3f
0x0060eb3f
0x0060eb54
0x0060eb72
0x0060eb7a
0x0060eb7c
0x0060eb7f
0x0060eb8e
0x0060eb9e
0x0060eb81
0x0060eb86
0x0060eb86
0x0060eba5
0x0060eba8
0x0060ebab
0x0060ebb8
0x0060ebc0
0x0060ebcd
0x0060ebcd

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060EBFC,0060EBFC,?,0060EBFC,00000000), ref: 0060EB81
CloseHandle.KERNEL32(006B66D7,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060EBFC,0060EBFC,?,0060EBFC), ref: 0060EB8E

Part of subcall function 0060E938: WaitForInputIdle.USER32 ref: 0060E964
Part of subcall function 0060E938: MsgWaitForMultipleObjects.USER32 ref: 0060E986
Part of subcall function 0060E938: GetExitCodeProcess.KERNEL32 ref: 0060E997
Part of subcall function 0060E938: CloseHandle.KERNEL32(00000001,0060E9C4,0060E9BD,?,?,?,00000001,?,?,0060ED66,?,00000000,0060ED7C,?,?,?), ref: 0060E9B7

Strings

COMMAND.COM" /C , xrefs: 0060EAEC
.bat, xrefs: 0060EA68
cmd.exe" /C ", xrefs: 0060EAB5
.cmd, xrefs: 0060EA83
D, xrefs: 0060EB20

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 1c7a33d7b2778019ab7e0f0bc9f17923504f4bbfec8c97e2ebba7ca72006c8a8
Instruction ID: 07a5d6622b0d651e74d63e867ec204be8bf58b8f6432d8305f3226309c39c408
Opcode Fuzzy Hash: 1c7a33d7b2778019ab7e0f0bc9f17923504f4bbfec8c97e2ebba7ca72006c8a8
Instruction Fuzzy Hash: 95514F34A8031DAADB04EFE5C982ADEBBB6FF44304F60447AF805A72C1D7769A05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005B85F0, Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E005B85F0(void* __eax, void* __ecx, struct tagMSG* __edx) {
				char _v19;
				int _t10;
				char _t12;
				int _t13;
				void* _t14;
				int _t30;
				int _t32;
				MSG* _t43;
				void* _t44;
				char* _t46;

				_t43 = __edx;
				_t44 = __eax;
				_t32 = 0;
				_t10 = PeekMessageW(__edx, 0, 0, 0, 0); // executed
				if(_t10 != 0) {
					_v19 = _t12;
					if(_v19 == 0) {
						_t13 = PeekMessageA(_t43, 0, 0, 0, 1);
						asm("sbb eax, eax");
						_t14 = _t13 + 1;
					} else {
						_t30 = PeekMessageW(_t43, 0, 0, 0, 1); // executed
						asm("sbb eax, eax");
						_t14 = _t30 + 1;
					}
					if(_t14 != 0) {
						_t32 = 1;
						if(_t43->message == 0x12) {
							 *((char*)(_t44 + 0xbc)) = 1;
						} else {
							 *_t46 = 0;
							if( *((short*)(_t44 + 0x122)) != 0) {
								 *((intOrPtr*)(_t44 + 0x120))();
							}
							if(E005BA368(_t44, _t43) == 0 && E005B8488(_t44, _t43) == 0 &&  *_t46 == 0 && E005B8340(_t44, _t43) == 0 && E005B8390(_t44, _t43) == 0 && E005B82F8(_t44, _t43) == 0) {
								TranslateMessage(_t43);
								if(_v19 == 0) {
									DispatchMessageA(_t43);
								} else {
									DispatchMessageW(_t43); // executed
								}
							}
						}
					}
				}
				return _t32;
			}

0x005b85f5
0x005b85f7
0x005b85f9
0x005b8604
0x005b860b
0x005b8627
0x005b8630
0x005b8651
0x005b8659
0x005b865b
0x005b8632
0x005b863b
0x005b8643
0x005b8645
0x005b8645
0x005b865e
0x005b8664
0x005b866a
0x005b86f2
0x005b8670
0x005b8670
0x005b867c
0x005b8688
0x005b8688
0x005b8699
0x005b86d6
0x005b86e0
0x005b86eb
0x005b86e2
0x005b86e3
0x005b86e3
0x005b86e0
0x005b8699
0x005b866a
0x005b865e
0x005b8700

APIs

PeekMessageW.USER32 ref: 005B8604
IsWindowUnicode.USER32 ref: 005B8618
PeekMessageW.USER32 ref: 005B863B
PeekMessageA.USER32 ref: 005B8651
TranslateMessage.USER32 ref: 005B86D6
DispatchMessageW.USER32 ref: 005B86E3
DispatchMessageA.USER32 ref: 005B86EB

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: be14539378901f34a9f73cd4942952708fe83c9efa75b6763ce22da6b5766406
Instruction ID: 7850c8a41d1bda1102247ae3eba297ae2e53e2ccedf434ab9455d22e2f6bc662
Opcode Fuzzy Hash: be14539378901f34a9f73cd4942952708fe83c9efa75b6763ce22da6b5766406
Instruction Fuzzy Hash: F621F83034478065EA312D2A1C16BFE9F8D6FF1B48F14545EF58197182CEA9F846C21E

Uniqueness

Uniqueness Score: -1.00%

Function 006AB2D4, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E006AB2D4(long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char* _t40;
				intOrPtr _t41;
				int _t47;
				intOrPtr _t77;
				void* _t80;
				intOrPtr _t81;
				intOrPtr _t94;
				intOrPtr _t107;
				intOrPtr _t108;

				_t105 = __esi;
				_t104 = __edi;
				_t79 = __ebx;
				_t107 = _t108;
				_t80 = 6;
				do {
					_push(0);
					_push(0);
					_t80 = _t80 - 1;
				} while (_t80 != 0);
				_push(_t80);
				_push(__ebx);
				_push(_t107);
				_push(0x6ab42a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t108;
				E0060CE90( &_v20, __ebx, __edx, __edi, __esi); // executed
				E0040A5A8(0x6d550c, _v20);
				_t81 =  *0x6d550c; // 0x0
				E0040B4C8( &_v24, _t81, L"Created temporary directory: ");
				E00615A90(_v24, _t79, __edi, __esi);
				_t40 =  *0x6ccfc4; // 0x6d52e0
				if( *_t40 != 0) {
					_t77 =  *0x6d550c; // 0x0
					E0061519C(_t77);
				}
				_t41 =  *0x6d550c; // 0x0
				E005C4D00(_t41,  &_v28);
				E0040B4C8( &_v8, L"_isetup", _v28);
				_t47 = CreateDirectoryW(E0040B278(_v8), 0); // executed
				if(_t47 == 0) {
					_t79 = GetLastError();
					E005CC284(0x3d,  &_v48, _v8);
					_v44 = _v48;
					E00423024( &_v52, _t61, 0);
					_v40 = _v52;
					E005C72F8(_t79,  &_v56);
					_v36 = _v56;
					E005CC254(0x81, 2,  &_v44,  &_v32);
					E00429000(_v32, 1);
					E004098C4();
				}
				E00625378( &_v12);
				_t113 = _v12;
				if(_v12 != 0) {
					E0040B4C8( &_v16, L"\\_setup64.tmp", _v8);
					E006AB27C(_v12, _t79, _v16, _t104, _t105, _t113); // executed
					E006253D0(_v16);
				}
				_pop(_t94);
				 *[fs:eax] = _t94;
				_push(E006AB431);
				E0040A228( &_v56, 3);
				return E0040A228( &_v32, 7);
			}

0x006ab2d4
0x006ab2d4
0x006ab2d4
0x006ab2d5
0x006ab2d7
0x006ab2dc
0x006ab2dc
0x006ab2de
0x006ab2e0
0x006ab2e0
0x006ab2e3
0x006ab2e4
0x006ab2e7
0x006ab2e8
0x006ab2ed
0x006ab2f0
0x006ab2f6
0x006ab303
0x006ab30b
0x006ab316
0x006ab31e
0x006ab323
0x006ab32b
0x006ab32d
0x006ab332
0x006ab332
0x006ab33a
0x006ab33f
0x006ab34f
0x006ab35f
0x006ab366
0x006ab36d
0x006ab37d
0x006ab385
0x006ab391
0x006ab399
0x006ab3a1
0x006ab3a9
0x006ab3b8
0x006ab3c7
0x006ab3cc
0x006ab3cc
0x006ab3d4
0x006ab3d9
0x006ab3dd
0x006ab3ea
0x006ab3f5
0x006ab3fd
0x006ab3fd
0x006ab404
0x006ab407
0x006ab40a
0x006ab417
0x006ab429

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006AB42A,?,?,00000005,00000000,00000000,?,006B7B71,00000000,006B7D26,?,00000000,006B7D8A), ref: 006AB35F
GetLastError.KERNEL32(00000000,00000000,00000000,006AB42A,?,?,00000005,00000000,00000000,?,006B7B71,00000000,006B7D26,?,00000000,006B7D8A), ref: 006AB368

Strings

_isetup, xrefs: 006AB34A
Created temporary directory: , xrefs: 006AB311
\_setup64.tmp, xrefs: 006AB3E2
Rm, xrefs: 006AB323

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup$Rm
API String ID: 1375471231-619888300
Opcode ID: 184f87e886625dbb871829819008579bdfdecec8b70b72511a305179fb1b08d0
Instruction ID: adf2f5543b26c1b87df2d6ea404a84bc2f58e6883483325e64833120cf8cc648
Opcode Fuzzy Hash: 184f87e886625dbb871829819008579bdfdecec8b70b72511a305179fb1b08d0
Instruction Fuzzy Hash: B0411F34A001099BDB01FBA5D882AEEB7B6EF49304F50557AE401A7792DB74AE058F64

Uniqueness

Uniqueness Score: -1.00%

Function 005C8044, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E005C8044(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t10;
				intOrPtr _t17;
				intOrPtr _t24;
				intOrPtr* _t27;
				struct HWND__* _t33;
				void* _t42;
				intOrPtr _t44;
				void* _t49;
				intOrPtr _t51;
				struct HWND__* _t52;
				intOrPtr _t54;
				intOrPtr _t55;

				_t50 = __esi;
				_t42 = __edx;
				_t54 = _t55;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(__edx != 0) {
					_t55 = _t55 + 0xfffffff0;
					_t10 = E00408A40(_t10, _t54);
				}
				_t49 = _t10;
				_push(_t54);
				_push(0x5c8156);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55;
				E00408414(0);
				 *((intOrPtr*)(_t49 + 0xc)) = GetActiveWindow();
				 *((intOrPtr*)(_t49 + 0x10)) = GetFocus();
				_t17 = E005ABB4C(0, _t42, _t49, _t50); // executed
				 *((intOrPtr*)(_t49 + 0x14)) = _t17;
				if( *0x6d480e == 0) {
					 *0x6d480e = RegisterClassW(0x6cbd08);
				}
				if( *0x6d480e != 0) {
					_t24 = E00414D98(0, L"TWindowDisabler-Window", 0,  *0x6d1634, 0, 0, 0, 0, 0, 0, 0x88000000); // executed
					_t51 = _t24;
					 *((intOrPtr*)(_t49 + 8)) = _t51;
					if(_t51 != 0) {
						_t5 = _t49 + 8; // 0x4134a000
						_t27 =  *0x6cceac; // 0x6d479c
						E005B8044( *_t27,  &_v8);
						E0040B278(_v8);
						_t33 = E00414D98(0, L"TWindowDisabler-Window", 0,  *0x6d1634, 0,  *_t5, 0, 0, 0, 0, 0x80000000); // executed
						_t52 = _t33;
						 *(_t49 + 4) = _t52;
						if(_t52 != 0) {
							ShowWindow(_t52, 8); // executed
						}
					}
				}
				SetFocus(0);
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(E005C815D);
				return E0040A1C8( &_v8);
			}

0x005c8044
0x005c8044
0x005c8045
0x005c8047
0x005c8049
0x005c804a
0x005c804b
0x005c804e
0x005c8050
0x005c8053
0x005c8053
0x005c805a
0x005c805e
0x005c805f
0x005c8064
0x005c8067
0x005c806e
0x005c8078
0x005c8080
0x005c8085
0x005c808a
0x005c8095
0x005c80a1
0x005c80a1
0x005c80af
0x005c80da
0x005c80df
0x005c80e1
0x005c80e6
0x005c80f5
0x005c8106
0x005c810d
0x005c8115
0x005c8123
0x005c8128
0x005c812a
0x005c812f
0x005c8134
0x005c8134
0x005c812f
0x005c80e6
0x005c813b
0x005c8142
0x005c8145
0x005c8148
0x005c8155

APIs

GetActiveWindow.USER32 ref: 005C8073
GetFocus.USER32 ref: 005C807B
RegisterClassW.USER32 ref: 005C809C
ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C8134
SetFocus.USER32(00000000,00000000,005C8156,?,?,00000000,00000001,00000000,?,00624CD7,006D479C,?,00000000,006B7D0C,?,00000001), ref: 005C813B

Strings

TWindowDisabler-Window, xrefs: 005C80D3, 005C811C

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: f91cd026eb05f25d33a6d8af840a27a0896b23e2d12ba556de4d8f1fb83d8f0a
Instruction ID: 5ab169a57db71ca83144016e7fa3c4a7aa592af68df439750d62b7863cf9535f
Opcode Fuzzy Hash: f91cd026eb05f25d33a6d8af840a27a0896b23e2d12ba556de4d8f1fb83d8f0a
Instruction Fuzzy Hash: 7D218070A41600AFD710EBA69C02F6ABBE5FB85B40F15452AF500AB291DB74AC4587D8

Uniqueness

Uniqueness Score: -1.00%

Function 006C3650, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			_entry_() {
				intOrPtr* _t10;
				signed int _t13;
				intOrPtr _t19;
				intOrPtr* _t20;
				intOrPtr* _t25;
				intOrPtr* _t28;
				intOrPtr* _t32;
				intOrPtr _t33;
				intOrPtr* _t58;
				void* _t62;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				void* _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t91;
				void* _t92;

				E00410BA8(0x6b8354);
				_t10 =  *0x6cceac; // 0x6d479c
				_t13 = GetWindowLongW( *( *_t10 + 0x188), 0xffffffec);
				_t73 =  *0x6cceac; // 0x6d479c
				SetWindowLongW( *( *_t73 + 0x188), 0xffffffec, _t13 & 0xffffff7f); // executed
				_push(_t87);
				_push(0x6c36d4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t88;
				SetErrorMode(1); // executed
				E006B80BC(_t89);
				_t19 =  *0x6b7f7c; // 0x6b7fd4
				_t20 =  *0x6cceac; // 0x6d479c
				E005B8740( *_t20, E006B8014, _t19);
				E006B812C(_t62, _t83, _t85, _t89, _t92);
				_pop(_t76);
				 *[fs:eax] = _t76;
				_t25 =  *0x6cceac; // 0x6d479c
				E005B8250( *_t25, L"Setup", _t89);
				_t28 =  *0x6cceac; // 0x6d479c
				ShowWindow( *( *_t28 + 0x188), 5);
				_t32 =  *0x6cceac; // 0x6d479c
				_t33 =  *_t32;
				_t78 =  *0x6a58fc; // 0x6a5954
				 *((intOrPtr*)(_t33 + 0x10c)) = _t78;
				 *((intOrPtr*)(_t33 + 0x108)) = 0x6b2350;
				_push(_t87);
				_push(0x6c377d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t88;
				E005B881C(); // executed
				L006AF3B8(_t62, _t83, _t85, _t92);
				L005B8834( *((intOrPtr*)( *0x6cceac)), _t62,  *0x6ccaa0,  *0x6a58fc, _t83, _t85);
				L006B2520(_t89, _t92);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(_t87);
				_push(0x6c3800);
				_push( *[fs:eax]);
				 *[fs:eax] = _t88;
				L005B8990( *((intOrPtr*)( *0x6cceac)), _t62, _t83, _t85);
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(_t87);
				_push(0x6c3837);
				_push( *[fs:eax]);
				 *[fs:eax] = _t88;
				L006B146C( *0x6cccc0 & 0xffffff00 |  *( *0x6cccc0) == 0x00000000, _t62, _t83, _t85,  *( *0x6cccc0));
				_pop(_t82);
				 *[fs:eax] = _t82;
				_t58 = E0040A028( *( *0x6cccc0));
				E00409EF8();
				 *_t58 =  *_t58 + _t58;
				asm("invalid");
				asm("invalid");
				 *_t87 =  *_t87 + 4 +  *4 + 0x53000000;
				_t91 =  *_t87;
				if (_t91 == 0) goto L5;
				if (_t91 != 0) goto L6;
				if (_t91 < 0) goto 0x6c3872;
			}

0x006c365e
0x006c3663
0x006c3673
0x006c3678
0x006c368f
0x006c3696
0x006c3697
0x006c369c
0x006c369f
0x006c36a4
0x006c36a9
0x006c36ae
0x006c36b9
0x006c36c0
0x006c36c5
0x006c36cc
0x006c36cf
0x006c36ed
0x006c36f9
0x006c3700
0x006c370e
0x006c3713
0x006c3718
0x006c371a
0x006c3720
0x006c3726
0x006c3732
0x006c3733
0x006c3738
0x006c373b
0x006c3745
0x006c374a
0x006c3762
0x006c376e
0x006c3775
0x006c3778
0x006c37de
0x006c37df
0x006c37e4
0x006c37e7
0x006c37f1
0x006c37f8
0x006c37fb
0x006c3811
0x006c3812
0x006c3817
0x006c381a
0x006c3828
0x006c382f
0x006c3832
0x006c384d
0x006c3855
0x006c385a
0x006c3860
0x006c3862
0x006c3869
0x006c3869
0x006c386c
0x006c386e
0x006c3870

APIs

Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C3663), ref: 00410BB4

GetWindowLongW.USER32(?,000000EC), ref: 006C3673
SetWindowLongW.USER32 ref: 006C368F
SetErrorMode.KERNEL32(00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006C36A4

Part of subcall function 006B80BC: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C36AE,00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006B80C6

Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006C36D4,?,?,000000EC,00000000), ref: 006C370E

Strings

TYj, xrefs: 006C371A
Setup, xrefs: 006C36F4

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
String ID: Setup$TYj
API String ID: 1533765661-222076697
Opcode ID: 5768e0d582e52e8d6d168eb6fadb8a8827a4ce1f72d3aeffb140806789636c9b
Instruction ID: e9fc4baf4b40b491f8675e1572dec19425dd6fa1bf8a55e0520f1f642e799667
Opcode Fuzzy Hash: 5768e0d582e52e8d6d168eb6fadb8a8827a4ce1f72d3aeffb140806789636c9b
Instruction Fuzzy Hash: D3213E74204600AFC341EB69DC82DA67BFAEB8F7107518565F914877A1CB75A840CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00423A18, Relevance: 7.5, APIs: 5, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00423A18(void* __eax) {
				signed char _t10;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t17;
				WCHAR* _t18;

				_t17 = __eax;
				_t18 = E0040B278(__eax);
				DeleteFileW(_t18); // executed
				asm("sbb ebx, ebx");
				_t15 = _t14 + 1;
				if(_t15 == 0) {
					_t16 = GetLastError();
					_t10 = GetFileAttributesW(_t18); // executed
					if(_t10 == 0xffffffff || (_t10 & 0x00000004) == 0 || (_t10 & 0x00000010) == 0) {
						SetLastError(_t16);
					} else {
						RemoveDirectoryW(E0040B278(_t17));
						asm("sbb ebx, ebx");
						_t15 = _t15 + 1;
					}
				}
				return _t15;
			}

0x00423a1c
0x00423a25
0x00423a28
0x00423a30
0x00423a32
0x00423a35
0x00423a3c
0x00423a3f
0x00423a47
0x00423a68
0x00423a52
0x00423a5a
0x00423a62
0x00423a64
0x00423a64
0x00423a47
0x00423a73

APIs

DeleteFileW.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A28
GetLastError.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A37
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A3F
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A5A
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A68

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: a7d48c479effa99c13726cd06c9a81b40db213f168e3472006e923150bc3a552
Instruction ID: 6af4817109388cbf865bbcb6c057fea4a38b610039f66ef5cc830b203be569cf
Opcode Fuzzy Hash: a7d48c479effa99c13726cd06c9a81b40db213f168e3472006e923150bc3a552
Instruction Fuzzy Hash: 0CF0A061340224199D203DBF2889EBF125CC9827EFB54077BF990E22D2DA2E5F87426D

Uniqueness

Uniqueness Score: -1.00%

Function 005C6570, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E005C6570(void* __eax, void* __ebx, char __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				char _v8;
				short* _v12;
				char _v16;
				int _v20;
				int _v24;
				long _t46;
				signed int _t58;
				char _t66;
				intOrPtr _t82;
				void* _t87;
				signed int _t93;
				void* _t96;

				_v8 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_t87 = __eax;
				_push(_t96);
				_push(0x5c66a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t96 + 0xffffffec;
				while(1) {
					_v24 = 0;
					_t46 = RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24); // executed
					if(_t46 != 0) {
						break;
					}
					_t9 =  &_a8; // 0x5c6e6a
					if(_v20 ==  *_t9 || _v20 == _a4) {
						if(_v24 != 0) {
							__eflags = _v24 - 0x70000000;
							if(__eflags >= 0) {
								E00428FF4();
							}
							_t80 = _v24 + 1 >> 1;
							E0040A350( &_v8, _v24 + 1 >> 1, 0, __eflags);
							_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E0040A774( &_v8),  &_v24); // executed
							__eflags = _t58 - 0xea;
							if(_t58 == 0xea) {
								continue;
							} else {
								__eflags = _t58;
								if(_t58 != 0) {
									break;
								}
								_t22 =  &_a8; // 0x5c6e6a
								__eflags = _v20 -  *_t22;
								if(_v20 ==  *_t22) {
									L12:
									_t93 = _v24 >> 1;
									while(1) {
										__eflags = _t93;
										if(_t93 == 0) {
											break;
										}
										_t66 = _v8;
										__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
										if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
											_t93 = _t93 - 1;
											__eflags = _t93;
											continue;
										}
										break;
									}
									__eflags = _v20 - 7;
									if(_v20 == 7) {
										__eflags = _t93;
										if(_t93 != 0) {
											_t93 = _t93 + 1;
											__eflags = _t93;
										}
									}
									E0040B3F0( &_v8, _t80, _t93);
									__eflags = _v20 - 7;
									if(_v20 == 7) {
										__eflags = _t93;
										if(_t93 != 0) {
											(E0040A774( &_v8))[_t93 * 2 - 2] = 0;
										}
									}
									_t37 =  &_v16; // 0x5c6e6a
									E0040A5A8( *_t37, _v8);
									break;
								}
								__eflags = _v20 - _a4;
								if(_v20 != _a4) {
									break;
								}
								goto L12;
							}
						} else {
							_t13 =  &_v16; // 0x5c6e6a
							E0040A1C8( *_t13);
							break;
						}
					} else {
						break;
					}
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E005C66AD);
				return E0040A1C8( &_v8);
			}

0x005c657b
0x005c657e
0x005c6581
0x005c6584
0x005c6588
0x005c6589
0x005c658e
0x005c6591
0x005c6596
0x005c6598
0x005c65ac
0x005c65b3
0x00000000
0x00000000
0x005c65bc
0x005c65bf
0x005c65d1
0x005c65e2
0x005c65e9
0x005c65eb
0x005c65eb
0x005c65f9
0x005c65fd
0x005c661a
0x005c661f
0x005c6624
0x00000000
0x005c662a
0x005c662a
0x005c662c
0x00000000
0x00000000
0x005c6631
0x005c6631
0x005c6634
0x005c663e
0x005c6641
0x005c6646
0x005c6646
0x005c6648
0x00000000
0x00000000
0x005c664a
0x005c664d
0x005c6653
0x005c6645
0x005c6645
0x00000000
0x005c6645
0x00000000
0x005c6653
0x005c6655
0x005c6659
0x005c665b
0x005c665d
0x005c665f
0x005c665f
0x005c665f
0x005c665d
0x005c6665
0x005c666a
0x005c666e
0x005c6670
0x005c6672
0x005c667c
0x005c667c
0x005c6672
0x005c6683
0x005c6689
0x00000000
0x005c668e
0x005c6639
0x005c663c
0x00000000
0x00000000
0x00000000
0x005c663c
0x005c65d3
0x005c65d3
0x005c65d6
0x00000000
0x005c65db
0x00000000
0x00000000
0x00000000
0x005c65bf
0x005c6692
0x005c6695
0x005c6698
0x005c66a5

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C66A6,?,006AD078,00000000,00000000), ref: 005C65AC
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C66A6,?,006AD078), ref: 005C661A

Strings

jn\, xrefs: 005C65BC, 005C6631
jn\, xrefs: 005C6683, 005C65D3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: QueryValue
String ID: jn\$jn\
API String ID: 3660427363-2382671196
Opcode ID: 3e48dd5595439cec9071c1e48ee77c5669d35979900cfc549d71363e24bad7b2
Instruction ID: 8bceae826fb58f5cc1abe10999adb5643ee7cb9af79bc91dae7968670a065b85
Opcode Fuzzy Hash: 3e48dd5595439cec9071c1e48ee77c5669d35979900cfc549d71363e24bad7b2
Instruction Fuzzy Hash: C0411871900219AFDB20DFD5C981EAEBBB9FB44704F61446EE800FB280D734AF848B95

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00409EF8() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x6c4004 != 0) {
					E00409DD8();
					E00409E60(_t46);
					 *0x6c4004 = 0;
				}
				if( *0x6d0bd0 != 0 && GetCurrentThreadId() ==  *0x6d0bf8) {
					E00409B30(0x6d0bcc);
					E00409E34(0x6d0bcc);
				}
				if( *0x006D0BC4 != 0 ||  *0x6ce058 == 0) {
					L8:
					if( *((char*)(0x6d0bc4)) == 2 &&  *0x6c4000 == 0) {
						 *0x006D0BA8 = 0;
					}
					if( *((char*)(0x6d0bc4)) != 0) {
						L14:
						E00409B58(); // executed
						if( *((char*)(0x6d0bc4)) <= 1 ||  *0x6c4000 != 0) {
							_t15 =  *0x006D0BAC;
							if( *0x006D0BAC != 0) {
								E0040EBB8(_t15);
								_t31 =  *((intOrPtr*)(0x6d0bac));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00409B30(0x6d0b9c);
						if( *((char*)(0x6d0bc4)) == 1) {
							 *0x006D0BC0();
						}
						if( *((char*)(0x6d0bc4)) != 0) {
							E00409E34(0x6d0b9c);
						}
						if( *0x6d0b9c == 0) {
							if( *0x6ce038 != 0) {
								 *0x6ce038();
							}
							ExitProcess( *0x6c4000); // executed
						}
						memcpy(0x6d0b9c,  *0x6d0b9c, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x6c4000 = 0x6c4000;
						0x6d0b9c = 0x6d0b9c;
						goto L8;
					} else {
						_t20 = E00406FD0();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00408444(_t44);
							_t23 = E00406FD0();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x6ce058; // 0x0
						 *0x6ce058 = 0;
						 *_t33();
					} while ( *0x6ce058 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00409f0c
0x00409f0e
0x00409f13
0x00409f1a
0x00409f1a
0x00409f26
0x00409f3a
0x00409f44
0x00409f44
0x00409f4d
0x00409f71
0x00409f75
0x00409f7e
0x00409f7e
0x00409f85
0x00409fa4
0x00409fa4
0x00409fad
0x00409fb4
0x00409fb9
0x00409fbb
0x00409fc0
0x00409fc3
0x00409fc3
0x00409fc6
0x00409fc9
0x00409fd0
0x00409fd0
0x00409fc9
0x00409fb9
0x00409fd7
0x00409fe0
0x00409fe2
0x00409fe2
0x00409fe9
0x00409fed
0x00409fed
0x00409ff5
0x00409ffe
0x0040a000
0x0040a000
0x0040a009
0x0040a009
0x0040a01b
0x0040a01b
0x0040a01d
0x0040a01e
0x00000000
0x00409f87
0x00409f87
0x00409f8c
0x00409f90
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f92
0x00409f92
0x00409f94
0x00409f99
0x00409f9e
0x00409fa0
0x00000000
0x00409f92
0x00409f58
0x00409f58
0x00409f58
0x00409f61
0x00409f66
0x00409f68
0x00000000
0x00409f71
0x00000000
0x00409f71

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 6b04fe895df515a821d09e547ffe5bfc8ba40b00724ca42204d1de2ed8c9432c
Instruction ID: 014c5f1a4e041581483faaf8c6c30c3af58183677a5e41c876bcbf2d6f0d04a1
Opcode Fuzzy Hash: 6b04fe895df515a821d09e547ffe5bfc8ba40b00724ca42204d1de2ed8c9432c
Instruction Fuzzy Hash: 08316F20A016428AE720EB7A9484B2777E6AB44328F14053FE449E32E3DBBDDC84C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00409EF0() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x6c4004 != 0) {
					E00409DD8();
					E00409E60(_t50);
					 *0x6c4004 = 0;
				}
				if( *0x6d0bd0 != 0 && GetCurrentThreadId() ==  *0x6d0bf8) {
					E00409B30(0x6d0bcc);
					E00409E34(0x6d0bcc);
				}
				if( *0x006D0BC4 != 0 ||  *0x6ce058 == 0) {
					L9:
					if( *((char*)(0x6d0bc4)) == 2 &&  *0x6c4000 == 0) {
						 *0x006D0BA8 = 0;
					}
					if( *((char*)(0x6d0bc4)) != 0) {
						L15:
						E00409B58(); // executed
						if( *((char*)(0x6d0bc4)) <= 1 ||  *0x6c4000 != 0) {
							_t18 =  *0x006D0BAC;
							if( *0x006D0BAC != 0) {
								E0040EBB8(_t18);
								_t34 =  *((intOrPtr*)(0x6d0bac));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00409B30(0x6d0b9c);
						if( *((char*)(0x6d0bc4)) == 1) {
							 *0x006D0BC0();
						}
						if( *((char*)(0x6d0bc4)) != 0) {
							E00409E34(0x6d0b9c);
						}
						if( *0x6d0b9c == 0) {
							if( *0x6ce038 != 0) {
								 *0x6ce038();
							}
							ExitProcess( *0x6c4000); // executed
						}
						memcpy(0x6d0b9c,  *0x6d0b9c, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x6c4000 = 0x6c4000;
						0x6d0b9c = 0x6d0b9c;
						goto L9;
					} else {
						_t23 = E00406FD0();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00408444(_t48);
							_t26 = E00406FD0();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x6ce058; // 0x0
						 *0x6ce058 = 0;
						 *_t36();
					} while ( *0x6ce058 != 0);
					L9:
					while(1) {
					}
				}
			}

0x00409ef2
0x00409f0c
0x00409f0e
0x00409f13
0x00409f1a
0x00409f1a
0x00409f26
0x00409f3a
0x00409f44
0x00409f44
0x00409f4d
0x00409f71
0x00409f75
0x00409f7e
0x00409f7e
0x00409f85
0x00409fa4
0x00409fa4
0x00409fad
0x00409fb4
0x00409fb9
0x00409fbb
0x00409fc0
0x00409fc3
0x00409fc3
0x00409fc6
0x00409fc9
0x00409fd0
0x00409fd0
0x00409fc9
0x00409fb9
0x00409fd7
0x00409fe0
0x00409fe2
0x00409fe2
0x00409fe9
0x00409fed
0x00409fed
0x00409ff5
0x00409ffe
0x0040a000
0x0040a000
0x0040a009
0x0040a009
0x0040a01b
0x0040a01b
0x0040a01d
0x0040a01e
0x00000000
0x00409f87
0x00409f87
0x00409f8c
0x00409f90
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f92
0x00409f92
0x00409f94
0x00409f99
0x00409f9e
0x00409fa0
0x00000000
0x00409f92
0x00409f58
0x00409f58
0x00409f58
0x00409f61
0x00409f66
0x00409f68
0x00000000
0x00409f71
0x00000000
0x00409f71

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: bc5cc9c885041f3e0416e36a86510f2d3f0a1f0eb85ab9a766e2f376309b75d0
Instruction ID: efb01f5a50f6461e4192e351dbf5a863323bf4e3968e843dfa2323db1f55653e
Opcode Fuzzy Hash: bc5cc9c885041f3e0416e36a86510f2d3f0a1f0eb85ab9a766e2f376309b75d0
Instruction Fuzzy Hash: 38316020A057824AE721EB769484B2777E26F14318F14447FE049E62E3DBBDDC84C75E

Uniqueness

Uniqueness Score: -1.00%

Function 004785F0, Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004785F0(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSW _v44;
				WCHAR* _t8;
				int _t10;
				void* _t11;
				struct HWND__* _t15;
				long _t17;
				WCHAR* _t20;
				struct HWND__* _t22;
				WCHAR* _t24;

				 *0x6c6aa8 =  *0x6d1634;
				_t8 =  *0x6c6abc; // 0x4785d4
				_t10 = GetClassInfoW( *0x6d1634, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00414778 != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t20 =  *0x6c6abc; // 0x4785d4
						UnregisterClassW(_t20,  *0x6d1634);
					}
					RegisterClassW(0x6c6a98);
				}
				_t24 =  *0x6c6abc; // 0x4785d4
				_t15 = E00414D98(0x80, _t24, 0,  *0x6d1634, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
				_t22 = _t15;
				if(_a6 != 0) {
					_t17 = E00478454(_a4, _a8); // executed
					SetWindowLongW(_t22, 0xfffffffc, _t17);
				}
				return _t22;
			}

0x004785fc
0x00478605
0x00478611
0x00478619
0x0047861b
0x0047861e
0x0047862c
0x00478634
0x0047863a
0x0047863a
0x00478644
0x00478644
0x00478667
0x00478672
0x00478677
0x0047867e
0x00478686
0x0047868f
0x0047868f
0x0047869a

APIs

GetClassInfoW.USER32 ref: 00478611
UnregisterClassW.USER32 ref: 0047863A
RegisterClassW.USER32 ref: 00478644
SetWindowLongW.USER32 ref: 0047868F

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: e2fbedc3dc89719e5dd2976349d3016b2513452d0a3c721afe5b6b3b40081790
Instruction ID: 76cbbdd911646a042e8386dfe44f4c7e199d23327d7aedec1f7355223984a46f
Opcode Fuzzy Hash: e2fbedc3dc89719e5dd2976349d3016b2513452d0a3c721afe5b6b3b40081790
Instruction Fuzzy Hash: 0C0184716411047BCB50EB98EC85FEA739EE749318F14D21BF508EB392DA79D8418798

Uniqueness

Uniqueness Score: -1.00%

Function 0060E938, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 0060E964
MsgWaitForMultipleObjects.USER32 ref: 0060E986
GetExitCodeProcess.KERNEL32 ref: 0060E997
CloseHandle.KERNEL32(00000001,0060E9C4,0060E9BD,?,?,?,00000001,?,?,0060ED66,?,00000000,0060ED7C,?,?,?), ref: 0060E9B7

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: e330c7493221ce4801be0012b8e2f4e5f8f74b65f70e9419a546d88eb9f8795d
Instruction ID: b0ec01102f1d6a048394a8bbdf14247bb0d5afa7f8636e75558ea4907a3e5d2e
Opcode Fuzzy Hash: e330c7493221ce4801be0012b8e2f4e5f8f74b65f70e9419a546d88eb9f8795d
Instruction Fuzzy Hash: 5B012870A803147EEB24DBA68D06FEBBBADDF45720F510916F604C32C1D5759D40C665

Uniqueness

Uniqueness Score: -1.00%

Function 006AB4C4, Relevance: 6.0, APIs: 4, Instructions: 34
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E006AB4C4(signed char __eax, void* __ecx, void* __edx, void* __eflags) {
				long _t7;
				void* _t9;
				void* _t14;
				void* _t15;
				signed char* _t16;

				_t17 = __eflags;
				_push(__ecx);
				_t14 = __ecx;
				_t15 = __edx;
				 *_t16 = __eax;
				while(1) {
					E0060BAB8( *_t16 & 0x000000ff, _t15, _t17); // executed
					asm("sbb ebx, ebx");
					_t9 = _t9 + 1;
					if(_t9 != 0 || GetLastError() == 2 || GetLastError() == 3) {
						break;
					}
					_t7 = GetTickCount();
					_t17 = _t7 - _t14 - 0x7d0;
					if(_t7 - _t14 < 0x7d0) {
						Sleep(0x32);
						continue;
					}
					break;
				}
				return _t9;
			}

0x006ab4c4
0x006ab4c7
0x006ab4c8
0x006ab4ca
0x006ab4cc
0x006ab4cf
0x006ab4d5
0x006ab4dd
0x006ab4df
0x006ab4e2
0x00000000
0x00000000
0x006ab4f8
0x006ab4ff
0x006ab504
0x006ab508
0x00000000
0x006ab508
0x00000000
0x006ab504
0x006ab515

APIs

GetLastError.KERNEL32 ref: 006AB4E4
GetLastError.KERNEL32 ref: 006AB4EE
GetTickCount.KERNEL32 ref: 006AB4F8
Sleep.KERNEL32(00000032), ref: 006AB508

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 73d7597179e9c752d4ec2b904b4b685f0a1b899d7ee572b5c5bd2ed4d478076e
Instruction ID: 2fff96d873347bd790470967934f41cc3c5b953411b1929c54c424c1fdffd6dc
Opcode Fuzzy Hash: 73d7597179e9c752d4ec2b904b4b685f0a1b899d7ee572b5c5bd2ed4d478076e
Instruction Fuzzy Hash: B5E02BA27083911882257DAE18855BE598ACFC375DF28193FF094C2143C6088D854626

Uniqueness

Uniqueness Score: -1.00%

Function 0060CE90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0060CE90(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x60cf89);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E005C6360( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E0060CBF4(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E0040B278(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E005CC284(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00423024( &_v36, _t54, 0);
						_v24 = _v36;
						E005C72F8(_t54,  &_v40);
						_v20 = _v40;
						E005CC254(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E00429000(_v16, 1);
						E004098C4();
					}
				}
				E0040A5A8(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E0060CF90);
				E0040A228( &_v40, 3);
				return E0040A228( &_v16, 3);
			}

0x0060ce90
0x0060ce90
0x0060ce91
0x0060ce93
0x0060ce98
0x0060ce98
0x0060ce9a
0x0060ce9c
0x0060ce9c
0x0060ce9f
0x0060cea0
0x0060cea2
0x0060cea4
0x0060cea6
0x0060cea7
0x0060ceac
0x0060ceaf
0x0060ceb2
0x0060ceb9
0x0060cec1
0x0060cec8
0x0060ced8
0x0060cedf
0x00000000
0x00000000
0x0060cee6
0x0060cee8
0x0060ceee
0x0060cefe
0x0060cf06
0x0060cf12
0x0060cf1a
0x0060cf22
0x0060cf2a
0x0060cf39
0x0060cf3e
0x0060cf48
0x0060cf4d
0x0060cf4d
0x0060ceee
0x0060cf5c
0x0060cf61
0x0060cf63
0x0060cf66
0x0060cf69
0x0060cf76
0x0060cf88

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060CF89,?,006D479C,?,00000003,00000000,00000000,?,006AB2FB,00000000,006AB42A), ref: 0060CED8
GetLastError.KERNEL32(00000000,00000000,?,00000000,0060CF89,?,006D479C,?,00000003,00000000,00000000,?,006AB2FB,00000000,006AB42A), ref: 0060CEE1

Strings

.tmp, xrefs: 0060CEC1

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 1990292899e41e678343515c0d89d56f152e79c03e827f697b231b302f2421b6
Instruction ID: bd18ce1fa3822070f52fa9210757cddfa10fef4474c97575e6730c1523ad4e06
Opcode Fuzzy Hash: 1990292899e41e678343515c0d89d56f152e79c03e827f697b231b302f2421b6
Instruction Fuzzy Hash: EE216575A402099FDB04EBE1C842EEFB7BAEF88304F10457AE501A3781DA749E058AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0060B998, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
processCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0060B998(void* __eax, WCHAR* __ecx, WCHAR* __edx, void* __eflags, struct _PROCESS_INFORMATION* _a4, struct _STARTUPINFOW* _a8, char _a12, void* _a16, long _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, struct _SECURITY_ATTRIBUTES* _a32) {
				int _v8;
				char _v16;
				long _v20;
				int _t27;
				intOrPtr _t42;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t50 = _t52;
				_t53 = _t52 + 0xfffffff0;
				if(E0060B8D4(__eax,  &_v16) != 0) {
					_push(_t50);
					_push(0x60ba12);
					_push( *[fs:eax]);
					 *[fs:eax] = _t53;
					_t5 =  &_a12; // 0x624b6a
					_t27 = CreateProcessW(__edx, __ecx, _a32, _a28, _a24, _a20, _a16,  *_t5, _a8, _a4); // executed
					_v8 = _t27;
					_v20 = GetLastError();
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E0060BA19);
					return E0060B910( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060b999
0x0060b99b
0x0060b9b3
0x0060b9be
0x0060b9bf
0x0060b9c4
0x0060b9c7
0x0060b9d2
0x0060b9ec
0x0060b9f1
0x0060b9f9
0x0060b9fe
0x0060ba01
0x0060ba04
0x0060ba11
0x0060b9b5
0x0060b9b7
0x0060ba2b
0x0060ba2b

APIs

CreateProcessW.KERNEL32 ref: 0060B9EC
GetLastError.KERNEL32(00000000,00000000,006D479C,?,?,00624B84,00000000,jKb,?,00000000,00000000,0060BA12,?,?,00000000,00000001), ref: 0060B9F4

Strings

jKb, xrefs: 0060B9D2, 0060B9D5

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: jKb
API String ID: 2919029540-170918238
Opcode ID: c1b916c59321e3fa91579aeb3cdac3cd55d30723fa64c6d9926a0ea5d314481d
Instruction ID: f0c62e7812bfd872003ae221291c5b02b096b3c9bac239c5ed21538e2c768951
Opcode Fuzzy Hash: c1b916c59321e3fa91579aeb3cdac3cd55d30723fa64c6d9926a0ea5d314481d
Instruction Fuzzy Hash: 25112A72600208AFCB44CEA9DC41DEFB7ECEB4D310B518566F908D3241D734AE108764

Uniqueness

Uniqueness Score: -1.00%

Function 006AB518, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E006AB518(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char* _t12;
				long _t13;
				void* _t15;
				void* _t22;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_t22 = __ebx;
				_push(0);
				_push(_t35);
				_push(0x6ab5aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				E006253E4(0);
				E006253D0(0);
				if( *0x6d550c != 0) {
					_t12 =  *0x6ccfc4; // 0x6d52e0
					if( *_t12 != 0) {
						E0061519C(0);
					}
					_t13 = GetTickCount();
					_t29 =  *0x6d550c; // 0x0
					_t15 = E0060D628(0, _t22, 1, _t29, _t13, E006AB4C4, 0, 0, 1, 1); // executed
					if(_t15 == 0) {
						_t26 =  *0x6d550c; // 0x0
						E0040B4C8( &_v8, _t26, L"Failed to remove temporary directory: ");
						E00615A90(_v8, _t22, _t31, _t32);
					}
				}
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E006AB5B1);
				return E0040A1C8( &_v8);
			}

0x006ab518
0x006ab518
0x006ab518
0x006ab51b
0x006ab51f
0x006ab520
0x006ab525
0x006ab528
0x006ab52d
0x006ab534
0x006ab540
0x006ab542
0x006ab54a
0x006ab54e
0x006ab54e
0x006ab560
0x006ab568
0x006ab570
0x006ab577
0x006ab57c
0x006ab587
0x006ab58f
0x006ab58f
0x006ab577
0x006ab596
0x006ab599
0x006ab59c
0x006ab5a9

APIs

GetTickCount.KERNEL32 ref: 006AB560

Strings

Failed to remove temporary directory: , xrefs: 006AB582
Rm, xrefs: 006AB542

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory: $Rm
API String ID: 536389180-1076249570
Opcode ID: eb05f2f1d426846195bd894bb9a1501d3042d8e6f80724a24a7c25253b51bcb0
Instruction ID: 398c982c0538bc614d191d51ddc6a0f8b2f8344efc011b20d1c36e18f0abd6f5
Opcode Fuzzy Hash: eb05f2f1d426846195bd894bb9a1501d3042d8e6f80724a24a7c25253b51bcb0
Instruction Fuzzy Hash: 22012430A50B00AADB62FB71EC03B9973D7EB0A704F50542AF001972C3E7B4AC008E18

Uniqueness

Uniqueness Score: -1.00%

Function 006AAB88, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AAB88() {
				void* _v8;
				void* __ecx;
				void* _t9;
				long _t15;
				void* _t16;

				if( *0x6d57b9 == 0) {
					_t16 = 0;
				} else {
					_t16 = 2;
				}
				_t9 = E005C6790(_t16,  *((intOrPtr*)(0x6cc7dc + ( *0x6d57b8 & 0x000000ff) * 4)), 0x80000002,  &_v8, 1, 0); // executed
				if(_t9 == 0) {
					E005C66B8();
					E005C66B8();
					_t15 = RegCloseKey(_v8); // executed
					return _t15;
				}
				return _t9;
			}

0x006aab94
0x006aab9a
0x006aab96
0x006aab96
0x006aab96
0x006aabb9
0x006aabc0
0x006aabcf
0x006aabe1
0x006aabea
0x00000000
0x006aabea
0x006aabf2

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AAF73,00000000,006AAF8E,?,00000000,00000000,?,006B6424,00000006), ref: 006AABEA

Strings

RegisteredOwner, xrefs: 006AABC7
RegisteredOrganization, xrefs: 006AABD9

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 4a50621ee958c3a88f4c95fa135e0255c97d43b02fbcc7fef88b588f0bf40136
Instruction ID: 305c036771833dfdc17d30d00ed60186274228a7a0d0d41d10220e0ec65000dd
Opcode Fuzzy Hash: 4a50621ee958c3a88f4c95fa135e0255c97d43b02fbcc7fef88b588f0bf40136
Instruction Fuzzy Hash: 9FF0B430B45244AFDB01FAD4D956BAA7B9BD787314F60006EE1015B781D764AE40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 005C6790, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C6790(void* __eax, short* __ecx, void* __edx, void** _a4, char _a8, int _a12) {
				long _t7;
				short* _t8;
				void* _t9;
				int _t10;

				_t9 = __edx;
				_t8 = __ecx;
				_t1 =  &_a8; // 0x5c6e6a
				_t10 =  *_t1;
				if(__eax == 2) {
					_t10 = _t10 | 0x00000100;
				}
				_t7 = RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4); // executed
				return _t7;
			}

0x005c6790
0x005c6790
0x005c6794
0x005c6794
0x005c6799
0x005c679b
0x005c679b
0x005c67ac
0x005c67b3

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC

Strings

jn\, xrefs: 005C6794, 005C67A5
Control Panel\Desktop\ResourceLocale, xrefs: 005C67AA

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale$jn\
API String ID: 71445658-1009623656
Opcode ID: 4df7dab56c477363e90a00ee02f53cdc5579ada3479c64b4cdcbde454e119a82
Instruction ID: f71c6a141f3997f2863d7813df77b61548f7dd53a97879805adc53d508b96e25
Opcode Fuzzy Hash: 4df7dab56c477363e90a00ee02f53cdc5579ada3479c64b4cdcbde454e119a82
Instruction Fuzzy Hash: E3D0C9769502287BAB009EC9DC41EFB7B9DEB19360F50841AFD0497101C6B4EDA187F4

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF0, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406DF0() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x006CEAE0;
				while(_t28 != 0x6ceadc) {
					_t2 = _t28 + 4; // 0x6ceadc
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x6c4084;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x6ceadc = 0x6ceadc;
				 *0x006CEAE0 = 0x6ceadc;
				_t26 = 0x400;
				_t23 = 0x6ceb7c;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					 *((intOrPtr*)(_t14 + 4)) = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x6ceaf8 = 0;
				E00407760(0x6ceafc, 0x80);
				_t18 = 0;
				 *0x6ceaf4 = 0;
				_t31 =  *0x006D0B84;
				while(_t31 != 0x6d0b80) {
					_t10 = _t31 + 4; // 0x6d0b80
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x6d0b80 = 0x6d0b80;
				 *0x006D0B84 = 0x6d0b80;
				return _t18;
			}

0x00406dfe
0x00406e15
0x00406e03
0x00406e0e
0x00406e13
0x00406e13
0x00406e19
0x00406e1e
0x00406e23
0x00406e25
0x00406e2a
0x00406e2d
0x00406e36
0x00406e39
0x00406e3c
0x00406e3c
0x00406e3f
0x00406e41
0x00406e44
0x00406e49
0x00406e4e
0x00406e4e
0x00406e50
0x00406e52
0x00406e55
0x00406e58
0x00406e58
0x00406e5d
0x00406e6e
0x00406e73
0x00406e75
0x00406e7a
0x00406e91
0x00406e7f
0x00406e8a
0x00406e8f
0x00406e8f
0x00406e95
0x00406e97
0x00406e9e

APIs

VirtualFree.KERNEL32(006CEADC,00000000,00008000), ref: 00406E0E
VirtualFree.KERNEL32(006D0B80,00000000,00008000), ref: 00406E8A

Strings

|l, xrefs: 00406E49

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FreeVirtual
String ID: |l
API String ID: 1263568516-2943479574
Opcode ID: 32207062ea42549adb7d8cd3475f211863a90d9262ab72e18aeacffdd3282589
Instruction ID: 7e10c0828048ea4be300fdc8c2ce23dddf2df71dc9f68ae824fb6f8d85bed3de
Opcode Fuzzy Hash: 32207062ea42549adb7d8cd3475f211863a90d9262ab72e18aeacffdd3282589
Instruction Fuzzy Hash: F411C1716003108FD7688F18C941B26BBE1FB88710F16807FE54AEF380D679AC018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 006ACDD0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006ACDD0(long __eax, void* __ecx, void* __fp0) {
				void* __ebx;
				void* __ebp;
				long _t23;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t49;
				intOrPtr _t54;
				intOrPtr _t59;
				intOrPtr _t64;
				intOrPtr* _t69;
				struct HWND__* _t72;
				int _t73;
				intOrPtr _t74;
				void* _t77;
				void* _t79;
				void* _t93;
				void* _t94;
				void* _t95;
				intOrPtr _t98;
				void* _t100;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t120;
				long _t126;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t147;

				_t147 = __fp0;
				_t95 = __ecx;
				_t23 = __eax;
				_t126 = __eax;
				_t131 = _t126 -  *0x6cc728; // 0x0
				if(_t131 == 0) {
					L28:
					return _t23;
				}
				_t24 =  *0x6d56d4; // 0x0
				_t93 = E00464CC8(_t24, __eax);
				_t1 = _t93 + 0x18; // 0x18
				_t100 = E0040A77C(_t1);
				_t28 =  *((intOrPtr*)(_t93 + 0x18));
				if(_t28 != 0) {
					_t28 =  *((intOrPtr*)(_t28 - 4));
				}
				E005CC37C(_t100, _t95, _t28);
				E005C6540();
				E005C6540();
				 *0x6cc728 = _t126;
				_t104 =  *0x5c99b0; // 0x5c99b4
				E0040BFAC(0x6d5694, _t104);
				_t98 =  *0x5c99b0; // 0x5c99b4
				E0040C278(0x6d5694, _t98, _t93, _t147);
				if( *0x6d56bc == 0x411 &&  *0x6d57cc < 0x5010000 && E005C6D08(L"MS PGothic", _t93) != 0) {
					E0040A5A8(0x6d56a4, L"MS PGothic");
					 *0x6d56c8 = 0xc;
				}
				if( *((intOrPtr*)(_t93 + 0x1c)) == 0) {
					_t106 =  *0x6d55dd; // 0x0
					E0040A644(0x6d5720, _t106);
				} else {
					E0040A644(0x6d5720,  *((intOrPtr*)(_t93 + 0x1c)));
				}
				if( *((intOrPtr*)(_t93 + 0x20)) == 0) {
					_t107 =  *0x6d55e1; // 0x0
					E0040A644(0x6d5724, _t107);
				} else {
					E0040A644(0x6d5724,  *((intOrPtr*)(_t93 + 0x20)));
				}
				_t139 =  *((intOrPtr*)(_t93 + 0x24));
				if( *((intOrPtr*)(_t93 + 0x24)) == 0) {
					_t108 =  *0x6d55e5; // 0x0
					E0040A644(0x6d5728, _t108);
				} else {
					E0040A644(0x6d5728,  *((intOrPtr*)(_t93 + 0x24)));
				}
				E005C7DC0( *0x6d56d0 & 0x000000ff);
				_t49 =  *0x6ccec0; // 0x6d4c14
				_t10 = _t49 + 0x1e8; // 0x0
				E005C7D34(0, _t98, E0040B278( *_t10), _t139);
				_t54 =  *0x6ccec0; // 0x6d4c14
				_t11 = _t54 + 0xb0; // 0x0
				E005C7D34(1, _t98, E0040B278( *_t11), _t139);
				_t59 =  *0x6ccec0; // 0x6d4c14
				_t12 = _t59 + 0x164; // 0x0
				E005C7D34(2, _t98, E0040B278( *_t12), _t139);
				_t64 =  *0x6ccec0; // 0x6d4c14
				_t13 = _t64 + 0x164; // 0x0
				E005C7D34(3, _t98, E0040B278( *_t13), _t139);
				_t113 =  *0x6ccec0; // 0x6d4c14
				_t14 = _t113 + 0x2f8; // 0x0
				_t69 =  *0x6cceac; // 0x6d479c
				E005B8250( *_t69,  *_t14, _t139);
				_t23 =  *0x6d56e0; // 0x0
				_t128 =  *((intOrPtr*)(_t23 + 8)) - 1;
				if(_t128 < 0) {
					L26:
					if( *0x6d5484 == 0) {
						goto L28;
					}
					_t72 =  *0x6d5488; // 0x24007e
					_t73 = SendNotifyMessageW(_t72, 0x496, 0x2711, _t126); // executed
					return _t73;
				} else {
					_t129 = _t128 + 1;
					_t130 = 0;
					do {
						_t74 =  *0x6d56e0; // 0x0
						_t94 = E00464CC8(_t74, _t130);
						_t77 = ( *(_t94 + 0x25) & 0x000000ff) - 1;
						if(_t77 == 0) {
							_t17 = _t94 + 4; // 0x4
							_t116 =  *0x6ccec0; // 0x6d4c14
							_t18 = _t116 + 0x1c8; // 0x0
							_t23 = E0040A5A8(_t17,  *_t18);
						} else {
							_t79 = _t77 - 1;
							if(_t79 == 0) {
								_t19 = _t94 + 4; // 0x4
								_t118 =  *0x6ccec0; // 0x6d4c14
								_t20 = _t118 + 0x94; // 0x0
								_t23 = E0040A5A8(_t19,  *_t20);
							} else {
								_t23 = _t79 - 1;
								if(_t23 == 0) {
									_t21 = _t94 + 4; // 0x4
									_t120 =  *0x6ccec0; // 0x6d4c14
									_t22 = _t120 + 0xb8; // 0x0
									_t23 = E0040A5A8(_t21,  *_t22);
								}
							}
						}
						_t130 = _t130 + 1;
						_t129 = _t129 - 1;
					} while (_t129 != 0);
					goto L26;
				}
			}

0x006acdd0
0x006acdd0
0x006acdd0
0x006acdd4
0x006acdd6
0x006acddc
0x006ad029
0x006ad029
0x006ad029
0x006acde4
0x006acdee
0x006acdf0
0x006acdf8
0x006acdfa
0x006acdff
0x006ace04
0x006ace04
0x006ace07
0x006ace1b
0x006ace2f
0x006ace34
0x006ace3f
0x006ace45
0x006ace51
0x006ace57
0x006ace66
0x006ace8c
0x006ace91
0x006ace91
0x006ace9f
0x006aceb5
0x006acebb
0x006acea1
0x006acea9
0x006acea9
0x006acec4
0x006aceda
0x006acee0
0x006acec6
0x006acece
0x006acece
0x006acee5
0x006acee9
0x006aceff
0x006acf05
0x006aceeb
0x006acef3
0x006acef3
0x006acf11
0x006acf16
0x006acf1b
0x006acf2a
0x006acf2f
0x006acf34
0x006acf43
0x006acf48
0x006acf4d
0x006acf5c
0x006acf61
0x006acf66
0x006acf75
0x006acf7a
0x006acf80
0x006acf86
0x006acf8d
0x006acf92
0x006acf9a
0x006acf9d
0x006ad006
0x006ad00d
0x00000000
0x00000000
0x006ad01a
0x006ad020
0x00000000
0x006acf9f
0x006acf9f
0x006acfa0
0x006acfa2
0x006acfa4
0x006acfae
0x006acfb4
0x006acfb6
0x006acfc2
0x006acfc5
0x006acfcb
0x006acfd1
0x006acfb8
0x006acfb8
0x006acfba
0x006acfd8
0x006acfdb
0x006acfe1
0x006acfe7
0x006acfbc
0x006acfbc
0x006acfbe
0x006acfee
0x006acff1
0x006acff7
0x006acffd
0x006acffd
0x006acfbe
0x006acfba
0x006ad002
0x006ad003
0x006ad003
0x00000000
0x006acfa2

APIs

SendNotifyMessageW.USER32(0024007E,00000496,00002711,-00000001), ref: 006AD020

Strings

MS PGothic, xrefs: 006ACE74, 006ACE87

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: MessageNotifySend
String ID: MS PGothic
API String ID: 3556456075-3532686627
Opcode ID: b6c258fb3c33f2813c3342e6157044606e6013f872fb64804e9522e309d3d3da
Instruction ID: 89a382baa9b680b343c583d8872c3f7c86f8ccc800703f58e8dd630edb69a3e5
Opcode Fuzzy Hash: b6c258fb3c33f2813c3342e6157044606e6013f872fb64804e9522e309d3d3da
Instruction Fuzzy Hash: 29516E307012408FCB10FF69D889E6A3BA3FB86354B64557AE4069F766CA35DC42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0045DCCC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0045DCCC(void* __eax, struct HINSTANCE__* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t10;
				intOrPtr _t15;
				struct HINSTANCE__* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				void* _t32;
				intOrPtr* _t35;
				intOrPtr _t38;
				intOrPtr _t40;

				_t38 = _t40;
				_push(_t22);
				_t35 = _t22;
				_t20 = __edx;
				_t32 = __eax;
				if(__edx == 0) {
					_t20 =  *0x6d1634;
				}
				_t10 = FindResourceW(_t20, E0040B278(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
				_t43 = _t10;
				if(_t10 == 0) {
					return _t10;
				} else {
					_v8 = E0046A118(_t20, 1, 0xa, _t32);
					_push(_t38);
					_push(0x45dd40);
					_push( *[fs:eax]);
					 *[fs:eax] = _t40;
					_t15 = E00469704(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
					 *_t35 = _t15;
					_pop(_t30);
					 *[fs:eax] = _t30;
					_push(E0045DD47);
					return E00408444(_v8);
				}
			}

0x0045dccd
0x0045dccf
0x0045dcd3
0x0045dcd5
0x0045dcd7
0x0045dcdb
0x0045dcdd
0x0045dcdd
0x0045dcf5
0x0045dcf8
0x0045dcfa
0x0045dd4e
0x0045dcfc
0x0045dd0d
0x0045dd12
0x0045dd13
0x0045dd18
0x0045dd1b
0x0045dd23
0x0045dd28
0x0045dd2c
0x0045dd2f
0x0045dd32
0x0045dd3f
0x0045dd3f

APIs

FindResourceW.KERNEL32(00000000,00000000,0000000A,?,?,00000000,00000000,?,00464890,00000000,004648A8,?,0000FFA2,00000000,00000000), ref: 0045DCEE

Strings

HJD, xrefs: 0045DD03

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FindResource
String ID: HJD
API String ID: 1635176832-4209977196
Opcode ID: 03b0c82be6f760f64e561bd3ff9d6fda7a7b4067bec252c696f52900dcbda579
Instruction ID: 8beb91453bcbaa737a20c691b85a4c3c719d3b699ae3dd38a1bbe86ed91b807b
Opcode Fuzzy Hash: 03b0c82be6f760f64e561bd3ff9d6fda7a7b4067bec252c696f52900dcbda579
Instruction Fuzzy Hash: 8C01F771704300BBD711DF66EC42E6AB7ADEB85715711407EF9009B242EAB99C059658

Uniqueness

Uniqueness Score: -1.00%

Function 00414D98, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414D98(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00407404();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E004073F4(_t13);
				return _t24;
			}

0x00414d9f
0x00414da4
0x00414da6
0x00414dd7
0x00414de0
0x00414dec

APIs

CreateWindowExW.USER32 ref: 00414DD7

Strings

TWindowDisabler-Window, xrefs: 00414DD5

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window
API String ID: 716092398-1824977358
Opcode ID: 4c523ab884bdc3a49de6328adf8e7a054ac0ed32c9ba937a131d341f4e2fdf35
Instruction ID: 2ae43f73961e2cef950b8e695cbe18b859b25492b357a47972b29cef978d1eeb
Opcode Fuzzy Hash: 4c523ab884bdc3a49de6328adf8e7a054ac0ed32c9ba937a131d341f4e2fdf35
Instruction Fuzzy Hash: BAF092B2604158BF9B80DE9DEC81EDB77ECEB4D2A4B05416AFA0CD3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006AAAD8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AAAD8(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t7;
				long _t13;
				void* _t17;
				void* _t24;

				_t24 = _t17;
				_t7 = E005C6790(__eax, L"Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return E0040A1C8(_t24);
				}
				if(E005C66B8() == 0) {
					E0040A1C8(_t24);
				}
				_t13 = RegCloseKey(_v8); // executed
				return _t13;
			}

0x006aaadf
0x006aaaf9
0x006aab00
0x00000000
0x006aab26
0x006aab10
0x006aab14
0x006aab14
0x006aab1d
0x00000000

APIs

Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B69F6,?,006AAD36,00000000,006AAF8E,?,00000000,00000000), ref: 006AAB1D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 006AAAEF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 97fa7571ec6682ee3824988f6a56149588b7e14ceb96e20629ebdc4c0357ef91
Instruction ID: ff1a3d223dd7ccb396a2362d893f6dffa0b2018229c4d4fe2cb2bd772e9b64c8
Opcode Fuzzy Hash: 97fa7571ec6682ee3824988f6a56149588b7e14ceb96e20629ebdc4c0357ef91
Instruction Fuzzy Hash: 9CF0A7313002146BEA14B5DEAC86BAEA7DEDFC5754F20007FF608D7341DAA5AE018776

Uniqueness

Uniqueness Score: -1.00%

Function 0060D628, Relevance: 3.2, APIs: 2, Instructions: 192
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0060D628(signed int __eax, void* __ebx, char __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int _a16, signed int _a20, char _a24) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v17;
				intOrPtr _v24;
				char _v25;
				signed int _v26;
				void* _v32;
				struct _WIN32_FIND_DATAW _v624;
				char _v628;
				char _v632;
				char _v636;
				char _v640;
				signed char _t106;
				signed char _t108;
				void* _t114;
				int _t122;
				signed int _t127;
				signed char _t135;
				signed char _t139;
				void* _t155;
				signed int _t158;
				intOrPtr _t177;
				intOrPtr _t187;
				void* _t201;
				void* _t202;
				intOrPtr _t203;

				_t159 = __ecx;
				_t201 = _t202;
				_t203 = _t202 + 0xfffffd84;
				_push(__ebx);
				_v640 = 0;
				_v636 = 0;
				_v632 = 0;
				_v628 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v25 = __ecx;
				_v24 = __edx;
				_v17 = __eax;
				_push(_t201);
				_push(0x60d8c6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t203;
				_v26 = 1;
				if(_a24 == 0) {
					L26:
					__eflags = _a16 & 0x000000ff ^ 0x00000001 | _v26;
					if((_a16 & 0x000000ff ^ 0x00000001 | _v26) != 0) {
						__eflags = _v25;
						if(_v25 != 0) {
							__eflags = _a12;
							if(__eflags == 0) {
								_t106 = E0060BFC4(_v17 & 0x000000ff, _v24, __eflags); // executed
								__eflags = _t106;
								if(_t106 == 0) {
									_v26 = 0;
								}
							} else {
								_t108 = _a12();
								__eflags = _t108;
								if(_t108 == 0) {
									_v26 = 0;
								}
							}
						}
					}
					__eflags = 0;
					_pop(_t177);
					 *[fs:eax] = _t177;
					_push(E0060D8CD);
					E0040A228( &_v640, 4);
					return E0040A228( &_v16, 3);
				} else {
					_t205 = _v25;
					if(_v25 == 0) {
						L3:
						_t207 = _v25;
						if(_v25 == 0) {
							E005C5284(_v24, _t159,  &_v8);
							E0040A5F0( &_v12, _v24);
						} else {
							E005C4D00(_v24,  &_v8);
							E0040B4C8( &_v12, 0x60d8e4, _v8);
						}
						_t114 = E0060BC10(_v17 & 0x000000ff,  &_v624, _v12, _t207); // executed
						_v32 = _t114;
						if(_v32 == 0xffffffff) {
							goto L26;
						} else {
							_push(_t201);
							_push(0x60d852);
							_push( *[fs:eax]);
							 *[fs:eax] = _t203;
							do {
								E0040B318( &_v16, 0x104,  &(_v624.cFileName));
								E0040B660(_v16, 0x60d8f4);
								if(0 != 0) {
									_t127 = E0040B660(_v16, 0x60d904);
									if(0 != 0) {
										_t158 = _v624.dwFileAttributes;
										if((_t158 & 0x00000001) != 0 && (_t127 & 0xffffff00 | (_t158 & 0x00000010) == 0x00000000 | _a20) != 0) {
											E0040B4C8( &_v628, _v16, _v8);
											E0060C03C(_v17 & 0x000000ff, _t158 & 0xfffffffe, _v628, _t158 & 0xfffffffe);
										}
										if((_v624.dwFileAttributes & 0x00000010) != 0) {
											__eflags = _a20;
											if(_a20 != 0) {
												E0040B4C8( &_v640, _v16, _v8);
												_t135 = E0060D628(_v17 & 0x000000ff, _t158, 1, _v640, _a4, _a8, _a12, _a16 & 0x000000ff, 1, 1); // executed
												__eflags = _t135;
												if(_t135 == 0) {
													_v26 = 0;
												}
											}
										} else {
											if(_a8 == 0) {
												E0040B4C8( &_v636, _v16, _v8);
												_t139 = E0060BAB8(_v17 & 0x000000ff, _v636, __eflags);
												__eflags = _t139;
												if(_t139 == 0) {
													_v26 = 0;
												}
											} else {
												E0040B4C8( &_v632, _v16, _v8);
												if(_a8() == 0) {
													_v26 = 0;
												}
											}
										}
									}
								}
								if(_a16 == 0 || _v26 != 0) {
									goto L24;
								}
								break;
								L24:
								_t122 = FindNextFileW(_v32,  &_v624); // executed
							} while (_t122 != 0);
							_pop(_t187);
							 *[fs:eax] = _t187;
							_push(E0060D859);
							return FindClose(_v32);
						}
					} else {
						_t155 = E0060BDD4(_v17 & 0x000000ff, _v24, _t205); // executed
						if(_t155 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
			}

0x0060d628
0x0060d629
0x0060d62b
0x0060d631
0x0060d634
0x0060d63a
0x0060d640
0x0060d646
0x0060d64c
0x0060d64f
0x0060d652
0x0060d655
0x0060d658
0x0060d65b
0x0060d660
0x0060d661
0x0060d666
0x0060d669
0x0060d66c
0x0060d674
0x0060d859
0x0060d85f
0x0060d862
0x0060d864
0x0060d868
0x0060d86a
0x0060d86e
0x0060d88e
0x0060d893
0x0060d895
0x0060d897
0x0060d897
0x0060d870
0x0060d87a
0x0060d87d
0x0060d87f
0x0060d881
0x0060d881
0x0060d87f
0x0060d86e
0x0060d868
0x0060d89b
0x0060d89d
0x0060d8a0
0x0060d8a3
0x0060d8b3
0x0060d8c5
0x0060d67a
0x0060d67a
0x0060d67e
0x0060d694
0x0060d694
0x0060d698
0x0060d6bd
0x0060d6c8
0x0060d69a
0x0060d6a0
0x0060d6b0
0x0060d6b0
0x0060d6da
0x0060d6df
0x0060d6e6
0x00000000
0x0060d6ec
0x0060d6ee
0x0060d6ef
0x0060d6f4
0x0060d6f7
0x0060d6fa
0x0060d708
0x0060d715
0x0060d71a
0x0060d728
0x0060d72d
0x0060d733
0x0060d73c
0x0060d755
0x0060d769
0x0060d769
0x0060d775
0x0060d7d2
0x0060d7d6
0x0060d7f9
0x0060d80a
0x0060d80f
0x0060d811
0x0060d813
0x0060d813
0x0060d811
0x0060d777
0x0060d77b
0x0060d7b4
0x0060d7c3
0x0060d7c8
0x0060d7ca
0x0060d7cc
0x0060d7cc
0x0060d77d
0x0060d789
0x0060d7a0
0x0060d7a2
0x0060d7a2
0x0060d7a0
0x0060d77b
0x0060d775
0x0060d72d
0x0060d81b
0x00000000
0x00000000
0x00000000
0x0060d823
0x0060d82e
0x0060d833
0x0060d83d
0x0060d840
0x0060d843
0x0060d851
0x0060d851
0x0060d680
0x0060d687
0x0060d68e
0x00000000
0x00000000
0x00000000
0x00000000
0x0060d68e
0x0060d67e

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,0060D852,?,00000000,0060D8C6,?,?,?,006AB575,00000000,006AB4C4,00000000,00000000,00000001), ref: 0060D82E
FindClose.KERNEL32(000000FF,0060D859,0060D852,?,00000000,0060D8C6,?,?,?,006AB575,00000000,006AB4C4,00000000,00000000,00000001,00000001), ref: 0060D84C

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: c9d2ea2adbf939e7fcf28037c77850a07913178943bc60a2d811ab24dede9fae
Instruction ID: 1c78dce3c56f1043e552bdc12dc5b32a6e7837210c4168244b7acddc60a03fe0
Opcode Fuzzy Hash: c9d2ea2adbf939e7fcf28037c77850a07913178943bc60a2d811ab24dede9fae
Instruction Fuzzy Hash: 99818E30D442899EDF15DFA5C885BEEBBB6AF05304F1482AAE858732C1C7349F85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005CF994, Relevance: 3.1, APIs: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E005CF994(intOrPtr* __eax, void* __eflags, void* __fp0) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				void* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t68;
				int _t72;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t94;
				void* _t102;
				intOrPtr _t103;
				intOrPtr _t111;
				void* _t113;
				int _t114;
				void* _t116;
				void* _t121;
				void* _t123;
				intOrPtr _t124;
				void* _t126;

				_t126 = __eflags;
				_t121 = _t123;
				_t124 = _t123 + 0xffffffe8;
				_push(_t89);
				_push(_t116);
				_push(_t113);
				_v8 = __eax;
				_t94 =  *0x6ccb88; // 0x6d5694
				_t2 = _t94 + 0x2c; // 0x8
				_t103 =  *0x6ccb88; // 0x6d5694
				_t3 = _t103 + 8; // 0x0
				E005CD0B8( *((intOrPtr*)(_v8 + 0x74)), _t89,  *_t2,  *_t3, _t113, _t116, __fp0, 8, 0); // executed
				E005CD18C( *((intOrPtr*)(_v8 + 0x74)), _t89, _v8 + 0x3d4, _v8 + 0x3d0, _t113, _t116, _t126);
				if( *(_v8 + 0x3d0) != 6) {
					L2:
					_v12 = E005CFFE4(0, 1, _t113);
					 *[fs:eax] = _t124;
					E005CF484(_v8, _v12);
					E005CD31C(_v8, 6,  *(_v8 + 0x3d0), _t128, 0xd,  *(_v8 + 0x3d4));
					 *((intOrPtr*)( *_v8 + 0x70))( *[fs:eax], 0x5cface, _t121);
					_t114 = _v20;
					_t68 = MulDiv(_t114,  *(_v8 + 0x3d0), 6);
					_t72 = MulDiv(_v16,  *(_v8 + 0x3d4), 0xd);
					E005AE564(_v8);
					 *((intOrPtr*)( *_v8 + 0xc8))(E005AE584(_v8), _t72 +  *((intOrPtr*)(_v8 + 0x5c)) - _v16, _t68 +  *((intOrPtr*)(_v8 + 0x58)) - _t114);
					_pop(_t111);
					_pop(_t102);
					 *[fs:eax] = _t111;
					_push(E005CFAD5);
					return E005CF4FC( *_v8, _t102, _v12, 0);
				} else {
					_t88 = _v8;
					_t128 =  *((intOrPtr*)(_t88 + 0x3d4)) - 0xd;
					if( *((intOrPtr*)(_t88 + 0x3d4)) == 0xd) {
						return _t88;
					} else {
						goto L2;
					}
				}
			}

0x005cf994
0x005cf995
0x005cf997
0x005cf99a
0x005cf99b
0x005cf99c
0x005cf99d
0x005cf9a4
0x005cf9aa
0x005cf9ad
0x005cf9b3
0x005cf9bc
0x005cf9d9
0x005cf9e8
0x005cf9fa
0x005cfa08
0x005cfa16
0x005cfa1f
0x005cfa41
0x005cfa4e
0x005cfa5d
0x005cfa61
0x005cfa78
0x005cfaa2
0x005cfaaf
0x005cfab7
0x005cfab9
0x005cfaba
0x005cfabd
0x005cfacd
0x005cf9ea
0x005cf9ea
0x005cf9ed
0x005cf9f4
0x005cfadb
0x00000000
0x00000000
0x00000000
0x005cf9f4

APIs

Part of subcall function 005CD18C: GetDC.USER32(00000000), ref: 005CD19D
Part of subcall function 005CD18C: SelectObject.GDI32(0068C9D4,00000000), ref: 005CD1BF
Part of subcall function 005CD18C: GetTextExtentPointW.GDI32(0068C9D4,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CD1D3
Part of subcall function 005CD18C: GetTextMetricsW.GDI32(0068C9D4,?,00000000,005CD218,?,00000000,?,?,0068C9D4), ref: 005CD1F5
Part of subcall function 005CD18C: ReleaseDC.USER32 ref: 005CD212

MulDiv.KERNEL32(0068D3C3,00000006,00000006), ref: 005CFA61
MulDiv.KERNEL32(?,?,0000000D), ref: 005CFA78

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID:
API String ID: 844173074-0
Opcode ID: fd25a673d468ed6fabf3aa3adbc59892d19b3712dbcf1daa220eafedc1c648fb
Instruction ID: ab832f5469577de02f6ead1a3026336d1fcba8013a7d9bcb612a7bf876de2192
Opcode Fuzzy Hash: fd25a673d468ed6fabf3aa3adbc59892d19b3712dbcf1daa220eafedc1c648fb
Instruction Fuzzy Hash: D841F835A00109EFCB04DBA8D985EADB7F9FB49314F2541A9F808EB361D771AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00410ED4, Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410ED4(intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _v32;
				intOrPtr _t28;
				void* _t46;
				void* _t47;
				intOrPtr _t70;
				void* _t71;

				_t70 = _a4;
				_v8 = 0;
				if(_t70 == 0) {
					_t28 = 0;
				} else {
					_t28 = E004110F4(_t70);
				}
				_v16 = _t28;
				_t47 =  *0x6c4c4c; // 0x0
				while(_t47 != 0) {
					_t66 = E004110A4( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 4)));
					_v20 = E004110F4(_t31);
					_v12 =  *_t47;
					if(_t70 == 0) {
						L7:
						if(_t47 != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0x18)) != 0) {
							_v24 = E004110B4( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 8)));
							_v28 =  *_v24;
							_v32 = E004110D4( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0x18)));
							E00411150(_t38, _v32, E00411138(E004110C4( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0xc)))) << 2);
							_t71 = _t71 + 0xc;
							FreeLibrary(_v28); // executed
							 *_v24 = 0;
							if(_t47 != 0) {
								E00411178(_t47);
								LocalFree(_t47);
							}
							_v8 = 1;
						}
						if(_t70 == 0) {
							goto L13;
						}
					} else {
						if(_v20 != _v16) {
							goto L13;
						} else {
							_t46 = E00411108(_t70, _t66, _v20);
							_t71 = _t71 + 0xc;
							if(_t46 != 0) {
								goto L13;
							} else {
								goto L7;
							}
						}
					}
					goto L14;
					L13:
					_t47 = _v12;
				}
				L14:
				return _v8;
			}

0x00410edf
0x00410ee2
0x00410ee7
0x00410ef2
0x00410ee9
0x00410eea
0x00410eef
0x00410ef4
0x00410ef7
0x00410eff
0x00410f12
0x00410f1b
0x00410f22
0x00410f25
0x00410f49
0x00410f4b
0x00410f63
0x00410f6b
0x00410f78
0x00410f97
0x00410f9c
0x00410fa3
0x00410fad
0x00410fb1
0x00410fb4
0x00410fbd
0x00410fbd
0x00410fc2
0x00410fc2
0x00410fcb
0x00000000
0x00000000
0x00410f27
0x00410f2d
0x00000000
0x00410f33
0x00410f39
0x00410f3e
0x00410f43
0x00000000
0x00000000
0x00000000
0x00000000
0x00410f43
0x00410f2d
0x00000000
0x00410fcd
0x00410fcd
0x00410fd0
0x00410fd8
0x00410fe1

APIs

FreeLibrary.KERNEL32(00000000), ref: 00410FA3
LocalFree.KERNEL32(00000000,00000000), ref: 00410FBD

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Free$LibraryLocal
String ID:
API String ID: 3007483513-0
Opcode ID: 2c56d0444da96fb36466aa933463bccba2c3bdcbce3cca605f17c6cf2350efff
Instruction ID: 8866b8cac1c51f9e5027aba2395861c2b17d45cfec343fd2db600496dc988245
Opcode Fuzzy Hash: 2c56d0444da96fb36466aa933463bccba2c3bdcbce3cca605f17c6cf2350efff
Instruction Fuzzy Hash: DC318371D00105AB8B24DF96D5829FFB7B9AF88314B15811EFA0497351DBB8DDC1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8BC, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040E8BC(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				E0040A2AC(_v12);
				_push(_t84);
				_push(0x40e9d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E0040A1C8(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040E9DA);
					return E0040A228( &_v28, 6);
				}
				E0040A5F0( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040E5E0(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L0040524C();
						E0040DF90(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040E70C(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x6d0c10;
							if( *0x6d0c10 == 0) {
								L00405254();
								E0040DF90(_t46, _t60,  &_v28, _t79, _t81);
								E0040E70C(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040E7F0(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040E70C(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E0040B698(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040e8bc
0x0040e8bc
0x0040e8bf
0x0040e8c1
0x0040e8c3
0x0040e8c5
0x0040e8c7
0x0040e8c9
0x0040e8cb
0x0040e8cc
0x0040e8cd
0x0040e8cf
0x0040e8d2
0x0040e8d8
0x0040e8e0
0x0040e8e7
0x0040e8e8
0x0040e8ed
0x0040e8f0
0x0040e8f5
0x0040e8fe
0x0040e9b8
0x0040e9ba
0x0040e9bd
0x0040e9c0
0x0040e9d2
0x0040e9d2
0x0040e90a
0x0040e90f
0x0040e914
0x0040e919
0x0040e919
0x0040e91b
0x0040e920
0x0040e947
0x0040e94d
0x0040e956
0x0040e967
0x0040e96f
0x0040e97c
0x0040e981
0x0040e984
0x0040e986
0x0040e98d
0x0040e98f
0x0040e997
0x0040e9a4
0x0040e9a4
0x0040e98d
0x0040e9a9
0x0040e9ac
0x0040e9b3
0x0040e9b3
0x0040e958
0x0040e960
0x0040e960
0x00000000
0x0040e956
0x0040e922
0x0040e942
0x0040e943
0x0040e945
0x00000000
0x00000000
0x00000000
0x0040e945
0x0040e931
0x0040e93b
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: e8cd89fe78807f8a59e4ef6fd92fca2d24216d165143f74ece7b225ae6d9bccb
Instruction ID: 67efb5fed51bc053756b647ddfd8e6ea43793a5abe40bf12c6ea97a73f2c0f5a
Opcode Fuzzy Hash: e8cd89fe78807f8a59e4ef6fd92fca2d24216d165143f74ece7b225ae6d9bccb
Instruction Fuzzy Hash: AF312F70A002199FDB10EB9AC882BAEB7B5EF48308F50497BE400B33D1D7789D558B99

Uniqueness

Uniqueness Score: -1.00%

Function 00414020, Relevance: 3.1, APIs: 2, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00414020(void* __ebx, void* __esi, struct HINSTANCE__* _a4, CHAR* _a8) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _t22;
				CHAR* _t31;
				intOrPtr _t38;
				intOrPtr _t39;
				struct HINSTANCE__* _t41;
				void* _t43;
				void* _t44;
				intOrPtr _t45;

				_t43 = _t44;
				_t45 = _t44 + 0xfffffff8;
				_v8 = 0;
				_t31 = _a8;
				_t41 = _a4;
				_push(_t43);
				_push(0x4140be);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				if(_t31 >> 0x10 != 0) {
					_push(_t43);
					 *[fs:eax] = _t45;
					E0040A1EC( &_v8);
					E0040A944( &_v8, 0, _t31,  *[fs:eax]);
					_t22 = GetProcAddress(_t41, E0040AC70(_v8)); // executed
					_v12 = _t22;
					_t38 = 0x4140a1;
					 *[fs:eax] = _t38;
					_push(E004140A8);
					return E0040A1EC( &_v8);
				} else {
					_v12 = GetProcAddress(_t41, _t31);
					_pop(_t39);
					 *[fs:eax] = _t39;
					_push(E004140C5);
					return E0040A1EC( &_v8);
				}
			}

0x00414021
0x00414023
0x0041402a
0x0041402d
0x00414030
0x00414035
0x00414036
0x0041403b
0x0041403e
0x00414046
0x00414056
0x0041405f
0x00414065
0x00414074
0x00414083
0x00414088
0x0041408d
0x00414090
0x00414093
0x004140a0
0x00414048
0x0041404f
0x004140aa
0x004140ad
0x004140b0
0x004140bd
0x004140bd

APIs

GetProcAddress.KERNEL32(?,?), ref: 0041404A
GetProcAddress.KERNEL32(?,00000000), ref: 00414083

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction ID: b41df1fa75d381eed13266955d9feb05bf3a80cdd3b44aa66b38c7297c5ee5d6
Opcode Fuzzy Hash: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction Fuzzy Hash: 3C11C631604208AFD701DF22CC529AD7BECEB8E714BA2047AF904E3680DB385F549599

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E0, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040E9E0(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40ea9a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E0040B2DC( &_v536, _t49);
				_push(_v536);
				E0040B318( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040E8BC(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E0040B278(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040EAA1);
				E0040A228( &_v540, 2);
				return E0040A1C8( &_v8);
			}

0x0040e9ed
0x0040e9f3
0x0040e9f9
0x0040e9fc
0x0040ea00
0x0040ea01
0x0040ea06
0x0040ea09
0x0040ea1c
0x0040ea29
0x0040ea34
0x0040ea46
0x0040ea54
0x0040ea55
0x0040ea5e
0x0040ea6d
0x0040ea72
0x0040ea76
0x0040ea79
0x0040ea7c
0x0040ea8c
0x0040ea99

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99

Uniqueness

Uniqueness Score: -1.00%

Function 005C5964, Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E005C5964(intOrPtr* __eax, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				WCHAR* _t7;
				WCHAR* _t9;
				int _t12;
				void* _t13;
				WCHAR* _t15;
				WCHAR* _t17;
				WCHAR* _t19;
				int _t22;
				intOrPtr _t26;
				void* _t30;
				intOrPtr* _t33;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_push(_t26);
				_v8 = _t26;
				_t30 = __edx;
				_t33 = __eax;
				_t24 = _a4;
				if(_a4 == 0) {
					_t7 = E0040B278(_v8);
					_t9 = E0040B278(_t30);
					_t12 = WriteProfileStringW(E0040B278(_t33), _t9, _t7);
					asm("sbb eax, eax");
					_t13 = _t12 + 1;
				} else {
					_t15 = E0040B278(_t24);
					_t17 = E0040B278(_v8);
					_t19 = E0040B278(_t30);
					_t22 = WritePrivateProfileStringW(E0040B278(_t33), _t19, _t17, _t15); // executed
					asm("sbb eax, eax");
					_t13 = _t22 + 1;
				}
				return _t13;
			}

0x005c5964
0x005c5966
0x005c596b
0x005c596f
0x005c5972
0x005c5974
0x005c5976
0x005c597b
0x005c59ae
0x005c59b6
0x005c59c4
0x005c59cc
0x005c59ce
0x005c597d
0x005c597f
0x005c5988
0x005c5990
0x005c599e
0x005c59a6
0x005c59a8
0x005c59a8
0x005c59d4

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C599E
WriteProfileStringW.KERNEL32(00000000,00000000,00000000), ref: 005C59C4

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ProfileStringWrite$Private
String ID:
API String ID: 3244626871-0
Opcode ID: 24166e916fdcbb5de9eec2c568382637024ce919e0626cdeb4092057b3b9d4f0
Instruction ID: 4c0831dff2f9534e1eaeffab5a34e09486192bdcdc485c874b1f7743586d8f6a
Opcode Fuzzy Hash: 24166e916fdcbb5de9eec2c568382637024ce919e0626cdeb4092057b3b9d4f0
Instruction Fuzzy Hash: 81F0A471784244EECA00B6BF9C8AD6E669CDE9531971007BFF805E7242D6399D0152AD

Uniqueness

Uniqueness Score: -1.00%

Function 005ABB4C, Relevance: 3.0, APIs: 2, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E005ABB4C(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t30;
				void* _t31;
				intOrPtr _t32;

				_t30 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_t23 =  *0x6cbbac; // 0x0
				_v12 = _t23;
				_t24 =  *0x6cbbbc; // 0x0
				_v16 = _t24;
				 *0x6cbbac = __eax;
				 *0x6cbbbc = 0;
				_push(_t30);
				_push(0x5abbf9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				 *0x6cbbb8 = 1;
				_push(_t30);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				EnumThreadWindows(GetCurrentThreadId(), 0x5abafc, 0);
				_t12 =  *0x6cbbbc; // 0x0
				_v8 = _t12;
				_pop(_t25);
				 *[fs:eax] = _t25;
				_t26 = 0x5abbbb;
				 *[fs:eax] = _t26;
				_push(E005ABC00);
				 *0x6cbbb8 = 0;
				 *0x6cbbbc = _v16;
				_t16 = _v12;
				 *0x6cbbac = _t16;
				return _t16;
			}

0x005abb4d
0x005abb4f
0x005abb55
0x005abb5b
0x005abb5e
0x005abb64
0x005abb67
0x005abb6e
0x005abb7a
0x005abb7b
0x005abb80
0x005abb83
0x005abb86
0x005abb8f
0x005abb95
0x005abb98
0x005abba4
0x005abba9
0x005abbae
0x005abbb3
0x005abbb6
0x005abbd6
0x005abbd9
0x005abbdc
0x005abbe1
0x005abbeb
0x005abbf0
0x005abbf3
0x005abbf8

APIs

GetCurrentThreadId.KERNEL32 ref: 005ABB9E
EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 2500ecb8bc62876c8ff2405f47f095ea4bb89944262ada6799aa535262b27f39
Instruction ID: 4b564e7848d778c1821dbee75f023e1981a666a926d985b7d896297b812e440b
Opcode Fuzzy Hash: 2500ecb8bc62876c8ff2405f47f095ea4bb89944262ada6799aa535262b27f39
Instruction Fuzzy Hash: 93112574A08744AFD711CF26DC92D6ABFE9E74A710F11A4AAE800D3795EB756C00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060BAB8, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060BAB8(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0060B8D4(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x60bb15);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E0040B278(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060BB1C);
					return E0060B910( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060bab9
0x0060babb
0x0060bad0
0x0060badb
0x0060badc
0x0060bae1
0x0060bae4
0x0060baef
0x0060baf4
0x0060bafc
0x0060bb01
0x0060bb04
0x0060bb07
0x0060bb14
0x0060bad2
0x0060bad4
0x0060bb2d
0x0060bb2d

APIs

DeleteFileW.KERNEL32(00000000,00000000,0060BB15,?,?,?), ref: 0060BAEF
GetLastError.KERNEL32(00000000,00000000,0060BB15,?,?,?), ref: 0060BAF7

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3ac4022b0d504f8d56561d974b577821acbd762e4ecd66f76f585f39e4d74a53
Instruction ID: 78568c7df48a63312c1550ac91009127c3edb94fe6ea848b53d264e1db3dc997
Opcode Fuzzy Hash: 3ac4022b0d504f8d56561d974b577821acbd762e4ecd66f76f585f39e4d74a53
Instruction Fuzzy Hash: 89F0C831B44308ABCB15DFB5AC014AFB7EDDB49310B5189B6F804E3281EB755E005694

Uniqueness

Uniqueness Score: -1.00%

Function 0060BFC4, Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0060BFC4(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E0060B8D4(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x60c021);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = RemoveDirectoryW(E0040B278(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E0060C028);
					return E0060B910( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x0060bfc5
0x0060bfc7
0x0060bfdc
0x0060bfe7
0x0060bfe8
0x0060bfed
0x0060bff0
0x0060bffb
0x0060c000
0x0060c008
0x0060c00d
0x0060c010
0x0060c013
0x0060c020
0x0060bfde
0x0060bfe0
0x0060c039
0x0060c039

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,0060C021,?,?,00000000), ref: 0060BFFB
GetLastError.KERNEL32(00000000,00000000,0060C021,?,?,00000000), ref: 0060C003

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 4f11924e44832b53a48258f3fad39eddf14758d76f0ec3ccb02dc41b6ad7c7d0
Instruction ID: d83f262ecc697e56b821021d063cc9f2e957c9b8bafe74f0302a089c4b99f6ee
Opcode Fuzzy Hash: 4f11924e44832b53a48258f3fad39eddf14758d76f0ec3ccb02dc41b6ad7c7d0
Instruction Fuzzy Hash: 28F0C231A44208ABCB04DFB5AC418AFB3EDDB493207518ABAF804E3281EB355E009698

Uniqueness

Uniqueness Score: -1.00%

Function 0042B840, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042B840(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x42b8b2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x42b894);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E0040B278(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0042B89B);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0042b841
0x0042b843
0x0042b847
0x0042b84a
0x0042b84f
0x0042b854
0x0042b855
0x0042b85a
0x0042b85d
0x0042b860
0x0042b865
0x0042b866
0x0042b86b
0x0042b86e
0x0042b879
0x0042b87e
0x0042b883
0x0042b886
0x0042b889
0x0042b88e
0x0042b890
0x0042b893

APIs

SetErrorMode.KERNEL32(00008000,00000000), ref: 0042B84A
LoadLibraryW.KERNEL32(00000000,00000000,0042B894,?,00000000,0042B8B2,?,00008000,00000000), ref: 0042B879

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: b993803051ae100aefba2c2869379d033386bf384ceaa9f28ae483a43a6be7f1
Instruction ID: 8ff579c406fa8de576af151128aa35465f0cec1f25fcd6592dc14664995b8e04
Opcode Fuzzy Hash: b993803051ae100aefba2c2869379d033386bf384ceaa9f28ae483a43a6be7f1
Instruction Fuzzy Hash: E9F08270614B04BEDF116FB69C5286ABBECE74AB0479349B6F814A2691E67C481086A8

Uniqueness

Uniqueness Score: -1.00%

Function 005B8250, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005B8250(void* __eax, void* __edx, void* __eflags) {
				void* _t9;
				void* _t17;
				void* _t22;
				void* _t23;

				_t23 = __eflags;
				_t22 = __edx;
				_t17 = __eax;
				_t9 = E0040B660( *((intOrPtr*)(__eax + 0xa4)), __edx);
				if(_t23 == 0) {
					return _t9;
				}
				if( *((char*)(_t17 + 0xc4)) != 0) {
					if( *((char*)(_t17 + 0xeb)) == 0) {
						SetWindowTextW( *(_t17 + 0x188), E0040B278(__edx));
					} else {
						SetWindowTextW( *(_t17 + 0x188), 0);
					}
				}
				_t6 = _t17 + 0xa4; // 0xa4
				return E0040A5A8(_t6, _t22);
			}

0x005b8250
0x005b8253
0x005b8255
0x005b825f
0x005b8264
0x005b82ac
0x005b82ac
0x005b826d
0x005b8276
0x005b8297
0x005b8278
0x005b8281
0x005b8281
0x005b8276
0x005b829c
0x00000000

APIs

SetWindowTextW.USER32(?,00000000), ref: 005B8281
SetWindowTextW.USER32(?,00000000), ref: 005B8297

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 106e8816436f1c0698a1400b8a78d0a82f037fb7dfb6323774298cdd51175139
Instruction ID: 55054c52d29fd938ddbce081dc8bbbf905119a19cfde818b1d6f861c0ddb3f35
Opcode Fuzzy Hash: 106e8816436f1c0698a1400b8a78d0a82f037fb7dfb6323774298cdd51175139
Instruction Fuzzy Hash: AFF0A7343016002ADB11AB6A8885BFA678CAF95715F0805BAFD049F287CF785D41C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 006AAE7F, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E006AAE7F() {
				void* _t13;
				void* _t15;
				intOrPtr _t16;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr _t37;
				intOrPtr _t48;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t56;
				intOrPtr _t57;

				_t13 =  *0x6d5888(0x6cc7f4, 0x8000, 0, _t56 - 4); // executed
				if(_t13 != 0) {
					_t15 =  *0x6d5888(0x6cc804, 0x8000, 0, _t56 - 4); // executed
					if(_t15 != 0) {
						if( *0x6d57b8 == 0) {
							_t16 =  *0x6d5510; // 0x0
							E005C4D00(_t16, _t56 - 0x38);
							E0040B4C8(0x6d5540, L"COMMAND.COM",  *((intOrPtr*)(_t56 - 0x38))); // executed
						} else {
							_t24 =  *0x6d5514; // 0x0
							E005C4D00(_t24, _t56 - 0x34);
							E0040B4C8(0x6d5540, L"cmd.exe",  *((intOrPtr*)(_t56 - 0x34)));
						}
						E006AAB88(); // executed
						_pop(_t48);
						 *[fs:eax] = _t48;
						_push(E006AAF95);
						return E0040A228(_t56 - 0x38, 0xd);
					} else {
						_push(_t56);
						_push(0x6aaf1e);
						_push( *[fs:eax]);
						 *[fs:eax] = _t57;
						E0040C8BC();
						_pop(_t53);
						 *[fs:eax] = _t53;
						_push(E006AAF25);
						_t32 =  *((intOrPtr*)(_t56 - 4));
						_push(_t32);
						L0043C20C();
						return _t32;
					}
				} else {
					_push(_t56);
					_push(0x6aaecb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t57;
					E0040C8BC();
					_pop(_t55);
					 *[fs:eax] = _t55;
					_push(E006AAED2);
					_t37 =  *((intOrPtr*)(_t56 - 4));
					_push(_t37);
					L0043C20C();
					return _t37;
				}
			}

0x006aae8f
0x006aae97
0x006aaee2
0x006aaeea
0x006aaf2c
0x006aaf52
0x006aaf57
0x006aaf69
0x006aaf2e
0x006aaf31
0x006aaf36
0x006aaf48
0x006aaf48
0x006aaf6e
0x006aaf75
0x006aaf78
0x006aaf7b
0x006aaf8d
0x006aaeec
0x006aaeee
0x006aaeef
0x006aaef4
0x006aaef7
0x006aaf02
0x006aaf09
0x006aaf0c
0x006aaf0f
0x006aaf14
0x006aaf17
0x006aaf18
0x006aaf1d
0x006aaf1d
0x006aae99
0x006aae9b
0x006aae9c
0x006aaea1
0x006aaea4
0x006aaeaf
0x006aaeb6
0x006aaeb9
0x006aaebc
0x006aaec1
0x006aaec4
0x006aaec5
0x006aaeca
0x006aaeca

APIs

SHGetKnownFolderPath.SHELL32(006CC7F4,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE8F
CoTaskMemFree.OLE32(?,006AAED2,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEC5
SHGetKnownFolderPath.SHELL32(006CC804,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEE2
CoTaskMemFree.OLE32(?,006AAF25,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAF18

Strings

Common Files, xrefs: 006AAD9B
\Program Files, xrefs: 006AAD51
COMMAND.COM, xrefs: 006AAF64
cmd.exe, xrefs: 006AAF43
SystemDrive, xrefs: 006AACC9
CommonFilesDir, xrefs: 006AAD64, 006AADE0
ProgramFilesDir, xrefs: 006AAD2A, 006AADB1
Failed to get path of 64-bit Common Files directory, xrefs: 006AAE02
Failed to get path of 64-bit Program Files directory, xrefs: 006AADD3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: d842c7c1da2f123ce9d11a7297303bffa5d20d4a34150eda36a0696f7cbe019c
Instruction ID: 9ad3a79c7d002b666d6474b190419673809a6fc1a9e74143ce7ee687fd54a3e4
Opcode Fuzzy Hash: d842c7c1da2f123ce9d11a7297303bffa5d20d4a34150eda36a0696f7cbe019c
Instruction Fuzzy Hash: E3E09231704704AFE711EBE19C52F2A77EAF749B00F6204A7F400E2A80D734AD10EE25

Uniqueness

Uniqueness Score: -1.00%

Function 006AAED2, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E006AAED2() {
				void* _t10;
				intOrPtr _t11;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t36;
				intOrPtr _t41;
				void* _t42;
				intOrPtr _t43;

				_t10 =  *0x6d5888(0x6cc804, 0x8000, 0, _t42 - 4); // executed
				if(_t10 != 0) {
					if( *0x6d57b8 == 0) {
						_t11 =  *0x6d5510; // 0x0
						E005C4D00(_t11, _t42 - 0x38);
						E0040B4C8(0x6d5540, L"COMMAND.COM",  *((intOrPtr*)(_t42 - 0x38))); // executed
					} else {
						_t19 =  *0x6d5514; // 0x0
						E005C4D00(_t19, _t42 - 0x34);
						E0040B4C8(0x6d5540, L"cmd.exe",  *((intOrPtr*)(_t42 - 0x34)));
					}
					E006AAB88(); // executed
					_pop(_t36);
					 *[fs:eax] = _t36;
					_push(E006AAF95);
					return E0040A228(_t42 - 0x38, 0xd);
				} else {
					_push(_t42);
					_push(0x6aaf1e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t43;
					E0040C8BC();
					_pop(_t41);
					 *[fs:eax] = _t41;
					_push(E006AAF25);
					_t27 =  *((intOrPtr*)(_t42 - 4));
					_push(_t27);
					L0043C20C();
					return _t27;
				}
			}

0x006aaee2
0x006aaeea
0x006aaf2c
0x006aaf52
0x006aaf57
0x006aaf69
0x006aaf2e
0x006aaf31
0x006aaf36
0x006aaf48
0x006aaf48
0x006aaf6e
0x006aaf75
0x006aaf78
0x006aaf7b
0x006aaf8d
0x006aaeec
0x006aaeee
0x006aaeef
0x006aaef4
0x006aaef7
0x006aaf02
0x006aaf09
0x006aaf0c
0x006aaf0f
0x006aaf14
0x006aaf17
0x006aaf18
0x006aaf1d
0x006aaf1d

APIs

SHGetKnownFolderPath.SHELL32(006CC804,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEE2
CoTaskMemFree.OLE32(?,006AAF25,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAF18

Strings

Common Files, xrefs: 006AAD9B
\Program Files, xrefs: 006AAD51
COMMAND.COM, xrefs: 006AAF64
cmd.exe, xrefs: 006AAF43
SystemDrive, xrefs: 006AACC9
CommonFilesDir, xrefs: 006AAD64, 006AADE0
ProgramFilesDir, xrefs: 006AAD2A, 006AADB1
Failed to get path of 64-bit Common Files directory, xrefs: 006AAE02
Failed to get path of 64-bit Program Files directory, xrefs: 006AADD3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: ac0e4c5cf4e5570656f2ce48f9db2bd67d3f5e148baebc3b6527ce026dfeb88c
Instruction ID: cd3cf3ec7fba9d7ce51e799f7c5b4265af527ddaa3f41ab80d914f6c7bcac3b9
Opcode Fuzzy Hash: ac0e4c5cf4e5570656f2ce48f9db2bd67d3f5e148baebc3b6527ce026dfeb88c
Instruction Fuzzy Hash: A7E092B1744744AEE715AFA0EC52F3A77AAEB49B00F6204BBF500D2A80D7389D00DE15

Uniqueness

Uniqueness Score: -1.00%

Function 004786A4, Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004786A4(struct HWND__* __eax) {
				int _t3;
				struct HWND__* _t7;

				_t7 = __eax;
				_t6 = GetWindowLongW(__eax, 0xfffffffc);
				_t3 = DestroyWindow(_t7); // executed
				if(_t2 != L00414778) {
					return E004784EC(_t6);
				}
				return _t3;
			}

0x004786a6
0x004786b0
0x004786b3
0x004786be
0x00000000
0x004786c2
0x004786c9

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 004786AB
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,00614EFE,006B75B7,?,?,?,?,006B8087), ref: 004786B3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: a0f4de818b6c187177cc114b37eba82a09dd20e37bb5ee93d5eef72e24578566
Instruction ID: c410a6bbb0581be46f1468b21c97e0a54dad118b04ee59d8e0f801625c1648ef
Opcode Fuzzy Hash: a0f4de818b6c187177cc114b37eba82a09dd20e37bb5ee93d5eef72e24578566
Instruction Fuzzy Hash: EAC0126121213026562132792CC98EF008C8C833B93A6862FF824962E2DB4D0D8242AD

Uniqueness

Uniqueness Score: -1.00%

Function 00409B58, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C4000,006D0B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 29d77d1977de03f842f62e82ece66a1c881036920cb29be16d73caabd79fdd10
Instruction ID: 389971a1f4baea938d1d0fa213264d1b5a13cd789ecb9c39f2161e3fb8af8bd3
Opcode Fuzzy Hash: 29d77d1977de03f842f62e82ece66a1c881036920cb29be16d73caabd79fdd10
Instruction Fuzzy Hash: 03F090316057059EE3314F0AB880F13BBACFB49774B65047BD848A2792D3B9BC00C5A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042369C, Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042369C(signed int __eax, signed int __edx) {
				signed int _t6;
				signed int _t9;
				void* _t14;
				signed int _t21;

				_t6 = __eax | 0xffffffff;
				_t21 = 0x00000003 & __edx;
				if(3 <= 2 && (0x000000f0 & __edx) <= 0x40) {
					_t9 = (0x000000f0 & __edx) >> 4;
					_t14 = CreateFileW(E0040B278(__eax),  *(0x6c6594 + _t21 * 4),  *(0x6c65a0 + _t9 * 4), 0, 3, 0x80, 0); // executed
					return _t14;
				}
				return _t6;
			}

0x004236a3
0x004236ab
0x004236b0
0x004236d0
0x004236eb
0x00000000
0x004236eb
0x004236f3

APIs

CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D44,004699C4,00000000,00469A44,?,?,00443D44), ref: 004236EB

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2c50ac4039e231b887772ee4b902df7dfed1ee6562b7803af28acda790a08750
Instruction ID: 3d6a0be59f47f8a977aa557ea6331b01b4114f86e5c817687e30c717e74e9de2
Opcode Fuzzy Hash: 2c50ac4039e231b887772ee4b902df7dfed1ee6562b7803af28acda790a08750
Instruction Fuzzy Hash: 98E09BB2B901213AF7306DADDC82F5B514E879577AF590236F615EB3C2C5989D0182AC

Uniqueness

Uniqueness Score: -1.00%

Function 004236F4, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D44,00469959,00000000,00469A44,?,?,00443D44), ref: 0042373D

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 076ec8ae1f58cb05293f27f07419deb19f562ae2ab51ba9545379dba31c7bb51
Instruction ID: 8dfed55e6d8a22672dc3f1ffa9947b8613efbdeb4d3f47b158d81c1b607e3982
Opcode Fuzzy Hash: 076ec8ae1f58cb05293f27f07419deb19f562ae2ab51ba9545379dba31c7bb51
Instruction Fuzzy Hash: 46E0DFE3B401243AF7206AAE9C82F6B9159CB81776F16023AFB50EB2D1C159DC0082EC

Uniqueness

Uniqueness Score: -1.00%

Function 005C72F8, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C72F8(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E0040A350(_t10, _t7, _t17, _t20);
			}

0x005c72ff
0x005c7317
0x005c731f
0x005c7323
0x005c732c
0x005c731e
0x005c731e
0x005c731e
0x00000000
0x005c732e
0x005c732e
0x005c7332
0x00000000
0x00000000
0x005c7332
0x00000000
0x005c732c
0x005c7345

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CAC2A,00000000,005CAC7B,?,005CAE5C), ref: 005C7317

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 92174c62a2c45d8a2c12e6bf488df06399d2689c0495a4d8e1833499a2fb33bf
Instruction ID: 641584d36dbd7fbf743d3cd11ed81fd1cc40cbed176580940663114c4c94ec85
Opcode Fuzzy Hash: 92174c62a2c45d8a2c12e6bf488df06399d2689c0495a4d8e1833499a2fb33bf
Instruction Fuzzy Hash: E5E0D8607983452BE33465984C03F7A1649A7C4F01FA44C3D7A008E6D5D6AA9855A696

Uniqueness

Uniqueness Score: -1.00%

Function 005C5584, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E005C5584(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x5c55ca);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E005C54D8(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E0040B278(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E005C55D1);
				return E0040A1C8( &_v8);
			}

0x005c5587
0x005c558e
0x005c558f
0x005c5594
0x005c5597
0x005c559f
0x005c55ad
0x005c55b6
0x005c55b9
0x005c55bc
0x005c55c9

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005C55CA,?,00000000,00000000,?,005C561A,00000000,0060BBD5,00000000,0060BBF6,?,00000000,00000000,00000000), ref: 005C55AD

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e93b562a759e66bd38da0de11055e6c017c6201b016aab2ebf39318819426300
Instruction ID: a8011987c62d8bbf1b65cfa24b3062553c79dfa79d40fcaab4f28f3b38eec933
Opcode Fuzzy Hash: e93b562a759e66bd38da0de11055e6c017c6201b016aab2ebf39318819426300
Instruction Fuzzy Hash: 19E09231344704AFD701EAF2CC92E5DBBADE749700BA108B9F400E7641E678AE408558

Uniqueness

Uniqueness Score: -1.00%

Function 0040D754, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D754(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040E9E0(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x0040d75c
0x0040d75e
0x0040d762
0x0040d772
0x0040d77b
0x0040d780
0x0040d782
0x0040d787
0x0040d78c
0x0040d78c
0x0040d787
0x0040d79a

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772

Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C5620, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C5620(void* __eax) {
				signed char _t7;

				_t7 = GetFileAttributesW(E0040B278(__eax)); // executed
				if(_t7 == 0xffffffff || (_t7 & 0x00000010) == 0 || (_t7 & 0x00000004) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x005c562b
0x005c5633
0x005c5641
0x005c5642
0x005c5645
0x005c5645

APIs

GetFileAttributesW.KERNEL32(00000000,?,0060BE09,00000000,0060BE22,?,?,00000000), ref: 005C562B

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d03a573201fb9b0cdfea091783fb35ce32931a896a6b2078e9e32ab2ad42dd54
Instruction ID: 1dd340722b5d2e1c7f6fd742ac5f6a0627fbc3f81dbe6857a6f1813bcaa5320a
Opcode Fuzzy Hash: d03a573201fb9b0cdfea091783fb35ce32931a896a6b2078e9e32ab2ad42dd54
Instruction Fuzzy Hash: 49D080A0241A000DDE2499FD0CCDF5905845F45775FA41B6EFB64D11E2F739ECD31028

Uniqueness

Uniqueness Score: -1.00%

Function 005C55D8, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C55D8(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesW(E0040B278(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x005c55e3
0x005c55eb
0x005c55f4
0x005c55f5
0x005c55f8
0x005c55f8

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005CC453,00000000), ref: 005C55E3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abae256f38c62cea3cb366abebd9f15dae453fea92c2924580d2950efdc0a250
Instruction ID: f244ca52905a2ca0d7e8f8dae3113ac9f84fcdd46d4f5ac2ce178984a170c16f
Opcode Fuzzy Hash: abae256f38c62cea3cb366abebd9f15dae453fea92c2924580d2950efdc0a250
Instruction Fuzzy Hash: 41C08CB5241A000A9E10A5FE1CC9E5E06885A0933A3240B7EF428E22D3E229E8932018

Uniqueness

Uniqueness Score: -1.00%

Function 00413E90, Relevance: 1.5, APIs: 1, Instructions: 14
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00413E90(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, WCHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexW(_a4,  &(_a12[0]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x00413e93
0x00413e9b
0x00413ea6
0x00413eac

APIs

CreateMutexW.KERNEL32(?,00000001,00000000,?,006B7A93,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000), ref: 00413EA6

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 998b8db590697b8cd4d3fdef7820781a6c6844faac2d13c8a1210bf1408346bf
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: B9C0127359034CAB8700EEA9DC05D9B33DC572860AB008419B918C7100C139E5908B60

Uniqueness

Uniqueness Score: -1.00%

Function 00424018, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00424018(void* __eax) {
				int _t4;

				_t4 = SetCurrentDirectoryW(E0040B278(__eax)); // executed
				asm("sbb eax, eax");
				return _t4 + 1;
			}

0x00424023
0x0042402b
0x0042402f

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,006B72C2,00000000,006B74D1,?,?,00000005,00000000,006B750A,?,?,00000000), ref: 00424023

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b41edb0a4df931d5a21137a954c81f509e59aa98b61e1410a4a2b386c852c7b5
Instruction ID: daf6799c843f8394e9bb8cef5a1a486137c4a768e82a56cfe4f83ef7845b6ded
Opcode Fuzzy Hash: b41edb0a4df931d5a21137a954c81f509e59aa98b61e1410a4a2b386c852c7b5
Instruction Fuzzy Hash: 9AB012A27903400ACE0075FF0CC9D1D00CCD95920F7200FBFB409D2143D57EC484001C

Uniqueness

Uniqueness Score: -1.00%

Function 006AB828, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AB828() {
				struct HINSTANCE__* _t2;

				 *0x6d5884 = 0;
				if( *0x6d5880 != 0) {
					_t2 =  *0x6d5880; // 0x0
					FreeLibrary(_t2); // executed
					 *0x6d5880 = 0;
					return 0;
				}
				return 0;
			}

0x006ab82a
0x006ab836
0x006ab838
0x006ab83e
0x006ab845
0x00000000
0x006ab845
0x006ab84a

APIs

FreeLibrary.KERNEL32(00000000,006B7594,00000000,006B75A3,?,?,?,?,?,006B8087), ref: 006AB83E

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2695f92f2fa7d24faa2f376818f6f7d9f006623dc7bec41f8e6a1cdd6a70376c
Instruction ID: 5844eadd80105d2e42a7600cd3cf7755a0515bcc5506321b481997a7c00cba5d
Opcode Fuzzy Hash: 2695f92f2fa7d24faa2f376818f6f7d9f006623dc7bec41f8e6a1cdd6a70376c
Instruction Fuzzy Hash: 4BC0E971D125A0CEC748AB78B9056513BE6E708306B44252BE006C6565D7344441FB01

Uniqueness

Uniqueness Score: -1.00%

Function 0042B89B, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042B89B() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0042B8B9);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0042b89d
0x0042b8a0
0x0042b8a3
0x0042b8ac
0x0042b8b1

APIs

SetErrorMode.KERNEL32(?,0042B8B9), ref: 0042B8AC

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 47be76df901b706332e82315827ab564c907f61500e99d3db6c4ca40acd98452
Instruction ID: ef9e139676d678b46c4a1b97fc79adffdf8f2034590dff84815287bca9bfeada
Opcode Fuzzy Hash: 47be76df901b706332e82315827ab564c907f61500e99d3db6c4ca40acd98452
Instruction Fuzzy Hash: 09B09B76F0C2005DB705B6E5741155C63D8D7C47103E144A7F104C2541D57C5440465C

Uniqueness

Uniqueness Score: -1.00%

Function 004103B4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004103B4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x004103b8
0x004103c4

APIs

GetSystemInfo.KERNEL32 ref: 004103B8

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB

Uniqueness

Uniqueness Score: -1.00%

Function 00478454, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00478454(intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t14;
				void _t15;
				void* _t24;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x6d3ff8 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x6d3ff4; // 0x0
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E0040714C(0x6c6a94, _t24, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0047844C(_t2, 0x47842c);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0047844C(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x6d3ff8;
						 *0x6d3ff8 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x6d3ff4 = _t35;
				}
				_t25 =  *0x6d3ff8;
				 *0x6d3ff8 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x6d3ff8;
			}

0x00478462
0x00478472
0x00478477
0x00478479
0x0047847e
0x00478480
0x0047848d
0x00478497
0x0047849f
0x004784a2
0x004784a2
0x004784a5
0x004784a5
0x004784a8
0x004784b2
0x004784b7
0x004784ba
0x004784bc
0x004784c3
0x004784ca
0x004784ca
0x004784d2
0x004784d7
0x004784dc
0x004784e2
0x004784e9

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?,0051557F,00517B00,?,?,?,00000000,?,005ACC13), ref: 00478472

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de729ddde1ab35689ebcf33e75b4741765b06252e55050244c733b99a5348007
Instruction ID: ab27ebc95461ba232bf13c55df377a678303af6bdd926863771c3d858f146c26
Opcode Fuzzy Hash: de729ddde1ab35689ebcf33e75b4741765b06252e55050244c733b99a5348007
Instruction Fuzzy Hash: B5111C746403169BD720DF19C881B82F7E5EF88354F14C53AE9588B385E7B4E904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004056E8, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E8(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E0040567C(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x6ceaf4 = 0;
					return 0;
				} else {
					_t10 =  *0x6ceae0; // 0x6ceadc
					_t14 = _t4;
					 *_t14 = 0x6ceadc;
					 *0x6ceae0 = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x6ceaf4 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x6ceaf0 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x004056ea
0x004056ec
0x004056ff
0x00405706
0x00405758
0x00405761
0x00405708
0x00405708
0x0040570e
0x00405710
0x00405716
0x0040571b
0x0040571e
0x00405722
0x0040572d
0x0040573a
0x00405742
0x00405744
0x00405751
0x00405755
0x00405755

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 372fdb11d68696d0a9504d5671ad1f35a7de9a6c0df944fae13850880d11afbd
Instruction ID: 40859592abdda3e3096ffbba1f4dd7bba12a73507ad120b9e5aa9eaa2caa55c8
Opcode Fuzzy Hash: 372fdb11d68696d0a9504d5671ad1f35a7de9a6c0df944fae13850880d11afbd
Instruction Fuzzy Hash: DEF0AFF2B003114FD7149FB89D40B127BE6F708354F10413EE909EB794D7B588008B88

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00625580, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00625580(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				struct _STARTUPINFOW _v96;
				struct _PROCESS_INFORMATION _v112;
				char _v116;
				long _v120;
				char _v124;
				long _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char* _t62;
				WCHAR* _t91;
				WCHAR* _t97;
				intOrPtr _t98;
				void* _t127;
				intOrPtr _t139;
				struct _FILETIME* _t141;
				void* _t145;
				void* _t146;
				intOrPtr _t147;

				_t145 = _t146;
				_t147 = _t146 + 0xffffff4c;
				_v156 = 0;
				_v160 = 0;
				_v16 = 0;
				_t127 = __eax;
				_t141 =  &_v12;
				_push(_t145);
				_push(0x62587b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				E00615A90(L"Starting 64-bit helper process.", __eax, _t141, 0x6d5368);
				_t62 =  *0x6cca0c; // 0x6d57b9
				if( *_t62 == 0) {
					E0060C688(L"Cannot utilize 64-bit features on this version of Windows", _t127);
				}
				if( *0x6d5364 == 0) {
					E0060C688(L"64-bit helper EXE wasn\'t extracted", _t127);
				}
				while(1) {
					 *0x6d5368 =  *0x6d5368 + 1;
					 *((intOrPtr*)(_t127 + 0x14)) = GetTickCount();
					if(QueryPerformanceCounter(_t141) == 0) {
						GetSystemTimeAsFileTime(_t141);
					}
					_v152 = GetCurrentProcessId();
					_v148 = 0;
					_v144 =  *0x6d5368;
					_v140 = 0;
					_v136 =  *((intOrPtr*)(_t127 + 0x14));
					_v132 = 0;
					_v128 = _t141->dwHighDateTime;
					_v124 = 0;
					_v120 = _t141->dwLowDateTime;
					_v116 = 0;
					E004244F0(L"\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
					_v20 = CreateNamedPipeW(E0040B278(_v16), 0x40080003, 6, 1, 0x2000, 0x2000, 0, 0);
					if(_v20 != 0xffffffff) {
						break;
					}
					if(GetLastError() != 0xe7) {
						E0060C7E4(L"CreateNamedPipe");
					}
				}
				_push(_t145);
				_push(0x625837);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v24 = CreateFileW(E0040B278(_v16), 0xc0000000, 0, 0x6cc098, 3, 0, 0);
				if(_v24 == 0xffffffff) {
					E0060C7E4(L"CreateFile");
				}
				_push(_t145);
				_push(0x625826);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v28 = 2;
				if(SetNamedPipeHandleState(_v24,  &_v28, 0, 0) == 0) {
					E0060C7E4(L"SetNamedPipeHandleState");
				}
				E00407760( &_v96, 0x44);
				_v96.cb = 0x44;
				E005C61D8( &_v156);
				_t91 = E0040B278(_v156);
				_v176 = 0x69;
				_v172 = 0;
				_v168 = _v24;
				_v164 = 0;
				E004244F0(L"helper %d 0x%x", 1,  &_v176,  &_v160);
				_t97 = E0040B278(_v160);
				_t98 =  *0x6d5364; // 0x0
				if(CreateProcessW(E0040B278(_t98), _t97, 0, 0, 0xffffffff, 0xc000000, 0, _t91,  &_v96,  &_v112) == 0) {
					E0060C7E4(L"CreateProcess");
				}
				 *((char*)(_t127 + 4)) = 1;
				 *((char*)(_t127 + 5)) = 0;
				 *(_t127 + 8) = _v112.hProcess;
				 *((intOrPtr*)(_t127 + 0x10)) = _v112.dwProcessId;
				 *((intOrPtr*)(_t127 + 0xc)) = _v20;
				_v20 = 0;
				CloseHandle(_v112.hThread);
				_v184 =  *((intOrPtr*)(_t127 + 0x10));
				_v180 = 0;
				E00615D14(L"Helper process PID: %u", _t127, 0,  &_v184, _t141, 0x6d5368);
				_pop(_t139);
				 *[fs:eax] = _t139;
				_push(E0062582D);
				return CloseHandle(_v24);
			}

0x00625581
0x00625583
0x0062558e
0x00625594
0x0062559a
0x0062559d
0x006255a4
0x006255a9
0x006255aa
0x006255af
0x006255b2
0x006255ba
0x006255bf
0x006255c7
0x006255ce
0x006255ce
0x006255da
0x006255e1
0x006255e1
0x006255e6
0x006255e6
0x006255ed
0x006255f8
0x006255fb
0x006255fb
0x00625609
0x0062560f
0x00625618
0x0062561e
0x00625628
0x0062562e
0x00625635
0x00625638
0x0062563e
0x00625641
0x00625655
0x0062567f
0x00625686
0x00000000
0x00000000
0x00625692
0x0062569d
0x0062569d
0x00625692
0x006256a9
0x006256aa
0x006256af
0x006256b2
0x006256d5
0x006256dc
0x006256e3
0x006256e3
0x006256ea
0x006256eb
0x006256f0
0x006256f3
0x006256f6
0x00625710
0x00625717
0x00625717
0x00625726
0x0062572b
0x00625740
0x0062574b
0x00625765
0x0062576f
0x00625779
0x0062577f
0x00625796
0x006257a1
0x006257a7
0x006257b9
0x006257c0
0x006257c0
0x006257c5
0x006257c9
0x006257d0
0x006257d6
0x006257dc
0x006257e1
0x006257e8
0x006257f0
0x006257f6
0x0062580a
0x00625811
0x00625814
0x00625817
0x00625825

APIs

GetTickCount.KERNEL32 ref: 006255E8
QueryPerformanceCounter.KERNEL32(00000000,00000000,0062587B,?,?,00000000,00000000,?,0062627A,?,00000000,00000000), ref: 006255F1
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006255FB
GetCurrentProcessId.KERNEL32(?,00000000,00000000,0062587B,?,?,00000000,00000000,?,0062627A,?,00000000,00000000), ref: 00625604
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062567A
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00625688
CreateFileW.KERNEL32(00000000,C0000000,00000000,006CC098,00000003,00000000,00000000,00000000,00625837,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006256D0
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00625826,?,00000000,C0000000,00000000,006CC098,00000003,00000000,00000000,00000000,00625837), ref: 00625709

Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB

CreateProcessW.KERNEL32 ref: 006257B2
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006257E8
CloseHandle.KERNEL32(000000FF,0062582D,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00625820

Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7

Strings

CreateFile, xrefs: 006256DE
Starting 64-bit helper process., xrefs: 006255B5
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00625650
SetNamedPipeHandleState, xrefs: 00625712
CreateProcess, xrefs: 006257BB
Cannot utilize 64-bit features on this version of Windows, xrefs: 006255C9
i, xrefs: 00625765
CreateNamedPipe, xrefs: 00625698
Helper process PID: %u, xrefs: 00625805
helper %d 0x%x, xrefs: 00625791
64-bit helper EXE wasn't extracted, xrefs: 006255DC
D, xrefs: 0062572B

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 4d5e5aa8dfd0420ffde64bac1c78408e7bed037a8b8300697dafef9d1627ca58
Instruction ID: dc9605a8fa85faa7e26666280e38f4bb9eef289f9d475eb09267a792e8d1a7e6
Opcode Fuzzy Hash: 4d5e5aa8dfd0420ffde64bac1c78408e7bed037a8b8300697dafef9d1627ca58
Instruction Fuzzy Hash: 2071A070E00B589EDB20DFA9DC46B9EBBF5EB09304F5041AAF509EB282D7749940CF65

Uniqueness

Uniqueness Score: -1.00%

Function 006A4AF0, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E006A4AF0(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				DWORD* _v16;
				struct _SHELLEXECUTEINFOW _v76;
				long _t41;
				intOrPtr _t69;
				void* _t71;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t73 = _t74;
				_t75 = _t74 + 0xffffffb8;
				_v8 = 0;
				_v12 = 0;
				_v16 = __ecx;
				_t71 = __edx;
				_t60 = __eax;
				_push(_t73);
				_push(0x6a4c3f);
				 *[fs:eax] = _t75;
				E006A490C(__eax,  &_v8,  *[fs:eax]);
				E006A4A1C( &_v12, _t60, _t71);
				E00407760( &_v76, 0x3c);
				_v76.cbSize = 0x3c;
				_v76.fMask = 0x800540;
				_v76.lpVerb = L"runas";
				_v76.lpFile = E0040B278(_v8);
				_v76.lpParameters = E0040B278(_t71);
				_v76.lpDirectory = E0040B278(_v12);
				_v76.nShow = 1;
				if(ShellExecuteExW( &_v76) == 0) {
					if(GetLastError() == 0x4c7) {
						E00428FD4();
					}
					E0060C7E4(L"ShellExecuteEx");
				}
				if(_v76.hProcess == 0) {
					E0060C688(L"ShellExecuteEx returned hProcess=0", _t60);
				}
				_push(_t73);
				_push(0x6a4c1d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t75;
				do {
					E006A4618();
					_t41 = MsgWaitForMultipleObjects(1,  &(_v76.hProcess), 0, 0xffffffff, 0x4ff);
				} while (_t41 == 1);
				if(_t41 == 0xffffffff) {
					E0060C7E4(L"MsgWaitForMultipleObjects");
				}
				E006A4618();
				if(GetExitCodeProcess(_v76.hProcess, _v16) == 0) {
					E0060C7E4(L"GetExitCodeProcess");
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(0x6a4c24);
				return CloseHandle(_v76.hProcess);
			}

0x006a4af1
0x006a4af3
0x006a4afa
0x006a4afd
0x006a4b00
0x006a4b03
0x006a4b05
0x006a4b09
0x006a4b0a
0x006a4b12
0x006a4b1a
0x006a4b22
0x006a4b31
0x006a4b36
0x006a4b3d
0x006a4b49
0x006a4b54
0x006a4b5e
0x006a4b69
0x006a4b6c
0x006a4b7e
0x006a4b8a
0x006a4b8c
0x006a4b8c
0x006a4b96
0x006a4b96
0x006a4b9f
0x006a4ba6
0x006a4ba6
0x006a4bad
0x006a4bae
0x006a4bb3
0x006a4bb6
0x006a4bb9
0x006a4bb9
0x006a4bcd
0x006a4bd2
0x006a4bda
0x006a4be1
0x006a4be1
0x006a4be6
0x006a4bfa
0x006a4c01
0x006a4c01
0x006a4c08
0x006a4c0b
0x006a4c0e
0x006a4c1c

APIs

Part of subcall function 006A490C: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4938
Part of subcall function 006A490C: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4951
Part of subcall function 006A490C: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A497B
Part of subcall function 006A490C: CloseHandle.KERNEL32(00000000), ref: 006A4999

Part of subcall function 006A4A1C: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A4AAD,?,00000097,00000000,?,006A4B27,00000000,006A4C3F,?,?,00000001), ref: 006A4A4B

ShellExecuteExW.SHELL32(0000003C), ref: 006A4B77
GetLastError.KERNEL32(0000003C,00000000,006A4C3F,?,?,00000001), ref: 006A4B80
MsgWaitForMultipleObjects.USER32 ref: 006A4BCD
GetExitCodeProcess.KERNEL32 ref: 006A4BF3
CloseHandle.KERNEL32(00000000,006A4C24,00000000,00000000,000000FF,000004FF,00000000,006A4C1D,?,0000003C,00000000,006A4C3F,?,?,00000001), ref: 006A4C17

Strings

runas, xrefs: 006A4B44
ShellExecuteEx returned hProcess=0, xrefs: 006A4BA1
<, xrefs: 006A4B36
MsgWaitForMultipleObjects, xrefs: 006A4BDC
GetExitCodeProcess, xrefs: 006A4BFC
ShellExecuteEx, xrefs: 006A4B91

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: f58d892ecbf3957924baaf94d627c3f4773a6fb568573e385cd84aadd096ba2e
Instruction ID: af08106467425c78c69e3bcdac59d2dec0135d8603cf53517b0e3d9c80496904
Opcode Fuzzy Hash: f58d892ecbf3957924baaf94d627c3f4773a6fb568573e385cd84aadd096ba2e
Instruction Fuzzy Hash: C0318470A01208AFDB10FFE9CC82A9DB6A5EF8A314F500579F514E7281DBB49D408F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D4, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040E0D4(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040E0B0(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040E0B0(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040DAF8( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040E0B0(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040DAF8(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040DAF8( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040DAF8(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040DAF8(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040e0e0
0x0040e0e3
0x0040e0e9
0x0040e0f6
0x0040e0fa
0x0040e139
0x0040e140
0x0040e180
0x00000000
0x0040e142
0x0040e14a
0x0040e15b
0x0040e161
0x0040e167
0x0040e16f
0x0040e175
0x0040e183
0x0040e185
0x0040e188
0x0040e18a
0x0040e18c
0x0040e18c
0x0040e18f
0x0040e197
0x0040e1a8
0x0040e26f
0x0040e1ba
0x0040e1be
0x0040e1c0
0x0040e1c2
0x0040e1c4
0x0040e1c4
0x0040e1cf
0x0040e1df
0x0040e1e3
0x0040e1e5
0x0040e1e7
0x0040e1e9
0x0040e1e9
0x0040e1ef
0x0040e207
0x0040e20e
0x0040e214
0x0040e230
0x0040e232
0x0040e259
0x0040e26b
0x0040e26d
0x00000000
0x0040e26d
0x0040e230
0x0040e20e
0x00000000
0x0040e1cf
0x0040e285
0x0040e285
0x0040e197
0x0040e175
0x0040e161
0x0040e14a
0x0040e0fc
0x0040e107
0x0040e10b
0x00000000
0x0040e10d
0x0040e10d
0x0040e118
0x0040e11c
0x0040e121
0x00000000
0x0040e123
0x0040e12f
0x0040e12f
0x0040e121
0x0040e10b
0x0040e28a
0x0040e293

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041CF88,?,?), ref: 0040E0F1
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF88,?,?), ref: 0040E202
FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E214
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E220
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E265

Strings

\, xrefs: 0040E232
GetLongPathNameW, xrefs: 0040E0FC
kernel32.dll, xrefs: 0040E0EC

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89

Uniqueness

Uniqueness Score: -1.00%

Function 006A52B8, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E006A52B8(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, short* _a8, intOrPtr _a12, void* _a16, char _a20, intOrPtr _a24, intOrPtr* _a32, intOrPtr _a36, intOrPtr* _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				char _v5;
				intOrPtr _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v60;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr* _t70;
				intOrPtr* _t74;
				signed int _t77;
				signed int _t78;
				intOrPtr* _t79;
				signed int _t82;
				signed int _t83;
				short* _t87;
				intOrPtr _t106;
				intOrPtr _t123;
				void* _t125;
				char _t126;
				intOrPtr* _t127;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr* _t148;
				void* _t150;
				void* _t151;
				intOrPtr _t152;
				intOrPtr _t164;

				_t150 = _t151;
				_t152 = _t151 + 0xffffff8c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t147 = __ecx;
				_t123 = __edx;
				_t145 = __eax;
				_push(_t150);
				_push(0x6a54d5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152;
				if( *0x6d546c == 0) {
					_v5 = 0;
					__eflags = 0;
					_pop(_t136);
					 *[fs:eax] = _t136;
					_push(E006A54DC);
					return 0;
				} else {
					E00407760( &_v120, 0x60);
					_v120 = 0x60;
					if(_a20 != 0) {
						_v108 = _v108 | 0x00002000;
					}
					_v112 =  *0x6d1634;
					_t70 =  *0x6cceac; // 0x6d479c
					if(IsIconic( *( *_t70 + 0x188)) == 0) {
						_t74 =  *0x6cceac; // 0x6d479c
						_t77 = GetWindowLongW( *( *_t74 + 0x188), 0xfffffff0);
						__eflags = _t77 & 0x10000000;
						_t12 = (_t77 & 0x10000000) == 0;
						__eflags = _t12;
						_t78 = _t77 & 0xffffff00 | _t12;
					} else {
						_t78 = 1;
					}
					if(_t78 == 0) {
						_t79 =  *0x6cceac; // 0x6d479c
						_t82 = GetWindowLongW( *( *_t79 + 0x188), 0xffffffec);
						__eflags = _t82 & 0x00000080;
						_t17 = (_t82 & 0x00000080) != 0;
						__eflags = _t17;
						_t83 = _t82 & 0xffffff00 | _t17;
					} else {
						_t83 = 1;
					}
					if(_t83 == 0) {
						_v116 = _t145;
					} else {
						_v116 = 0;
					}
					_v104 = _a44;
					_v100 = _a52;
					_v96 = _a48;
					_v92 = _t123;
					_v88 = _t147;
					_t87 = _a8;
					if(_t87 != 0 &&  *_t87 != 0) {
						_v60 = _a8;
					}
					if(_a24 != 0) {
						_v36 = 0x6a5290;
						_v32 = _a24;
					}
					_v12 = 0;
					_push(_t150);
					_push(0x6a54bc);
					_push( *[fs:edx]);
					 *[fs:edx] = _t152;
					_t125 = _a36 + 1;
					if(_t125 != 0) {
						_t106 =  *0x54808c; // 0x5480e4
						_v12 = E00466A5C(0, 1, _t145, _t106);
						_v108 = _v108 | 0x00000010;
						_t125 = _t125 - 1;
						if(_t125 >= 0) {
							_t126 = _t125 + 1;
							_t164 = _t126;
							_v24 = _t126;
							_t127 = _a40;
							_t148 = _a32;
							do {
								_t145 = E0054BA48(_v12);
								E0054B708(_t145,  *_t127, _t164);
								 *((intOrPtr*)(_t145 + 0x18)) =  *_t148;
								_t148 = _t148 + 4;
								_t127 = _t127 + 4;
								_t45 =  &_v24;
								 *_t45 = _v24 - 1;
							} while ( *_t45 != 0);
						}
						_v80 = E0054BA54(_v12);
						_v84 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 8));
					}
					E005C7DDC();
					_v16 = GetActiveWindow();
					_v20 = E005ABB4C(0, _t125, _t145, _t147);
					 *[fs:eax] = _t152;
					_v5 =  *0x6d546c( &_v120, _a12, 0, _a4,  *[fs:eax], 0x6a549f, _t150) == 0;
					_pop(_t140);
					 *[fs:eax] = _t140;
					_push(E006A54A6);
					E005ABC0C(_v20);
					SetActiveWindow(_v16);
					return E005C7DDC();
				}
			}

0x006a52b9
0x006a52bb
0x006a52be
0x006a52bf
0x006a52c0
0x006a52c1
0x006a52c3
0x006a52c5
0x006a52c9
0x006a52ca
0x006a52cf
0x006a52d2
0x006a52dc
0x006a54c3
0x006a54c7
0x006a54c9
0x006a54cc
0x006a54cf
0x006a54d4
0x006a52e2
0x006a52ec
0x006a52f1
0x006a52fc
0x006a52fe
0x006a52fe
0x006a530a
0x006a530d
0x006a5322
0x006a5328
0x006a5338
0x006a533d
0x006a5342
0x006a5342
0x006a5342
0x006a5324
0x006a5324
0x006a5324
0x006a5347
0x006a534d
0x006a535d
0x006a5362
0x006a5364
0x006a5364
0x006a5364
0x006a5349
0x006a5349
0x006a5349
0x006a5369
0x006a5372
0x006a536b
0x006a536d
0x006a536d
0x006a5378
0x006a537e
0x006a5384
0x006a5387
0x006a538a
0x006a538d
0x006a5392
0x006a539d
0x006a539d
0x006a53a4
0x006a53a6
0x006a53b0
0x006a53b0
0x006a53b5
0x006a53ba
0x006a53bb
0x006a53c0
0x006a53c3
0x006a53c9
0x006a53cc
0x006a53ce
0x006a53e2
0x006a53e5
0x006a53e9
0x006a53ec
0x006a53ee
0x006a53ee
0x006a53ef
0x006a53f2
0x006a53f5
0x006a53f8
0x006a5400
0x006a5406
0x006a540d
0x006a5410
0x006a5413
0x006a5416
0x006a5416
0x006a5416
0x006a53f8
0x006a5423
0x006a542f
0x006a542f
0x006a5437
0x006a5441
0x006a544b
0x006a5459
0x006a5472
0x006a5478
0x006a547b
0x006a547e
0x006a5486
0x006a548f
0x006a549e
0x006a549e

APIs

IsIconic.USER32(?), ref: 006A531B
GetWindowLongW.USER32(?,000000F0), ref: 006A5338
GetWindowLongW.USER32(?,000000EC), ref: 006A535D

Part of subcall function 005ABC0C: IsWindow.USER32(?), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(?,000000FF), ref: 005ABC29

GetActiveWindow.USER32 ref: 006A543C
SetActiveWindow.USER32(00000005,006A54A6,006A54BC,?,?,000000EC,?,000000F0,00000000,006A54D5,?,00000000,?,00000000), ref: 006A548F

Strings

`, xrefs: 006A52F1

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$ActiveLong$EnableIconic
String ID: `
API String ID: 4222481217-2679148245
Opcode ID: f82f3a88dc6d79e55ae111fc2833cd54c161982065b92a2fb1a1cf7feaba2b23
Instruction ID: 0fd76088e2c4d2a0b73483b86e0718ee358c57a1ce37f9eef895c2ea124613ec
Opcode Fuzzy Hash: f82f3a88dc6d79e55ae111fc2833cd54c161982065b92a2fb1a1cf7feaba2b23
Instruction Fuzzy Hash: 3C613574A04608AFDB00EFA9C885A9EBBF6FB4A350F55406AF805E7361E7749D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B76A0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E006B76A0(void* __eax, void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				struct _WIN32_FIND_DATAW _v604;
				char _v608;
				char _v612;
				void* _t59;
				intOrPtr _t70;
				intOrPtr _t73;
				signed int _t77;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = _t81;
				_t82 = _t81 + 0xfffffda0;
				_v612 = 0;
				_v608 = 0;
				_v8 = 0;
				_t59 = __eax;
				_push(_t80);
				_push(0x6b77dd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				E0040B4C8( &_v608, L"isRS-???.tmp", __eax);
				_v12 = FindFirstFileW(E0040B278(_v608),  &_v604);
				if(_v12 == 0xffffffff) {
					_pop(_t70);
					 *[fs:eax] = _t70;
					_push(E006B77E4);
					E0040A228( &_v612, 2);
					return E0040A1C8( &_v8);
				} else {
					_push(_t80);
					_push(0x6b77b0);
					_push( *[fs:eax]);
					 *[fs:eax] = _t82;
					do {
						if(E00424198( &(_v604.cFileName), 5, L"isRS-") == 0 && (_v604.dwFileAttributes & 0x00000010) == 0) {
							E0040B318( &_v612, 0x104,  &(_v604.cFileName));
							E0040B4C8( &_v8, _v612, _t59);
							_t77 = _v604.dwFileAttributes;
							if((_t77 & 0x00000001) != 0) {
								SetFileAttributesW(E0040B278(_v8), _t77 & 0xfffffffe);
							}
							E00423A18(_v8);
						}
					} while (FindNextFileW(_v12,  &_v604) != 0);
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E006B77B7);
					return FindClose(_v12);
				}
			}

0x006b76a1
0x006b76a3
0x006b76ad
0x006b76b3
0x006b76b9
0x006b76bc
0x006b76c0
0x006b76c1
0x006b76c6
0x006b76c9
0x006b76e0
0x006b76f6
0x006b76fd
0x006b77b9
0x006b77bc
0x006b77bf
0x006b77cf
0x006b77dc
0x006b7703
0x006b7705
0x006b7706
0x006b770b
0x006b770e
0x006b7711
0x006b7728
0x006b7744
0x006b7754
0x006b7759
0x006b7765
0x006b7774
0x006b7774
0x006b777c
0x006b777c
0x006b7791
0x006b779b
0x006b779e
0x006b77a1
0x006b77af
0x006b77af

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6,?,00000000,00000000,00000000), ref: 006B76F1
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B7774
FindNextFileW.KERNEL32(000000FF,?,00000000,006B77B0,?,00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6), ref: 006B778C
FindClose.KERNEL32(000000FF,006B77B7,006B77B0,?,00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6), ref: 006B77AA

Strings

isRS-???.tmp, xrefs: 006B76D9
isRS-, xrefs: 006B7711

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 72a87d45f8f4311508266c42e4514f85dd211430a417353e9b2e3adf713046a6
Instruction ID: 79e9ceeb2d56e6557c801ea3163462384df166d2aae906ae326ab386235d3f59
Opcode Fuzzy Hash: 72a87d45f8f4311508266c42e4514f85dd211430a417353e9b2e3adf713046a6
Instruction Fuzzy Hash: 6631A470A04618AFCB10DB65CC95ADDB7B9EBC8304F5145FAE804B3391EB389E808B58

Uniqueness

Uniqueness Score: -1.00%

Function 005C7E30, Relevance: 9.1, APIs: 6, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E005C7E30(WCHAR* __eax, void* __ebx, signed int __ecx, WCHAR* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr* _t28;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr* _t37;
				signed int _t41;
				intOrPtr* _t43;
				WCHAR* _t62;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t76;
				WCHAR* _t78;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t76 = __edi;
				_t80 = _t81;
				_t82 = _t81 + 0xfffffff0;
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t78 = __edx;
				_t62 = __eax;
				if( *0x6d4800 != 0) {
					_v8 = _v8 | 0x00180000;
				}
				E005C7DDC();
				_push(_t80);
				_push(0x5c7f56);
				_push( *[fs:edx]);
				 *[fs:edx] = _t82;
				_t28 =  *0x6cceac; // 0x6d479c
				if(IsIconic( *( *_t28 + 0x188)) == 0) {
					_t32 =  *0x6cceac; // 0x6d479c
					_t36 = GetWindowLongW( *( *_t32 + 0x188), 0xfffffff0) & 0xffffff00 | (_t35 & 0x10000000) == 0x00000000;
				} else {
					_t36 = 1;
				}
				if(_t36 == 0) {
					_t37 =  *0x6cceac; // 0x6d479c
					_t41 = GetWindowLongW( *( *_t37 + 0x188), 0xffffffec) & 0xffffff00 | (_t40 & 0x00000080) != 0x00000000;
				} else {
					_t41 = 1;
				}
				if(_t41 == 0) {
					_t43 =  *0x6cceac; // 0x6d479c
					_v12 = E005B8BCC( *_t43, _t62, _t78, _t62, _t76, _t78, _v8);
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E005C7F5D);
					return E005C7DDC();
				} else {
					_v16 = GetActiveWindow();
					_v20 = E005ABB4C(0, _t62, _t76, _t78);
					_push(_t80);
					_push(0x5c7f19);
					_push( *[fs:eax]);
					 *[fs:eax] = _t82;
					_v12 = MessageBoxW(0, _t62, _t78, _v8 | 0x00002000);
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E005C7F20);
					E005ABC0C(_v20);
					return SetActiveWindow(_v16);
				}
			}

0x005c7e30
0x005c7e31
0x005c7e33
0x005c7e36
0x005c7e37
0x005c7e38
0x005c7e3b
0x005c7e3d
0x005c7e46
0x005c7e48
0x005c7e48
0x005c7e54
0x005c7e5b
0x005c7e5c
0x005c7e61
0x005c7e64
0x005c7e67
0x005c7e7c
0x005c7e82
0x005c7e9c
0x005c7e7e
0x005c7e7e
0x005c7e7e
0x005c7ea1
0x005c7ea7
0x005c7ebe
0x005c7ea3
0x005c7ea3
0x005c7ea3
0x005c7ec3
0x005c7f2b
0x005c7f3b
0x005c7f40
0x005c7f43
0x005c7f46
0x005c7f55
0x005c7ec5
0x005c7eca
0x005c7ed4
0x005c7ed9
0x005c7eda
0x005c7edf
0x005c7ee2
0x005c7ef7
0x005c7efc
0x005c7eff
0x005c7f02
0x005c7f0a
0x005c7f18
0x005c7f18

APIs

IsIconic.USER32(?), ref: 005C7E75
GetWindowLongW.USER32(?,000000F0), ref: 005C7E92
GetWindowLongW.USER32(?,000000EC), ref: 005C7EB7
GetActiveWindow.USER32 ref: 005C7EC5
MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C7EF2
SetActiveWindow.USER32(00000000,005C7F20,000000E5,00000000,005C7F19,?,?,000000EC,?,000000F0,?,00000000,005C7F56,?,?,00000000), ref: 005C7F13

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 89247077e473a3f80b344840f48a9dcafb7ad50444f056bad934636e3a99670f
Instruction ID: 04038d4d1975b4c22e4e20a0d885d21cf8c5e77e15af7471f3fa6a64eef30c34
Opcode Fuzzy Hash: 89247077e473a3f80b344840f48a9dcafb7ad50444f056bad934636e3a99670f
Instruction Fuzzy Hash: F3316E75A08208AFDB00DFA9D885EA97BE9FB8E754F1144A9F504D77A1CB34AD00DB14

Uniqueness

Uniqueness Score: -1.00%

Function 006B79F4, Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E006B79F4(char __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v21;
				signed int _v22;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v60;
				void* _t62;
				signed int _t110;
				intOrPtr _t129;
				signed int _t130;
				char _t134;
				char _t139;
				char _t142;
				char* _t149;
				intOrPtr* _t158;
				void* _t159;
				intOrPtr _t181;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t192;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr* _t204;
				intOrPtr _t206;
				intOrPtr _t207;
				void* _t216;

				_t216 = __fp0;
				_t202 = __edi;
				_t157 = __ebx;
				_t206 = _t207;
				_t159 = 7;
				do {
					_push(0);
					_push(0);
					_t159 = _t159 - 1;
				} while (_t159 != 0);
				_push(__ebx);
				_push(__edi);
				_t204 =  *0x6cceac; // 0x6d479c
				_push(_t206);
				_push(0x6b7db9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t207;
				E005C5D2C(1, __ebx,  &_v36, __edi, _t204);
				_t62 = E00422360(_v36, _t159, L"/REG");
				_t209 = _t62;
				if(_t62 != 0) {
					E005C5D2C(1, __ebx,  &_v40, __edi, _t204);
					__eflags = E00422360(_v40, _t159, L"/REGU");
					if(__eflags != 0) {
						__eflags = 0;
						_pop(_t181);
						 *[fs:eax] = _t181;
						_push(E006B7DC0);
						E0040A228( &_v60, 7);
						return E0040A228( &_v20, 4);
					} else {
						_v21 = 0;
						goto L6;
					}
				} else {
					_v21 = 1;
					L6:
					E005B8250( *_t204, L"Setup", _t209);
					ShowWindow( *( *_t204 + 0x188), 5);
					E006AE22C();
					_v28 = E00413E90(0, 0, L"Inno-Setup-RegSvr-Mutex");
					ShowWindow( *( *_t204 + 0x188), 0);
					if(_v28 != 0) {
						do {
							E005B8704( *_t204);
						} while (MsgWaitForMultipleObjects(1,  &_v28, 0, 0xffffffff, 0x4ff) == 1);
					}
					ShowWindow( *( *_t204 + 0x188), 5);
					_push(_t206);
					_push(0x6b7d8a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t207;
					E005C5D2C(0, _t157,  &_v44, _t202, _t204);
					E005C4DEC(_v44, _t157,  &_v8, L".msg", _t202, _t204);
					E005C5D2C(0, _t157,  &_v48, _t202, _t204);
					E005C4DEC(_v48, _t157,  &_v12, L".lst", _t202, _t204);
					if(E005C55D8(_v12) == 0) {
						E00423A18(_v12);
						E00423A18(_v8);
						_push(_t206);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						E006B7954(_t157,  &_v12, _t202, _t204, __eflags);
						_pop(_t189);
						 *[fs:eax] = _t189;
						_t190 = 0x6b7d5a;
						 *[fs:eax] = _t190;
						_push(E006B7D91);
						__eflags = _v28;
						if(_v28 != 0) {
							ReleaseMutex(_v28);
							return CloseHandle(_v28);
						}
						return 0;
					} else {
						E005CC438(_v8, _t157, 1, 0, _t202, _t204);
						_t110 =  *0x6ccdb8; // 0x6d5028
						E005C7DC0(_t110 & 0xffffff00 | ( *(_t110 + 0x4c) & 0x00000001) != 0x00000000);
						_t192 =  *0x6ccec0; // 0x6d4c14
						_t26 = _t192 + 0x2f8; // 0x0
						E005B8250( *_t204,  *_t26,  *(_t110 + 0x4c) & 0x00000001);
						_push(_t206);
						_push(0x6b7d26);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						E006AB2D4(_t157,  *_t26, _t202, _t204);
						_v32 = E005CAD34(1, 1, 0, 2);
						_push(_t206);
						_push(0x6b7d0c);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						while(E005CAFD4(_v32) == 0) {
							E005CAFE4(_v32, _t157,  &_v16, _t202, _t204, __eflags);
							_t157 = _v16;
							__eflags = _t157;
							if(_t157 != 0) {
								_t158 = _t157 - 4;
								__eflags = _t158;
								_t157 =  *_t158;
							}
							__eflags = _t157 - 4;
							if(__eflags > 0) {
								__eflags =  *_v16 - 0x5b;
								if(__eflags == 0) {
									__eflags =  *((short*)(_v16 + 6)) - 0x5d;
									if(__eflags == 0) {
										E0040B698(_v16, 0x7fffffff, 5,  &_v20);
										_t129 = _v16;
										__eflags =  *((short*)(_t129 + 4)) - 0x71;
										if( *((short*)(_t129 + 4)) == 0x71) {
											L19:
											_t130 = 1;
										} else {
											__eflags = _v21;
											if(_v21 == 0) {
												L18:
												_t130 = 0;
											} else {
												_t149 =  *0x6cccb0; // 0x6d57bb
												__eflags =  *_t149;
												if( *_t149 == 0) {
													goto L19;
												} else {
													goto L18;
												}
											}
										}
										_v22 = _t130;
										_push(_t206);
										_push(0x6b7c81);
										_push( *[fs:eax]);
										 *[fs:eax] = _t207;
										_t134 = ( *(_v16 + 2) & 0x0000ffff) - 0x53;
										__eflags = _t134;
										if(_t134 == 0) {
											_push(_v22 & 0x000000ff);
											E00624CA4(0, _t157, _v20, 1, _t202, _t204, _t216);
										} else {
											_t139 = _t134 - 1;
											__eflags = _t139;
											if(_t139 == 0) {
												__eflags = 0;
												E0062541C(0, _t157, _v20, _t204, 0, _t216);
											} else {
												_t142 = _t139 - 0x1f;
												__eflags = _t142;
												if(_t142 == 0) {
													_push(_v22 & 0x000000ff);
													E00624CA4(0, _t157, _v20, 0, _t202, _t204, _t216);
												} else {
													__eflags = _t142 - 1;
													if(__eflags == 0) {
														E00624438(_v20, _t157, _t204);
													}
												}
											}
										}
										_pop(_t199);
										 *[fs:eax] = _t199;
									}
								}
							}
						}
						_pop(_t196);
						 *[fs:eax] = _t196;
						_push(E006B7D13);
						return E00408444(_v32);
					}
				}
			}

0x006b79f4
0x006b79f4
0x006b79f4
0x006b79f5
0x006b79f7
0x006b79fc
0x006b79fc
0x006b79fe
0x006b7a00
0x006b7a00
0x006b7a03
0x006b7a05
0x006b7a06
0x006b7a0e
0x006b7a0f
0x006b7a14
0x006b7a17
0x006b7a22
0x006b7a2f
0x006b7a34
0x006b7a36
0x006b7a46
0x006b7a58
0x006b7a5a
0x006b7d91
0x006b7d93
0x006b7d96
0x006b7d99
0x006b7da6
0x006b7db8
0x006b7a60
0x006b7a60
0x00000000
0x006b7a60
0x006b7a38
0x006b7a38
0x006b7a64
0x006b7a6b
0x006b7a7b
0x006b7a80
0x006b7a93
0x006b7aa1
0x006b7aaa
0x006b7aac
0x006b7aae
0x006b7ac7
0x006b7aac
0x006b7ad7
0x006b7ade
0x006b7adf
0x006b7ae4
0x006b7ae7
0x006b7aef
0x006b7aff
0x006b7b09
0x006b7b19
0x006b7b28
0x006b7d30
0x006b7d38
0x006b7d3f
0x006b7d45
0x006b7d48
0x006b7d4b
0x006b7d52
0x006b7d55
0x006b7d66
0x006b7d69
0x006b7d6c
0x006b7d71
0x006b7d75
0x006b7d7b
0x00000000
0x006b7d84
0x006b7d89
0x006b7b2e
0x006b7b35
0x006b7b3a
0x006b7b46
0x006b7b4b
0x006b7b51
0x006b7b59
0x006b7b60
0x006b7b61
0x006b7b66
0x006b7b69
0x006b7b6c
0x006b7b86
0x006b7b8b
0x006b7b8c
0x006b7b91
0x006b7b94
0x006b7ce6
0x006b7ba2
0x006b7ba7
0x006b7baa
0x006b7bac
0x006b7bae
0x006b7bae
0x006b7bb1
0x006b7bb1
0x006b7bb3
0x006b7bb6
0x006b7bbf
0x006b7bc3
0x006b7bcc
0x006b7bd1
0x006b7be8
0x006b7bed
0x006b7bf0
0x006b7bf5
0x006b7c0b
0x006b7c0b
0x006b7bf7
0x006b7bf7
0x006b7bfb
0x006b7c07
0x006b7c07
0x006b7bfd
0x006b7bfd
0x006b7c02
0x006b7c05
0x00000000
0x00000000
0x00000000
0x00000000
0x006b7c05
0x006b7bfb
0x006b7c0d
0x006b7c12
0x006b7c13
0x006b7c18
0x006b7c1b
0x006b7c25
0x006b7c25
0x006b7c29
0x006b7c54
0x006b7c5c
0x006b7c2b
0x006b7c2b
0x006b7c2b
0x006b7c2e
0x006b7c70
0x006b7c72
0x006b7c30
0x006b7c30
0x006b7c30
0x006b7c34
0x006b7c41
0x006b7c49
0x006b7c36
0x006b7c36
0x006b7c39
0x006b7c66
0x006b7c66
0x006b7c39
0x006b7c34
0x006b7c2e
0x006b7c79
0x006b7c7c
0x006b7c7c
0x006b7bd1
0x006b7bc3
0x006b7bb6
0x006b7cf8
0x006b7cfb
0x006b7cfe
0x006b7d0b
0x006b7d0b
0x006b7b28

APIs

ShowWindow.USER32(?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000,00000000,?,006B829A,00000000,006B82A4,?,00000000), ref: 006B7A7B
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000,00000000), ref: 006B7AA1
MsgWaitForMultipleObjects.USER32 ref: 006B7AC2
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000), ref: 006B7AD7

Part of subcall function 005C5D2C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C5DC1,?,?,?,00000001,?,0060FCDE,00000000,0060FD49), ref: 005C5D61

Strings

.msg, xrefs: 006B7AFA
(Pm, xrefs: 006B7B3A
Inno-Setup-RegSvr-Mutex, xrefs: 006B7A85
Setup, xrefs: 006B7A66
.lst, xrefs: 006B7B14
/REGU, xrefs: 006B7A4E
/REG, xrefs: 006B7A2A

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: (Pm$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-2153116510
Opcode ID: 5566d6d2da1f2f86e2fdd3a92613041ec8b3e8af727592a06184f6964a83b7a2
Instruction ID: 8ff4ba97fe8783844e50e44af70b96f4c7a98e8a8f2e68f95f10e32dd77d20f9
Opcode Fuzzy Hash: 5566d6d2da1f2f86e2fdd3a92613041ec8b3e8af727592a06184f6964a83b7a2
Instruction Fuzzy Hash: 9E91B1B06082099FDB10EBA4D856FEEBBB6FF88304F514469F500A7691DB39AD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0062967C, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0062967C(char __eax, void* __ebx, signed char __edx, void* __edi, void* __esi, void* __fp0, char _a4, char _a8, intOrPtr _a12) {
				char _v5;
				char _v6;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v60;
				void* __ecx;
				char _t65;
				void* _t69;
				void* _t112;
				signed char _t135;
				intOrPtr _t137;
				intOrPtr _t164;
				intOrPtr _t178;
				void* _t188;
				signed int _t189;
				char _t191;
				intOrPtr _t193;
				intOrPtr _t194;

				_t210 = __fp0;
				_t187 = __edi;
				_t193 = _t194;
				_t137 = 6;
				do {
					_push(0);
					_push(0);
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_push(_t137);
				_t1 =  &_v8;
				_t138 =  *_t1;
				 *_t1 = _t137;
				_push(__edi);
				_v5 =  *_t1;
				_t135 = __edx;
				_t191 = __eax;
				_push(_t193);
				_push(0x62993e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				_v6 = 1;
				E005C522C(__eax,  &_v12);
				if(E00422360(_v12,  *_t1, L".hlp") != 0) {
					E005C522C(_t191,  &_v24);
					_t65 = E00422360(_v24, _t138, L".chm");
					__eflags = _t65;
					if(_t65 == 0) {
						E005C4DEC(_t191, _t135,  &_v28, L".chw", __edi, _t191);
						__eflags = 0;
						E0062967C(_v28, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
						_pop(_t138);
					}
				} else {
					E005C4DEC(_t191, _t135,  &_v16, L".gid", __edi, _t191);
					E0062967C(_v16, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
					E005C4DEC(_t191, _t135,  &_v20, L".fts", __edi, _t191);
					E0062967C(_v20, _t135, _t135, _t187, _t191, __fp0, 0, 0, _a12);
					_pop(_t138);
				}
				E005C522C(_t191,  &_v32);
				_t69 = E00422360(_v32, _t138, L".lnk");
				_t197 = _t69;
				if(_t69 == 0) {
					E00624750(_t191, _t135);
				}
				if(E0060BF54(_t135, _t191, _t197) == 0) {
					L25:
					_pop(_t164);
					 *[fs:eax] = _t164;
					_push(E00629945);
					E0040A228( &_v60, 5);
					return E0040A228( &_v32, 6);
				} else {
					_v40 = _t191;
					_v36 = 0x11;
					_t141 = 0;
					E00615D14(L"Deleting file: %s", _t135, 0,  &_v40, _t187, _t191);
					_t199 = _a4;
					if(_a4 != 0) {
						_t189 = E0060BC90(_t135, _t191, _t199);
						if(_t189 != 0xffffffff) {
							_t201 = _t189 & 0x00000001;
							if((_t189 & 0x00000001) != 0) {
								_t141 = 0xfffffffe & _t189;
								_t112 = E0060C03C(_t135, 0xfffffffe & _t189, _t191, _t201);
								_t202 = _t112;
								if(_t112 == 0) {
									E00615A90(L"Failed to strip read-only attribute.", _t135, _t189, _t191);
								} else {
									E00615A90(L"Stripped read-only attribute.", _t135, _t189, _t191);
								}
							}
						}
					}
					if(E0060BAB8(_t135, _t191, _t202) != 0) {
						__eflags = _v5;
						if(_v5 != 0) {
							SHChangeNotify(4, 5, E0040B278(_t191), 0);
							E005C51D4(_t191, _t141,  &_v60);
							E0060FFA0( *((intOrPtr*)(_a12 - 0x3c)), _t141, _v60, _t210);
						}
						goto L25;
					} else {
						_t188 = GetLastError();
						if(_a8 == 0 ||  *((char*)(_a12 - 0x29)) == 0) {
							L22:
							_v40 = _t188;
							_v36 = 0;
							E00615D14(L"Failed to delete the file; it may be in use (%d).", _t135, 0,  &_v40, _t188, _t191);
							_v6 = 0;
							goto L25;
						} else {
							if(_t188 == 5) {
								L20:
								if((E0060BC90(_t135, _t191, _t207) & 0x00000001) != 0) {
									goto L22;
								}
								_v40 = _t188;
								_v36 = 0;
								E00615D14(L"The file appears to be in use (%d). Will delete on restart.", _t135, 0,  &_v40, _t188, _t191);
								_push(_t193);
								 *[fs:eax] = _t194;
								E0060D210(_t135, _t135, _t191, _t188, _t191);
								 *((char*)( *((intOrPtr*)(_a12 - 0x30)) + 0x1c)) = 1;
								E005C5124(_t191,  &_v48, _t193,  *[fs:eax]);
								E005C51D4(_v48, 0,  &_v44);
								E0060FFA0( *((intOrPtr*)(_a12 + (_t135 & 0x000000ff) * 4 - 0x38)), _a12, _v44, _t210);
								_t178 = 0x629899;
								 *[fs:eax] = _t178;
								goto L25;
							}
							_t207 = _t188 - 0x20;
							if(_t188 != 0x20) {
								goto L22;
							}
							goto L20;
						}
					}
				}
			}

0x0062967c
0x0062967c
0x0062967d
0x00629680
0x00629685
0x00629685
0x00629687
0x00629689
0x00629689
0x0062968c
0x0062968d
0x0062968d
0x0062968d
0x00629692
0x00629693
0x00629696
0x00629698
0x0062969c
0x0062969d
0x006296a2
0x006296a5
0x006296a8
0x006296b1
0x006296c5
0x00629716
0x00629723
0x00629728
0x0062972a
0x0062973e
0x00629746
0x0062974a
0x0062974f
0x0062974f
0x006296c7
0x006296d9
0x006296e5
0x006296fd
0x00629709
0x0062970e
0x0062970e
0x00629755
0x00629762
0x00629767
0x00629769
0x0062976d
0x0062976d
0x0062977d
0x00629916
0x00629918
0x0062991b
0x0062991e
0x0062992b
0x0062993d
0x00629783
0x00629783
0x00629786
0x0062978d
0x00629794
0x00629799
0x0062979d
0x006297a8
0x006297ad
0x006297af
0x006297b5
0x006297bc
0x006297c2
0x006297c7
0x006297c9
0x006297dc
0x006297cb
0x006297d0
0x006297d0
0x006297c9
0x006297b5
0x006297ad
0x006297ec
0x006298e5
0x006298e9
0x006298f9
0x00629903
0x00629911
0x00629911
0x00000000
0x006297f2
0x006297f7
0x006297fd
0x006298c9
0x006298c9
0x006298cc
0x006298da
0x006298df
0x00000000
0x00629810
0x00629813
0x0062981e
0x00629829
0x00000000
0x00000000
0x0062982f
0x00629832
0x00629840
0x00629847
0x00629850
0x00629859
0x00629864
0x0062986d
0x00629878
0x0062988a
0x00629891
0x00629894
0x00000000
0x00629894
0x00629815
0x00629818
0x00000000
0x00000000
0x00000000
0x00629818
0x006297fd
0x006297ec

APIs

GetLastError.KERNEL32(00000000,0062993E,?,?,?,?,00000005,00000000,00000000,?,?,0062AD40,00000000,00000000,?,00000000), ref: 006297F2

Strings

.lnk, xrefs: 0062975D
.fts, xrefs: 006296F6
Failed to strip read-only attribute., xrefs: 006297D7
.chm, xrefs: 0062971E
.gid, xrefs: 006296D2
Stripped read-only attribute., xrefs: 006297CB
Failed to delete the file; it may be in use (%d)., xrefs: 006298D5
The file appears to be in use (%d). Will delete on restart., xrefs: 0062983B
.chw, xrefs: 00629737
.hlp, xrefs: 006296B9
Deleting file: %s, xrefs: 0062978F

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 6f92307537ceb8c7d2d67ad019ef8242b08bbbbcbbbebdc35b56f5247fe92f36
Instruction ID: 5f97cc3f942ec822775001ce78f35f044808c5a8b545990c5ebfc5930a6ec5c3
Opcode Fuzzy Hash: 6f92307537ceb8c7d2d67ad019ef8242b08bbbbcbbbebdc35b56f5247fe92f36
Instruction Fuzzy Hash: 7871B430B00A645BDB05EBA8E846BEE77A6AFC9310F14446DF801EB381DA749D45CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0060DE38, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253
registryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0060DE38(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				void* _v20;
				char _v21;
				char _v28;
				int _v32;
				int _v36;
				char _v40;
				char _v44;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char* _v72;
				char _v76;
				char _v80;
				void* _t77;
				char _t98;
				char _t103;
				char* _t110;
				char _t133;
				char _t139;
				char _t144;
				void* _t168;
				short* _t169;
				char _t170;
				char _t172;
				intOrPtr _t189;
				intOrPtr _t194;
				intOrPtr _t196;
				void* _t207;
				void* _t208;
				intOrPtr _t209;

				_t207 = _t208;
				_t209 = _t208 + 0xffffffb4;
				_push(__esi);
				_push(__edi);
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				_v76 = 0;
				_v80 = 0;
				_v56 = 0;
				_v8 = 0;
				_v12 = __edx;
				_push(_t207);
				_push(0x60e11e);
				_push( *[fs:edx]);
				 *[fs:edx] = _t209;
				_v13 = 0;
				_t168 = E005C6790(_t77, L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v20, 3, 0);
				if(_t168 == 2) {
					L30:
					_pop(_t189);
					 *[fs:eax] = _t189;
					_push(E0060E125);
					E0040A228( &_v80, 2);
					E0040A228( &_v60, 2);
					E0040A228( &_v44, 2);
					return E0040A1C8( &_v8);
				} else {
					if(_t168 != 0) {
						E0060C8F8(0x80000002,  &_v56, _t207);
						_v52 = _v56;
						_v48 = L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
						E005CC254(0x52, 1,  &_v52,  &_v44);
						_push(_v44);
						_push(L"\r\n\r\n");
						_v72 = L"RegOpenKeyEx";
						E00422FFC(_t168,  &_v76);
						_v68 = _v76;
						E005C72F8(_t168,  &_v80);
						_v64 = _v80;
						E005CC254(0x48, 2,  &_v72,  &_v60);
						_push(_v60);
						E0040B550( &_v40, _t168, 3, __edi, __esi);
						E00429000(_v40, 1);
						E004098C4();
					}
					_push(_t207);
					_push(0x60e0da);
					_push( *[fs:eax]);
					 *[fs:eax] = _t209;
					_t169 = E0040B278(_v12);
					if(RegQueryValueExW(_v20, _t169, 0,  &_v32, 0,  &_v36) == 0) {
						_v21 = 0;
						_v28 = 0;
						_push(_t207);
						_push(0x60e018);
						_push( *[fs:eax]);
						 *[fs:eax] = _t209;
						_t98 = _v32 - 1;
						__eflags = _t98;
						if(_t98 == 0) {
							__eflags = E005C66B8();
							if(__eflags != 0) {
								_v28 = E00423394(_v8, __eflags);
								_v21 = 1;
							}
						} else {
							_t133 = _t98 - 2;
							__eflags = _t133;
							if(_t133 == 0) {
								__eflags = _v36 - 1;
								if(_v36 >= 1) {
									__eflags = _v36 - 4;
									if(_v36 <= 4) {
										_t139 = RegQueryValueExW(_v20, E0040B278(_v12), 0, 0,  &_v28,  &_v36);
										__eflags = _t139;
										if(_t139 == 0) {
											_v21 = 1;
										}
									}
								}
							} else {
								__eflags = _t133 == 1;
								if(_t133 == 1) {
									_v36 = 4;
									_t144 = RegQueryValueExW(_v20, _t169, 0, 0,  &_v28,  &_v36);
									__eflags = _t144;
									if(_t144 == 0) {
										_v21 = 1;
									}
								}
							}
						}
						_pop(_t194);
						 *[fs:eax] = _t194;
						__eflags = _v21;
						if(_v21 != 0) {
							_v28 = _v28 - 1;
							__eflags = _v28;
							if(_v28 > 0) {
								_t103 = _v32 - 1;
								__eflags = _t103;
								if(_t103 == 0) {
									E00423024( &_v8, _v28, 0);
									_t170 = _v8;
									__eflags = _t170;
									if(_t170 != 0) {
										_t172 = _t170 - 4;
										__eflags = _t172;
										_t170 =  *_t172;
									}
									_t110 = E0040B278(_v8);
									RegSetValueExW(_v20, E0040B278(_v12), 0, 1, _t110, _t170 + 1 + _t170 + 1);
								} else {
									__eflags = _t103 + 0xfffffffe - 2;
									if(_t103 + 0xfffffffe - 2 < 0) {
										RegSetValueExW(_v20, E0040B278(_v12), 0, _v32,  &_v28, 4);
									}
								}
							} else {
								_v13 = 1;
								RegDeleteValueW(_v20, E0040B278(_v12));
							}
							__eflags = 0;
							_pop(_t196);
							 *[fs:eax] = _t196;
							_push(E0060E0E1);
							return RegCloseKey(_v20);
						} else {
							E004099B8();
							goto L30;
						}
					} else {
						E004099B8();
						goto L30;
					}
				}
			}

0x0060de39
0x0060de3b
0x0060de3f
0x0060de40
0x0060de43
0x0060de46
0x0060de49
0x0060de4c
0x0060de4f
0x0060de52
0x0060de55
0x0060de58
0x0060de5d
0x0060de5e
0x0060de63
0x0060de66
0x0060de69
0x0060de84
0x0060de89
0x0060e0e1
0x0060e0e3
0x0060e0e6
0x0060e0e9
0x0060e0f6
0x0060e103
0x0060e110
0x0060e11d
0x0060de8f
0x0060de91
0x0060dea3
0x0060deab
0x0060deb3
0x0060dec2
0x0060dec7
0x0060deca
0x0060ded8
0x0060dee0
0x0060dee8
0x0060def0
0x0060def8
0x0060df07
0x0060df0c
0x0060df17
0x0060df26
0x0060df2b
0x0060df2b
0x0060df32
0x0060df33
0x0060df38
0x0060df3b
0x0060df52
0x0060df60
0x0060df6c
0x0060df72
0x0060df77
0x0060df78
0x0060df7d
0x0060df80
0x0060df86
0x0060df86
0x0060df87
0x0060dfa0
0x0060dfa2
0x0060dfac
0x0060dfaf
0x0060dfaf
0x0060df89
0x0060df89
0x0060df89
0x0060df8c
0x0060dfb5
0x0060dfb9
0x0060dfbb
0x0060dfbf
0x0060dfda
0x0060dfdf
0x0060dfe1
0x0060dfe3
0x0060dfe3
0x0060dfe1
0x0060dfbf
0x0060df8e
0x0060df8e
0x0060df8f
0x0060dfe9
0x0060e001
0x0060e006
0x0060e008
0x0060e00a
0x0060e00a
0x0060e008
0x0060df8f
0x0060df8c
0x0060e010
0x0060e013
0x0060e022
0x0060e026
0x0060e032
0x0060e035
0x0060e039
0x0060e056
0x0060e056
0x0060e057
0x0060e06d
0x0060e072
0x0060e075
0x0060e077
0x0060e079
0x0060e079
0x0060e07c
0x0060e07c
0x0060e087
0x0060e09e
0x0060e059
0x0060e05c
0x0060e05f
0x0060e0be
0x0060e0be
0x0060e05f
0x0060e03b
0x0060e03b
0x0060e04c
0x0060e04c
0x0060e0c3
0x0060e0c5
0x0060e0c8
0x0060e0cb
0x0060e0d9
0x0060e028
0x0060e028
0x00000000
0x0060e028
0x0060df62
0x0060df62
0x00000000
0x0060df62
0x0060df60

APIs

Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,0060E0DA,?,?,00000003,00000000,00000000,0060E11E), ref: 0060DF59

Part of subcall function 005C72F8: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CAC2A,00000000,005CAC7B,?,005CAE5C), ref: 005C7317

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E018,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060DFDA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E018,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E001

Strings

RegOpenKeyEx, xrefs: 0060DED3
, xrefs: 0060DECA
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060DEAE
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060DE75

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: c0f6a3415407b5ed82ac2097bcbe5bd87fd80c7496bfbd7c27457ca2540ccd7a
Instruction ID: 5ffe65932f4f8e7796c8cf642ead8af5e42ac307f6e0ca7c7b751169975c555e
Opcode Fuzzy Hash: c0f6a3415407b5ed82ac2097bcbe5bd87fd80c7496bfbd7c27457ca2540ccd7a
Instruction Fuzzy Hash: 62919E70A44219AFDB04DFE5C886BEFBBBAEB48304F10486AF501F7381D77999458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00626EC8, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 162
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00626EC8(signed int __eax, void* __ebx, signed int __edx, void* __edi, void* __esi) {
				signed int _v5;
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ecx;
				void* _t79;
				signed int _t83;
				signed char _t125;
				intOrPtr _t127;
				intOrPtr _t156;
				signed int _t170;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t181;

				_t180 = _t181;
				_t127 = 4;
				do {
					_push(0);
					_push(0);
					_t127 = _t127 - 1;
				} while (_t127 != 0);
				_t1 =  &_v8;
				_t128 =  *_t1;
				 *_t1 = _t127;
				_t178 =  *_t1;
				_v5 = __edx;
				_t125 = __eax;
				_push(_t180);
				_push(0x6270d1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t181;
				if( *((intOrPtr*)(0x6d537c + ((__eax & 0x000000ff) + (__eax & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)) != 0) {
					L18:
					E0040A5A8(_t178,  *((intOrPtr*)(0x6d537c + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)));
					_pop(_t156);
					 *[fs:eax] = _t156;
					_push(E006270D8);
					return E0040A228( &_v32, 5);
				}
				E00626D74(__eax, _t128,  &_v16, _t180);
				if((_v5 & 0x000000ff) + 0xfe - 2 >= 0 || E005C6790(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v4.0", 0x80000002,  &_v12, 1, 0) != 0) {
					_t79 = (_v5 & 0x000000ff) - 1;
					if(_t79 == 0 || _t79 == 2) {
						if(E005C6790(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0", 0x80000002,  &_v12, 1, 0) != 0) {
							goto L10;
						} else {
							_t174 = _t125 & 0x0000007f;
							E005C4D00( *((intOrPtr*)(0x6d5370 + (_t125 & 0x0000007f) * 4)),  &_v24);
							E0040B4C8(0x6d537c + (_t174 + _t174) * 8 + (_v5 & 0x000000ff) * 4, L"v2.0.50727", _v24);
							RegCloseKey(_v12);
							goto L14;
						}
					} else {
						L10:
						_t83 = _v5 & 0x000000ff;
						if(_t83 == 0 || _t83 == 3) {
							if(E005C6790(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v1.1", 0x80000002,  &_v12, 1, 0) == 0) {
								_t172 = _t125 & 0x0000007f;
								E005C4D00( *((intOrPtr*)(0x6d5370 + (_t125 & 0x0000007f) * 4)),  &_v28);
								E0040B4C8(0x6d537c + (_t172 + _t172) * 8 + (_v5 & 0x000000ff) * 4, L"v1.1.4322", _v28);
								RegCloseKey(_v12);
							}
						}
						goto L14;
					}
				} else {
					_t176 = _t125 & 0x0000007f;
					E005C4D00( *((intOrPtr*)(0x6d5370 + (_t125 & 0x0000007f) * 4)),  &_v20);
					E0040B4C8(0x6d537c + (_t176 + _t176) * 8 + (_v5 & 0x000000ff) * 4, L"v4.0.30319", _v20);
					RegCloseKey(_v12);
					L14:
					_t170 = _v5 & 0x000000ff;
					if( *((intOrPtr*)(0x6d537c + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + _t170 * 4)) == 0) {
						if(_v5 == 3) {
							E0060C688(L".NET Framework not found", _t125);
						} else {
							_v40 =  *((intOrPtr*)(0x6cc0a4 + _t170 * 4));
							_v36 = 0x11;
							E004244F0(L".NET Framework version %s not found", 0,  &_v40,  &_v32);
							E0060C688(_v32, _t125);
						}
					}
					goto L18;
				}
			}

0x00626ec9
0x00626ecc
0x00626ed1
0x00626ed1
0x00626ed3
0x00626ed5
0x00626ed5
0x00626ed8
0x00626ed8
0x00626ed8
0x00626ede
0x00626ee0
0x00626ee3
0x00626ee7
0x00626ee8
0x00626eed
0x00626ef0
0x00626f07
0x0062709c
0x006270b1
0x006270b8
0x006270bb
0x006270be
0x006270d0
0x006270d0
0x00626f12
0x00626f1f
0x00626f83
0x00626f85
0x00626fa6
0x00000000
0x00626fa8
0x00626fad
0x00626fb7
0x00626fd6
0x00626fdf
0x00000000
0x00626fdf
0x00626fe6
0x00626fe6
0x00626fe6
0x00626fec
0x0062700d
0x00627014
0x0062701e
0x0062703d
0x00627046
0x00627046
0x0062700d
0x00000000
0x00626fec
0x00626f3e
0x00626f43
0x00626f4d
0x00626f6c
0x00626f75
0x0062704b
0x0062704b
0x0062705f
0x00627065
0x00627097
0x00627067
0x00627072
0x00627075
0x00627083
0x0062708b
0x0062708b
0x00627065
0x00000000
0x0062705f

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?,?,0062733C,00000000), ref: 00626F75
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?,?,0062733C,00000000), ref: 00626FDF
RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?), ref: 00627046

Strings

.NET Framework version %s not found, xrefs: 0062707E
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00626F95
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00626F2B
v4.0.30319, xrefs: 00626F67
v1.1.4322, xrefs: 00627038
.NET Framework not found, xrefs: 00627092
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00626FFC
v2.0.50727, xrefs: 00626FD1

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Close
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 3535843008-446240816
Opcode ID: 76f3cfdfd72a9adba869984664d92be285200d7ffe64c148a2e70a9fac420ab0
Instruction ID: c0f20b2d71ec8f474bf61d9ec020991ed2f273380f667ab3d85d0ceb4907a677
Opcode Fuzzy Hash: 76f3cfdfd72a9adba869984664d92be285200d7ffe64c148a2e70a9fac420ab0
Instruction Fuzzy Hash: 86510970E08529AFCB05DBA8E861FFE7BB7DB85300F15006EF50197381D679AA098F60

Uniqueness

Uniqueness Score: -1.00%

Function 00625B40, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00625B40(intOrPtr __eax, void* __edx) {
				long _v12;
				long _v16;
				void* __ebx;
				void* __esi;
				void* _t44;
				void* _t50;
				intOrPtr _t51;
				DWORD* _t52;

				_t19 = __eax;
				_t52 =  &_v12;
				_t44 = __edx;
				_t51 = __eax;
				if( *((char*)(__eax + 4)) == 0) {
					L11:
					return _t19;
				}
				 *((char*)(__eax + 5)) = 1;
				_v16 =  *((intOrPtr*)(__eax + 0x10));
				_v12 = 0;
				E00615D14(L"Stopping 64-bit helper process. (PID: %u)", __edx, 0,  &_v16, _t50, __eax);
				CloseHandle( *(_t51 + 0xc));
				 *(_t51 + 0xc) = 0;
				while(WaitForSingleObject( *(_t51 + 8), 0x2710) == 0x102) {
					E00615A90(L"Helper isn\'t responding; killing it.", _t44, _t50, _t51);
					TerminateProcess( *(_t51 + 8), 1);
				}
				if(GetExitCodeProcess( *(_t51 + 8), _t52) == 0) {
					E00615A90(L"Helper process exited, but failed to get exit code.", _t44, _t50, _t51);
				} else {
					if( *_t52 != 0) {
						_v16 =  *_t52;
						_v12 = 0;
						E00615D14(L"Helper process exited with failure code: 0x%x", _t44, 0,  &_v16, _t50, _t51);
					} else {
						E00615A90(L"Helper process exited.", _t44, _t50, _t51);
					}
				}
				CloseHandle( *(_t51 + 8));
				 *(_t51 + 8) = 0;
				_t19 = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((char*)(_t51 + 4)) = 0;
				if(_t44 == 0) {
					goto L11;
				} else {
					Sleep(0xfa);
					return 0;
				}
			}

0x00625b40
0x00625b42
0x00625b45
0x00625b47
0x00625b4d
0x00625c1f
0x00625c1f
0x00625c1f
0x00625b53
0x00625b5a
0x00625b5e
0x00625b6e
0x00625b77
0x00625b7e
0x00625b98
0x00625b88
0x00625b93
0x00625b93
0x00625bb9
0x00625bf0
0x00625bbb
0x00625bbf
0x00625bd0
0x00625bd4
0x00625be4
0x00625bc1
0x00625bc6
0x00625bc6
0x00625bbf
0x00625bf9
0x00625c00
0x00625c03
0x00625c05
0x00625c08
0x00625c0e
0x00000000
0x00625c10
0x00625c15
0x00000000
0x00625c15

APIs

CloseHandle.KERNEL32(?), ref: 00625B77
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625B93
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625BA1
GetExitCodeProcess.KERNEL32 ref: 00625BB2
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625BF9
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625C15

Strings

Helper process exited., xrefs: 00625BC1
Stopping 64-bit helper process. (PID: %u), xrefs: 00625B69
Helper process exited with failure code: 0x%x, xrefs: 00625BDF
Helper isn't responding; killing it., xrefs: 00625B83
Helper process exited, but failed to get exit code., xrefs: 00625BEB

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 345e8be281349136ce4f41bbb6d12d2eccf1fef384b7983b5e8052c9d0ea8ad0
Instruction ID: d0bfad0dce46509abd09e9749dfb7e1faf5b73955165e0b8576abc6345a57add
Opcode Fuzzy Hash: 345e8be281349136ce4f41bbb6d12d2eccf1fef384b7983b5e8052c9d0ea8ad0
Instruction Fuzzy Hash: C6218070604F519EC330EB78E885B8BBBD69F48314F44CD2DB59BC7681E674E8808B66

Uniqueness

Uniqueness Score: -1.00%

Function 006B5CC8, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 145
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E006B5CC8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				struct HWND__* _v12;
				void* _v16;
				char _v20;
				char _v24;
				char _v28;
				struct HWND__* _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				WCHAR* _t41;
				intOrPtr _t42;
				int _t44;
				intOrPtr* _t54;
				void* _t68;
				intOrPtr _t80;
				intOrPtr _t102;
				intOrPtr _t104;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t118;

				_t118 = __fp0;
				_t106 = __esi;
				_t105 = __edi;
				_t88 = __ecx;
				_t87 = __ebx;
				_t108 = _t109;
				_t110 = _t109 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v48 = 0;
				_v44 = 0;
				_v20 = 0;
				_v8 = 0;
				_push(_t108);
				_push(0x6b5eb6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t110;
				E005C6360( &_v20, __ebx, __ecx, __eflags);
				if(E0060CD14(_v20, __ebx,  &_v8, __edi, __esi) == 0) {
					_push(_t108);
					_push( *[fs:eax]);
					 *[fs:eax] = _t110;
					E0060D210(0, _t87, _v8, __edi, __esi);
					_pop(_t104);
					_t88 = 0x6b5d2b;
					 *[fs:eax] = _t104;
				}
				_t41 = E0040B278(_v8);
				_t42 =  *0x6d58ac; // 0x0
				_t44 = CopyFileW(E0040B278(_t42), _t41, 0);
				_t113 = _t44;
				if(_t44 == 0) {
					_t80 =  *0x6ccec0; // 0x6d4c14
					_t11 = _t80 + 0x208; // 0x0
					E006B5200( *_t11, _t87, _t88, _t106, _t113);
				}
				SetFileAttributesW(E0040B278(_v8), 0x80);
				_v12 = E00414D98(0, L"STATIC", 0,  *0x6d1634, 0, 0, 0, 0, 0, 0, 0);
				 *0x6d58d8 = SetWindowLongW(_v12, 0xfffffffc, E006B53C4);
				_push(_t108);
				_push(0x6b5e7f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t110;
				_t54 =  *0x6cceac; // 0x6d479c
				SetWindowPos( *( *_t54 + 0x188), 0, 0, 0, 0, 0, 0x97);
				E005C5D2C(0, _t87,  &_v44, _t105, _t106);
				_v40 = _v44;
				_v36 = 0x11;
				_v32 = _v12;
				_v28 = 0;
				E004244F0(L"/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v40,  &_v24);
				_push( &_v24);
				E005C5C0C( &_v48, _t87, _t106, 0);
				_pop(_t68);
				E0040B470(_t68, _v48);
				_v16 = E006B52AC(_v8, _t87, _v24, _t105, _t106, _t118);
				do {
				} while (E006B5388() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
				CloseHandle(_v16);
				_pop(_t102);
				 *[fs:eax] = _t102;
				_push(E006B5E86);
				return DestroyWindow(_v12);
			}

0x006b5cc8
0x006b5cc8
0x006b5cc8
0x006b5cc8
0x006b5cc8
0x006b5cc9
0x006b5ccb
0x006b5cce
0x006b5ccf
0x006b5cd0
0x006b5cd3
0x006b5cd6
0x006b5cd9
0x006b5cdc
0x006b5cdf
0x006b5ce4
0x006b5ce5
0x006b5cea
0x006b5ced
0x006b5cf3
0x006b5d05
0x006b5d09
0x006b5d0f
0x006b5d12
0x006b5d1c
0x006b5d23
0x006b5d25
0x006b5d26
0x006b5d26
0x006b5d3a
0x006b5d40
0x006b5d4b
0x006b5d50
0x006b5d52
0x006b5d54
0x006b5d59
0x006b5d5f
0x006b5d5f
0x006b5d72
0x006b5d9e
0x006b5db1
0x006b5db8
0x006b5db9
0x006b5dbe
0x006b5dc1
0x006b5dd3
0x006b5de1
0x006b5def
0x006b5df7
0x006b5dfa
0x006b5e01
0x006b5e04
0x006b5e15
0x006b5e1d
0x006b5e21
0x006b5e29
0x006b5e2a
0x006b5e3a
0x006b5e3d
0x006b5e42
0x006b5e63
0x006b5e6a
0x006b5e6d
0x006b5e70
0x006b5e7e

APIs

Part of subcall function 0060CD14: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE01
Part of subcall function 0060CD14: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE11

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B5EB6), ref: 006B5D4B
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B5EB6), ref: 006B5D72
SetWindowLongW.USER32 ref: 006B5DAC
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000,?,00000000), ref: 006B5DE1
MsgWaitForMultipleObjects.USER32 ref: 006B5E55
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000), ref: 006B5E63

Part of subcall function 0060D210: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D2F6

DestroyWindow.USER32(?,006B5E86,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000,?), ref: 006B5E79

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 006B5E10
STATIC, xrefs: 006B5D92

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-2312673372
Opcode ID: f78d63b615e1901277396d3872a4f52d1db43ce29e079395b52964e91af068f3
Instruction ID: 631bd36c21b8289a2ffb424a70e424515061202145823e8d8c015a7ddcff5e77
Opcode Fuzzy Hash: f78d63b615e1901277396d3872a4f52d1db43ce29e079395b52964e91af068f3
Instruction Fuzzy Hash: 0D418FB0A00708AFDB00EFB5D856FDE7BF9EB48710F11496AF501E7291D7749A408B68

Uniqueness

Uniqueness Score: -1.00%

Function 005B8BCC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
windowCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E005B8BCC(intOrPtr __eax, void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi, int _a4) {
				intOrPtr _v8;
				WCHAR* _v12;
				int _v16;
				struct HWND__* _v20;
				struct HMONITOR__* _v24;
				struct HWND__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				struct tagMONITORINFO _v76;
				struct tagRECT _v92;
				struct HMONITOR__* _t49;
				struct HWND__* _t51;
				long _t68;
				intOrPtr _t79;
				struct HWND__* _t85;
				signed int _t91;
				signed int _t92;
				signed int _t95;
				signed int _t96;
				intOrPtr _t99;
				intOrPtr _t100;
				signed int _t102;
				signed int _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int _t108;
				WCHAR* _t111;
				int _t113;
				void* _t115;
				void* _t116;
				intOrPtr _t117;

				_t115 = _t116;
				_t117 = _t116 + 0xffffffa8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = __ecx;
				_t111 = __edx;
				_v8 = __eax;
				_t113 = _a4;
				_v20 = E005BA14C(_v8, __ecx);
				if(_v20 != 0) {
					_t85 = _v20;
				} else {
					_t85 =  *(_v8 + 0x188);
				}
				_push(2);
				_t49 = _v20;
				_push(_t49);
				L004FBD14();
				_v24 = _t49;
				_push(2);
				_t51 =  *(_v8 + 0x188);
				_push(_t51);
				L004FBD14();
				_v28 = _t51;
				if(_v24 != _v28) {
					_v76.cbSize = 0x28;
					GetMonitorInfoW(_v24,  &_v76);
					GetWindowRect( *(_v8 + 0x188),  &_v92);
					_push(0x1d);
					_push(0);
					_push(0);
					_t105 = _v68;
					_t95 = _v60 - _t105;
					_t96 = _t95 >> 1;
					if(_t95 < 0) {
						asm("adc ecx, 0x0");
					}
					_push(_t96 + _t105);
					_t79 = _v76.rcMonitor;
					_t107 = _v64 - _t79;
					_t108 = _t107 >> 1;
					if(_t107 < 0) {
						asm("adc edx, 0x0");
					}
					SetWindowPos( *(_v8 + 0x188), 0, _t108 + _t79, ??, ??, ??, ??);
				}
				_v36 = E005ABB4C(_v20, _t85, _t111, _t113);
				_v32 = E005AB9A0();
				if(E005B7300(_v8) != 0) {
					_t113 = _t113 | 0x00100000;
				}
				_push(_t115);
				_push(0x5b8d37);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t117;
				_v16 = MessageBoxW(_t85, _t111, _v12, _t113);
				_pop(_t99);
				 *[fs:eax] = _t99;
				_push(E005B8D3E);
				if(_v24 != _v28) {
					_push(0x1d);
					_push(0);
					_push(0);
					_t100 = _v92.top;
					_t91 = _v92.bottom - _t100;
					_t92 = _t91 >> 1;
					if(_t91 < 0) {
						asm("adc ecx, 0x0");
					}
					_push(_t92 + _t100);
					_t68 = _v92.left;
					_t102 = _v92.right - _t68;
					_t103 = _t102 >> 1;
					if(_t102 < 0) {
						asm("adc edx, 0x0");
					}
					SetWindowPos( *(_v8 + 0x188), 0, _t103 + _t68, ??, ??, ??, ??);
				}
				E005ABC0C(_v36);
				SetActiveWindow(_v20);
				return E005AB9A8(_v32);
			}

0x005b8bcd
0x005b8bcf
0x005b8bd2
0x005b8bd3
0x005b8bd4
0x005b8bd5
0x005b8bd8
0x005b8bda
0x005b8bdd
0x005b8be8
0x005b8bef
0x005b8bfc
0x005b8bf1
0x005b8bf4
0x005b8bf4
0x005b8bff
0x005b8c01
0x005b8c04
0x005b8c05
0x005b8c0a
0x005b8c0d
0x005b8c12
0x005b8c18
0x005b8c19
0x005b8c1e
0x005b8c27
0x005b8c29
0x005b8c38
0x005b8c4b
0x005b8c50
0x005b8c52
0x005b8c54
0x005b8c59
0x005b8c5c
0x005b8c5e
0x005b8c60
0x005b8c62
0x005b8c62
0x005b8c67
0x005b8c6b
0x005b8c6e
0x005b8c70
0x005b8c72
0x005b8c74
0x005b8c74
0x005b8c86
0x005b8c86
0x005b8c93
0x005b8c9b
0x005b8ca8
0x005b8caa
0x005b8caa
0x005b8cb2
0x005b8cb3
0x005b8cb8
0x005b8cbb
0x005b8cca
0x005b8ccf
0x005b8cd2
0x005b8cd5
0x005b8ce0
0x005b8ce2
0x005b8ce4
0x005b8ce6
0x005b8ceb
0x005b8cee
0x005b8cf0
0x005b8cf2
0x005b8cf4
0x005b8cf4
0x005b8cf9
0x005b8cfd
0x005b8d00
0x005b8d02
0x005b8d04
0x005b8d06
0x005b8d06
0x005b8d18
0x005b8d18
0x005b8d20
0x005b8d29
0x005b8d36

APIs

Part of subcall function 005BA14C: GetActiveWindow.USER32 ref: 005BA173
Part of subcall function 005BA14C: GetLastActivePopup.USER32(?), ref: 005BA188

MonitorFromWindow.USER32(00000000,00000002), ref: 005B8C05
MonitorFromWindow.USER32(?,00000002), ref: 005B8C19
GetMonitorInfoW.USER32 ref: 005B8C38
GetWindowRect.USER32 ref: 005B8C4B
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?,00000000,00000028,?,00000002,?,?,00000000), ref: 005B8C86
MessageBoxW.USER32(00000000,00000000,?,?), ref: 005B8CC5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,005B8D3E,?,00000002,?,?,00000000), ref: 005B8D18

Part of subcall function 005ABC0C: IsWindow.USER32(?), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(?,000000FF), ref: 005ABC29

SetActiveWindow.USER32(00000000,005B8D3E,?,00000002,?,?,00000000), ref: 005B8D29

Strings

(, xrefs: 005B8C29

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$ActiveMonitor$From$EnableInfoLastMessagePopupRect
String ID: (
API String ID: 2800294577-3887548279
Opcode ID: 697067ae2afa1e135e09f613447b76a02380f836c62bd5e999329a0a4143e532
Instruction ID: e103ff10fad479e04e90777f58b06b380e75d42997427aec15eeb7db3903070a
Opcode Fuzzy Hash: 697067ae2afa1e135e09f613447b76a02380f836c62bd5e999329a0a4143e532
Instruction Fuzzy Hash: CE41ECB5E00109AFDB04DBA8D895FFEBBB9FB88300F554469F500AB291DB74AD40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00625DF0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124
pipeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00625DF0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
				intOrPtr _v8;
				long _v12;
				void* _v16;
				struct _OVERLAPPED _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _t83;
				intOrPtr _t94;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t99 = _t100;
				_t101 = _t100 + 0xffffffd8;
				_v40 = 0;
				_v44 = 0;
				_v8 = __eax;
				_push(_t99);
				_push(0x62602e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t101;
				 *(_v8 + 0x14) =  *(_v8 + 0x14) + 1;
				 *(_v8 + 0x20) =  *(_v8 + 0x14);
				 *((intOrPtr*)(_v8 + 0x24)) = __edx;
				 *((intOrPtr*)(_v8 + 0x28)) = __ecx;
				_t83 = 0xc + __ecx;
				_push(_t99);
				_push(0x625fd3);
				_push( *[fs:edx]);
				 *[fs:edx] = _t101;
				_v16 = CreateEventW(0, 0xffffffff, 0, 0);
				if(_v16 == 0) {
					E0060C7E4(L"CreateEvent");
				}
				_push(_t99);
				_push(0x625f68);
				_push( *[fs:edx]);
				 *[fs:edx] = _t101;
				E00407760( &_v36, 0x14);
				_v36.hEvent = _v16;
				if(TransactNamedPipe( *(_v8 + 0xc), _v8 + 0x20, _t83, _v8 + 0x4034, 0x14,  &_v12,  &_v36) != 0) {
					_pop(_t94);
					 *[fs:eax] = _t94;
					_push(E00625F6F);
					return CloseHandle(_v16);
				} else {
					if(GetLastError() != 0x3e5) {
						E0060C7E4(L"TransactNamedPipe");
					}
					_push(_t99);
					_push(0x625f3a);
					_push( *[fs:edx]);
					 *[fs:edx] = _t101;
					if(_a4 != 0 &&  *((short*)(_v8 + 0x1a)) != 0) {
						do {
							 *((intOrPtr*)(_v8 + 0x18))();
						} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
					}
					_pop( *[fs:0x0]);
					_push(E00625F41);
					GetOverlappedResult( *(_v8 + 0xc),  &_v36,  &_v12, 0xffffffff);
					return GetLastError();
				}
			}

0x00625df1
0x00625df3
0x00625dfb
0x00625dfe
0x00625e01
0x00625e06
0x00625e07
0x00625e0c
0x00625e0f
0x00625e15
0x00625e21
0x00625e27
0x00625e2d
0x00625e35
0x00625e39
0x00625e3a
0x00625e3f
0x00625e42
0x00625e52
0x00625e59
0x00625e60
0x00625e60
0x00625e67
0x00625e68
0x00625e6d
0x00625e70
0x00625e7d
0x00625e85
0x00625eb1
0x00625f53
0x00625f56
0x00625f59
0x00625f67
0x00625eb7
0x00625ec1
0x00625ec8
0x00625ec8
0x00625ecf
0x00625ed0
0x00625ed5
0x00625ed8
0x00625edf
0x00625eeb
0x00625ef1
0x00625f08
0x00625eeb
0x00625f0d
0x00625f17
0x00625f2d
0x00625f39
0x00625f39

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00625FD3,?,00000000,0062602E,?,?,00000000,00000000), ref: 00625E4D
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00625F68,?,00000000,000000FF,00000000,00000000,00000000,00625FD3), ref: 00625EAA
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00625F68,?,00000000,000000FF,00000000,00000000,00000000,00625FD3), ref: 00625EB7
MsgWaitForMultipleObjects.USER32 ref: 00625F03
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00625F41,00000000,00000000), ref: 00625F2D
GetLastError.KERNEL32(?,?,00000000,000000FF,00625F41,00000000,00000000), ref: 00625F34

Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7

Strings

CreateEvent, xrefs: 00625E5B
TransactNamedPipe, xrefs: 00625EC3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: fae5c78e997bc8b5791c6b07024b9a4f39506fb163322dfd2895260b01c1bf19
Instruction ID: 45a7b13262c8ba221a264593c31f2682aee6f87904bd064028a6768281c8f284
Opcode Fuzzy Hash: fae5c78e997bc8b5791c6b07024b9a4f39506fb163322dfd2895260b01c1bf19
Instruction Fuzzy Hash: C6418D71A00A08AFDB11DF99DA81EDEBBBAFB08710F1141A9F514E7391D634AA40CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF90, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040DF90(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40e094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x6d0c14);
				if(_t28 !=  *0x6d0c2c) {
					LeaveCriticalSection(0x6d0c14);
					E0040A1C8(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x6d0c10 == 0) {
							_t18 = E0040DC78(_t28, _t28, _t44, __edi, _t44);
							L00405254();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E0040B470(_t44, E0040E0AC);
								}
								L00405254();
								E0040DC78(_t18, _t28,  &_v8, _t42, _t44);
								E0040B470(_t44, _v8);
							}
						} else {
							E0040DE74(_t28, _t44);
						}
					}
					EnterCriticalSection(0x6d0c14);
					 *0x6d0c2c = _t28;
					E0040DAF8(0x6d0c2e, E0040B278( *_t44), 0xaa);
					LeaveCriticalSection(0x6d0c14);
				} else {
					E0040B318(_t44, 0x55, 0x6d0c2e);
					LeaveCriticalSection(0x6d0c14);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040E09B);
				return E0040A1C8( &_v8);
			}

0x0040df90
0x0040df93
0x0040df95
0x0040df96
0x0040df97
0x0040df99
0x0040df9d
0x0040df9e
0x0040dfa3
0x0040dfa6
0x0040dfae
0x0040dfba
0x0040dfe1
0x0040dfe8
0x0040dffa
0x0040e003
0x0040e014
0x0040e019
0x0040e021
0x0040e026
0x0040e02f
0x0040e02f
0x0040e034
0x0040e03c
0x0040e046
0x0040e046
0x0040e005
0x0040e009
0x0040e009
0x0040e003
0x0040e050
0x0040e055
0x0040e06f
0x0040e079
0x0040dfbc
0x0040dfc8
0x0040dfd2
0x0040dfd2
0x0040e080
0x0040e083
0x0040e086
0x0040e093

APIs

EnterCriticalSection.KERNEL32(006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
IsValidLocale.KERNEL32(00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
EnterCriticalSection.KERNEL32(006D0C14,00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079

Strings

en-US,en,, xrefs: 0040DFBE, 0040E065

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 132b5c44b66357a61607cea8e570c4f98048163ec2b2b075c620ee471578f9dc
Instruction ID: 4182a3ca1ca8de6b44c3d638db47ef535eef3e1020ae15a43facf6376d410dc7
Opcode Fuzzy Hash: 132b5c44b66357a61607cea8e570c4f98048163ec2b2b075c620ee471578f9dc
Instruction Fuzzy Hash: B221C360B506149AEB20B7B78C42B1E3286DB45708F50497FB440BF3C6CAFC8C458AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00624530, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00624530(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr _t33;
				intOrPtr* _t37;
				intOrPtr* _t49;
				intOrPtr _t61;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t70;
				intOrPtr _t71;

				_t70 = _t71;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t68 = __eax;
				_push(_t70);
				_push(0x62464a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71;
				_t66 = E00414020(__ebx, _t68, GetModuleHandleW(L"OLEAUT32.DLL"), L"UnRegisterTypeLib");
				_t49 = _t66;
				if(_t66 == 0) {
					E0060C7E4(L"GetProcAddress");
				}
				E005C5124(_t68,  &_v20, _t70);
				E0040B368( &_v8, _v20);
				_push(E0040EC28( &_v12));
				_t28 = E0040AEF4(_v8);
				_push(_t28);
				L0043C23C();
				if(_t28 != 0) {
					E0060C7F8(L"LoadTypeLib", _t49, _t28, _t68);
				}
				_push( &_v16);
				_t30 = _v12;
				_push(_t30);
				if( *((intOrPtr*)( *_t30 + 0x1c))() != 0) {
					E0060C7F8(L"ITypeLib::GetLibAttr", _t49, _t32, _t68);
				}
				_push(_t70);
				_push(0x62461d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t71;
				_t33 = _v16;
				_push( *((intOrPtr*)(_t33 + 0x14)));
				_push( *((intOrPtr*)(_t33 + 0x10)));
				_push( *(_t33 + 0x1a) & 0x0000ffff);
				_push( *(_t33 + 0x18) & 0x0000ffff);
				_push(_t33);
				if( *_t49() != 0) {
					E0060C7F8(L"UnRegisterTypeLib", _t49, _t34, _t68);
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_t37 = _v12;
				return  *((intOrPtr*)( *_t37 + 0x30))(_t37, _v16, E00624624);
			}

0x00624531
0x00624535
0x00624536
0x00624537
0x00624538
0x00624539
0x0062453a
0x0062453c
0x00624540
0x00624541
0x00624546
0x00624549
0x00624561
0x00624563
0x00624567
0x0062456e
0x0062456e
0x00624578
0x00624583
0x00624590
0x00624594
0x00624599
0x0062459a
0x006245a1
0x006245aa
0x006245aa
0x006245b2
0x006245b3
0x006245b6
0x006245be
0x006245c7
0x006245c7
0x006245ce
0x006245cf
0x006245d4
0x006245d7
0x006245da
0x006245e0
0x006245e4
0x006245e9
0x006245ee
0x006245ef
0x006245f4
0x006245fd
0x006245fd
0x00624604
0x00624607
0x00624613
0x0062461c

APIs

GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0062464A,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00629FF1,00000000,0062A005), ref: 00624556

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062459A

Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7

Strings

UnRegisterTypeLib, xrefs: 0062454C
OLEAUT32.DLL, xrefs: 00624551
UnRegisterTypeLib, xrefs: 006245F8
ITypeLib::GetLibAttr, xrefs: 006245C2
LoadTypeLib, xrefs: 006245A5
GetProcAddress, xrefs: 00624569

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 3799fd6d903a69a31f79a75ffe0ed153fdae39087b1b7be4b8271f0e1526af79
Instruction ID: 6e8e0d31e8c3c09f4e33b7ba0e6d10679ae3de64b1987244dfe505353b5bcc3b
Opcode Fuzzy Hash: 3799fd6d903a69a31f79a75ffe0ed153fdae39087b1b7be4b8271f0e1526af79
Instruction Fuzzy Hash: E9219CB1A40A24AFDB04EBAADC42D6B77EEEF8A7403114469F400E7651EE34EC018F25

Uniqueness

Uniqueness Score: -1.00%

Function 005C6D70, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E005C6D70(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x5c6e6a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E00414020(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E00429D10() != 2) {
						if(E005C6790(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E005C66B8();
							RegCloseKey(_v12);
						}
					} else {
						if(E005C6790(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E005C66B8();
							RegCloseKey(_v12);
						}
					}
					E0040B4C8( &_v20, _v8, 0x5c6f80);
					E00407870(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E005C6E71);
				E0040A1C8( &_v20);
				return E0040A1C8( &_v8);
			}

0x005c6d76
0x005c6d79
0x005c6d7c
0x005c6d81
0x005c6d82
0x005c6d87
0x005c6d8a
0x005c6d9d
0x005c6da4
0x005c6db7
0x005c6e0c
0x005c6e19
0x005c6e22
0x005c6e22
0x005c6db9
0x005c6dd4
0x005c6de1
0x005c6dea
0x005c6dea
0x005c6dd4
0x005c6e32
0x005c6e3d
0x005c6e48
0x005c6e48
0x005c6da6
0x005c6da6
0x005c6da8
0x005c6e4e
0x005c6e51
0x005c6e54
0x005c6e5c
0x005c6e69

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A,?,00000000), ref: 005C6D97

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A,?,00000000), ref: 005C6DEA

Strings

GetUserDefaultUILanguage, xrefs: 005C6D8D
Locale, xrefs: 005C6DD9
.DEFAULT\Control Panel\International, xrefs: 005C6DC1
kernel32.dll, xrefs: 005C6D92
Control Panel\Desktop\ResourceLocale, xrefs: 005C6DF9

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: cc85766d71f6e073a9635a3cb907928d28e67f04f3e8b4b7adf5c86a20e485f5
Instruction ID: 99792ba0868377f284877609c025123efe30c02dabd3e6f2c0b5c4ff46beac99
Opcode Fuzzy Hash: cc85766d71f6e073a9635a3cb907928d28e67f04f3e8b4b7adf5c86a20e485f5
Instruction Fuzzy Hash: BC212C79A00209AEDB10EAF1D856F9F7BF9FB48704F60486EE500E7281EA74AB408755

Uniqueness

Uniqueness Score: -1.00%

Function 006249D4, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E006249D4(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v13;
				char _v84;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				void* _t58;
				void* _t91;
				char _t92;
				intOrPtr _t110;
				void* _t120;
				void* _t123;

				_t118 = __edi;
				_v116 = 0;
				_v120 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = 0;
				_v8 = 0;
				_v12 = 0;
				_t120 = __ecx;
				_t91 = __edx;
				_v13 = __eax;
				_push(_t123);
				_push(0x624b6a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t123 + 0xffffff84;
				E005C61D8( &_v8);
				_push(0x624b84);
				E005C4D00(_v8,  &_v104);
				_push(_v104);
				_push(L"regsvr32.exe\"");
				E0040B550( &_v12, _t91, 3, __edi, _t120);
				if(_v13 != 0) {
					E0040B470( &_v12, 0x624bbc);
				}
				_push(_v12);
				_push(L" /s \"");
				_push(_t120);
				_push(0x624b84);
				E0040B550( &_v12, _t91, 4, _t118, _t120);
				_t126 = _t91;
				if(_t91 == 0) {
					E0040B4C8( &_v112, _v12, L"Spawning 32-bit RegSvr32: ");
					E00615A90(_v112, _t91, _t118, _t120);
				} else {
					E0040B4C8( &_v108, _v12, L"Spawning 64-bit RegSvr32: ");
					E00615A90(_v108, _t91, _t118, _t120);
				}
				E00407760( &_v84, 0x44);
				_v84 = 0x44;
				_t58 = E0040B278(_v8);
				if(E0060B998(_t91, E0040B278(_v12), 0, _t126,  &_v100,  &_v84, _t58, 0, 0x4000000, 0, 0, 0) == 0) {
					E0060C7E4(L"CreateProcess");
				}
				CloseHandle(_v96);
				_t92 = E006248D0( &_v100);
				if(_t92 != 0) {
					_v128 = _t92;
					_v124 = 0;
					E004244F0(L"0x%x", 0,  &_v128,  &_v120);
					E005CC284(0x53,  &_v116, _v120);
					E00429000(_v116, 1);
					E004098C4();
				}
				_pop(_t110);
				 *[fs:eax] = _t110;
				_push(E00624B71);
				E0040A228( &_v120, 5);
				return E0040A228( &_v12, 2);
			}

0x006249d4
0x006249de
0x006249e1
0x006249e4
0x006249e7
0x006249ea
0x006249ed
0x006249f0
0x006249f3
0x006249f5
0x006249f7
0x006249fc
0x006249fd
0x00624a02
0x00624a05
0x00624a0b
0x00624a10
0x00624a1b
0x00624a20
0x00624a23
0x00624a30
0x00624a39
0x00624a43
0x00624a43
0x00624a48
0x00624a4b
0x00624a50
0x00624a51
0x00624a5e
0x00624a63
0x00624a65
0x00624a8c
0x00624a94
0x00624a67
0x00624a72
0x00624a7a
0x00624a7a
0x00624aa3
0x00624aa8
0x00624abf
0x00624ae2
0x00624ae9
0x00624ae9
0x00624af2
0x00624aff
0x00624b03
0x00624b09
0x00624b0c
0x00624b1a
0x00624b29
0x00624b38
0x00624b3d
0x00624b3d
0x00624b44
0x00624b47
0x00624b4a
0x00624b57
0x00624b69

APIs

Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624B84,00000000, /s ",006D479C,regsvr32.exe",?,00624B84), ref: 00624AF2

Strings

/s ", xrefs: 00624A4B
Spawning 64-bit RegSvr32: , xrefs: 00624A6D
Spawning 32-bit RegSvr32: , xrefs: 00624A87
0x%x, xrefs: 00624B15
regsvr32.exe", xrefs: 00624A23
CreateProcess, xrefs: 00624AE4
/u, xrefs: 00624A3E
D, xrefs: 00624AA8

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: ff6b3e51cfe6d65b4fd66b800098d3e8dbd157fe585adce9f2af6c58d9b3f159
Instruction ID: 95f43718ecb6a3265bc8f77fac2cb7b4ee0adae1cc946baa76750ec423c23771
Opcode Fuzzy Hash: ff6b3e51cfe6d65b4fd66b800098d3e8dbd157fe585adce9f2af6c58d9b3f159
Instruction Fuzzy Hash: DA413134A40718ABDB10EFE5D892BDDBBBAFF48304F50417EA504A7282DB749A05CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004062CC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062CC(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x6ce05c == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L0040529C();
				} else {
					_t7 = E0040A6C4(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x6c407c; // 0x40543c
					_t12 = E0040A6C4(_t11);
					_t13 =  *0x6c407c; // 0x40543c
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E0040A6C4(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004062cc
0x004062cf
0x004062d1
0x004062da
0x0040633d
0x00406342
0x00406343
0x00406344
0x00406346
0x004062dc
0x004062e5
0x004062f4
0x00406300
0x00406305
0x0040630b
0x00406319
0x00406327
0x00406336
0x00406336
0x0040634e

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336

Strings

<T@, xrefs: 00406300, 0040630B

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite
String ID: <T@
API String ID: 3320372497-2050694182
Opcode ID: 4b1bca956a6cf0ac3a8163dca5164d8526c5294e1121d059f47b6d96abba5736
Instruction ID: 33e408ca48ad1dbcb2fa22716985c37038247fab0905643a34c658cb983966db
Opcode Fuzzy Hash: 4b1bca956a6cf0ac3a8163dca5164d8526c5294e1121d059f47b6d96abba5736
Instruction Fuzzy Hash: A401A9A16086147DE610F3BA9C8AF6B279CCB0976CF10463BB614F61D2C97C9C548B7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D88, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405D88(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x6ce05d; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00405764();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								if(VirtualFree(_t103, 0, 0x8000) == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x6d0b7c = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x6ce98d;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x6ce05d; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x6ceaec], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x6ce98d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x6ceaec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004055DC(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E004055DC(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x6ceaf4 - 0x13ffe0;
							if( *0x6ceaf4 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E0040567C(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x6ceaf4 = 0x13ffe0;
								 *0x6ceaf0 = _t82;
								 *0x6ceaec = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x6ceaec = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E0040561C(_t106, _t88, _t81);
							 *0x6ceaec = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x00405d88
0x00405d88
0x00405d91
0x00405d97
0x00405e80
0x00405e83
0x00405f70
0x00405f71
0x00405f74
0x00405814
0x00405816
0x00405818
0x0040581d
0x00405820
0x00405825
0x00405829
0x0040582f
0x00405833
0x00405839
0x00405855
0x00405859
0x0040585c
0x0040585c
0x0040585e
0x00405866
0x00405873
0x00405878
0x0040587a
0x0040587c
0x0040587f
0x0040587f
0x00405881
0x00405885
0x00405887
0x00405889
0x0040588b
0x00000000
0x0040588b
0x00000000
0x00405887
0x0040583b
0x0040584a
0x00405850
0x0040584c
0x0040584c
0x0040584c
0x0040584a
0x0040588f
0x00405891
0x0040589a
0x004058a3
0x004058a3
0x004058a6
0x004058b6
0x00405f7a
0x00405f7f
0x00405f7f
0x00000000
0x00000000
0x00000000
0x00405d9d
0x00405d9d
0x00405d9f
0x00405da1
0x00405e04
0x00405e04
0x00405e09
0x00405e0d
0x00000000
0x00000000
0x00405e0f
0x00405e11
0x00405e18
0x00000000
0x00405e1a
0x00405e1e
0x00405e23
0x00405e24
0x00405e25
0x00405e2a
0x00405e2e
0x00405e38
0x00405e3d
0x00405e3e
0x00000000
0x00405e3e
0x00405e2e
0x00000000
0x00405e18
0x00405e04
0x00405da3
0x00405da3
0x00405da3
0x00405da3
0x00405da7
0x00405daa
0x00405dd8
0x00405dda
0x00405def
0x00405def
0x00405ddc
0x00405ddc
0x00405ddf
0x00405de2
0x00405de5
0x00405de8
0x00405dea
0x00405ded
0x00000000
0x00000000
0x00405ded
0x00405df2
0x00405df4
0x00405df6
0x00405df9
0x00405e89
0x00405e8c
0x00405e8e
0x00405e90
0x00405e91
0x00405e93
0x00405e44
0x00405e44
0x00405e49
0x00405e51
0x00000000
0x00000000
0x00405e53
0x00405e55
0x00405e5c
0x00000000
0x00405e5e
0x00405e60
0x00405e65
0x00405e6a
0x00405e72
0x00405e76
0x00000000
0x00405e76
0x00405e72
0x00000000
0x00405e5c
0x00405e44
0x00405e95
0x00405e95
0x00405e9d
0x00405ea1
0x00405ed8
0x00405edb
0x00405ede
0x00405ee0
0x00405ee6
0x00405ee8
0x00405ee8
0x00405ea3
0x00405ea3
0x00405ea3
0x00405ea6
0x00405ea6
0x00405eaa
0x00405eae
0x00405ef0
0x00405ef3
0x00405ef5
0x00405ef7
0x00405efd
0x00405f01
0x00405f01
0x00405efd
0x00405eb0
0x00405eb6
0x00405f08
0x00405f12
0x00405f40
0x00405f46
0x00405f4b
0x00405f52
0x00405f5c
0x00405f62
0x00405f69
0x00405f6d
0x00405f14
0x00405f14
0x00405f17
0x00405f19
0x00405f1c
0x00405f1f
0x00405f21
0x00405f30
0x00405f35
0x00405f38
0x00405f3c
0x00405f3c
0x00405eb8
0x00405ebb
0x00405ebe
0x00405ec6
0x00405ecb
0x00405ed2
0x00405ed6
0x00405ed6
0x00405dac
0x00405dac
0x00405dae
0x00405db4
0x00405db7
0x00405dc0
0x00405dc3
0x00405dc6
0x00405dc9
0x00405dcc
0x00405dcf
0x00405dd2
0x00405dd2
0x00405dd4
0x00405dd5
0x00405db9
0x00405db9
0x00405db9
0x00405dbb
0x00405dbd
0x00405dbe
0x00405dbe
0x00405db7
0x00405daa

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8bac78cd018c24294fae1372a9ade90c3476160636c7b0da8341b439c678a567
Instruction ID: da3bc9e3fd9e780578e72be1a575793d19e87bbd1db11b6bdefce3007bd96747
Opcode Fuzzy Hash: 8bac78cd018c24294fae1372a9ade90c3476160636c7b0da8341b439c678a567
Instruction Fuzzy Hash: CA71D131600A408FD715DB29C988B27BBD5EF85314F18C17FE884AB3D2D6B98941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00628C68, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00628C68(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				void* _t44;
				intOrPtr _t50;
				void* _t51;
				void* _t65;
				void* _t71;
				void* _t76;
				intOrPtr _t88;
				signed int _t103;
				void* _t104;
				char _t106;
				void* _t109;
				void* _t122;

				_t122 = __fp0;
				_push(__ebx);
				_push(__esi);
				_v24 = 0;
				_v8 = __ecx;
				_t106 = __edx;
				_t76 = __eax;
				_push(_t109);
				_push(0x628dee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109 + 0xffffffec;
				_t103 = E0060BC90(__eax, __edx, __eflags);
				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
					_v9 = 1;
					goto L18;
				} else {
					_v20 = _t106;
					_v16 = 0x11;
					E00615D14(L"Deleting directory: %s", _t76, 0,  &_v20, _t103, _t106);
					if((_t103 & 0x00000001) == 0) {
						L9:
						_t44 = E0060BFC4(_t76, _t106, _t117);
						asm("sbb eax, eax");
						_v9 = _t44 + 1;
						if(_v9 != 0) {
							L18:
							_pop(_t88);
							 *[fs:eax] = _t88;
							_push(E00628DF5);
							return E0040A1C8( &_v24);
						}
						_t104 = GetLastError();
						if(_v8 == 0) {
							__eflags = _a4;
							if(_a4 == 0) {
								L16:
								_v20 = _t104;
								_v16 = 0;
								E00615D14(L"Failed to delete directory (%d).", _t76, 0,  &_v20, _t104, _t106);
								goto L18;
							}
							_t50 = E00628A94(_a4, _t76, _t106, _t106);
							__eflags = _t50;
							if(_t50 == 0) {
								goto L16;
							}
							_t51 = E00429D10();
							__eflags = _t51 - 2;
							if(_t51 != 2) {
								goto L16;
							}
							_v20 = _t104;
							_v16 = 0;
							E00615D14(L"Failed to delete directory (%d). Will delete on restart (if empty).", _t76, 0,  &_v20, _t104, _t106);
							E00628B7C(_t76, _t76, _t106, _t104, _t106);
							goto L18;
						}
						_v20 = _t104;
						_v16 = 0;
						E00615D14(L"Failed to delete directory (%d). Will retry later.", _t76, 0,  &_v20, _t104, _t106);
						E0040B29C();
						E0040B470( &_v24, _t106);
						E0060FFA0(_v8, 0, _v24, _t122);
						goto L18;
					}
					_t115 = _t103 & 0x00000400;
					if((_t103 & 0x00000400) != 0) {
						L5:
						_t65 = E0060C03C(_t76, 0xfffffffe & _t103, _t106, _t116);
						_t117 = _t65;
						if(_t65 == 0) {
							E00615A90(L"Failed to strip read-only attribute.", _t76, _t103, _t106);
						} else {
							E00615A90(L"Stripped read-only attribute.", _t76, _t103, _t106);
						}
						goto L9;
					}
					_t71 = E0060D90C(_t76, _t76, _t106, _t106, _t115);
					_t116 = _t71;
					if(_t71 == 0) {
						E00615A90(L"Not stripping read-only attribute because the directory does not appear to be empty.", _t76, _t103, _t106);
						goto L9;
					}
					goto L5;
				}
			}

0x00628c68
0x00628c6e
0x00628c6f
0x00628c73
0x00628c76
0x00628c79
0x00628c7b
0x00628c7f
0x00628c80
0x00628c85
0x00628c88
0x00628c94
0x00628c99
0x00628dd4
0x00000000
0x00628cab
0x00628cab
0x00628cae
0x00628cbc
0x00628cc7
0x00628d14
0x00628d18
0x00628d20
0x00628d23
0x00628d2a
0x00628dd8
0x00628dda
0x00628ddd
0x00628de0
0x00628ded
0x00628ded
0x00628d35
0x00628d3b
0x00628d7d
0x00628d81
0x00628dbc
0x00628dbc
0x00628dbf
0x00628dcd
0x00000000
0x00628dcd
0x00628d88
0x00628d8d
0x00628d8f
0x00000000
0x00000000
0x00628d91
0x00628d96
0x00628d99
0x00000000
0x00000000
0x00628d9b
0x00628d9e
0x00628dac
0x00628db5
0x00000000
0x00628db5
0x00628d3d
0x00628d40
0x00628d4e
0x00628d61
0x00628d6b
0x00628d76
0x00000000
0x00628d76
0x00628cc9
0x00628ccf
0x00628cde
0x00628ce9
0x00628cee
0x00628cf0
0x00628d03
0x00628cf2
0x00628cf7
0x00628cf7
0x00000000
0x00628cf0
0x00628cd5
0x00628cda
0x00628cdc
0x00628d0f
0x00000000
0x00628d0f
0x00000000
0x00628cdc

APIs

GetLastError.KERNEL32(00000000,00628DEE,?,00000000,?), ref: 00628D30

Part of subcall function 0060D90C: FindClose.KERNEL32(000000FF,0060DA01), ref: 0060D9F0

Strings

Stripped read-only attribute., xrefs: 00628CF2
Failed to delete directory (%d). Will retry later., xrefs: 00628D49
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00628DA7
Failed to delete directory (%d)., xrefs: 00628DC8
Deleting directory: %s, xrefs: 00628CB7
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00628D0A
Failed to strip read-only attribute., xrefs: 00628CFE

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: aa3b3f088d5fbb5b1b5d06c422d89045a40eca079ae14add12b28603df552b18
Instruction ID: 0d7053e611d435c1968383ac90d2efcc691faa7e680c69a06bbf0affe518b4a0
Opcode Fuzzy Hash: aa3b3f088d5fbb5b1b5d06c422d89045a40eca079ae14add12b28603df552b18
Instruction Fuzzy Hash: 3041D630A019288EDB04EB68EC452EEB6F7AF94304F55897EA411E73C1CF748D098F66

Uniqueness

Uniqueness Score: -1.00%

Function 005B8390, Relevance: 12.1, APIs: 8, Instructions: 99
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005B8390(void* __eax, struct HWND__** __edx) {
				long _v20;
				intOrPtr _t17;
				intOrPtr _t30;
				void* _t46;
				void* _t50;
				struct HWND__** _t51;
				struct HWND__* _t52;
				struct HWND__* _t53;
				void* _t54;
				DWORD* _t55;

				_t55 = _t54 + 0xfffffff8;
				_t51 = __edx;
				_t50 = __eax;
				_t46 = 0;
				_t17 =  *((intOrPtr*)(__edx + 4));
				if(_t17 < 0x100 || _t17 > 0x109) {
					L19:
					return _t46;
				} else {
					_t52 = GetCapture();
					if(_t52 != 0) {
						GetWindowThreadProcessId(_t52, _t55);
						GetWindowThreadProcessId( *(_t50 + 0x188),  &_v20);
						if( *_t55 == _v20 && SendMessageW(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
							_t46 = 1;
						}
						goto L19;
					}
					_t53 =  *_t51;
					_t30 =  *((intOrPtr*)(_t50 + 0x58));
					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x3c4))) {
						L7:
						if(E0050E9B4(_t53) == 0 && _t53 != 0) {
							_t53 = GetParent(_t53);
							goto L7;
						}
						if(_t53 == 0) {
							_t53 =  *_t51;
						}
						goto L11;
					} else {
						_t53 = E0051B414(_t30);
						L11:
						if(IsWindowUnicode(_t53) == 0) {
							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						} else {
							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						}
						goto L19;
					}
				}
			}

0x005b8394
0x005b8397
0x005b8399
0x005b839b
0x005b839d
0x005b83a5
0x005b847e
0x005b8486
0x005b83b6
0x005b83bb
0x005b83bf
0x005b8442
0x005b8453
0x005b845f
0x005b847c
0x005b847c
0x00000000
0x005b845f
0x005b83c1
0x005b83c3
0x005b83c8
0x005b83e3
0x005b83ec
0x005b83e1
0x00000000
0x005b83e1
0x005b83f4
0x005b83f6
0x005b83f6
0x00000000
0x005b83d2
0x005b83d7
0x005b83f8
0x005b8400
0x005b843a
0x005b843c
0x005b843c
0x005b8402
0x005b841b
0x005b841d
0x005b841d
0x005b841b
0x00000000
0x005b8400
0x005b83c8

APIs

GetCapture.USER32 ref: 005B83B6
IsWindowUnicode.USER32(00000000), ref: 005B83F9
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 222849e93f791e6fe5336b19d95e43f48479be18d58de6e0f9e896b259e8fefc
Instruction ID: 47a373bf8cf15ed47240c2e20fb0cc0c25a2ef49831a5707915557531a2b0ceb
Opcode Fuzzy Hash: 222849e93f791e6fe5336b19d95e43f48479be18d58de6e0f9e896b259e8fefc
Instruction Fuzzy Hash: 0021CEB520460A6FDA60EA99CE80FF777DCFF44748B105829B999C3642EE14FC40C769

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00405F80(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00405A04(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E004055C0(_t202, _t218, _t150);
										E00405D88(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00405A04(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00405590(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E00405D88(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00405A04(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00405590(_t217, _t207, _t109);
									E00405D88(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x6ce05d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E004055DC(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E0040561C(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x6ceaec = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x6ceaec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x6ce98d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x6ceaec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x6ceaec = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x6ce05d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x6ceaec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x6ce98d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x6ceaec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E004055DC(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E0040561C(_t217 + _t238, _t174, _t161);
									}
									 *0x6ceaec = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00405A04(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E004055C0(_t217, _t213, _t140);
											E00405D88(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00405A04((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E00405D88(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00405A04(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E00405D88(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00405f80
0x00405f80
0x00405f80
0x00405f88
0x00405f8a
0x00406018
0x0040601b
0x00406288
0x00406289
0x0040628a
0x0040628d
0x004058b8
0x004058b9
0x004058ba
0x004058bb
0x004058bc
0x004058bf
0x004058c1
0x004058c8
0x004058d1
0x004058d6
0x004059bd
0x004059bf
0x004059d2
0x004059d4
0x004059d6
0x004059d8
0x004059de
0x004059e2
0x004059e2
0x004059e5
0x004059e5
0x004059ee
0x004059f5
0x004059f5
0x004059c1
0x004059c1
0x004059c6
0x004059c6
0x004058dc
0x004058e5
0x004058eb
0x004058e7
0x004058e7
0x004058e7
0x004058f7
0x00405906
0x00405913
0x00405983
0x0040598a
0x0040598c
0x0040598e
0x00405990
0x00405996
0x0040599a
0x0040599a
0x0040599d
0x0040599d
0x004059ad
0x004059b4
0x004059b4
0x00405915
0x00405915
0x00405921
0x00405927
0x00000000
0x00405929
0x0040593a
0x0040593e
0x00405940
0x00405940
0x00405956
0x00000000
0x0040596e
0x00405970
0x00405973
0x0040597c
0x0040597f
0x0040597f
0x00405956
0x00405927
0x00405913
0x00405a03
0x00406293
0x00406293
0x00406295
0x00406295
0x00406021
0x00406023
0x00406026
0x00406027
0x0040602a
0x0040602d
0x00406030
0x00406032
0x00406033
0x00406148
0x0040614b
0x0040614d
0x00406240
0x0040624b
0x00406252
0x00406254
0x00406257
0x0040625c
0x0040625d
0x0040625f
0x00000000
0x00406261
0x00406261
0x00406267
0x00406269
0x00406269
0x0040626c
0x00406274
0x0040627b
0x00406286
0x00406286
0x00406153
0x00406153
0x00406156
0x00406159
0x0040615b
0x00000000
0x00406161
0x00406161
0x00406168
0x004061c5
0x004061c5
0x004061ca
0x004061d0
0x004061d5
0x004061d6
0x004061d6
0x004061e2
0x004061f3
0x004061f9
0x004061f9
0x004061fb
0x00406208
0x0040620f
0x00406213
0x00406215
0x0040621b
0x0040621d
0x0040621f
0x0040621f
0x004061fd
0x004061fd
0x00406201
0x00406201
0x00406224
0x00406224
0x00406226
0x00406229
0x00406230
0x00406232
0x00406236
0x0040616a
0x0040616a
0x0040616f
0x00406177
0x00000000
0x00000000
0x00406179
0x0040617b
0x00406182
0x00000000
0x00406184
0x00406188
0x0040618d
0x0040618e
0x00406194
0x0040619c
0x004061a2
0x004061a7
0x004061a8
0x00000000
0x004061a8
0x0040619c
0x00000000
0x00406182
0x004061b1
0x004061b4
0x004061b7
0x004061b9
0x00406239
0x00406239
0x00000000
0x004061bb
0x004061bb
0x004061be
0x004061c1
0x004061c3
0x00000000
0x00000000
0x00000000
0x00000000
0x004061c3
0x004061b9
0x00406168
0x0040615b
0x00406039
0x0040603c
0x0040603e
0x00406048
0x0040604e
0x00406065
0x00406065
0x00406071
0x00406077
0x00406079
0x00406080
0x00406082
0x00406087
0x0040608f
0x00000000
0x00000000
0x00406091
0x00406093
0x0040609a
0x00000000
0x0040609c
0x0040609f
0x004060a4
0x004060aa
0x004060b2
0x004060b7
0x004060bc
0x00000000
0x004060bc
0x004060b2
0x00000000
0x0040609a
0x004060c5
0x004060c5
0x004060c5
0x004060ca
0x004060cd
0x004060cf
0x004060d2
0x004060d5
0x004060e0
0x004060e2
0x004060e5
0x004060e7
0x004060e9
0x004060ef
0x004060f1
0x004060f1
0x004060d7
0x004060da
0x004060da
0x004060f6
0x004060fc
0x00406100
0x00406106
0x0040610d
0x0040610d
0x00406112
0x0040611f
0x00406050
0x00406050
0x00406056
0x00406120
0x00406124
0x00406129
0x0040612b
0x0040612d
0x00406135
0x0040613c
0x00406141
0x00406141
0x00406147
0x0040605c
0x0040605c
0x00406061
0x00406063
0x00000000
0x00000000
0x00000000
0x00000000
0x00406063
0x00406056
0x00406040
0x00406040
0x00406044
0x00406044
0x0040603e
0x00406033
0x00405f90
0x00405f90
0x00405f92
0x00405f96
0x00405f99
0x00405f9b
0x00405fd4
0x00405fd8
0x00405fd9
0x00405fdb
0x00405fdd
0x00405fdf
0x00405fe2
0x00405fe4
0x00405fe6
0x00405feb
0x00405fed
0x00405fef
0x00405ff5
0x00405ff7
0x00405ff7
0x00405ffe
0x00405ffe
0x00406001
0x00406003
0x0040600c
0x00406011
0x00406011
0x00406013
0x00406014
0x00406015
0x00406016
0x00405f9d
0x00405f9d
0x00405fa4
0x00405fa6
0x00405fac
0x00405fae
0x00405fb0
0x00405fb5
0x00405fb7
0x00405fb9
0x00405fbb
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fcd
0x00405fcf
0x00405fd0
0x00405fd1
0x00405fa8
0x00405fa8
0x00405fa9
0x00405faa
0x00405faa
0x00405fa6
0x00405f9b

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608735f5bce0e36611a6a74c8b5942bb2db45b7b298456c3db6888c90be37e0c
Instruction ID: 7dd5b4cb36b4a9a591d6b9d30fe19ff178ae28b977775f2e11cfa4002bd538ad
Opcode Fuzzy Hash: 608735f5bce0e36611a6a74c8b5942bb2db45b7b298456c3db6888c90be37e0c
Instruction Fuzzy Hash: 04C123A2710A004BD714AA7D9C8476FB286DBC5324F19823FF645EB3D6DA7CCC558B88

Uniqueness

Uniqueness Score: -1.00%

Function 0060D210, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0060D210(char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v41;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				void* __ecx;
				char _t90;
				char _t167;
				char _t168;
				intOrPtr _t171;
				intOrPtr _t179;
				intOrPtr _t186;
				intOrPtr _t207;
				intOrPtr _t217;
				intOrPtr _t218;

				_t215 = __esi;
				_t214 = __edi;
				_t217 = _t218;
				_t171 = 8;
				goto L1;
				L4:
				if(E005C6564() != 0) {
					__eflags = _t167;
					if(__eflags == 0) {
						E0060CFB0(_v8, _t167,  &_v68, _t214, _t215, __eflags);
						E0040A5F0( &_v8, _v68);
						__eflags = _v12;
						if(__eflags != 0) {
							E0060CFB0(_v12, _t167,  &_v72, _t214, _t215, __eflags);
							E0040A5F0( &_v12, _v72);
						}
					}
					_t90 = E0060BEB8(_t167, _v12, _v8, 5);
					__eflags = _t90;
					if(_t90 == 0) {
						E0060C7E4(L"MoveFileEx");
					}
					__eflags = 0;
					_pop(_t186);
					 *[fs:eax] = _t186;
					_push(E0060D539);
					E0040A228( &_v72, 7);
					return E0040A228( &_v32, 7);
				} else {
					E005C61AC( &_v16);
					E005C4D00(_v16,  &_v56);
					E0040B4C8( &_v20, L"WININIT.INI", _v56);
					E0060CBF4(0, _t167, L".tmp", _v16, _t214, _t215,  &_v24);
					_push(_t217);
					_push(0x60d49e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t218;
					_v36 = 0;
					_v40 = 0;
					_push(_t217);
					_push(0x60d442);
					_push( *[fs:eax]);
					 *[fs:eax] = _t218;
					WritePrivateProfileStringW(0, 0, 0, E0040B278(_v20));
					_v36 = E005CAD34(1, 1, 0, 3);
					_t179 = _v24;
					_v40 = E005CAD34(1, 0, 1, 0);
					_v41 = 0;
					_t168 = 0;
					while(E005CAFD4(_v36) == 0) {
						E005CAFE4(_v36, _t168,  &_v28, _t214, _t215, __eflags);
						E004225E4(_v28, 1,  &_v32, _t215);
						__eflags = _v32;
						if(__eflags == 0) {
							L11:
							E005CB31C(_v40, 1, _v28, _t215, __eflags);
							_t168 = 0;
							__eflags = 0;
							continue;
						} else {
							__eflags =  *_v32 - 0x5b;
							if(__eflags != 0) {
								goto L11;
							} else {
								__eflags = E00422360(_v32, _t179, L"[rename]");
								if(__eflags != 0) {
									__eflags = _v41;
									if(__eflags == 0) {
										goto L11;
									}
								} else {
									_v41 = 1;
									goto L11;
								}
							}
						}
						break;
					}
					_t223 = _v41;
					if(_v41 == 0) {
						E005CB31C(_v40, _t168, L"[rename]", _t215, _t223);
					}
					_t224 = _v12;
					if(_v12 == 0) {
						E0040A5F0( &_v32, 0x60d5a8);
					} else {
						E005C6154(_v12, _t179,  &_v32, _t224);
					}
					_push(_v32);
					_push(0x60d5bc);
					E005C6154(_v8, _t179,  &_v64, _t224);
					_push(_v64);
					E0040B550( &_v60, _t168, 3, _t214, _t215);
					E005CB31C(_v40, _t168, _v60, _t215, _t224);
					_t225 = _t168;
					if(_t168 != 0) {
						E005CB31C(_v40, _t168, _v28, _t215, _t225);
					}
					while(E005CAFD4(_v36) == 0) {
						E005CAFE4(_v36, _t168,  &_v28, _t214, _t215, __eflags);
						E005CB31C(_v40, _t168, _v28, _t215, __eflags);
					}
					_pop(_t207);
					 *[fs:eax] = _t207;
					_push(E0060D449);
					E00408444(_v40);
					return E00408444(_v36);
				}
				L1:
				_push(0);
				_push(0);
				_t171 = _t171 - 1;
				if(_t171 != 0) {
					goto L1;
				} else {
					_t1 =  &_v8;
					 *_t1 = _t171;
					_push(__esi);
					_push(__edi);
					_v12 =  *_t1;
					_v8 = __edx;
					_t167 = __eax;
					E0040A2AC(_v8);
					E0040A2AC(_v12);
					_push(_t217);
					_push(0x60d532);
					 *[fs:eax] = _t218;
					E005C5124(_v8,  &_v48, _t217,  *[fs:eax]);
					E0040A5F0( &_v8, _v48);
					if(_v12 != 0) {
						E005C5124(_v12,  &_v52, _t217);
						E0040A5F0( &_v12, _v52);
					}
				}
				goto L4;
			}

0x0060d210
0x0060d210
0x0060d211
0x0060d214
0x0060d214
0x0060d27e
0x0060d285
0x0060d4b7
0x0060d4b9
0x0060d4c1
0x0060d4cc
0x0060d4d1
0x0060d4d5
0x0060d4dd
0x0060d4e8
0x0060d4e8
0x0060d4d5
0x0060d4f7
0x0060d4fc
0x0060d4fe
0x0060d505
0x0060d505
0x0060d50a
0x0060d50c
0x0060d50f
0x0060d512
0x0060d51f
0x0060d531
0x0060d28b
0x0060d28e
0x0060d299
0x0060d2a9
0x0060d2bc
0x0060d2c3
0x0060d2c4
0x0060d2c9
0x0060d2cc
0x0060d2d1
0x0060d2d6
0x0060d2db
0x0060d2dc
0x0060d2e1
0x0060d2e4
0x0060d2f6
0x0060d310
0x0060d319
0x0060d328
0x0060d32b
0x0060d32f
0x0060d384
0x0060d339
0x0060d346
0x0060d34b
0x0060d34f
0x0060d377
0x0060d37d
0x0060d382
0x0060d382
0x00000000
0x0060d351
0x0060d354
0x0060d358
0x00000000
0x0060d35a
0x0060d367
0x0060d369
0x0060d371
0x0060d375
0x00000000
0x00000000
0x0060d36b
0x0060d36b
0x00000000
0x0060d36b
0x0060d369
0x0060d358
0x00000000
0x0060d34f
0x0060d390
0x0060d394
0x0060d39e
0x0060d39e
0x0060d3a3
0x0060d3a7
0x0060d3be
0x0060d3a9
0x0060d3af
0x0060d3af
0x0060d3c3
0x0060d3c6
0x0060d3d1
0x0060d3d6
0x0060d3e1
0x0060d3ec
0x0060d3f1
0x0060d3f3
0x0060d3fb
0x0060d3fb
0x0060d418
0x0060d408
0x0060d413
0x0060d413
0x0060d426
0x0060d429
0x0060d42c
0x0060d434
0x0060d441
0x0060d441
0x0060d219
0x0060d219
0x0060d21b
0x0060d21d
0x0060d21e
0x00000000
0x0060d220
0x0060d220
0x0060d220
0x0060d224
0x0060d225
0x0060d226
0x0060d229
0x0060d22c
0x0060d231
0x0060d239
0x0060d240
0x0060d241
0x0060d249
0x0060d252
0x0060d25d
0x0060d266
0x0060d26e
0x0060d279
0x0060d279
0x0060d266
0x00000000

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D2F6

Strings

NUL, xrefs: 0060D3B9
.tmp, xrefs: 0060D2B2
MoveFileEx, xrefs: 0060D500
[rename], xrefs: 0060D35A, 0060D396
WININIT.INI, xrefs: 0060D2A4

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: b9ebf660728a835d33957e48bea4b0eea1af9e845cae36a148b089ac74072d33
Instruction ID: 7d9515a221cbc80ce02f792d78276580e8b66b65743a39b66aad4c04d9ca5984
Opcode Fuzzy Hash: b9ebf660728a835d33957e48bea4b0eea1af9e845cae36a148b089ac74072d33
Instruction Fuzzy Hash: E7812B70A40209AFDF14EBE4D882BDEBBB6FF84304F504569E800B7291D778AE45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00408E18, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408E18(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E004092D8(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040901C(_t71);
								_t57 =  *0x6ce8fc; // 0x6c66d4
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00408AF8( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x00408e1f
0x00408e21
0x00408e23
0x00408e26
0x00408e26
0x00408e2d
0x00408e34
0x00000000
0x00000000
0x00408e42
0x00408e49
0x00408ee1
0x00408ee1
0x00408ee1
0x00408ee5
0x00000000
0x00000000
0x00408ef0
0x00408ef6
0x00000000
0x00000000
0x00000000
0x00000000
0x00408ef8
0x00408ef8
0x00408efd
0x00408f03
0x00408f0a
0x00408f14
0x00408f19
0x00408f20
0x00408f27
0x00408f35
0x00408f43
0x00408f37
0x00408f3f
0x00408f3f
0x00408f35
0x00408f49
0x00408f6b
0x00408f74
0x00408f78
0x00408f7c
0x00000000
0x00408f4b
0x00408f4b
0x00408f50
0x00000000
0x00000000
0x00408f5c
0x00408f62
0x00000000
0x00000000
0x00408f64
0x00000000
0x00408f64
0x00408f4b
0x00408f81
0x00408f81
0x00408f90
0x00408f97
0x00408f9a
0x00408f9a
0x00000000
0x00408f90
0x00000000
0x00408ee1
0x00408e54
0x00408e5a
0x00408e60
0x00408ebc
0x00408ebf
0x00000000
0x00000000
0x00408ec6
0x00408ece
0x00408ed4
0x00408edf
0x00000000
0x00408edf
0x00408ed6
0x00000000
0x00408ed6
0x00000000
0x00408e62
0x00408e65
0x00000000
0x00408e74
0x00408e74
0x00408e74
0x00000000
0x00408e7d
0x00408e80
0x00000000
0x00000000
0x00408e85
0x00408eae
0x00408eb2
0x00408eb7
0x00408eba
0x00000000
0x00000000
0x00000000
0x00408eba
0x00408e8e
0x00408e94
0x00000000
0x00000000
0x00408e9b
0x00408e9e
0x00408ea5
0x00000000
0x00408ea5
0x00408fa1
0x00408fac

APIs

Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB

GetTickCount.KERNEL32 ref: 00408E4F
GetTickCount.KERNEL32 ref: 00408E67
GetCurrentThreadId.KERNEL32 ref: 00408E96
GetTickCount.KERNEL32 ref: 00408EC1
GetTickCount.KERNEL32 ref: 00408EF8
GetTickCount.KERNEL32 ref: 00408F22
GetCurrentThreadId.KERNEL32 ref: 00408F92

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 6ac2be8b98c6d59f6bfb7c2bc899f414c467b6e539e9ece706351b94971b3cf7
Instruction ID: 6a262f9eb7bf8d50cb6d4ed5a75cfeecc0694df2e1247547c03083db5600c3d5
Opcode Fuzzy Hash: 6ac2be8b98c6d59f6bfb7c2bc899f414c467b6e539e9ece706351b94971b3cf7
Instruction Fuzzy Hash: C74171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A

Uniqueness

Uniqueness Score: -1.00%

Function 006A490C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E006A490C(void* __eax, void* __edx, intOrPtr _a4076) {
				char _v4120;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t6;
				void* _t11;
				signed char _t14;
				void* _t22;
				intOrPtr* _t23;
				void* _t24;
				void* _t28;
				long _t30;
				void* _t31;
				void* _t32;
				void* _t33;

				_push(__eax);
				_t6 = 2;
				do {
					_t32 = _t32 + 0xfffff004;
					_push(_t6);
					_t6 = _t6 - 1;
				} while (_t6 != 0);
				_t33 = _t32 + 4;
				_t28 = __edx;
				_t29 = _a4076;
				_t23 = E00414020(_t22, _a4076, GetModuleHandleW(L"kernel32.dll"), L"GetFinalPathNameByHandleW");
				if(_t23 == 0) {
					L11:
					_t11 = E0040A5A8(_t28, _t29);
				} else {
					_t14 = GetFileAttributesW(E0040B278(_t29));
					if(_t14 == 0xffffffff) {
						goto L11;
					} else {
						if((_t14 & 0x00000010) == 0) {
							_t30 = 0;
							__eflags = 0;
						} else {
							_t30 = 0x2000000;
						}
						_t31 = CreateFileW(E0040B278(_t29), 0, 7, 0, 3, _t30, 0);
						if(_t31 == 0xffffffff) {
							goto L11;
						} else {
							_t24 =  *_t23(_t31,  &_v4120, 0x1000, 0);
							CloseHandle(_t31);
							if(_t24 <= 0) {
								goto L11;
							} else {
								_t41 = _t24 - 0xff0;
								if(_t24 >= 0xff0) {
									goto L11;
								} else {
									_t11 = E006A4824(_t33, _t24, _t28, _t29, _t41);
								}
							}
						}
					}
				}
				return _t11;
			}

0x006a4910
0x006a4911
0x006a4916
0x006a4916
0x006a491c
0x006a491d
0x006a491d
0x006a4927
0x006a492a
0x006a492c
0x006a4943
0x006a4947
0x006a49b5
0x006a49b9
0x006a4949
0x006a4951
0x006a4959
0x00000000
0x006a495b
0x006a495d
0x006a4966
0x006a4966
0x006a495f
0x006a495f
0x006a495f
0x006a4980
0x006a4985
0x00000000
0x006a4987
0x006a4996
0x006a4999
0x006a49a0
0x00000000
0x006a49a2
0x006a49a2
0x006a49a8
0x00000000
0x006a49aa
0x006a49ae
0x006a49ae
0x006a49a8
0x006a49a0
0x006a4985
0x006a4959
0x006a49c8

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4938
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4951
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A497B
CloseHandle.KERNEL32(00000000), ref: 006A4999

Strings

kernel32.dll, xrefs: 006A4933
GetFinalPathNameByHandleW, xrefs: 006A492E

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: 46edc32922d97541eea9ffd5bf782110e08f3350b8b02ca49513a8707fc912eb
Instruction ID: 721dd7993c735447edb6cc92a4eac4eb3665cfe7763642c980e607850eaa0253
Opcode Fuzzy Hash: 46edc32922d97541eea9ffd5bf782110e08f3350b8b02ca49513a8707fc912eb
Instruction Fuzzy Hash: A711086078030427F520717B5C8AFBB268E8BD376DF10023ABA18DA3C3EDD99D52059E

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00408BB4(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00405324();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E00406F0C(_v16);
						_push(_t41);
						_push(E00408C62);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00405324();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E00408C69);
							return E00406F28(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E004099B8();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00408bb5
0x00408bb7
0x00408bbc
0x00408bd6
0x00408c69
0x00408c69
0x00000000
0x00408bdc
0x00408bdc
0x00408bdf
0x00408be0
0x00408be2
0x00408be9
0x00000000
0x00408bf5
0x00408bfd
0x00408c02
0x00408c03
0x00408c08
0x00408c0b
0x00408c11
0x00408c15
0x00408c16
0x00408c1b
0x00408c22
0x00408c4c
0x00408c4e
0x00408c51
0x00408c54
0x00408c61
0x00408c24
0x00408c24
0x00408c3f
0x00408c42
0x00408c4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c4a
0x00408c35
0x00408c38
0x00408c70
0x00408c76
0x00408c76
0x00408c22
0x00408be9
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB

Strings

kernel32.dll, xrefs: 00408BC4
GetLogicalProcessorInformation, xrefs: 00408BBF
@, xrefs: 00408C69

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29

Uniqueness

Uniqueness Score: -1.00%

Function 005CD18C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E005CD18C(void* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HDC__* _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICW _v76;
				signed int _t26;
				signed int _t27;
				void* _t36;
				intOrPtr _t43;
				long* _t45;
				signed int* _t47;
				void* _t50;

				_t37 = __ecx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = __ecx;
				_t47 = __edx;
				_t36 = __eax;
				_v8 = GetDC(0);
				_push(_t50);
				_push(0x5cd218);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50 + 0xffffffb8;
				SelectObject(_v8, E004EE230(_t36, _t36, _t37, _t45, _t47));
				GetTextExtentPointW(_v8, L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16);
				asm("cdq");
				_t26 = _v16.cx / 0x1a + 1;
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				 *_t47 = _t27;
				GetTextMetricsW(_v8,  &_v76);
				 *_t45 = _v76.tmHeight;
				_pop(_t43);
				 *[fs:eax] = _t43;
				_push(E005CD21F);
				return ReleaseDC(0, _v8);
			}

0x005cd18c
0x005cd192
0x005cd193
0x005cd194
0x005cd195
0x005cd197
0x005cd199
0x005cd1a2
0x005cd1a7
0x005cd1a8
0x005cd1ad
0x005cd1b0
0x005cd1bf
0x005cd1d3
0x005cd1e0
0x005cd1e3
0x005cd1e4
0x005cd1e6
0x005cd1e8
0x005cd1e8
0x005cd1eb
0x005cd1f5
0x005cd1fd
0x005cd201
0x005cd204
0x005cd207
0x005cd217

APIs

GetDC.USER32(00000000), ref: 005CD19D

Part of subcall function 004EE230: EnterCriticalSection.KERNEL32(?,00000000,004EE49F,?,?), ref: 004EE278

SelectObject.GDI32(0068C9D4,00000000), ref: 005CD1BF
GetTextExtentPointW.GDI32(0068C9D4,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CD1D3
GetTextMetricsW.GDI32(0068C9D4,?,00000000,005CD218,?,00000000,?,?,0068C9D4), ref: 005CD1F5
ReleaseDC.USER32 ref: 005CD212

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CD1CA

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1334710084-222967699
Opcode ID: cfdea7413595acbddd1e106899056d90e4d8163f6ab9ae2ba1f39e21ef6df673
Instruction ID: 7c54d4053370f3abf143933d0ccd8ed0548831f5c72a22e7813bae608c756ede
Opcode Fuzzy Hash: cfdea7413595acbddd1e106899056d90e4d8163f6ab9ae2ba1f39e21ef6df673
Instruction Fuzzy Hash: 6C016DBAA54204BFD700DEE9CC41FAEB7FCEB89714F51047AB604E7281D678AE008724

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00409E60(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x6ce05c == 0) {
					if( *0x6c4036 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L0040529C();
					}
					return _t3;
				} else {
					if( *0x6ce348 == 0xd7b2 &&  *0x6ce350 > 0) {
						 *0x6ce360();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E0040AC70(0x409ef4);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x00409e68
0x00409ece
0x00409ed0
0x00409ed2
0x00409ed7
0x00409edc
0x00409ede
0x00409ede
0x00409ee4
0x00409e6a
0x00409e73
0x00409e83
0x00409e83
0x00409e9f
0x00409eb2
0x00409ec6
0x00409ec6

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

Error, xrefs: 00409ED2
Runtime error at 00000000, xrefs: 00409E92, 00409ED7

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 045d3ad08753bf338bfa42345213cc89658a5cf1a888b84c100e5d4f8ba8bf1a
Instruction ID: 268cd0542ea206bc9f0d4c864baa5783ee04774fe02170aeb16690cb3bd490d1
Opcode Fuzzy Hash: 045d3ad08753bf338bfa42345213cc89658a5cf1a888b84c100e5d4f8ba8bf1a
Instruction Fuzzy Hash: CAF044A0A4438079FB10F7A19C57F7B2729D741B14F14152FB214791D2C6BD5CC48AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00431714, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00431714(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					L00430EC0(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L0042F044();
					return L00430EC0(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L0042F620();
						_t123 = _t64;
						if(_t123 == 0) {
							E00430C18(_t110);
						}
						L0043115C(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E0043168C(_v788 - 1, _t125) != 0) {
								L0042F648();
								L00430EC0(_v792);
								L0042F648();
								L00430EC0( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004316BC(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L0042F628();
							L00430EC0(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L0042F630();
							L00430EC0(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x00431714
0x00431720
0x00431726
0x0043172c
0x0043173c
0x00431743
0x00431743
0x0043174e
0x0043175c
0x004318e7
0x004318ee
0x004318ef
0x00000000
0x00431762
0x00431765
0x00431783
0x00431767
0x00431772
0x00431772
0x00431792
0x0043179e
0x004317a1
0x0043180e
0x00431814
0x00431815
0x0043181b
0x0043181c
0x0043181e
0x00431823
0x00431827
0x00431829
0x00431829
0x00431834
0x0043183f
0x0043184a
0x00431853
0x00431856
0x00431872
0x00431879
0x00431884
0x0043189b
0x004318a0
0x004318b4
0x004318b9
0x004318cc
0x004318cc
0x004318d5
0x00431858
0x00431858
0x00431859
0x0043185f
0x00431865
0x00431867
0x00431869
0x0043186c
0x0043186f
0x0043186f
0x00431872
0x00000000
0x00000000
0x00000000
0x00431872
0x004317a3
0x004317a3
0x004317a4
0x004317a6
0x004317ac
0x004317ae
0x004317bd
0x004317be
0x004317c8
0x004317c9
0x004317ce
0x004317d9
0x004317da
0x004317e4
0x004317e5
0x004317ea
0x00431805
0x00431807
0x00431808
0x0043180b
0x0043180b
0x00000000
0x004317ac
0x004317a1

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317C9
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317E5
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0043181E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0043189B
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318B4
VariantCopy.OLEAUT32(?,?), ref: 004318EF

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction ID: d043b24a0edc3b3be54f954eb6f8b3249bac98b3ef8f213e332385a6eed1b33d
Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction Fuzzy Hash: 0951ED75A012299FCB26DB59CC91BDAB3FCAF4C304F4451EAE508E7211D634AF858F68

Uniqueness

Uniqueness Score: -1.00%

Function 006AD100, Relevance: 9.1, APIs: 6, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006AD100(signed int __eax) {
				intOrPtr* _t14;
				signed int _t18;
				intOrPtr* _t19;
				intOrPtr* _t23;
				signed int _t26;
				long _t27;
				intOrPtr* _t29;
				intOrPtr* _t33;
				signed int _t37;
				intOrPtr* _t38;

				_t37 = __eax;
				 *0x6d5803 = __eax ^ 0x00000001;
				_t14 =  *0x6cceac; // 0x6d479c
				_t18 = GetWindowLongW( *( *_t14 + 0x188), 0xffffffec) & 0xffffff00 | (_t17 & 0x00000080) == 0x00000000;
				if(_t37 != _t18) {
					_t19 =  *0x6cceac; // 0x6d479c
					SetWindowPos( *( *_t19 + 0x188), 0, 0, 0, 0, 0, 0x97);
					_t23 =  *0x6cceac; // 0x6d479c
					_t26 = GetWindowLongW( *( *_t23 + 0x188), 0xffffffec);
					if(_t37 == 0) {
						_t27 = _t26 | 0x00000080;
					} else {
						_t27 = _t26 & 0xffffff7f;
					}
					_t38 =  *0x6cceac; // 0x6d479c
					SetWindowLongW( *( *_t38 + 0x188), 0xffffffec, _t27);
					if(_t37 == 0) {
						_t29 =  *0x6cceac; // 0x6d479c
						return SetWindowPos( *( *_t29 + 0x188), 0, 0, 0, 0, 0, 0x57);
					} else {
						_t33 =  *0x6cceac; // 0x6d479c
						return ShowWindow( *( *_t33 + 0x188), 5);
					}
				}
				return _t18;
			}

0x006ad101
0x006ad107
0x006ad10c
0x006ad123
0x006ad128
0x006ad13d
0x006ad14b
0x006ad150
0x006ad160
0x006ad167
0x006ad170
0x006ad169
0x006ad169
0x006ad169
0x006ad175
0x006ad187
0x006ad18e
0x006ad1b3
0x00000000
0x006ad190
0x006ad192
0x00000000
0x006ad1a0
0x006ad18e
0x006ad1c7

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006AD11C
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B6179,00000000,006B6AB5), ref: 006AD14B
GetWindowLongW.USER32(?,000000EC), ref: 006AD160
SetWindowLongW.USER32 ref: 006AD187
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AD1A0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AD1C1

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 8c15675f462a7cdb815d276fd5399c83959d586331ff738c09226122516c88e8
Instruction ID: e0796330955e18cad47395dd65cec407d9ab9d814e750fdff8721624bbe0e900
Opcode Fuzzy Hash: 8c15675f462a7cdb815d276fd5399c83959d586331ff738c09226122516c88e8
Instruction Fuzzy Hash: 9F114C75B45200AFC700EB68DC81FE277E9AB8E710F058296FA158B3F2CB75AC409B40

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405A04(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				intOrPtr* _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				intOrPtr* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				intOrPtr* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x6ce05d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00405764();
								_t99 =  *0x6d0b84; // 0x6d0b80
								 *_t147 = 0x6d0b80;
								 *0x6d0b84 = _t121;
								 *((intOrPtr*)(_t147 + 4)) = _t99;
								 *_t99 = _t121;
								 *0x6d0b7c = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x6ceaec], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x6ce98d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x6ceaec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x6ceafc + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x6ceaf8;
							if((0xfffffffe << _t132 &  *0x6ceaf8) == 0) {
								_t133 =  *0x6ceaf4; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E004056E8(_t125);
								} else {
									_t110 =  *0x6ceaf0; // 0x383fff0
									_t109 = _t110 - _t125;
									 *0x6ceaf0 = _t109;
									 *0x6ceaf4 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x6ceaec = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x6ceb7c + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x6ceafc + _t142 * 4;
								 *_t80 =  *(0x6ceafc + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x6ceaf8], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E0040561C(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x6ceaec = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x6ce994; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x6c4084 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x6ce98d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x6ce05d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x6ceaec], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x6ce98d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x6ceaec], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x6ceaf8;
							__eflags =  *(__ebx + 1) &  *0x6ceaf8;
							if(( *(__ebx + 1) &  *0x6ceaf8) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x6ceaf4; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E004056E8(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x6ceaec = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x6ceaf0; // 0x383fff0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x6ceaf4 =  *0x6ceaf4 - __edi;
									 *0x6ceaf0 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x6ceafc + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x6ceafc + __eax * 4) + __eax * 8 * 4;
								__edi = 0x6ceb7c + ( *(0x6ceafc + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x6ceafc + __eax * 4;
									 *_t38 =  *(0x6ceafc + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x6ceaf8], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E0040561C(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x6ceaec = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x3840010
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00405a04
0x00405a10
0x00405a16
0x00405c64
0x00405c69
0x00405d7c
0x00405d7d
0x00405d7f
0x004057b0
0x004057b4
0x004057b6
0x004057c0
0x004057d5
0x004057d9
0x004057db
0x004057dd
0x004057e3
0x004057e6
0x004057eb
0x004057f0
0x004057f6
0x004057fc
0x004057ff
0x00405801
0x00405808
0x00405808
0x00405811
0x00405d85
0x00405d85
0x00405d87
0x00405d87
0x00405c6f
0x00405c6f
0x00405c7b
0x00405c7e
0x00405c80
0x00405c28
0x00405c2d
0x00405c35
0x00000000
0x00000000
0x00405c37
0x00405c39
0x00405c40
0x00000000
0x00405c42
0x00405c44
0x00405c4e
0x00405c56
0x00405c5a
0x00000000
0x00405c5a
0x00405c56
0x00000000
0x00405c40
0x00405c28
0x00405c82
0x00405c82
0x00405c82
0x00405c8a
0x00405c8d
0x00405c97
0x00405c97
0x00405c9e
0x00405cb1
0x00405cb5
0x00405cbb
0x00405cd4
0x00405cda
0x00405cda
0x00405cdc
0x00405cfa
0x00405cde
0x00405cde
0x00405ce3
0x00405ce5
0x00405cea
0x00405cf3
0x00405cf3
0x00405cff
0x00405d07
0x00405cbd
0x00405cbd
0x00405cc7
0x00405ccf
0x00000000
0x00405ccf
0x00405ca0
0x00405ca3
0x00405ca6
0x00405d08
0x00405d08
0x00405d09
0x00405d0a
0x00405d11
0x00405d14
0x00405d17
0x00405d1a
0x00405d1c
0x00405d1e
0x00405d25
0x00405d27
0x00405d27
0x00405d27
0x00405d2e
0x00405d30
0x00405d30
0x00405d2e
0x00405d3c
0x00405d41
0x00405d41
0x00405d43
0x00405d64
0x00405d64
0x00405d64
0x00405d45
0x00405d45
0x00405d4b
0x00405d4e
0x00405d52
0x00405d58
0x00405d5a
0x00405d5a
0x00405d58
0x00405d69
0x00405d6c
0x00405d6f
0x00405d7b
0x00405d7b
0x00405c9e
0x00405a1c
0x00405a1c
0x00405a1e
0x00405a1e
0x00405a25
0x00405a2c
0x00405a84
0x00405a84
0x00405a89
0x00405a8d
0x00000000
0x00000000
0x00405a8f
0x00405a8f
0x00405a92
0x00405a97
0x00405a9b
0x00405a9d
0x00405a9d
0x00405aa0
0x00405aa5
0x00405aa9
0x00405aab
0x00405aae
0x00405ab0
0x00405ab7
0x00000000
0x00405ab9
0x00405abb
0x00405ac0
0x00405ac5
0x00405ac9
0x00405ad1
0x00000000
0x00405ad1
0x00405ac9
0x00405ab7
0x00405aa9
0x00000000
0x00405a9b
0x00405a84
0x00405a2e
0x00405a2e
0x00405a31
0x00405a34
0x00405a39
0x00405a3b
0x00405a54
0x00405a57
0x00405a5b
0x00405a5d
0x00405a60
0x00405ad8
0x00405ad9
0x00405ada
0x00405ae1
0x00405ae3
0x00405ae3
0x00405ae8
0x00405af0
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405afb
0x00000000
0x00405afd
0x00405aff
0x00405b04
0x00405b09
0x00405b11
0x00405b15
0x00000000
0x00405b15
0x00405b11
0x00000000
0x00405afb
0x00405ae3
0x00405b1c
0x00405b20
0x00405b20
0x00405b26
0x00405b98
0x00405b9c
0x00405ba2
0x00405ba4
0x00405bcc
0x00405bd0
0x00405bd2
0x00405bd7
0x00405bd9
0x00405bdb
0x00000000
0x00405bdd
0x00405bdd
0x00405be2
0x00405be4
0x00405be5
0x00405be6
0x00405be7
0x00405be7
0x00405ba6
0x00405ba6
0x00405bac
0x00405bb0
0x00405bb6
0x00405bb8
0x00405bba
0x00405bba
0x00405bbc
0x00405bbe
0x00405bc4
0x00000000
0x00405bc4
0x00405b28
0x00405b28
0x00405b2b
0x00405b32
0x00405b39
0x00405b3c
0x00405b3f
0x00405b46
0x00405b49
0x00405b4c
0x00405b4f
0x00405b51
0x00405b53
0x00405b55
0x00405b5a
0x00405b5c
0x00405b5c
0x00405b5c
0x00405b63
0x00405b65
0x00405b65
0x00405b63
0x00405b6c
0x00405b71
0x00405b74
0x00405b7a
0x00405be8
0x00405be8
0x00405be8
0x00405b7c
0x00405b7c
0x00405b7e
0x00405b82
0x00405b84
0x00405b87
0x00405b8a
0x00405b8d
0x00405b91
0x00405b91
0x00405bed
0x00405bed
0x00405bed
0x00405bf0
0x00405bf3
0x00405bf5
0x00405bfa
0x00405bfc
0x00405bff
0x00405c06
0x00405c09
0x00405c09
0x00405c0c
0x00405c10
0x00405c13
0x00405c16
0x00405c18
0x00405c18
0x00405c1a
0x00405c1d
0x00405c20
0x00405c23
0x00405c24
0x00405c25
0x00405c26
0x00405c26
0x00405a62
0x00405a62
0x00405a62
0x00405a62
0x00405a66
0x00405a69
0x00405a6c
0x00405a6f
0x00405a70
0x00405a70
0x00405a3d
0x00405a3d
0x00405a41
0x00405a41
0x00405a44
0x00405a47
0x00405a4a
0x00405a74
0x00405a77
0x00405a7a
0x00405a7d
0x00405a80
0x00405a81
0x00405a4c
0x00405a4c
0x00405a4f
0x00405a50
0x00405a50
0x00405a4a
0x00405a3b

APIs

Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e7e71c79c8b2f7f4141069f16e0a27a38b71a8b4eb915ec7efac4787ea8505e0
Instruction ID: cf671527993281747ba66e579e9841af11c1d4a0360e4ae8ae7f13ecf7528b2d
Opcode Fuzzy Hash: e7e71c79c8b2f7f4141069f16e0a27a38b71a8b4eb915ec7efac4787ea8505e0
Instruction Fuzzy Hash: 3EC1F072601B518FDB15CF69E884727BBA2FB85310F08827FD4159B3D5C2B9A841CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00615224, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 239
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00615224(void* __ebx, int* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				int* _v16;
				char _v144;
				intOrPtr _v148;
				void* _v152;
				intOrPtr _v156;
				char _v168;
				char _v172;
				void* _t51;
				intOrPtr* _t57;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr* _t71;
				intOrPtr _t77;
				void* _t104;
				void* _t107;
				int* _t108;
				struct HWND__* _t118;
				int _t122;
				intOrPtr _t152;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t162;
				struct HWND__* _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t169;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t181;
				void* _t182;
				intOrPtr _t183;
				void* _t189;

				_t189 = __fp0;
				_t179 = __esi;
				_t178 = __edi;
				_t181 = _t182;
				_t183 = _t182 + 0xffffff58;
				_push(__esi);
				_push(__edi);
				_v172 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = __edx;
				_push(_t181);
				_push(0x6155de);
				_push( *[fs:eax]);
				 *[fs:eax] = _t183;
				_push(_t181);
				_push(0x6155a0);
				_push( *[fs:edx]);
				 *[fs:edx] = _t183;
				_t122 =  *_v16;
				_t51 = _t122 - 0x4a;
				if(_t51 == 0) {
					_t53 = _v16[2];
					_t152 =  *(_v16[2]) - 0x800;
					__eflags = _t152;
					if(__eflags == 0) {
						_push(_t181);
						_push(0x6153cb);
						_push( *[fs:edx]);
						 *[fs:edx] = _t183;
						E0040A350( &_v8,  *(_t53 + 4) >> 1,  *((intOrPtr*)(_t53 + 8)), __eflags);
						_push(_t181);
						_push(0x615389);
						_push( *[fs:eax]);
						 *[fs:eax] = _t183;
						_t57 =  *0x6cc8bc; // 0x6d57f8
						 *_t57 =  *_t57 + 1;
						_push(_t181);
						_push(0x61536e);
						_push( *[fs:eax]);
						 *[fs:eax] = _t183;
						L006AA744(_v8,  *(_t53 + 4) >> 1,  &_v12);
						_pop(_t156);
						 *[fs:eax] = _t156;
						_push(E00615375);
						_t62 =  *0x6cc8bc; // 0x6d57f8
						 *_t62 =  *_t62 - 1;
						__eflags =  *_t62;
						return _t62;
					} else {
						_t157 = _t152 - 1;
						__eflags = _t157;
						if(_t157 == 0) {
							_push(_t181);
							_push(0x6154c1);
							_push( *[fs:edx]);
							 *[fs:edx] = _t183;
							E0040714C( *((intOrPtr*)(_t53 + 8)), _t122, 0x98,  &_v168);
							_push(_t181);
							_push(0x61547f);
							_push( *[fs:eax]);
							 *[fs:eax] = _t183;
							_t65 =  *0x6ccb38; // 0x6d5808
							__eflags =  *_t65;
							if( *_t65 == 0) {
								E00429000(L"Cannot evaluate variable because [Code] isn\'t running yet", 1);
								E004098C4();
							}
							E0040A998( &_v172, 0x80,  &_v144, 0);
							_t71 =  *0x6ccb38; // 0x6d5808
							E006A2808( *_t71, _t122, _v156, _t178, _t179, _t189,  &_v12, _v172, _v148);
							_v16[3] = 1;
							_pop(_t162);
							 *[fs:eax] = _t162;
							_t163 =  *0x6d52f4; // 0x0
							_t77 =  *0x6d52f0; // 0x0
							E005D4F84(_t77, _t122, _t163, _t178, _t179, _v12);
							_pop(_t164);
							 *[fs:eax] = _t164;
						} else {
							_t169 = _t157 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								_push(_t181);
								_push(0x615517);
								_push( *[fs:edx]);
								 *[fs:edx] = _t183;
								E0040A1EC(0x6d52e4);
								E0040A3A4(0x6d52e4,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
								_v16[3] = 1;
								_pop(_t172);
								 *[fs:eax] = _t172;
							} else {
								__eflags = _t169 == 1;
								if(_t169 == 1) {
									_push(_t181);
									_push(0x61556a);
									_push( *[fs:edx]);
									 *[fs:edx] = _t183;
									E0040A1EC(0x6d52e8);
									E0040A3A4(0x6d52e8,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
									_v16[3] = 1;
									_pop(_t176);
									 *[fs:eax] = _t176;
								}
							}
						}
						goto L21;
					}
				} else {
					_t104 = _t51 - 0xbb6;
					if(_t104 == 0) {
						 *0x6d52e0 = 0;
						 *0x6d52f0 = 0;
						 *0x6d52f8 = 1;
						 *0x6d52f9 = 0;
						PostMessageW(0, 0, 0, 0);
					} else {
						_t107 = _t104 - 1;
						if(_t107 == 0) {
							 *0x6d52f8 = 1;
							_t108 = _v16;
							__eflags =  *((intOrPtr*)(_t108 + 4)) - 1;
							 *0x6d52f9 =  *((intOrPtr*)(_t108 + 4)) == 1;
							PostMessageW(0, 0, 0, 0);
						} else {
							if(_t107 == 2) {
								SetForegroundWindow(_v16[1]);
							} else {
								_t118 =  *0x6d52f4; // 0x0
								_v16[3] = DefWindowProcW(_t118, _t122, _v16[1], _v16[2]);
							}
						}
					}
					L21:
					_pop(_t165);
					 *[fs:eax] = _t165;
					_pop(_t166);
					 *[fs:eax] = _t166;
					_push(0x6155e5);
					E0040A1EC( &_v172);
					return E0040A228( &_v12, 2);
				}
			}

0x00615224
0x00615224
0x00615224
0x00615225
0x00615227
0x0061522e
0x0061522f
0x00615232
0x00615238
0x0061523b
0x0061523e
0x00615243
0x00615244
0x00615249
0x0061524c
0x00615251
0x00615252
0x00615257
0x0061525a
0x00615260
0x00615264
0x00615267
0x006152e6
0x006152eb
0x006152eb
0x006152f1
0x0061530f
0x00615310
0x00615315
0x00615318
0x00615326
0x0061532d
0x0061532e
0x00615333
0x00615336
0x00615339
0x0061533e
0x00615342
0x00615343
0x00615348
0x0061534b
0x00615354
0x0061535b
0x0061535e
0x00615361
0x00615366
0x0061536b
0x0061536b
0x0061536d
0x006152f3
0x006152f3
0x006152f3
0x006152f4
0x006153dc
0x006153dd
0x006153e2
0x006153e5
0x006153f6
0x006153fd
0x006153fe
0x00615403
0x00615406
0x00615409
0x0061540e
0x00615411
0x0061541f
0x00615424
0x00615424
0x00615443
0x00615453
0x00615466
0x0061546e
0x00615477
0x0061547a
0x006154a4
0x006154aa
0x006154af
0x006154b6
0x006154b9
0x006152fa
0x006152fa
0x006152fa
0x006152fb
0x006154d2
0x006154d3
0x006154d8
0x006154db
0x006154e3
0x006154fe
0x00615506
0x0061550f
0x00615512
0x00615301
0x00615301
0x00615302
0x00615525
0x00615526
0x0061552b
0x0061552e
0x00615536
0x00615551
0x00615559
0x00615562
0x00615565
0x00615565
0x00615302
0x006152fb
0x00000000
0x006152f4
0x00615269
0x00615269
0x0061526e
0x0061527d
0x00615286
0x0061528b
0x00615292
0x006152a1
0x00615270
0x00615270
0x00615271
0x006152ab
0x006152b2
0x006152b5
0x006152b9
0x006152c8
0x00615273
0x00615276
0x006152d9
0x00615278
0x00615585
0x00615593
0x00615593
0x00615276
0x00615271
0x00615596
0x00615598
0x0061559b
0x006155ba
0x006155bd
0x006155c0
0x006155cb
0x006155dd
0x006155dd

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006152A1
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006152C8
SetForegroundWindow.USER32(?,00000000,006155A0,?,00000000,006155DE), ref: 006152D9
DefWindowProcW.USER32(00000000,?,?,?,00000000,006155A0,?,00000000,006155DE), ref: 0061558B

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615413

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-3182603685
Opcode ID: ad64c6b591af40ea4ba5f545b99f93c9333cd1e0c09a555d573a4fe1ca73c04e
Instruction ID: d9496450f22983edaa4d95273014296636a6dee02a04e0b8031e0d1d01461ad4
Opcode Fuzzy Hash: ad64c6b591af40ea4ba5f545b99f93c9333cd1e0c09a555d573a4fe1ca73c04e
Instruction Fuzzy Hash: 4291E134A04A04EFD711CF29D851F99FBF7EB89700F1584AAF8069B7A1D638AD84CB14

Uniqueness

Uniqueness Score: -1.00%

Function 006B7254, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E006B7254(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t61;
				intOrPtr _t66;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				intOrPtr _t99;

				_t100 = __eflags;
				_t95 = __esi;
				_t94 = __edi;
				_t68 = __ebx;
				_t97 = _t98;
				_t99 = _t98 + 0xffffffdc;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				 *[fs:eax] = _t99;
				_t27 =  *0x6cceac; // 0x6d479c
				E005B8250( *_t27, L"Uninstall", __eflags);
				_t30 =  *0x6cceac; // 0x6d479c
				ShowWindow( *( *_t30 + 0x188), 5);
				 *[fs:edx] = _t99;
				E006AE22C();
				E005C61D8( &_v20);
				E00424018(_v20);
				E005C5D2C(0, __ebx,  &_v24, __edi, __esi);
				E0040A5A8(0x6d58ac, _v24);
				E006B5594(__ebx, __edi, __esi, _t100);
				_t44 =  *0x6d58ac; // 0x0
				E005C4DEC(_t44, _t68,  &_v28, L".dat", _t94, _t95);
				E0040A5A8(0x6d58b0, _v28);
				_t48 =  *0x6d58ac; // 0x0
				E005C4DEC(_t48, _t68,  &_v32, L".msg", _t94, _t95);
				E0040A5A8(0x6d58b4, _v32);
				_v8 = E005CAD34(1, 1, 0, 2);
				 *[fs:eax] = _t99;
				 *((intOrPtr*)( *_v8 + 4))( *[fs:eax], 0x6b73ac, _t97,  *[fs:edx], 0x6b74d1, _t97,  *[fs:eax], 0x6b750a, _t97, __edi, __esi, __ebx, _t96);
				E005CACF4(_v8, _v40 - 8);
				E005CACCC(_v8, 8,  &_v16);
				if(_v16 == 0x67734d49) {
					_t61 =  *0x6d58ac; // 0x0
					E005CC438(_t61, _t68, 1, _v12, _t94, _t95);
				} else {
					_t66 =  *0x6d58b4; // 0x0
					E005CC438(_t66, _t68, 1, 0, _t94, _t95);
				}
				_pop(_t92);
				 *[fs:eax] = _t92;
				_push(E006B73B3);
				return E00408444(_v8);
			}

0x006b7254
0x006b7254
0x006b7254
0x006b7254
0x006b7255
0x006b7257
0x006b725f
0x006b7262
0x006b7265
0x006b7268
0x006b7276
0x006b7279
0x006b7285
0x006b728c
0x006b729a
0x006b72aa
0x006b72ad
0x006b72b5
0x006b72bd
0x006b72c7
0x006b72d4
0x006b72d9
0x006b72e6
0x006b72eb
0x006b72f8
0x006b7305
0x006b730a
0x006b7317
0x006b7334
0x006b7342
0x006b734d
0x006b7359
0x006b7369
0x006b7375
0x006b738c
0x006b7391
0x006b7377
0x006b737b
0x006b7380
0x006b7380
0x006b7398
0x006b739b
0x006b739e
0x006b73ab

APIs

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006B750A,?,?,00000000), ref: 006B729A

Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB

Part of subcall function 00424018: SetCurrentDirectoryW.KERNEL32(00000000,?,006B72C2,00000000,006B74D1,?,?,00000005,00000000,006B750A,?,?,00000000), ref: 00424023

Part of subcall function 005C5D2C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C5DC1,?,?,?,00000001,?,0060FCDE,00000000,0060FD49), ref: 005C5D61

Strings

IMsg, xrefs: 006B736E
.msg, xrefs: 006B7300
.dat, xrefs: 006B72E1
Uninstall, xrefs: 006B7280

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 9bac32933d93267d62a0efbfbf38caf58aabf4bae368766dc52fc197654038be
Instruction ID: 9c0d9b5f261d395dc086ceef7e8291460dcd09bff1b52f9da0bdf24afaf5186f
Opcode Fuzzy Hash: 9bac32933d93267d62a0efbfbf38caf58aabf4bae368766dc52fc197654038be
Instruction Fuzzy Hash: 5841A274A006159FC700EFA4CC52E9EBBF6FBC8300B508465F801A7761DB34AE40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 006248D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E006248D0(HANDLE* __eax) {
				HANDLE* _v8;
				long _v12;
				intOrPtr* _t7;
				long _t11;
				intOrPtr _t27;
				void* _t30;

				_v8 = __eax;
				_push(_t30);
				_push(0x624951);
				_push( *[fs:edx]);
				 *[fs:edx] = _t30 + 0xfffffff8;
				do {
					_t7 =  *0x6cceac; // 0x6d479c
					E005B8704( *_t7);
					_t11 = MsgWaitForMultipleObjects(1, _v8, 0, 0xffffffff, 0x4ff);
				} while (_t11 == 1);
				if(_t11 == 0xffffffff) {
					E0060C7E4(L"MsgWaitForMultipleObjects");
				}
				if(GetExitCodeProcess( *_v8,  &_v12) == 0) {
					E0060C7E4(L"GetExitCodeProcess");
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00624958);
				return CloseHandle( *_v8);
			}

0x006248d6
0x006248db
0x006248dc
0x006248e1
0x006248e4
0x006248e7
0x006248e7
0x006248ee
0x00624902
0x00624907
0x0062490f
0x00624916
0x00624916
0x0062492c
0x00624933
0x00624933
0x0062493a
0x0062493d
0x00624940
0x00624950

APIs

MsgWaitForMultipleObjects.USER32 ref: 00624902
GetExitCodeProcess.KERNEL32 ref: 00624925
CloseHandle.KERNEL32(?,00624958,00000001,00000000,000000FF,000004FF,00000000,00624951), ref: 0062494B

Strings

MsgWaitForMultipleObjects, xrefs: 00624911
GetExitCodeProcess, xrefs: 0062492E

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: cc9e249baa6994b2598d9c694f2ef55ea7c7b9f658000726c2725fa3f68a5bce
Instruction ID: a132d3f15b3ed1f1d80a1d3b4c170ebef992d73a30201ff541600c1582f6e0c9
Opcode Fuzzy Hash: cc9e249baa6994b2598d9c694f2ef55ea7c7b9f658000726c2725fa3f68a5bce
Instruction Fuzzy Hash: 07018470E04604AFD710DBA99952A9E77AAEB4A724B600265F524D73D0DE34DD40CA15

Uniqueness

Uniqueness Score: -1.00%

Function 004070B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004070B0(signed int __eax, void* __edx) {
				short _v530;
				short _v1052;
				short _v1056;
				short _v1058;
				signed int _t20;
				void* _t24;
				WCHAR* _t25;

				_t25 =  &_v1052;
				_t24 = __edx;
				_t20 = __eax;
				if(__eax != 0) {
					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
					_v1058 = 0x3a;
					_v1056 = 0;
					GetCurrentDirectoryW(0x105,  &_v530);
					SetCurrentDirectoryW(_t25);
				}
				GetCurrentDirectoryW(0x105,  &_v1052);
				if(_t20 != 0) {
					SetCurrentDirectoryW( &_v530);
				}
				return E0040B318(_t24, 0x105,  &_v1052);
			}

0x004070b2
0x004070b8
0x004070ba
0x004070be
0x004070c8
0x004070cc
0x004070d3
0x004070e7
0x004070ed
0x004070ed
0x004070fc
0x00407103
0x0040710d
0x0040710d
0x0040712a

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D

Strings

:, xrefs: 004070CC

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B

Uniqueness

Uniqueness Score: -1.00%

Function 0059BDE0, Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0059BDE0(int __eax, void* __edx) {
				void* __edi;
				void* __esi;
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t45;
				void* _t47;
				int _t48;
				intOrPtr* _t49;

				_t18 = __eax;
				_t49 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x80)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x78));
					if( *((intOrPtr*)(__eax + 0x78)) != 0) {
						return E0059BDE0(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E0059BF18(__eax, _t45, _t47));
					_t48 = _t18;
					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
					while(_t48 > 0) {
						_t45 = _t48 - 1;
						_t18 = GetMenuState(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
							_t40 = 1;
						}
						_t48 = _t48 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t49 + 0x70)) != 0) {
							L14:
							E0059BC9C(_t49, _t45, _t48);
							L15:
							return  *((intOrPtr*)( *_t49 + 0x50))();
						}
						_t44 =  *0x59a1c4; // 0x59a21c
						if(E0040868C( *((intOrPtr*)(_t49 + 0x7c)), _t44) == 0 || GetMenuItemCount(E0059BF18(_t49, _t45, _t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t49 + 0xbc));
							 *(_t49 + 0xbc) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

0x0059bde0
0x0059bde4
0x0059bdea
0x0059bdf4
0x0059bdf6
0x00000000
0x0059bdf6
0x0059be02
0x0059be07
0x00000000
0x0059be09
0x0059be1b
0x0059be20
0x0059be24
0x0059be29
0x0059be32
0x0059be3c
0x0059be43
0x0059be53
0x0059be58
0x0059be58
0x0059be5a
0x0059be5b
0x0059be61
0x0059be67
0x0059bea2
0x0059bea4
0x0059bea9
0x00000000
0x0059beaf
0x0059be6c
0x0059be79
0x00000000
0x0059be8c
0x0059be93
0x0059be9a
0x00000000
0x0059be9a
0x0059be79
0x0059be61
0x0059beb6

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b3b5ba3f34c12df063ee6c251904e89849e49180af3165c918a28def48443d
Instruction ID: 706b2e572761d8ad47ba34f54f722de4143ff6edab11ef8c4ec80c26a390842e
Opcode Fuzzy Hash: 40b3b5ba3f34c12df063ee6c251904e89849e49180af3165c918a28def48443d
Instruction Fuzzy Hash: C211A26060425956FF706A7A6F09BEA3F9C7FD1745F050429BE41AB283CB38CC458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005B631C, Relevance: 7.5, APIs: 5, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E005B631C() {
				intOrPtr _v4;
				void* _v8;
				int _t5;
				void* _t6;
				intOrPtr _t12;
				struct HHOOK__* _t14;
				void* _t19;
				void* _t20;

				if( *0x6d47c0 != 0) {
					_t14 =  *0x6d47c0; // 0x0
					UnhookWindowsHookEx(_t14);
				}
				 *0x6d47c0 = 0;
				_v4 = 0x6d47c4;
				_t5 = 0;
				asm("lock xchg [edx], eax");
				_v8 = 0;
				if(_v8 != 0) {
					_t6 =  *0x6d47bc; // 0x0
					SetEvent(_t6);
					if(GetCurrentThreadId() !=  *0x6d47b8) {
						while(MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff) != 0) {
							_t12 =  *0x6d479c; // 0x0
							E005B871C(_t12, _t19, _t20);
						}
					}
					_t5 = CloseHandle(_v8);
				}
				return _t5;
			}

0x005b6326
0x005b6328
0x005b632e
0x005b632e
0x005b6335
0x005b633a
0x005b6346
0x005b6348
0x005b634b
0x005b6352
0x005b6354
0x005b635a
0x005b636a
0x005b6378
0x005b636e
0x005b6373
0x005b6373
0x005b6378
0x005b6395
0x005b6395
0x005b639c

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
SetEvent.KERNEL32(00000000), ref: 005B635A
GetCurrentThreadId.KERNEL32 ref: 005B635F
MsgWaitForMultipleObjects.USER32 ref: 005B6388
CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: e94e872c21a9411d187f10d741ef09094218303874320b298fc11e20b5f9e78e
Instruction ID: cd3b1eb59f2816b39bfe75ca0595b4a5fb52581fa55038232e58a65bf6996549
Opcode Fuzzy Hash: e94e872c21a9411d187f10d741ef09094218303874320b298fc11e20b5f9e78e
Instruction Fuzzy Hash: AE016D70A09300AFD700EBA5EC45BAA37E5FB46714F105A2EF194C71D1DF38A880CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0060CD14, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0060CD14(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v17;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				void* _t60;
				signed int _t63;
				intOrPtr _t77;
				void* _t83;
				intOrPtr _t86;

				_t64 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v16 = __edx;
				_v8 = __eax;
				E0040A2AC(_v8);
				_push(_t86);
				_push(0x60ce51);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				E005C4D00(_v8,  &_v24);
				E0040A5F0( &_v8, _v24);
				_t83 = 0x123456;
				_t63 = 0;
				_v17 = 0;
				do {
					_t83 = _t83 + 1;
					if(_t83 > 0x1ffffff) {
						_t83 = 0;
					}
					_t90 = 0x123456 - _t83;
					if(0x123456 == _t83) {
						E005C54D8(_v8, _t64,  &_v32, _t90);
						E005CC284(0x5a,  &_v28, _v32);
						_t64 = _v28;
						E00429000(_v28, 1);
						E004098C4();
					}
					_push(_v8);
					_push("_iu");
					E0060CB7C(_t83, _t63,  &_v36, 0x123456, _t83);
					_push(_v36);
					_push(L".tmp");
					E0040B550( &_v12, _t63, 4, 0x123456, _t83);
					if(E005C55FC(_t90) == 0) {
						_t63 = 1;
						_v17 = E005C55D8(_v12);
						if(_v17 != 0) {
							_t60 = CreateFileW(E0040B278(_v12), 0xc0000000, 0, 0, 2, 0x80, 0);
							_t63 = 0 | _t60 != 0xffffffff;
							if(1 != 0) {
								CloseHandle(_t60);
							}
						}
					}
				} while (_t63 == 0);
				E0040A5A8(_v16, _v12);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_push(E0060CE58);
				E0040A228( &_v36, 4);
				return E0040A228( &_v12, 2);
			}

0x0060cd17
0x0060cd19
0x0060cd1a
0x0060cd1b
0x0060cd1c
0x0060cd1d
0x0060cd1e
0x0060cd1f
0x0060cd20
0x0060cd24
0x0060cd27
0x0060cd2d
0x0060cd34
0x0060cd35
0x0060cd3a
0x0060cd3d
0x0060cd46
0x0060cd51
0x0060cd5b
0x0060cd5d
0x0060cd5f
0x0060cd63
0x0060cd63
0x0060cd6a
0x0060cd6c
0x0060cd6c
0x0060cd6e
0x0060cd70
0x0060cd78
0x0060cd87
0x0060cd8c
0x0060cd96
0x0060cd9b
0x0060cd9b
0x0060cda0
0x0060cda3
0x0060cdad
0x0060cdb2
0x0060cdb5
0x0060cdc2
0x0060cdd1
0x0060cdd3
0x0060cddd
0x0060cde4
0x0060ce01
0x0060ce09
0x0060ce0e
0x0060ce11
0x0060ce11
0x0060ce0e
0x0060cde4
0x0060ce16
0x0060ce24
0x0060ce2b
0x0060ce2e
0x0060ce31
0x0060ce3e
0x0060ce50

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE01
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE11

Strings

_iu, xrefs: 0060CDA3
.tmp, xrefs: 0060CDB5

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 1f2282741ea711d12f89f15d85a9c88f9bc9b0b2ba3ce1585af2f7154c687e4f
Instruction ID: f0c61975f8e987b86bac7f04f067b2ad5b288a9d8ae99280b348037a25044e3b
Opcode Fuzzy Hash: 1f2282741ea711d12f89f15d85a9c88f9bc9b0b2ba3ce1585af2f7154c687e4f
Instruction Fuzzy Hash: CD319E30A40209ABDB14EBE4C842FDEBBB9EF44714F1042A9F804B73C2D778AE459B54

Uniqueness

Uniqueness Score: -1.00%

Function 005B92C8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
timethreadwindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E005B92C8(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				intOrPtr _t41;
				long _t46;
				_Unknown_base(*)()* _t54;
				intOrPtr _t64;
				void* _t68;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t81;
				void* _t87;
				void* _t88;
				intOrPtr _t89;

				_t87 = _t88;
				_t89 = _t88 + 0xfffffff0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t87);
				_push(0x5b9431);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				_t68 = E005B923C(_v8, 0);
				if( *((char*)(_v8 + 0x9c)) != 0) {
					_t64 = _v8;
					_t91 =  *((intOrPtr*)(_t64 + 0x5c));
					if( *((intOrPtr*)(_t64 + 0x5c)) == 0) {
						E005B9948(_v8, 0);
					}
				}
				E005B615C(_t68,  &_v20);
				E0050EA64(_v20, 0,  &_v16, _t91);
				_t41 =  *0x6d479c; // 0x0
				E005B94FC(_t41, _v16, _t91);
				_v9 = 1;
				_push(_t87);
				_push(0x5b93d8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				if( *((short*)(_v8 + 0x14a)) != 0) {
					 *((intOrPtr*)(_v8 + 0x148))();
				}
				if(_v9 != 0) {
					if( *(_v8 + 0xd8) > 0) {
						__eflags =  *0x6d47c8;
						if( *0x6d47c8 == 0) {
							__eflags =  *0x6d47cc;
							if( *0x6d47cc == 0) {
								 *0x6d47cc = 0x5b9260;
							}
							_t54 =  *0x6d47cc; // 0x0
							_t27 = _v8 + 0xd8; // 0x5fcc754f
							 *0x6d47c8 = SetTimer(0, 0,  *_t27, _t54);
							__eflags =  *0x6d47c8;
							if( *0x6d47c8 == 0) {
								E005B91D8();
							}
						}
					} else {
						E005B91D8();
					}
				}
				_pop(_t79);
				 *[fs:eax] = _t79;
				_t46 = GetCurrentThreadId();
				_t80 =  *0x6cd1a8; // 0x6ce044
				if(_t46 ==  *_t80 && E00474F9C(0, _t80) != 0) {
					_v9 = 0;
				}
				if(_v9 != 0) {
					WaitMessage();
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(E005B9438);
				return E0040A228( &_v20, 2);
			}

0x005b92c9
0x005b92cb
0x005b92d3
0x005b92d6
0x005b92d9
0x005b92de
0x005b92df
0x005b92e4
0x005b92e7
0x005b92f2
0x005b92fe
0x005b9300
0x005b9303
0x005b9307
0x005b930c
0x005b930c
0x005b9307
0x005b9316
0x005b9321
0x005b9329
0x005b932e
0x005b9333
0x005b9339
0x005b933a
0x005b933f
0x005b9342
0x005b9350
0x005b9361
0x005b9361
0x005b936b
0x005b9377
0x005b9383
0x005b938a
0x005b938c
0x005b9393
0x005b9395
0x005b9395
0x005b939f
0x005b93a8
0x005b93b8
0x005b93bd
0x005b93c4
0x005b93c9
0x005b93c9
0x005b93c4
0x005b9379
0x005b937c
0x005b937c
0x005b9377
0x005b93d0
0x005b93d3
0x005b93ed
0x005b93f2
0x005b93fa
0x005b9407
0x005b9407
0x005b940f
0x005b9411
0x005b9411
0x005b9418
0x005b941b
0x005b941e
0x005b9430

APIs

Part of subcall function 005B923C: GetCursorPos.USER32 ref: 005B9243

SetTimer.USER32(00000000,00000000,5FCC754F,00000000), ref: 005B93B3
GetCurrentThreadId.KERNEL32 ref: 005B93ED
WaitMessage.USER32(00000000,005B9431,?,?,?,00000000), ref: 005B9411

Strings

Dl, xrefs: 005B93F2

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CurrentCursorMessageThreadTimerWait
String ID: Dl
API String ID: 3909455694-1042291793
Opcode ID: 1f6f0a1c510f93f692655a977ba6e5298b4086ccb601a4d072a2bbdb339548d0
Instruction ID: 597a7682cf751412642d1ca47e474f5c06ff596d9fe9d998d875485cc057c909
Opcode Fuzzy Hash: 1f6f0a1c510f93f692655a977ba6e5298b4086ccb601a4d072a2bbdb339548d0
Instruction Fuzzy Hash: 43416C30A04244EFDB11DFA9D88ABEDBBF6FB45304F6188B9E904972A1C7746E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006B7820, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E006B7820(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				WCHAR* _t43;
				char _t58;
				intOrPtr _t68;
				void* _t72;
				signed int _t74;
				void* _t78;

				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v20 = __edx;
				_v16 = __eax;
				_push(_t78);
				_push(0x6b791e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78 + 0xffffffe4;
				E0040A1C8(_v20);
				E005C5284(_v16, 0,  &_v8);
				_t72 = 0;
				_t58 = 0;
				do {
					_v32 = _t58;
					_v28 = 0;
					E004244F0(L"isRS-%.3u.tmp", 0,  &_v32,  &_v24);
					E0040B4C8( &_v12, _v24, _v8);
					_t74 = GetFileAttributesW(E0040B278(_v12));
					if(_t74 == 0xffffffff) {
						L5:
						_t43 = E0040B278(_v12);
						if(MoveFileExW(E0040B278(_v16), _t43, 1) == 0) {
							_t72 = _t72 + 1;
							if(_t72 == 0xa) {
								break;
							}
							goto L8;
						}
						E0040A5A8(_v20, _v12);
						break;
					}
					if((_t74 & 0x00000010) != 0) {
						goto L8;
					}
					if((_t74 & 0x00000001) != 0) {
						SetFileAttributesW(E0040B278(_v12), _t74 & 0xfffffffe);
					}
					goto L5;
					L8:
					_t58 = _t58 + 1;
				} while (_t58 != 0x3e8);
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E006B7925);
				E0040A1C8( &_v24);
				return E0040A228( &_v12, 2);
			}

0x006b782b
0x006b782e
0x006b7831
0x006b7834
0x006b7837
0x006b783c
0x006b783d
0x006b7842
0x006b7845
0x006b784b
0x006b7856
0x006b785b
0x006b785d
0x006b785f
0x006b7863
0x006b7866
0x006b7874
0x006b7882
0x006b7895
0x006b789a
0x006b78be
0x006b78c3
0x006b78d9
0x006b78e8
0x006b78ec
0x00000000
0x00000000
0x00000000
0x006b78ec
0x006b78e1
0x00000000
0x006b78e1
0x006b78a2
0x00000000
0x00000000
0x006b78aa
0x006b78b9
0x006b78b9
0x00000000
0x006b78ee
0x006b78ee
0x006b78ef
0x006b78fd
0x006b7900
0x006b7903
0x006b790b
0x006b791d

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000,006B7D8A,?,?), ref: 006B7890
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000,006B7D8A), ref: 006B78B9
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000), ref: 006B78D2

Strings

isRS-%.3u.tmp, xrefs: 006B786F

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 08fb3f8a2552ed2ef6fee7f0fa6a00d655b048a56f687b70bca4fdfe3b5c4a69
Instruction ID: 0f43dc597fc5b70accabae0da728ee0b08a343283778375b3c6cba122b7c2eac
Opcode Fuzzy Hash: 08fb3f8a2552ed2ef6fee7f0fa6a00d655b048a56f687b70bca4fdfe3b5c4a69
Instruction Fuzzy Hash: 95318170D04208AFCB00EBA9C8859EEB7B9EF84314F11467AF814B7291D7385E81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00614D0C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00614D0C(struct HWND__* __eax, signed char __edx, void* __ebp) {
				char _v16;
				signed char _v20;
				char _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t8;
				struct HWND__* _t14;
				void* _t21;
				intOrPtr* _t22;
				struct HWND__* _t28;
				void* _t29;
				signed char* _t31;

				_t31 =  &_v20;
				 *_t31 = __edx;
				_t28 = __eax;
				_t21 = SendMessageW(__eax, 0xb06, 0, 0);
				if(_t21 != 0x6010200) {
					_v28 = _t21;
					_v24 = 0;
					_v20 = 0x6010200;
					_v16 = 0;
					_t23 = L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)";
					E0042903C(_t21, L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)", 1, 0x6d52f4, _t28, 1,  &_v28);
					E004098C4();
				}
				 *0x6d52e0 = 1;
				 *0x6d52f0 = _t28;
				_t8 =  *0x614c70; // 0x614cc8
				 *0x6d52f4 = E004785F0(E00615224, _t8);
				if( *0x6d52f4 == 0) {
					E0060C688(L"Failed to create DebugClientWnd", _t21);
				}
				_t29 = 4;
				_t22 =  *0x6ccb40; // 0x6cbeb0
				do {
					E005C745C( *0x6d52f4, _t23,  *_t22);
					_t22 = _t22 + 4;
					_t29 = _t29 - 1;
				} while (_t29 != 0);
				_t14 =  *0x6d52f0; // 0x0
				return SendMessageW(_t14, 0xb00,  *0x6d52f4,  *_t31 & 0x000000ff);
			}

0x00614d0f
0x00614d12
0x00614d15
0x00614d2b
0x00614d33
0x00614d35
0x00614d39
0x00614d3e
0x00614d46
0x00614d52
0x00614d5e
0x00614d63
0x00614d63
0x00614d68
0x00614d6f
0x00614d75
0x00614d85
0x00614d8a
0x00614d91
0x00614d91
0x00614d96
0x00614d9b
0x00614da1
0x00614da5
0x00614daa
0x00614dad
0x00614dad
0x00614dbd
0x00614dce

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 00614D26
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00614DC3

Strings

Failed to create DebugClientWnd, xrefs: 00614D8C
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00614D52

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: ea57cd588fe8570c91b24ef0b746a875249b5149722270d15631428ffe25c9ac
Instruction ID: d134127b693325792274e9a01a70f49e89543c9fcfe531e84006ac1a280ab911
Opcode Fuzzy Hash: ea57cd588fe8570c91b24ef0b746a875249b5149722270d15631428ffe25c9ac
Instruction Fuzzy Hash: 3311E7B1A043519FD700EB69EC81F9A7B95AF45314F08402AF585CB392DB759C84C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00624438, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00624438(void* __eax, void* __ebx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				void* _t19;
				char _t20;
				void* _t34;
				intOrPtr _t39;
				intOrPtr _t45;

				_t42 = __esi;
				_push(0);
				_push(0);
				_push(0);
				_push(_t45);
				_push(0x6244d2);
				 *[fs:eax] = _t45;
				E005C5124(__eax,  &_v16, _t45,  *[fs:eax]);
				E0040B368( &_v8, _v16);
				_push(E0040EC28( &_v12));
				_t19 = E0040AEF4(_v8);
				_t34 = _t19;
				_push(_t34);
				L0043C23C();
				if(_t19 != 0) {
					E0060C7F8(L"LoadTypeLib", _t34, _t19, __esi);
				}
				_push(0);
				_push(_t34);
				_t20 = _v12;
				_push(_t20);
				L0043C244();
				if(_t20 != 0) {
					E0060C7F8(L"RegisterTypeLib", _t34, _t20, _t42);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E006244D9);
				E0040A1C8( &_v16);
				E0040EC28( &_v12);
				return E0040A210( &_v8);
			}

0x00624438
0x0062443b
0x0062443d
0x0062443f
0x00624446
0x00624447
0x0062444f
0x00624457
0x00624462
0x0062446f
0x00624473
0x00624478
0x0062447a
0x0062447b
0x00624482
0x0062448b
0x0062448b
0x00624490
0x00624492
0x00624493
0x00624496
0x00624497
0x0062449e
0x006244a7
0x006244a7
0x006244ae
0x006244b1
0x006244b4
0x006244bc
0x006244c4
0x006244d1

APIs

Part of subcall function 005C5124: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D479C,00000000,0060D257,00000000,0060D532,?,?,006D479C), ref: 005C5155

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062447B
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 00624497

Strings

RegisterTypeLib, xrefs: 006244A2
LoadTypeLib, xrefs: 00624486

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 3aca009d31f0f1a8cac111bc50824ede26e8fddbcab806dd9635b5a5ee37d0ef
Instruction ID: e38850ae6034221aecf35b856b26f0223ed0c8226c2a0ebd231c24fb5e5372d8
Opcode Fuzzy Hash: 3aca009d31f0f1a8cac111bc50824ede26e8fddbcab806dd9635b5a5ee37d0ef
Instruction Fuzzy Hash: 4D0148307406046BDB10FBA6DC82B4E77EDEB48704F504875B500F6292DB74AE158A19

Uniqueness

Uniqueness Score: -1.00%

Function 0060D449, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0060D449(void* __edx) {
				WCHAR* _t13;
				intOrPtr _t32;
				intOrPtr _t33;
				void* _t36;

				SetFileAttributesW(E0040B278( *((intOrPtr*)(_t36 - 0x10))), 0x20);
				if(E00423A18( *((intOrPtr*)(_t36 - 0x10))) == 0) {
					E0060C7E4(L"DeleteFile");
				}
				_t13 = E0040B278( *((intOrPtr*)(_t36 - 0x10)));
				if(MoveFileW(E0040B278( *((intOrPtr*)(_t36 - 0x14))), _t13) == 0) {
					E0060C7E4(L"MoveFile");
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(E0060D539);
				E0040A228(_t36 - 0x44, 7);
				return E0040A228(_t36 - 0x1c, 7);
			}

0x0060d454
0x0060d463
0x0060d46a
0x0060d46a
0x0060d472
0x0060d488
0x0060d48f
0x0060d48f
0x0060d496
0x0060d499
0x0060d50c
0x0060d50f
0x0060d512
0x0060d51f
0x0060d531

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060D454

Part of subcall function 00423A18: DeleteFileW.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A28
Part of subcall function 00423A18: GetLastError.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A37
Part of subcall function 00423A18: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A3F
Part of subcall function 00423A18: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A5A

MoveFileW.KERNEL32(00000000,00000000), ref: 0060D481

Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7

Strings

DeleteFile, xrefs: 0060D465
MoveFile, xrefs: 0060D48A

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
String ID: DeleteFile$MoveFile
API String ID: 3947864702-139070271
Opcode ID: f3368971435f0e1ffcad46702f9ad1321795944c84a6ed4736d87a1c7c95c989
Instruction ID: e65586cb8c2ba221caf3cfd224dcd0eff8e091a7cc457f3bf2639edee59451d9
Opcode Fuzzy Hash: f3368971435f0e1ffcad46702f9ad1321795944c84a6ed4736d87a1c7c95c989
Instruction Fuzzy Hash: 42F049716841054ADB09FBF6E9065AF63E5EF44318F504A7EF804E72C1D63C9C05462D

Uniqueness

Uniqueness Score: -1.00%

Function 00626D74, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00626D74(signed int __eax, void* __ecx, void* __edx, void* __ebp) {
				void* _v16;
				void* __ebx;
				void* _t31;
				signed int _t33;

				_push(__ecx);
				_t31 = __edx;
				_t22 = __eax;
				_t33 = __eax & 0x0000007f;
				if( *((intOrPtr*)(0x6d5370 + _t33 * 4)) == 0) {
					if(E005C6790(__eax, L"SOFTWARE\\Microsoft\\.NETFramework", 0x80000002,  &_v16, 1, 0) == 0) {
						E005C66B8();
						RegCloseKey(_v16);
					}
					if( *((intOrPtr*)(0x6d5370 + _t33 * 4)) == 0) {
						E0060C688(L".NET Framework not found", _t22);
					}
				}
				return E0040A5A8(_t31,  *((intOrPtr*)(0x6d5370 + _t33 * 4)));
			}

0x00626d77
0x00626d78
0x00626d7a
0x00626d7e
0x00626d89
0x00626da7
0x00626db8
0x00626dc1
0x00626dc1
0x00626dce
0x00626dd5
0x00626dd5
0x00626dce
0x00626dec

APIs

Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,00626BCC,00000003,00000000,00626F17,00000000,006270D1,?,00626BCC,?,00000000,00000000), ref: 00626DC1

Strings

.NET Framework not found, xrefs: 00626DD0
InstallRoot, xrefs: 00626DB0
SOFTWARE\Microsoft\.NETFramework, xrefs: 00626D96

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 4e90e6b52ce669b56234092f67e36b41781123705fdaf7197761fa131338c803
Instruction ID: 8af0ce4ad620272c9594f6d9018686f01a2d88763efb0c0a0c7834eb730a36f0
Opcode Fuzzy Hash: 4e90e6b52ce669b56234092f67e36b41781123705fdaf7197761fa131338c803
Instruction Fuzzy Hash: 32F02231B01528AFD710AF49E845B9A6BCADFD6352F91143AF185C3290E6B1CC028F92

Uniqueness

Uniqueness Score: -1.00%

Function 005C67B8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E005C67B8(void* __eax, short* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;

				_t10 = __ecx;
				_t7 = __edx;
				if(__eax == 2) {
					if( *0x6d47d0 == 0) {
						 *0x6d47d0 = E00414020(_t7, _t10, GetModuleHandleW(L"advapi32.dll"), L"RegDeleteKeyExW");
					}
					if( *0x6d47d0 == 0) {
						return 0x7f;
					} else {
						return  *0x6d47d0(_t7, _t10, 0x100, 0);
					}
				}
				return RegDeleteKeyW(__edx, __ecx);
			}

0x005c67ba
0x005c67bc
0x005c67c0
0x005c67d3
0x005c67ea
0x005c67ea
0x005c67f6
0x00000000
0x005c67f8
0x00000000
0x005c6801
0x005c67f6
0x005c67cb

APIs

RegDeleteKeyW.ADVAPI32(?,00000000), ref: 005C67C4
GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,005C69AB,00000000,005C69C3,?,?,?), ref: 005C67DF

Strings

RegDeleteKeyExW, xrefs: 005C67D5
advapi32.dll, xrefs: 005C67DA

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DeleteHandleModule
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 3550747403-4033151799
Opcode ID: 446bbcfcc69e87ec6a54bc98b0bd0db8a719cbf54cb0d116f2ffc1e03499b033
Instruction ID: dc63331fa5a8f3f500f99eadda01b9e76553ba7a97e57ea72adecfe1af790e06
Opcode Fuzzy Hash: 446bbcfcc69e87ec6a54bc98b0bd0db8a719cbf54cb0d116f2ffc1e03499b033
Instruction Fuzzy Hash: 84E06DB0A42210AFD32467A9BC4AFD22F89FB8575EF50382FF10155492CBB84D90C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 005C745C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E005C745C(void* __eax, void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				void* _t3;
				void* _t7;
				void* _t12;
				intOrPtr* _t13;

				_t8 = __ecx;
				_push(__ecx);
				_t7 = __edx;
				_t12 = __eax;
				if( *0x6d47dc == 0) {
					 *0x6d47e0 = E00414020(_t7, _t12, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilterEx");
					 *_t13 = 0x6d47dc;
					asm("lock xchg [edx], eax");
				}
				if( *0x6d47e0 == 0) {
					_t3 = E005C73C0(_t7, _t8);
				} else {
					_t3 =  *0x6d47e0(_t12, _t7, 1, 0);
				}
				return _t3;
			}

0x005c745c
0x005c745e
0x005c745f
0x005c7461
0x005c746a
0x005c7481
0x005c7486
0x005c7495
0x005c7495
0x005c749f
0x005c74b1
0x005c74a1
0x005c74a7
0x005c74a7
0x005c74b9

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C7476

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Part of subcall function 005C73C0: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C74B6,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C73D7

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C74A7

Strings

ChangeWindowMessageFilterEx, xrefs: 005C746C
user32.dll, xrefs: 005C7471

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: HandleModule$AddressChangeFilterMessageProcWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 989041661-2676053874
Opcode ID: a7f6f2e5f8f57a6afa57f5accac88337017fdea6f4c9c9ed7d5e2355f95595c0
Instruction ID: 26a363f38c9b500d63c7b8355889e9a68f3a4e891c8784958a891250910d6643
Opcode Fuzzy Hash: a7f6f2e5f8f57a6afa57f5accac88337017fdea6f4c9c9ed7d5e2355f95595c0
Instruction Fuzzy Hash: 1CF027706093149FD704ABA9BCC4F853F99FB8D351F00152EF204C6581CBB80C808EA4

Uniqueness

Uniqueness Score: -1.00%

Function 004698F4, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004698F4(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* _a4, signed short _a8) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t30;
				void* _t67;
				void* _t68;
				intOrPtr _t73;
				intOrPtr _t77;
				char _t78;
				intOrPtr _t82;
				signed short _t93;
				void* _t96;
				void* _t98;
				void* _t99;
				intOrPtr _t100;

				_t78 = __edx;
				_t68 = __ecx;
				_t98 = _t99;
				_t100 = _t99 + 0xffffffdc;
				_v36 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				if(__edx != 0) {
					_t100 = _t100 + 0xfffffff0;
					_t30 = E00408A40(_t30, _t98);
				}
				_t96 = _t68;
				_v5 = _t78;
				_t67 = _t30;
				_t93 = _a8;
				_push(_t98);
				_push(0x469a44);
				_push( *[fs:eax]);
				 *[fs:eax] = _t100;
				if((0x0000ff00 & _t93) != 0xff00) {
					E00469764(E0042369C(_t96, _t93 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
						E00423BC8(_t96,  &_v36);
						_v24 = _v36;
						_v20 = 0x11;
						E00427D4C(GetLastError(), _t67, 0, _t96);
						_v16 = _v40;
						_v12 = 0x11;
						_t73 =  *0x6cc898; // 0x41555c
						E004290F8(_t67, _t73, 1, _t93, _t96, 1,  &_v24);
						E004098C4();
					}
				} else {
					_t94 = _t93 & 0x000000ff;
					if((_t93 & 0x000000ff) == 0xff) {
						_t94 = 0x10;
					}
					E00469764(E004236F4(_t96, _t94 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
						E00423BC8(_t96,  &_v28);
						_v24 = _v28;
						_v20 = 0x11;
						E00427D4C(GetLastError(), _t67, 0, _t96);
						_v16 = _v32;
						_v12 = 0x11;
						_t77 =  *0x6cd190; // 0x415554
						E004290F8(_t67, _t77, 1, _t94, _t96, 1,  &_v24);
						E004098C4();
					}
				}
				_t28 = _t67 + 8; // 0x443d4c
				E0040A5A8(_t28, _t96);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E00469A4B);
				return E0040A228( &_v40, 4);
			}

0x004698f4
0x004698f4
0x004698f5
0x004698f7
0x004698ff
0x00469902
0x00469905
0x00469908
0x0046990d
0x0046990f
0x00469912
0x00469912
0x00469917
0x00469919
0x0046991c
0x0046991e
0x00469923
0x00469924
0x00469929
0x0046992c
0x0046993a
0x004699ca
0x004699d3
0x004699da
0x004699e2
0x004699e5
0x004699f3
0x004699fb
0x004699fe
0x00469a08
0x00469a15
0x00469a1a
0x00469a1a
0x0046993c
0x0046993c
0x00469946
0x00469948
0x00469948
0x0046995f
0x00469968
0x00469973
0x0046997b
0x0046997e
0x0046998c
0x00469994
0x00469997
0x004699a1
0x004699ae
0x004699b3
0x004699b3
0x00469968
0x00469a1f
0x00469a24
0x00469a2b
0x00469a2e
0x00469a31
0x00469a43

APIs

GetLastError.KERNEL32(00000000,00469A44,?,?,00443D44,00000001), ref: 00469982

Part of subcall function 0042369C: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D44,004699C4,00000000,00469A44,?,?,00443D44), ref: 004236EB

Part of subcall function 00423BC8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D44,004699DF,00000000,00469A44,?,?,00443D44,00000001), ref: 00423BEB

GetLastError.KERNEL32(00000000,00469A44,?,?,00443D44,00000001), ref: 004699E9

Part of subcall function 00427D4C: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D44,00000000,?,004699F8,00000000,00469A44), ref: 00427D70
Part of subcall function 00427D4C: LocalFree.KERNEL32(00000001,00427DC9,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D44,00000000,?,004699F8,00000000,00469A44), ref: 00427DBC

Strings

TUA, xrefs: 004699A1
\UA, xrefs: 00469A08

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
String ID: TUA$\UA
API String ID: 503893064-4291284429
Opcode ID: 16c3a7c1edecb1a6fb67f941cdccc39d2bbf5b553f33231be13615cc94cc8ccc
Instruction ID: 8d929fe5fe5036276eb1cf3e5c1d8d9621af2457b238719d8755a1a314a4a9d0
Opcode Fuzzy Hash: 16c3a7c1edecb1a6fb67f941cdccc39d2bbf5b553f33231be13615cc94cc8ccc
Instruction Fuzzy Hash: 5841C370B002599FCB00EFA9D8815EEB7F5AF48314F50812AE514A7382DB7D5E059B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE74, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040DE74(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x6d0c0c()) {
					_v16 = E0040DE30( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x6d0c08(4,  &_v32,  &_v20);
				}
				_t39 = E0040DE30( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E0040B2DC(_t81, _t67);
					_t39 = E00406F28(_t67);
				}
				if(_v16 != 0) {
					 *0x6d0c08(0, 0,  &_v20);
					_t68 = E0040DE30( &_v12);
					if(_v8 != _v12 || E0040DE0C(_v16, _v12, _t68) != 0) {
						 *0x6d0c08(8, _v16,  &_v20);
					}
					E00406F28(_t68);
					return E00406F28(_v16);
				}
				return _t39;
			}

0x0040de7c
0x0040de7e
0x0040de82
0x0040de8e
0x0040de98
0x0040de9b
0x0040de9d
0x0040dea4
0x0040dea7
0x0040deb8
0x0040debe
0x0040dec1
0x0040dec4
0x0040dec7
0x0040decd
0x0040ded3
0x0040dee3
0x0040dee3
0x0040deec
0x0040def1
0x0040def5
0x0040defa
0x0040deff
0x0040df01
0x0040df02
0x0040df09
0x0040df11
0x0040df16
0x0040df16
0x0040df1c
0x0040df1f
0x0040df1f
0x0040df09
0x0040df26
0x0040df2d
0x0040df2d
0x0040df36
0x0040df40
0x0040df4e
0x0040df56
0x0040df73
0x0040df73
0x0040df7b
0x00000000
0x0040df83
0x0040df8d

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73

Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 339f940500be62133d20186022ad95a148fb343104f844956e141825995a35fa
Instruction ID: 6b3602698f867434315670786c57d1330f11e75d411b24415d78b62a36c3f300
Opcode Fuzzy Hash: 339f940500be62133d20186022ad95a148fb343104f844956e141825995a35fa
Instruction Fuzzy Hash: 6B316F70E1021A9BDB10DFE9C884AAEB7B5EF14304F40417AE555E72D1DB789A09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005CD294, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005CD294(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
				int _v8;
				int _v12;
				int _t31;
				intOrPtr* _t41;
				int _t54;
				int _t55;

				_v8 = __ecx;
				_t54 = __edx;
				_t41 = __eax;
				MulDiv( *(__eax + 0x50), __edx, _v8);
				_v12 = MulDiv( *(_t41 + 0x54), _a8, _a4);
				if(( *(_t41 + 0x61) & 0x00000001) != 0) {
					_t55 =  *(_t41 + 0x58);
				} else {
					_t55 = MulDiv( *(_t41 + 0x58), _t54, _v8);
				}
				if(( *(_t41 + 0x61) & 0x00000002) != 0) {
					_t31 =  *(_t41 + 0x5c);
				} else {
					_t31 = MulDiv( *(_t41 + 0x5c), _a8, _a4);
				}
				return  *((intOrPtr*)( *_t41 + 0xc8))(_t31, _t55);
			}

0x005cd29d
0x005cd2a0
0x005cd2a2
0x005cd2ad
0x005cd2c5
0x005cd2cc
0x005cd2e0
0x005cd2ce
0x005cd2dc
0x005cd2dc
0x005cd2e7
0x005cd2fc
0x005cd2e9
0x005cd2f5
0x005cd2f5
0x005cd316

APIs

MulDiv.KERNEL32(?,?,?), ref: 005CD2AD
MulDiv.KERNEL32(?,005CD3DF,?), ref: 005CD2C0
MulDiv.KERNEL32(?,?,?), ref: 005CD2D7
MulDiv.KERNEL32(?,005CD3DF,?), ref: 005CD2F5

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d854f0a41b6c0be31f27ed2a2595d08c7a93b107329d657449771b3e36219948
Instruction ID: 2647700dfaabd85a373208064ba8ef14f9f71db11805bddc88b4befc8354b4ba
Opcode Fuzzy Hash: d854f0a41b6c0be31f27ed2a2595d08c7a93b107329d657449771b3e36219948
Instruction Fuzzy Hash: 05113076A04214AFCB44DEDDD8C4E9B7BEDEF48360B1440A9F908DB242C634ED80C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 005B9590, Relevance: 6.1, APIs: 4, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E005B9590(signed char __eax, intOrPtr _a4) {
				int _t22;
				void* _t23;
				int _t31;
				signed int _t35;
				signed char _t38;
				void* _t43;
				void* _t44;

				_t38 = __eax;
				_t2 = _a4 - 4; // 0xc31852ff
				_t22 = IsWindowVisible( *( *_t2 + 0x188));
				asm("sbb eax, eax");
				_t23 = _t22 + 1;
				_t43 = _t23 -  *0x6cbcd4; // 0x0
				if(_t43 == 0) {
					_t44 = _t38 -  *0x6cbcd4; // 0x0
					if(_t44 != 0) {
						_t5 = _a4 - 4; // 0xc31852ff
						if( *((char*)( *_t5 + 0xeb)) != 0 &&  *0x6cbcd4 == 0) {
							_t8 = _a4 - 4; // 0xc31852ff
							_t35 = GetWindowLongW( *( *_t8 + 0x188), 0xffffffec);
							_t11 = _a4 - 4; // 0xc31852ff
							SetWindowLongW( *( *_t11 + 0x188), 0xffffffec, _t35 | 0x08000000);
						}
						_t16 = _a4 - 4; // 0xc31852ff
						_t31 = SetWindowPos( *( *_t16 + 0x188), 0, 0, 0, 0, 0,  *(0x6cbcd6 + (_t38 & 0x000000ff) * 2) & 0x0000ffff);
						 *0x6cbcd4 = _t38;
						return _t31;
					}
				}
				return _t23;
			}

0x005b9594
0x005b9599
0x005b95a3
0x005b95ab
0x005b95ad
0x005b95ae
0x005b95b4
0x005b95b6
0x005b95bc
0x005b95c1
0x005b95cb
0x005b95d9
0x005b95e5
0x005b95ed
0x005b95ff
0x005b95ff
0x005b961d
0x005b9627
0x005b962c
0x00000000
0x005b962c
0x005b95bc
0x005b9634

APIs

IsWindowVisible.USER32 ref: 005B95A3
GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
SetWindowLongW.USER32 ref: 005B95FF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window$Long$Visible
String ID:
API String ID: 2967648141-0
Opcode ID: d84f1fa0e73aa85d6e82c49bc6aaa60b6125fd632751402fd138937b714318b1
Instruction ID: 5518093a597a3e42cc7efe86925244264c3f969ac261f295b92f519f6962ed08
Opcode Fuzzy Hash: d84f1fa0e73aa85d6e82c49bc6aaa60b6125fd632751402fd138937b714318b1
Instruction Fuzzy Hash: C3115E742451446FDB00DB38E989FEA7FE9AB44314F449191F984CB362CB38ED81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046A210, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046A210(void* __eax, struct HINSTANCE__* __edx, WCHAR* _a8) {
				WCHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				WCHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceW(__edx, _v8, _a8);
				 *(_t23 + 0x10) = _t29;
				if(_t29 == 0) {
					E0046A170(_t23, _t24, _t29, _t31, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x46a2ac
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				if(_t30 == 0) {
					E0046A170(_t23, _t24, _t30, _t31, _t32);
				}
				_t7 = _t23 + 0x10; // 0x46a2ac
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x469af8
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00469AA4(_t23, _t25, _t18);
			}

0x0046a217
0x0046a21a
0x0046a21c
0x0046a22c
0x0046a22e
0x0046a233
0x0046a236
0x0046a23b
0x0046a23b
0x0046a23c
0x0046a246
0x0046a248
0x0046a24d
0x0046a250
0x0046a255
0x0046a256
0x0046a260
0x0046a261
0x0046a265
0x0046a26e
0x0046a279

APIs

FindResourceW.KERNEL32(?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000,?,006D479C,?,?,006AB298), ref: 0046A227
LoadResource.KERNEL32(?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000,?,006D479C,?), ref: 0046A241
SizeofResource.KERNEL32(?,0046A2AC,?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000), ref: 0046A25B
LockResource.KERNEL32(00469AF8,00000000,?,0046A2AC,?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000), ref: 0046A265

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: fc1199bd8b7576b79735118972852dd1a7e8ba42b3ca2b0218e849eb7ba95f41
Instruction ID: 65ec82024f0050d62c5aa18a9d59af1631c7c5e859e50fdde1c6790020d80a24
Opcode Fuzzy Hash: fc1199bd8b7576b79735118972852dd1a7e8ba42b3ca2b0218e849eb7ba95f41
Instruction Fuzzy Hash: FBF081B36006046F4745EE9DA881D9B77ECEE89364310015FF908D7302EA39DD51477E

Uniqueness

Uniqueness Score: -1.00%

Function 0060F9A0, Relevance: 6.0, APIs: 4, Instructions: 48
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0060F9A0(void* __eax, void* __ecx, void* __edx) {
				void* _v16;
				int _t13;
				void* _t20;
				void* _t26;
				void* _t27;

				_push(__ecx);
				_t27 = __edx;
				_t26 = __eax;
				if(__ecx == 0) {
					_t20 = 0x80000002;
				} else {
					_t20 = 0x80000001;
				}
				if(E005C6790(0,  *((intOrPtr*)(0x6cbfc0 + (E005C6564() & 0x0000007f) * 4)), _t20,  &_v16, 2, 0) == 0) {
					RegDeleteValueW(_v16, E0040B278(_t26));
					RegCloseKey(_v16);
				}
				_t13 = RemoveFontResourceW(E0040B278(_t27));
				if(_t13 != 0) {
					_t13 = SendNotifyMessageW(0xffff, 0x1d, 0, 0);
				}
				return _t13;
			}

0x0060f9a3
0x0060f9a4
0x0060f9a6
0x0060f9aa
0x0060f9b3
0x0060f9ac
0x0060f9ac
0x0060f9ac
0x0060f9db
0x0060f9ea
0x0060f9f3
0x0060f9f3
0x0060fa00
0x0060fa07
0x0060fa14
0x0060fa14
0x0060fa1d

APIs

RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,?,0062AA5C), ref: 0060F9EA
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,?,0062AA5C), ref: 0060F9F3
RemoveFontResourceW.GDI32(00000000), ref: 0060FA00
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0060FA14

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyRemoveResourceSendValue
String ID:
API String ID: 261542597-0
Opcode ID: 8ab8b583ab22f9450f2e66a6808d4a41059f4d6db090d9e3a283c91a10046e72
Instruction ID: dfbc53e8f1cdd66ec9ebb9bd66f4992ca480b4c62771c623e92dda120a3c2ed9
Opcode Fuzzy Hash: 8ab8b583ab22f9450f2e66a6808d4a41059f4d6db090d9e3a283c91a10046e72
Instruction Fuzzy Hash: 98F0C87278430177D630B7B65C4BFAF128D4FC5744F60493DB604EB3C2D668D84142A9

Uniqueness

Uniqueness Score: -1.00%

Function 0050E958, Relevance: 6.0, APIs: 4, Instructions: 35
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0050E958(struct HWND__* __eax, void* __ecx) {
				intOrPtr _t5;
				struct HWND__* _t12;
				void* _t15;
				DWORD* _t16;

				_t13 = __ecx;
				_push(__ecx);
				_t12 = __eax;
				_t15 = 0;
				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
					_t5 =  *0x6d4648; // 0x0
					if(GlobalFindAtomW(E0040B278(_t5)) !=  *0x6d4642) {
						_t15 = E0050E924(_t12, _t13);
					} else {
						_t15 = GetPropW(_t12,  *0x6d4642 & 0x0000ffff);
					}
				}
				return _t15;
			}

0x0050e958
0x0050e95a
0x0050e95b
0x0050e95d
0x0050e961
0x0050e978
0x0050e98f
0x0050e9aa
0x0050e991
0x0050e99f
0x0050e99f
0x0050e98f
0x0050e9b1

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0050E96E
GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
GetPropW.USER32 ref: 0050E99A

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: d2063d6d394e8f62765d83b803eda28d99256e3f1fe5fb1cd52194ae8a2630a5
Instruction ID: e102eef170da63bf505a6d713c1113ee4801a35bc19e545ba3a982a5f04e7684
Opcode Fuzzy Hash: d2063d6d394e8f62765d83b803eda28d99256e3f1fe5fb1cd52194ae8a2630a5
Instruction Fuzzy Hash: B3F0ECA160511167CF60BBB65C8787F5A8C9FC43D03351D2BF945DB182D924CC8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 006A4790, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006A4790() {
				long _v8;
				void _v12;
				void* _v16;
				void* _t16;
				HANDLE* _t17;

				_t17 =  &_v12;
				_t16 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8, _t17) != 0) {
					_v12 = 0;
					if(GetTokenInformation(_v16, 0x12,  &_v12, 4,  &_v8) != 0) {
						_t16 = _v16;
					}
					CloseHandle( *_t17);
				}
				return _t16;
			}

0x006a4791
0x006a4794
0x006a47a6
0x006a47aa
0x006a47c8
0x006a47ca
0x006a47ca
0x006a47d2
0x006a47d2
0x006a47dd

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 006A4799
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A479F
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A47C1
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A47D2

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 50a0dd33171f56d43b5bd2971d4e4b19e0fdfd2185010e1c04c4a4d9079a78cb
Instruction ID: 10da8f8c74a3241f5e02fb80210d1ec53806dfcf86ee80de0044891c11e458d6
Opcode Fuzzy Hash: 50a0dd33171f56d43b5bd2971d4e4b19e0fdfd2185010e1c04c4a4d9079a78cb
Instruction Fuzzy Hash: 2AF0A0706043003BD300EAB58C82E9B37DCAF85711F00482DBA98C7280DA78ED489762

Uniqueness

Uniqueness Score: -1.00%

Function 004F5540, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004F5540() {
				signed char _v28;
				void* _t4;
				signed int _t8;
				struct HDC__* _t9;
				struct tagTEXTMETRICW* _t10;

				_t8 = 1;
				_t9 = GetDC(0);
				if(_t9 != 0) {
					_t4 =  *0x6d44b0; // 0x58a00b4
					if(SelectObject(_t9, _t4) != 0 && GetTextMetricsW(_t9, _t10) != 0) {
						_t8 = _v28 & 0x000000ff;
					}
					ReleaseDC(0, _t9);
				}
				return _t8;
			}

0x004f5545
0x004f554e
0x004f5552
0x004f5554
0x004f5562
0x004f556f
0x004f556f
0x004f5577
0x004f5577
0x004f5583

APIs

GetDC.USER32(00000000), ref: 004F5549
SelectObject.GDI32(00000000,058A00B4), ref: 004F555B
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F5566
ReleaseDC.USER32 ref: 004F5577

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 14fbe85bcd4cf3be47bb432825b68447d7e4ed233deadf784685ce309785678e
Instruction ID: 658a988d36d71ce3bab16ef7ee104d6016508106ebe8fbf8f6d71eaa57139fcf
Opcode Fuzzy Hash: 14fbe85bcd4cf3be47bb432825b68447d7e4ed233deadf784685ce309785678e
Instruction Fuzzy Hash: 43E04871E169A433D61161662C42BEB25498F423A9F08111BFF44992D5DA0DCD4042FD

Uniqueness

Uniqueness Score: -1.00%

Function 0060EC98, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0060EC98(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, intOrPtr _a12, signed char _a16, char _a20) {
				intOrPtr _v8;
				struct _SHELLEXECUTEINFOW _v68;
				void* _t52;
				intOrPtr _t61;
				void* _t65;
				intOrPtr* _t67;
				void* _t70;

				_v8 = __ecx;
				_t65 = __edx;
				_t52 = __eax;
				_t67 = _a4;
				E0040A2AC(_a20);
				_push(_t70);
				_push(0x60ed7c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xffffffc0;
				if(_a20 == 0) {
					E005C51D4(_t65, __ecx,  &_a20);
					if(_a20 == 0) {
						E005C61D8( &_a20);
					}
				}
				E00407760( &_v68, 0x3c);
				_v68.cbSize = 0x3c;
				_v68.fMask = 0x540;
				if(_t52 != 0) {
					_v68.lpVerb = E0040B278(_t52);
				}
				_v68.lpFile = E0040B278(_t65);
				_v68.lpParameters = E0040B278(_v8);
				_v68.lpDirectory = E0040B278(_a20);
				_v68.nShow = _a12;
				ShellExecuteExW( &_v68);
				asm("sbb ebx, ebx");
				_t53 = _t52 + 1;
				if(_t52 + 1 != 0) {
					 *_t67 = 0x103;
					_t39 = _v68.hProcess;
					if(_v68.hProcess != 0) {
						E0060E938(_t39, _t53, _a16 & 0x000000ff, _t65, _t67, _t67);
					}
				} else {
					 *_t67 = GetLastError();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0060ED83);
				return E0040A1C8( &_a20);
			}

0x0060eca1
0x0060eca4
0x0060eca6
0x0060eca8
0x0060ecae
0x0060ecb5
0x0060ecb6
0x0060ecbb
0x0060ecbe
0x0060ecc5
0x0060eccc
0x0060ecd5
0x0060ecda
0x0060ecda
0x0060ecd5
0x0060ece9
0x0060ecee
0x0060ecf5
0x0060ecfe
0x0060ed07
0x0060ed07
0x0060ed11
0x0060ed1c
0x0060ed27
0x0060ed2d
0x0060ed34
0x0060ed3c
0x0060ed3e
0x0060ed41
0x0060ed4c
0x0060ed52
0x0060ed57
0x0060ed61
0x0060ed61
0x0060ed43
0x0060ed48
0x0060ed48
0x0060ed68
0x0060ed6b
0x0060ed6e
0x0060ed7b

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0060ED34
GetLastError.KERNEL32(00000000,0060ED7C,?,?,?,00000001), ref: 0060ED43

Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB

Strings

<, xrefs: 0060ECEE

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 480ba7d80929159cff1dc9196e4ab957db805e1bfd706933b8e8c71d327d0e34
Instruction ID: e241974b84c1913d27331e1b8670269cd021abd25e4475656a32ed52160d5831
Opcode Fuzzy Hash: 480ba7d80929159cff1dc9196e4ab957db805e1bfd706933b8e8c71d327d0e34
Instruction Fuzzy Hash: 76216B70A40219DFDB14EFA9C886ADE7BF9EF49344F50043AF804A72D1E7759A418B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B5B7E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E006B5B7E(void* __ecx, void* __esi, void* __fp0) {
				void* _t21;
				intOrPtr* _t27;
				intOrPtr* _t33;
				void* _t41;
				intOrPtr _t43;
				char _t46;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t62;
				void* _t67;

				_t67 = __fp0;
				_t60 = __esi;
				_t47 = __ecx;
				if(( *(_t61 - 9) & 0x00000001) != 0) {
					L3:
					_t46 = 1;
				} else {
					_t64 =  *(_t61 - 9) & 0x00000040;
					if(( *(_t61 - 9) & 0x00000040) != 0) {
						goto L3;
					} else {
						_t46 = 0;
					}
				}
				_t21 = E006A47E0(_t46, _t47, 0, _t64, _t67);
				_t65 = _t21;
				if(_t21 != 0) {
					_t27 =  *0x6cceac; // 0x6d479c
					SetWindowPos( *( *_t27 + 0x188), 0, 0, 0, 0, 0, 0x97);
					_push(_t61);
					_push(0x6b5c29);
					_push( *[fs:eax]);
					 *[fs:eax] = _t62;
					_t33 =  *0x6cceac; // 0x6d479c
					 *((intOrPtr*)(_t61 - 0x18)) =  *((intOrPtr*)( *_t33 + 0x188));
					 *((char*)(_t61 - 0x14)) = 0;
					E004244F0(L"/INITPROCWND=$%x ", 0, _t61 - 0x18, _t61 - 0x10);
					_push(_t61 - 0x10);
					E005C5C0C(_t61 - 0x1c, _t46, _t60, _t65);
					_pop(_t41);
					E0040B470(_t41,  *((intOrPtr*)(_t61 - 0x1c)));
					_t43 =  *0x6d58ac; // 0x0
					E006A4AF0(_t43, _t46, 0x6cc874,  *((intOrPtr*)(_t61 - 0x10)), _t60, _t65, _t67);
					_pop(_t59);
					 *[fs:eax] = _t59;
					 *((char*)(_t61 - 1)) = 1;
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E006B5C8A);
				E0040A1C8(_t61 - 0x1c);
				return E0040A1C8(_t61 - 0x10);
			}

0x006b5b7e
0x006b5b7e
0x006b5b7e
0x006b5b82
0x006b5b8e
0x006b5b8e
0x006b5b84
0x006b5b84
0x006b5b88
0x00000000
0x006b5b8a
0x006b5b8a
0x006b5b8a
0x006b5b88
0x006b5b94
0x006b5b99
0x006b5b9b
0x006b5bb0
0x006b5bbe
0x006b5bc5
0x006b5bc6
0x006b5bcb
0x006b5bce
0x006b5bd5
0x006b5be2
0x006b5be5
0x006b5bf3
0x006b5bfb
0x006b5bff
0x006b5c07
0x006b5c08
0x006b5c15
0x006b5c1a
0x006b5c21
0x006b5c24
0x006b5c61
0x006b5c61
0x006b5c67
0x006b5c6a
0x006b5c6d
0x006b5c75
0x006b5c82

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B5BBE

Strings

/INITPROCWND=$%x , xrefs: 006B5BEE
@, xrefs: 006B5B84

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 0da45c906bc462cfda2b55ec21fdaafc96ca9e8939f242fc2e36ad7194794db2
Instruction ID: a54ba8f7f6fb51cac07e83dc6930cd9f58dc65c08491e71cf19d1336e0aa8d26
Opcode Fuzzy Hash: 0da45c906bc462cfda2b55ec21fdaafc96ca9e8939f242fc2e36ad7194794db2
Instruction Fuzzy Hash: F921C070A047098FCB00EBA4E891BFEBBF6EB89314F50447AE505D7291EB74A9448B54

Uniqueness

Uniqueness Score: -1.00%

Function 006B52AC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
processCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E006B52AC(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				struct _PROCESS_INFORMATION _v92;
				int _t22;
				intOrPtr _t28;
				intOrPtr _t41;
				void* _t47;

				_v8 = 0;
				_t44 = __edx;
				_t32 = __eax;
				_push(_t47);
				_push(0x6b5354);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47 + 0xffffffa8;
				_push(0x6b5370);
				_push(__eax);
				_push(E006B5380);
				_push(__edx);
				E0040B550( &_v8, __eax, 4, __edi, __edx);
				E00407760( &_v76, 0x44);
				_v76.cb = 0x44;
				_t22 = CreateProcessW(0, E0040B278(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
				_t49 = _t22;
				if(_t22 == 0) {
					_t28 =  *0x6ccec0; // 0x6d4c14
					_t8 = _t28 + 0x20c; // 0x0
					E006B5200( *_t8, _t32, 0, _t44, _t49);
				}
				CloseHandle(_v92.hThread);
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(E006B535B);
				return E0040A1C8( &_v8);
			}

0x006b52b6
0x006b52b9
0x006b52bb
0x006b52bf
0x006b52c0
0x006b52c5
0x006b52c8
0x006b52cb
0x006b52d0
0x006b52d1
0x006b52d6
0x006b52df
0x006b52ee
0x006b52f3
0x006b5319
0x006b531e
0x006b5320
0x006b5322
0x006b5327
0x006b532d
0x006b532d
0x006b5336
0x006b5340
0x006b5343
0x006b5346
0x006b5353

APIs

CreateProcessW.KERNEL32 ref: 006B5319
CloseHandle.KERNEL32(006B53C4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B5380,?,006B5370,00000000), ref: 006B5336

Part of subcall function 006B5200: GetLastError.KERNEL32(00000000,006B529D,?,?,?), ref: 006B5223

Strings

D, xrefs: 006B52F3

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 833fbd99d152daf2e52a47816dc75679bbddeb5de7bee5dcb9934dcf4c862459
Instruction ID: 4eb0c59f4803b7506f5ff6830a9c1deb5937146a7a7730e05c7aa181d319c706
Opcode Fuzzy Hash: 833fbd99d152daf2e52a47816dc75679bbddeb5de7bee5dcb9934dcf4c862459
Instruction Fuzzy Hash: 1C1182B1604608AFD704EBA5DC92FEE77EDEF08304F91007AF605E7281E6745E448758

Uniqueness

Uniqueness Score: -1.00%

Function 00435600, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00435600(signed short* __eax, void* __ebx, void* __edx) {
				signed short* _v8;
				char _v16;
				char _v24;
				intOrPtr* _t13;
				void* _t23;
				intOrPtr _t31;
				void* _t32;
				void* _t34;

				_t23 = __edx;
				_v8 = __eax;
				_t2 =  &_v24; // 0x43593e
				L0042F034();
				 *[fs:eax] = _t34 + 0xffffffec;
				_t4 =  &_v24; // 0x43593e
				_t13 =  *0x6ccfe4; // 0x6d3910
				E00430ECC( *((intOrPtr*)( *_t13))(_v8, 0x400, 0, 8,  *[fs:eax], 0x43566c, _t34, _t2, __ebx, _t32), 8,  *_v8 & 0x0000ffff);
				_t6 =  &_v16; // 0x435963
				E0040A61C(_t23,  *_t6);
				_t31 = _t4;
				 *[fs:eax] = _t31;
				_push(0x435673);
				_t7 =  &_v24; // 0x43593e
				return L0043115C(_t7);
			}

0x00435607
0x00435609
0x0043560c
0x00435610
0x00435620
0x00435630
0x00435634
0x00435647
0x0043564e
0x00435651
0x00435658
0x0043565b
0x0043565e
0x00435663
0x0043566b

APIs

VariantInit.OLEAUT32(>YC), ref: 00435610

Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636

Strings

cYC, xrefs: 0043564E
>YC, xrefs: 0043560C, 00435630, 00435663, 0043560F, 00435633

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AllocInitStringVariant
String ID: >YC$cYC
API String ID: 4010818693-2962211312
Opcode ID: 95145bfc45b7620ee9ddcdd8df841c505c76c4f986ac1c97678f8ad24fa23931
Instruction ID: 5a220649ebee1d9f27268bcd1ac9fa6249c44259e217bc11eddfa162a287c46a
Opcode Fuzzy Hash: 95145bfc45b7620ee9ddcdd8df841c505c76c4f986ac1c97678f8ad24fa23931
Instruction Fuzzy Hash: A8F08170700604AFD700EB95CD42E9EB7FCEB8D700FA04576F204E3291DA346E048669

Uniqueness

Uniqueness Score: -1.00%

Function 006B7568, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E006B7568(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t1;
				int _t9;
				void* _t12;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t18;
				intOrPtr _t20;

				_t15 = __edx;
				if( *0x6d58c1 != 0) {
					E00615A90(L"Detected restart. Removing temporary directory.", _t12, _t17, _t18);
					_push(0x6b75a3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t20;
					E006AB828();
					E006AB518(_t12, _t15, _t17, _t18);
					_pop(_t16);
					 *[fs:eax] = _t16;
					E00614EC0();
					_t9 =  *0x6cc874; // 0x1
					return TerminateProcess(GetCurrentProcess(), _t9);
				}
				return _t1;
			}

0x006b7568
0x006b7575
0x006b757c
0x006b7584
0x006b7589
0x006b758c
0x006b758f
0x006b7594
0x006b759b
0x006b759e
0x006b75b2
0x006b75b7
0x00000000
0x006b75c3
0x006b75cc

APIs

Part of subcall function 006AB828: FreeLibrary.KERNEL32(00000000,006B7594,00000000,006B75A3,?,?,?,?,?,006B8087), ref: 006AB83E

Part of subcall function 006AB518: GetTickCount.KERNEL32 ref: 006AB560

Part of subcall function 00614EC0: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 00614EDF

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B8087), ref: 006B75BD
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B8087), ref: 006B75C3

Strings

Detected restart. Removing temporary directory., xrefs: 006B7577

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 45618aae9cb5e0ddd86fda6c1571fbc61e24b750a47e7da7bf69b78b659eaf21
Instruction ID: eb50edc141b176b4c4c2d30214ac255ec0ff1137937d64bc1826d6109f125fe4
Opcode Fuzzy Hash: 45618aae9cb5e0ddd86fda6c1571fbc61e24b750a47e7da7bf69b78b659eaf21
Instruction Fuzzy Hash: FAE02BF260C6042ED3613BB5BC02DE67F9FEBC7364751043AF40482902CD1968C18778

Uniqueness

Uniqueness Score: -1.00%

Function 005C750C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E005C750C(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t9;
				void* _t11;
				intOrPtr* _t12;
				void* _t14;
				void* _t15;

				_t14 = __edx;
				_t15 = __eax;
				E005C759C(__eax, __eflags);
				_t12 = E00414020(_t11, _t15, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonCreate");
				if(_t12 == 0) {
					__eflags = 0;
					return 0;
				}
				_t9 =  *_t12(_t15, E0040B278(_t14));
				asm("sbb eax, eax");
				return _t9 + 1;
			}

0x005c750f
0x005c7511
0x005c7515
0x005c752f
0x005c7533
0x005c7548
0x00000000
0x005c7548
0x005c753e
0x005c7543
0x00000000

APIs

Part of subcall function 005C759C: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C751A,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5), ref: 005C75AA

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5,?,00000000,006B69A2), ref: 005C7524

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

ShutdownBlockReasonCreate, xrefs: 005C751A
user32.dll, xrefs: 005C751F

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: efebfd98173b0eafe801dbdb02c234ba5fe6efea653fc4811e05af60f83a25fa
Instruction ID: 7e2c108bb10f7f082d0db0eee0b4291c943f7f38440bc59f5173c01314d4ac5e
Opcode Fuzzy Hash: efebfd98173b0eafe801dbdb02c234ba5fe6efea653fc4811e05af60f83a25fa
Instruction Fuzzy Hash: 68E0C2B23482152FC20172FF2C85F6F4E8CEDCD75A310043EF605E2502E958CD0209AC

Uniqueness

Uniqueness Score: -1.00%

Function 005C6204, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E005C6204(void* __eax, void* __esi, void* __ebp, void* __eflags) {
				char _v536;
				void* __ebx;
				intOrPtr* _t6;
				void* _t9;
				void* _t15;

				_t9 = __eax;
				E0040A1C8(__eax);
				_t6 = E00414020(_t9, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetSystemWow64DirectoryW");
				if(_t6 != 0) {
					_t6 =  *_t6( &_v536, 0x105);
					if(_t6 > 0 && _t6 < 0x105) {
						return E0040B318(_t9, 0x105, _t15);
					}
				}
				return _t6;
			}

0x005c620b
0x005c620f
0x005c6224
0x005c622b
0x005c6237
0x005c623b
0x00000000
0x005c624d
0x005c623b
0x005c6259

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060CFD8,00000000,0060D0AA,?,?,006D479C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C621E

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

GetSystemWow64DirectoryW, xrefs: 005C6214
kernel32.dll, xrefs: 005C6219

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: 62b8e0f0a56936aa9a12e08c2800317b2c896f52e35f249fadc7c93598274ed8
Instruction ID: c75d70e110fee00d4030cd3977e0a9c06a7ab18f3cb046c04c9789280543d232
Opcode Fuzzy Hash: 62b8e0f0a56936aa9a12e08c2800317b2c896f52e35f249fadc7c93598274ed8
Instruction Fuzzy Hash: 09E086B874070116DB2072FA5CC3F9B1A8B6BC4714F10443E7B54D62C6EDADDA8442DA

Uniqueness

Uniqueness Score: -1.00%

Function 005C73C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E005C73C0(void* __eax, void* __ecx) {
				void* __ebx;
				void* _t1;
				void* _t4;
				void* _t8;
				intOrPtr* _t9;

				_t1 = __eax;
				_t4 = __eax;
				if( *0x6d47d4 == 0) {
					 *0x6d47d8 = E00414020(_t4, _t8, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilter");
					 *_t9 = 0x6d47d4;
					_t1 = 1;
					asm("lock xchg [edx], eax");
				}
				if( *0x6d47d8 != 0) {
					_t1 =  *0x6d47d8(_t4, 1);
				}
				return _t1;
			}

0x005c73c0
0x005c73c2
0x005c73cb
0x005c73e2
0x005c73e7
0x005c73f1
0x005c73f6
0x005c73f6
0x005c7400
0x005c7405
0x005c7405
0x005c740d

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C74B6,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C73D7

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

ChangeWindowMessageFilter, xrefs: 005C73CD
user32.dll, xrefs: 005C73D2

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1646373207-2498399450
Opcode ID: a04977c9df1766bfa9eb39965416b1cc808de74be9259f562920b096e4c3932b
Instruction ID: c2b8af028828c778303b028511c4b48d7ee3342a6cedbc73199b4139695af62d
Opcode Fuzzy Hash: a04977c9df1766bfa9eb39965416b1cc808de74be9259f562920b096e4c3932b
Instruction Fuzzy Hash: C4E092B0619204DFDB05AB64EC85F853FD5E78D305F11281EF14092991CBB508D0CB54

Uniqueness

Uniqueness Score: -1.00%

Function 005C759C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E005C759C(void* __eax, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t7;
				intOrPtr* _t8;
				void* _t9;

				_t9 = __eax;
				_t8 = E00414020(_t7, _t9, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonDestroy");
				if(_t8 == 0) {
					L2:
					return 0;
				} else {
					_push(_t9);
					if( *_t8() != 0) {
						return 1;
					} else {
						goto L2;
					}
				}
			}

0x005c759e
0x005c75b5
0x005c75b9
0x005c75c2
0x005c75c6
0x005c75bb
0x005c75bb
0x005c75c0
0x005c75cb
0x00000000
0x00000000
0x00000000
0x005c75c0

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C751A,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5), ref: 005C75AA

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

ShutdownBlockReasonDestroy, xrefs: 005C75A0
user32.dll, xrefs: 005C75A5

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 8390f49b65f4fec2f209d5efc8905e974ae146cd1b5ec0c6a84ab675bf547ecf
Instruction ID: 4e3f113fda4c16e881a5f3aa9ecd558cba9a4971931a60422d60a81ddc808e35
Opcode Fuzzy Hash: 8390f49b65f4fec2f209d5efc8905e974ae146cd1b5ec0c6a84ab675bf547ecf
Instruction Fuzzy Hash: D7D0C7B23167171F551171FA3CD1FDB0E8C5A5D399314047AF600D2941D655CD4119A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B80BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E006B80BC(void* __eflags) {
				intOrPtr* _t2;
				void* _t4;
				void* _t5;

				_t2 = E00414020(_t4, _t5, GetModuleHandleW(L"user32.dll"), L"DisableProcessWindowsGhosting");
				if(_t2 != 0) {
					return  *_t2();
				}
				return _t2;
			}

0x006b80cc
0x006b80d3
0x00000000
0x006b80d5
0x006b80d7

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C36AE,00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006B80C6

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

DisableProcessWindowsGhosting, xrefs: 006B80BC
user32.dll, xrefs: 006B80C1

Memory Dump Source

Source File: 00000005.00000002.372037942.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.372022813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372558582.00000000006C4000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372579969.00000000006C9000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372592807.00000000006CB000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372608125.00000000006CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372617151.00000000006CE000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372628692.00000000006D3000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372639610.00000000006D8000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.372649825.00000000006DA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.372659790.00000000006DB000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.372669977.00000000006DD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_innosetup-6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 5cbe801bf7b381ca0378d38539efb860e368aea908294e06d9e36ba0bca127a5
Instruction ID: b900b06cde22f286b5d6b80c7bf5c94766530aebccc61ebef0275fd01e3919ca
Opcode Fuzzy Hash: 5cbe801bf7b381ca0378d38539efb860e368aea908294e06d9e36ba0bca127a5
Instruction Fuzzy Hash: 50B092E02C130218182072B72C03ACA040F0994B8A70104553B10A3481DD5880C98339

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Compil32.exe PID: 6232 Parent PID: 4880 Compil32.exeCOMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1638
Total number of Limit Nodes:	50

Executed Functions

Function 0040BA8C, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E0040BA8C(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407EC8(_v8);
				_push(_t61);
				_push(0x40bb4c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L004037D0();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E00408CF4( &_v20, 4,  &_v16);
				E00408EA4(_t44, _v20, _v8);
				_t29 = E0040B93C( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E00408CF4( &_v24, 4,  &_v16);
					E00408EA4(_t44, _v24, _v8);
					_t40 = E0040B93C( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407DE4(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040BB53);
				E00407E44( &_v24, 2);
				return E00407DE4( &_v8);
			}

0x0040ba92
0x0040ba95
0x0040ba98
0x0040ba9b
0x0040ba9d
0x0040baa3
0x0040baaa
0x0040baab
0x0040bab0
0x0040bab3
0x0040bab8
0x0040babe
0x0040bac7
0x0040bad7
0x0040bae4
0x0040baeb
0x0040baf2
0x0040baf4
0x0040bb05
0x0040bb12
0x0040bb19
0x0040bb20
0x0040bb24
0x0040bb24
0x0040bb20
0x0040bb2b
0x0040bb2e
0x0040bb31
0x0040bb3e
0x0040bb4b

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040BB4C,?,?), ref: 0040BABE
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040BB4C,?,?), ref: 0040BAC7

Part of subcall function 0040B93C: FindFirstFileW.KERNEL32(00000000,?,00000000,0040B99A,?,?), ref: 0040B96F
Part of subcall function 0040B93C: FindClose.KERNEL32(00000000,00000000,?,00000000,0040B99A,?,?), ref: 0040B97F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 5a6a1ac6b0486d9fa13e0a7bac5183a962f870cb790fdc05bb120020f9b83c4d
Instruction ID: b56b141933bec9af13a3f5978ba867c340c3fab6cbbbb9653b359bc4de815ad1
Opcode Fuzzy Hash: 5a6a1ac6b0486d9fa13e0a7bac5183a962f870cb790fdc05bb120020f9b83c4d
Instruction Fuzzy Hash: 18116070A042499BDB04EB95D982AAEB7B8EF44704F5040BFB504B32D2DB786E04C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B93C, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040B93C(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407EC8(_v8);
				_push(_t27);
				_push(0x40b99a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E00408C3C(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040B9A1);
				return E00407DE4( &_v8);
			}

0x0040b945
0x0040b946
0x0040b94c
0x0040b953
0x0040b954
0x0040b959
0x0040b95c
0x0040b96f
0x0040b97c
0x0040b97f
0x0040b97f
0x0040b986
0x0040b989
0x0040b98c
0x0040b999

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040B99A,?,?), ref: 0040B96F
FindClose.KERNEL32(00000000,00000000,?,00000000,0040B99A,?,?), ref: 0040B97F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 076a493b0e59744c53e6f2be56fa9f34844fc6540f6d5306b89b09f8a5fc355b
Instruction ID: 6613194135aa30df163952cb495be68b7048fba4f6119cc752ffa5857bef8215
Opcode Fuzzy Hash: 076a493b0e59744c53e6f2be56fa9f34844fc6540f6d5306b89b09f8a5fc355b
Instruction Fuzzy Hash: 10F0BEB1908208AEC750EBB9CD1299EBBACEB04314BA005B6F804F32C1EB3C9F00955C

Uniqueness

Uniqueness Score: -1.00%

Function 005EEE78, Relevance: 38.7, APIs: 1, Strings: 21, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E005EEE78(void* __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t23;
				void* _t72;
				intOrPtr _t90;
				char* _t114;
				intOrPtr _t117;

				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t114 = __edx;
				_t72 = __eax;
				_push(_t117);
				_push(0x5ef065);
				_push( *[fs:eax]);
				 *[fs:eax] = _t117;
				_t112 = E005EECE8();
				 *__edx = _t22 == 0x80000002;
				if( *__edx != 0 || _t72 == 0 || E005ED618(L"Unable to associate for all users without administrative privileges. Do you want to associate only for yourself instead?", 1, L"Associate", 4) == 6) {
					_t23 = 1;
				} else {
					_t23 = 0;
				}
				_t73 = _t23;
				_t122 = _t23;
				if(_t23 != 0) {
					E005E4D5C(0, _t73,  &_v8, _t112, _t114);
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\.iss", _t112, _t114, _t122, L"InnoSetupScriptFile"); // executed
					E005EEDDC(_t112, _t73, L"Content Type", L"Software\\Classes\\.iss", _t112, _t114, _t122, L"text/plain"); // executed
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile", _t112, _t114, _t122, L"Inno Setup Script"); // executed
					E00408EA4( &_v12, 0x5ef2c0, _v8);
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\DefaultIcon", _t112, _t114, _t122, _v12); // executed
					_push(0x5ef338);
					_push(_v8);
					_push(L"\" \"%1\"");
					E00408F2C( &_v16, _t73, 3, _t112, _t114);
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\shell\\open\\command", _t112, _t114, _t122, _v16); // executed
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\shell\\OpenWithInnoSetup", _t112, _t114, _t122, L"Open with &Inno Setup"); // executed
					_push(0x5ef338);
					_push(_v8);
					_push(L"\" \"%1\"");
					E00408F2C( &_v20, _t73, 3, _t112, _t114);
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\shell\\OpenWithInnoSetup\\command", _t112, _t114, _t122, _v20); // executed
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\shell\\Compile", _t112, _t114, _t122, L"Compi&le"); // executed
					_push(0x5ef338);
					_push(_v8);
					_push(L"\" /cc \"%1\"");
					E00408F2C( &_v24, _t73, 3, _t112, _t114);
					E005EEDDC(_t112, _t73, 0, L"Software\\Classes\\InnoSetupScriptFile\\shell\\Compile\\command", _t112, _t114, _t122, _v24); // executed
					_push(0);
					_push(L"Software\\Classes\\Applications\\");
					E005D1A84(_v8, 0,  &_v32);
					_push(_v32);
					E00408F2C( &_v28, _t73, 3, _t112, _t114);
					E005EEDDC(_t112, _t73, L".iss", E00408C3C(_v28), _t112, _t114, _t122, L"\\SupportedTypes"); // executed
					if( *_t114 != 0) {
						E005EF820(0x80000001, _t73, 0, _t112, _t114, 0); // executed
					}
					SHChangeNotify(0x8000000, 0, 0, 0); // executed
				}
				_pop(_t90);
				 *[fs:eax] = _t90;
				_push(E005EF06C);
				return E00407E44( &_v32, 7);
			}

0x005eee7d
0x005eee7e
0x005eee7f
0x005eee80
0x005eee81
0x005eee82
0x005eee83
0x005eee87
0x005eee89
0x005eee8d
0x005eee8e
0x005eee93
0x005eee96
0x005eee9e
0x005eeea6
0x005eeeac
0x005eeece
0x005eeeca
0x005eeeca
0x005eeeca
0x005eeed0
0x005eeed2
0x005eeed4
0x005eeedf
0x005eeef2
0x005eef08
0x005eef1b
0x005eef2b
0x005eef3d
0x005eef42
0x005eef47
0x005eef4a
0x005eef57
0x005eef69
0x005eef7c
0x005eef81
0x005eef86
0x005eef89
0x005eef96
0x005eefa8
0x005eefbb
0x005eefc0
0x005eefc5
0x005eefc8
0x005eefd5
0x005eefe7
0x005eefec
0x005eefee
0x005eeff9
0x005eeffe
0x005ef00e
0x005ef024
0x005ef02c
0x005ef035
0x005ef035
0x005ef045
0x005ef045
0x005ef04c
0x005ef04f
0x005ef052
0x005ef064

APIs

SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 005EF045

Strings

InnoSetupScriptFile, xrefs: 005EEEE4
Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup, xrefs: 005EEF73
Software\Classes\.iss, xrefs: 005EEEE9, 005EEF01
Inno Setup Script, xrefs: 005EEF0D
Software\Classes\InnoSetupScriptFile, xrefs: 005EEF12
Software\Classes\InnoSetupScriptFile\DefaultIcon, xrefs: 005EEF34
Software\Classes\InnoSetupScriptFile\shell\open\command, xrefs: 005EEF60
" /cc "%1", xrefs: 005EEFC8
Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command, xrefs: 005EEF9F
Software\Classes\Applications\, xrefs: 005EEFEE
Content Type, xrefs: 005EEEFC
Software\Classes\InnoSetupScriptFile\shell\Compile\command, xrefs: 005EEFDE
" "%1", xrefs: 005EEF4A, 005EEF89
.iss, xrefs: 005EF01D
\SupportedTypes, xrefs: 005EF001
Software\Classes\InnoSetupScriptFile\shell\Compile, xrefs: 005EEFB2
Unable to associate for all users without administrative privileges. Do you want to associate only for yourself instead?, xrefs: 005EEEBB
Associate, xrefs: 005EEEB6
Compi&le, xrefs: 005EEFAD
text/plain, xrefs: 005EEEF7
Open with &Inno Setup, xrefs: 005EEF6E

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: ChangeNotify
String ID: " "%1"$" /cc "%1"$.iss$Associate$Compi&le$Content Type$Inno Setup Script$InnoSetupScriptFile$Open with &Inno Setup$Software\Classes\.iss$Software\Classes\Applications\$Software\Classes\InnoSetupScriptFile$Software\Classes\InnoSetupScriptFile\DefaultIcon$Software\Classes\InnoSetupScriptFile\shell\Compile$Software\Classes\InnoSetupScriptFile\shell\Compile\command$Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup$Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command$Software\Classes\InnoSetupScriptFile\shell\open\command$Unable to associate for all users without administrative privileges. Do you want to associate only for yourself instead?$\SupportedTypes$text/plain
API String ID: 3893256919-2234051897
Opcode ID: eea6abb0b1d946a5a6e58948023a5c870793402d4533a366450fd3cf96f59a1b
Instruction ID: e7e7414fb527fa1e786bc10f9ed6fd3255130bb6187169f5ead064cf6e7b8646
Opcode Fuzzy Hash: eea6abb0b1d946a5a6e58948023a5c870793402d4533a366450fd3cf96f59a1b
Instruction Fuzzy Hash: EE41E3747402C66BDB0DE7AA8D07B6F7EA6BB88300F204439F5C5E7682CE749E028315

Uniqueness

Uniqueness Score: -1.00%

Function 005E5434, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E005E5434(long __eax) {
				signed char _v5;
				void* _v12;
				char _v16;
				void* _v20;
				long _v24;
				void* _v28;
				struct _SID_IDENTIFIER_AUTHORITY* _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t89;
				long _t97;
				signed int _t100;
				intOrPtr _t105;
				intOrPtr _t106;
				void* _t107;
				void* _t110;
				void* _t111;
				void* _t113;
				void* _t115;
				intOrPtr _t116;

				_t113 = _t115;
				_t116 = _t115 + 0xffffffe4;
				_push(_t107);
				_t97 = __eax;
				if(E00426774() == 2) {
					_v5 = 0;
					_v32 = 0x646ad8;
					if(AllocateAndInitializeSid(_v32, 2, 0x20, _t97, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t113);
						_push(0x5e561f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t116;
						_t99 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_t99 = E0041158C(0, _t107, GetModuleHandleW(L"advapi32.dll"), L"CheckTokenMembership");
						}
						if(_t99 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v20) != 0) {
								L13:
								_push(_t113);
								_push(0x5e5601);
								_push( *[fs:eax]);
								 *[fs:eax] = _t116;
								_v24 = 0;
								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
									_v28 = E00405490(_v24);
									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
										_t110 =  *_v28 - 1;
										if(_t110 >= 0) {
											_t111 = _t110 + 1;
											_t100 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t100 * 8)) == 0 || ( *(_v28 + 8 + _t100 * 8) & 0x00000014) != 4) {
												_t100 = _t100 + 1;
												_t111 = _t111 - 1;
												if(_t111 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t105);
										 *[fs:eax] = _t105;
										_push(E005E5608);
										E004054AC(_v28);
										return CloseHandle(_v20);
									} else {
										E004075D4();
										E004075D4();
										goto L26;
									}
								} else {
									E004075D4();
									E004075D4();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E004075D4();
										goto L26;
									}
								} else {
									E004075D4();
									goto L26;
								}
							}
						} else {
							_t89 =  *_t99(0, _v12,  &_v16); // executed
							if(_t89 != 0) {
								asm("sbb eax, eax");
								_v5 = _t89 + 1;
							}
							_pop(_t106);
							 *[fs:eax] = _t106;
							_push(E005E5626);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5 & 0x000000ff;
				}
			}

0x005e5435
0x005e5437
0x005e543b
0x005e543c
0x005e5446
0x005e5451
0x005e545a
0x005e547d
0x00000000
0x005e5483
0x005e5485
0x005e5486
0x005e548b
0x005e548e
0x005e5491
0x005e54a1
0x005e54b8
0x005e54b8
0x005e54bc
0x005e54e3
0x005e54fb
0x005e5532
0x005e5534
0x005e5535
0x005e553a
0x005e553d
0x005e5542
0x005e555a
0x005e557d
0x005e5599
0x005e55ac
0x005e55af
0x005e55b1
0x005e55b2
0x005e55b4
0x005e55de
0x005e55df
0x005e55e0
0x00000000
0x00000000
0x00000000
0x005e55e0
0x005e55d8
0x005e55d8
0x005e55e2
0x005e55e4
0x005e55e7
0x005e55ea
0x005e55f2
0x005e5600
0x005e559b
0x005e559b
0x005e55a0
0x00000000
0x005e55a0
0x005e5566
0x005e5566
0x005e556b
0x00000000
0x005e556b
0x005e54fd
0x005e5507
0x005e5526
0x00000000
0x005e5528
0x005e5528
0x00000000
0x005e5528
0x005e5509
0x005e5509
0x00000000
0x005e5509
0x005e5507
0x005e54be
0x005e54c8
0x005e54cc
0x005e54d6
0x005e54d9
0x005e54d9
0x005e560a
0x005e560d
0x005e5610
0x005e561e
0x005e561e
0x005e54bc
0x005e5448
0x005e5448
0x005e5626
0x005e562f
0x005e562f

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0063D1D6), ref: 005E5476
GetVersion.KERNEL32(00000000,005E561F,?,00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0063D1D6), ref: 005E5493
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005E561F,?,00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0063D1D6), ref: 005E54AD
CheckTokenMembership.KERNELBASE(00000000,0063D1D6,00000001,00000000,005E561F,?,00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005E54C8
FreeSid.ADVAPI32(0063D1D6,005E5626,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0063D1D6), ref: 005E5619

Strings

CheckTokenMembership, xrefs: 005E54A3
advapi32.dll, xrefs: 005E54A8

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: ee99dbde4843d1cb3df2486bb15edccdbcb279d15150e7bffca15a96fd34526d
Instruction ID: 3652949f21ec825ade92f090403e739f404fa364cb8b3dcea065f1e374d814ce
Opcode Fuzzy Hash: ee99dbde4843d1cb3df2486bb15edccdbcb279d15150e7bffca15a96fd34526d
Instruction Fuzzy Hash: 9D51A671E446896FDB14DBEA8C42BFF7BACFB04308F50046AFA91E2191E978D9408765

Uniqueness

Uniqueness Score: -1.00%

Function 005EF820, Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 161
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E005EF820(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t23;
				void* _t45;
				void* _t47;
				void* _t74;
				void* _t76;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;

				_t122 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t76 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x5efa2a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t23 = E005EF740(__eax, L"Software\\Classes\\InnoSetupScriptFile", __eflags); // executed
				_t129 = _t23;
				if(_t23 != 0) {
					L2:
					E005E4D5C(0, _t76,  &_v8, _t122, _t124);
					E00408EA4( &_v20, 0x5efabc, _v8);
					if(E005EF6B0(_t124, _t76, _v20, L"Software\\Classes\\InnoSetupScriptFile\\DefaultIcon", _t122, _t124, _t130) != 0) {
						E005E5178(0, _t76, L"Software\\Classes\\InnoSetupScriptFile\\DefaultIcon", _t124, _t122, _t124);
					}
					_push(0x5efb34);
					_push(_v8);
					_push(L"\" \"%1\"");
					E00408F2C( &_v24, _t76, 3, _t122, _t124);
					if(E005EF6B0(_t124, _t76, _v24, L"Software\\Classes\\InnoSetupScriptFile\\shell\\open\\command", _t122, _t124, 0) != 0) {
						E005E5178(0, _t76, L"Software\\Classes\\InnoSetupScriptFile\\shell\\open", _t124, _t122, _t124);
					}
					_push(0x5efb34);
					_push(_v8);
					_push(L"\" \"%1\"");
					E00408F2C( &_v28, _t76, 3, _t122, _t124);
					if(E005EF6B0(_t124, _t76, _v28, L"Software\\Classes\\InnoSetupScriptFile\\shell\\OpenWithInnoSetup\\command", _t122, _t124, 0) != 0) {
						E005E5178(0, _t76, L"Software\\Classes\\InnoSetupScriptFile\\shell\\OpenWithInnoSetup", _t124, _t122, _t124);
					}
					_push(0x5efb34);
					_push(_v8);
					_push(L"\" /cc \"%1\"");
					E00408F2C( &_v32, _t76, 3, _t122, _t124);
					if(E005EF6B0(_t124, _t76, _v32, L"Software\\Classes\\InnoSetupScriptFile\\shell\\Compile\\command", _t122, _t124, 0) != 0) {
						E005E5178(0, _t76, L"Software\\Classes\\InnoSetupScriptFile\\shell\\Compile", _t124, _t122, _t124);
					}
					E005E52FC(0, L"Software\\Classes\\InnoSetupScriptFile\\shell", _t124, 0);
					_t45 = E005EF6B0(_t124, _t76, L"Inno Setup Script", L"Software\\Classes\\InnoSetupScriptFile", _t122, _t124, 0);
					_t139 = _t45;
					if(_t45 != 0 && E005EF778(_t124,  &_v12, L"Software\\Classes\\InnoSetupScriptFile", _t139,  &_v16) != 0 && _v12 == 0) {
						_t142 = _v16 - 1;
						if(_v16 <= 1) {
							RegDeleteKeyW(_t124, L"Software\\Classes\\InnoSetupScriptFile");
						}
					}
					_t47 = E005EF740(_t124, L"Software\\Classes\\InnoSetupScriptFile", _t142);
					_t143 = _t47;
					if(_t47 == 0 && E005EF6B0(_t124, _t76, L"InnoSetupScriptFile", L"Software\\Classes\\.iss", _t122, _t124, _t143) != 0) {
						E005EF7E0(_t124, L"Software\\Classes\\.iss", 0);
						E005EF7E0(_t124, L"Software\\Classes\\.iss", 0);
					}
					E005E52FC(0, L"Software\\Classes\\.iss", _t124, 0);
					if(_t76 != 0) {
						SHChangeNotify(0x8000000, 0, 0, 0);
					}
					L20:
					_pop(_t111);
					 *[fs:eax] = _t111;
					_push(E005EFA31);
					E00407E44( &_v32, 4);
					return E00407DE4( &_v8);
				}
				_t74 = E005EF740(_t124, L"Software\\Classes\\.iss", _t129); // executed
				_t130 = _t74;
				if(_t74 == 0) {
					goto L20;
				}
				goto L2;
			}

0x005ef820
0x005ef825
0x005ef826
0x005ef827
0x005ef828
0x005ef829
0x005ef82a
0x005ef82b
0x005ef82c
0x005ef82d
0x005ef82e
0x005ef830
0x005ef834
0x005ef835
0x005ef83a
0x005ef83d
0x005ef847
0x005ef84c
0x005ef84e
0x005ef864
0x005ef869
0x005ef879
0x005ef88f
0x005ef89a
0x005ef89a
0x005ef89f
0x005ef8a4
0x005ef8a7
0x005ef8b4
0x005ef8ca
0x005ef8d5
0x005ef8d5
0x005ef8da
0x005ef8df
0x005ef8e2
0x005ef8ef
0x005ef905
0x005ef910
0x005ef910
0x005ef915
0x005ef91a
0x005ef91d
0x005ef92a
0x005ef940
0x005ef94b
0x005ef94b
0x005ef959
0x005ef96a
0x005ef96f
0x005ef971
0x005ef990
0x005ef994
0x005ef99c
0x005ef99c
0x005ef994
0x005ef9a8
0x005ef9ad
0x005ef9af
0x005ef9cf
0x005ef9e0
0x005ef9e0
0x005ef9ee
0x005ef9f5
0x005efa02
0x005efa02
0x005efa07
0x005efa09
0x005efa0c
0x005efa0f
0x005efa1c
0x005efa29
0x005efa29
0x005ef857
0x005ef85c
0x005ef85e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 005EF740: RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00000001,00000000,?,005EF84C,00000000,005EFA2A,?,?,?,00000000,00000000), ref: 005EF76C

RegDeleteKeyW.ADVAPI32(00000000,Software\Classes\InnoSetupScriptFile), ref: 005EF99C
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 005EFA02

Part of subcall function 005EF7E0: RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,00000000,00000001,00000000,?,005EF9D4," /cc "%1",?,005EFB34," "%1",?), ref: 005EF809
Part of subcall function 005EF7E0: RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,?,00000000,00000001,00000000,?,005EF9D4," /cc "%1",?,005EFB34," "%1"), ref: 005EF812

Strings

Software\Classes\InnoSetupScriptFile, xrefs: 005EF840, 005EF95E, 005EF97A, 005EF996, 005EF9A1
" /cc "%1", xrefs: 005EF91D
" "%1", xrefs: 005EF8A7, 005EF8E2
Inno Setup Script, xrefs: 005EF963
Content Type, xrefs: 005EF9D4
InnoSetupScriptFile, xrefs: 005EF9B6
Software\Classes\InnoSetupScriptFile\shell\open, xrefs: 005EF8CC
Software\Classes\InnoSetupScriptFile\shell\Compile, xrefs: 005EF942
Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command, xrefs: 005EF8F7
Software\Classes\InnoSetupScriptFile\shell\Compile\command, xrefs: 005EF932
Software\Classes\InnoSetupScriptFile\DefaultIcon, xrefs: 005EF881, 005EF891
Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup, xrefs: 005EF907
Software\Classes\.iss, xrefs: 005EF850, 005EF9B1, 005EF9C6, 005EF9D9, 005EF9E5
Software\Classes\InnoSetupScriptFile\shell, xrefs: 005EF950
Software\Classes\InnoSetupScriptFile\shell\open\command, xrefs: 005EF8BC

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CloseDelete$ChangeNotifyValue
String ID: " "%1"$" /cc "%1"$Content Type$Inno Setup Script$InnoSetupScriptFile$Software\Classes\.iss$Software\Classes\InnoSetupScriptFile$Software\Classes\InnoSetupScriptFile\DefaultIcon$Software\Classes\InnoSetupScriptFile\shell$Software\Classes\InnoSetupScriptFile\shell\Compile$Software\Classes\InnoSetupScriptFile\shell\Compile\command$Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup$Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command$Software\Classes\InnoSetupScriptFile\shell\open$Software\Classes\InnoSetupScriptFile\shell\open\command
API String ID: 4224269550-962491716
Opcode ID: 11b405e86d494f0c5ccc6da568d43c8f0fb5a6f916e65c7587b99324bbede1bc
Instruction ID: 789ea6cdcdb7f717a1cb7bacd4c0edacda5adafb2cba494be19f7791ccaec5e1
Opcode Fuzzy Hash: 11b405e86d494f0c5ccc6da568d43c8f0fb5a6f916e65c7587b99324bbede1bc
Instruction Fuzzy Hash: 5F419D30B006C567CF1CEB6389167AE2F96BBC5704F108479B9C4AF382DE789E028794

Uniqueness

Uniqueness Score: -1.00%

Function 0040B560, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040B560(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407EC8(_v8);
				_push(_t112);
				_push(0x40b785);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040AD94( &_v542, E00408C3C(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040B78C);
					return E00407DE4( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40b768);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040B370( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040B878, 0, 0, 0,  &_v20) == 0) {
								_v12 = E00405490(_v20);
								RegQueryValueExW(_v16, E0040B878, 0, 0, _v12,  &_v20);
								E00408CA0(_t97, _v12);
							}
						} else {
							_v12 = E00405490(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408CA0(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040B76F);
						if(_v12 != 0) {
							E004054AC(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040b561
0x0040b563
0x0040b56a
0x0040b56c
0x0040b572
0x0040b579
0x0040b57a
0x0040b57f
0x0040b582
0x0040b589
0x0040b5b5
0x0040b58b
0x0040b599
0x0040b599
0x0040b5c2
0x0040b76f
0x0040b771
0x0040b774
0x0040b777
0x0040b784
0x0040b5c8
0x0040b5ca
0x0040b5e2
0x0040b5e9
0x0040b689
0x0040b68b
0x0040b68c
0x0040b691
0x0040b694
0x0040b6a2
0x0040b6c3
0x0040b712
0x0040b71c
0x0040b734
0x0040b73e
0x0040b73e
0x0040b6c5
0x0040b6cd
0x0040b6e7
0x0040b6f1
0x0040b6f1
0x0040b745
0x0040b748
0x0040b74b
0x0040b754
0x0040b759
0x0040b759
0x0040b767
0x0040b5ef
0x0040b604
0x0040b60b
0x00000000
0x0040b60d
0x0040b622
0x0040b629
0x00000000
0x0040b62b
0x0040b640
0x0040b647
0x00000000
0x0040b649
0x0040b65e
0x0040b665
0x00000000
0x0040b667
0x0040b67c
0x0040b683
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b683
0x0040b665
0x0040b647
0x0040b629
0x0040b60b
0x0040b5e9

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B785,?,?), ref: 0040B599
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B785,?,?), ref: 0040B5E2
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B785,?,?), ref: 0040B604
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040B622
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040B640
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040B65E
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040B67C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040B768,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B785), ref: 0040B6BC
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040B768,?,80000001), ref: 0040B6E7
RegCloseKey.ADVAPI32(?,0040B76F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040B768,?,80000001,Software\Embarcadero\Locales), ref: 0040B762

Strings

Software\CodeGear\Locales, xrefs: 0040B618, 0040B636
Software\Borland\Delphi\Locales, xrefs: 0040B672
Software\Borland\Locales, xrefs: 0040B654
Software\Embarcadero\Locales, xrefs: 0040B5D8, 0040B5FA

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: e910e011e2c4455669f7797fb15ad3116e01278216bdcd651ac4d76390b06edb
Instruction ID: 39b85833522162b2148709fb2d09082d9a01957d783f492f585bc2377da84909
Opcode Fuzzy Hash: e910e011e2c4455669f7797fb15ad3116e01278216bdcd651ac4d76390b06edb
Instruction Fuzzy Hash: 04510476A40248BEEB10EA95CC42FAE77BCDB44704F5044BBBA04F76C1D7789A44879D

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD08, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0040DD08(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t133;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x63ec40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x63ec40;
				_v52 = E0040E1B8( *0x0063EC44);
				_v48 = E0040E1C8( *0x0063EC48);
				_v44 = E0040E1D8( *0x0063EC4C);
				_v40 = E0040E1E8( *0x0063EC50);
				_v36 = E0040E1E8( *0x0063EC54);
				_v32 = E0040E1E8( *0x0063EC58);
				_v28 =  *0x0063EC5C;
				memcpy( &_v92, 0x63ec60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x63ec60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x63ec84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040E1F8( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x64b640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x64b640 != 0) {
							_t191 =  *0x64b640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x64b644 != 0) {
									_t191 =  *0x64b644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x63ec8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x64b640 != 0) {
						_t142 =  *0x64b640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t133 = LoadLibraryA(_v80); // executed
						_t142 = _t133;
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040D690(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x63ec3c; // 0x0
									 *_v20 = _t126;
									 *0x63ec3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x64b644 != 0) {
							_t142 =  *0x64b644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x63ec88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x64b640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x64b640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x64b640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x0040dd1c
0x0040dd22
0x0040dd24
0x0040dd27
0x0040dd34
0x0040dd41
0x0040dd4e
0x0040dd5b
0x0040dd68
0x0040dd75
0x0040dd7e
0x0040dd8c
0x0040dd8e
0x0040dd8f
0x0040dd95
0x0040dd9b
0x0040dda2
0x0040dda4
0x0040ddaa
0x0040ddb0
0x0040ddc0
0x00000000
0x0040ddc5
0x0040ddd2
0x0040ddd7
0x0040ddd9
0x0040dddb
0x0040dddb
0x0040dde1
0x0040dde4
0x0040ddec
0x0040ddf6
0x0040ddf9
0x0040ddfe
0x0040de19
0x0040de00
0x0040de0c
0x0040de0c
0x0040de1c
0x0040de25
0x0040de3e
0x0040de40
0x0040df02
0x0040df02
0x0040df0c
0x0040df1a
0x0040df1a
0x0040df1e
0x0040df6b
0x0040df6d
0x0040df74
0x0040df7e
0x0040df8c
0x0040df8c
0x0040df90
0x0040df92
0x0040df97
0x0040df9d
0x0040dfad
0x0040dfb2
0x0040dfb2
0x0040df90
0x00000000
0x0040df20
0x0040df24
0x0040df5f
0x0040df69
0x00000000
0x0040df2c
0x0040df2f
0x0040df37
0x00000000
0x0040df50
0x0040df56
0x0040df5b
0x00000000
0x00000000
0x0040dfb5
0x0040dfb8
0x00000000
0x0040dfb8
0x0040df37
0x0040df24
0x0040df1e
0x0040de4d
0x0040de5b
0x0040de5b
0x0040de5f
0x0040de65
0x0040de6a
0x0040de6a
0x0040de6e
0x0040debb
0x0040dec7
0x0040defd
0x0040dec9
0x0040decd
0x0040ded3
0x0040ded8
0x0040dedd
0x0040dee4
0x0040deea
0x0040deef
0x0040def4
0x0040def4
0x0040dedd
0x0040decd
0x00000000
0x0040de70
0x0040de75
0x0040de7f
0x0040de8d
0x0040de8d
0x0040de91
0x00000000
0x0040de93
0x0040de93
0x0040de98
0x0040de9e
0x0040deae
0x00000000
0x0040deb3
0x0040de91
0x0040de27
0x0040de33
0x0040de37
0x00000000
0x0040de39
0x0040dfba
0x0040dfc1
0x0040dfc5
0x0040dfc8
0x0040dfcb
0x0040dfd4
0x0040dfd4
0x00000000
0x0040dfda
0x0040de37

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040DDC0

Strings

`c, xrefs: 0040DD82
@c, xrefs: 0040DD1D

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: ExceptionRaise
String ID: @c$`c
API String ID: 3997070919-3684129924
Opcode ID: 50cccea4d1b9fcc8a1cf25dcfd3295be7dbbd3e0ef184898a758294c36e9b0a9
Instruction ID: bf0a471e7f966ad20207657ab89de1fdb2edb1d5ff977dd01f0b10adc78d00cd
Opcode Fuzzy Hash: 50cccea4d1b9fcc8a1cf25dcfd3295be7dbbd3e0ef184898a758294c36e9b0a9
Instruction Fuzzy Hash: 3BA18075D006099FDB14DFE8D881BAEB7B5BF48310F14852AE505BB3C1DB78A948CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005C3A6C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E005C3A6C(void* __eax, void* __edx) {
				int _t31;
				int _t32;
				int _t39;
				intOrPtr _t40;
				int _t50;
				intOrPtr _t51;
				void* _t57;
				intOrPtr _t60;
				void* _t64;
				signed int _t66;
				void* _t68;
				signed int _t70;
				void* _t71;

				_t71 = __eax;
				_t31 =  *0x64e7dc; // 0x0
				if( *((intOrPtr*)(_t31 + 0x188)) != 0) {
					if(__edx == 0) {
						if( *((intOrPtr*)(__eax + 0xb4)) != 0) {
							L11:
							 *((intOrPtr*)(_t71 + 0xb4)) =  *((intOrPtr*)(_t71 + 0xb4)) + 1;
							return _t31;
						}
						EnumWindows(E005C396C, E005C6A74(__eax, _t57)); // executed
						if( *((intOrPtr*)(_t71 + 0x58)) == 0) {
							L9:
							_t31 =  *(_t71 + 0xb0);
							_t68 =  *((intOrPtr*)(_t31 + 8)) - 1;
							if(_t68 < 0) {
								goto L11;
							} else {
								goto L10;
							}
							do {
								L10:
								asm("cmc");
								asm("sbb eax, eax");
								_t31 = ShowOwnedPopups(E0045CE84( *(_t71 + 0xb0), _t68), _t31);
								_t68 = _t68 - 1;
							} while (_t68 != 0xffffffff);
							goto L11;
						}
						_t50 =  *0x64e7dc; // 0x0
						if( *((char*)(_t50 + 0xeb)) == 0) {
							goto L9;
						}
						_t51 =  *((intOrPtr*)(_t71 + 0xf0));
						if(_t51 != 0) {
							_t51 =  *((intOrPtr*)(_t51 - 4));
						}
						_t70 = _t51 - 1;
						if(_t70 >= 0) {
							do {
								ShowWindow( *( *((intOrPtr*)(_t71 + 0xf0)) + _t70 * 4), 0);
								_t70 = _t70 - 1;
							} while (_t70 != 0xffffffff);
						}
						goto L9;
					}
					if( *((intOrPtr*)(__eax + 0xb4)) > 0) {
						 *((intOrPtr*)(__eax + 0xb4)) =  *((intOrPtr*)(__eax + 0xb4)) - 1;
						if( *((intOrPtr*)(__eax + 0xb4)) == 0) {
							if( *((intOrPtr*)(__eax + 0x58)) == 0) {
								L20:
								_t32 =  *(_t71 + 0xb0);
								_t64 =  *((intOrPtr*)(_t32 + 8)) - 1;
								if(_t64 < 0) {
									L22:
									 *((intOrPtr*)( *( *(_t71 + 0xb0)) + 8))();
									_t60 =  *0x5b4e20; // 0x5b4e24
									return E0040A73C(_t71 + 0xf0, _t60);
								} else {
									goto L21;
								}
								do {
									L21:
									asm("cmc");
									asm("sbb eax, eax");
									_t32 = ShowOwnedPopups(E0045CE84( *(_t71 + 0xb0), _t64), _t32);
									_t64 = _t64 - 1;
								} while (_t64 != 0xffffffff);
								goto L22;
							}
							_t39 =  *0x64e7dc; // 0x0
							if( *((char*)(_t39 + 0xeb)) == 0) {
								goto L20;
							}
							_t40 =  *((intOrPtr*)(__eax + 0xf0));
							if(_t40 != 0) {
								_t40 =  *((intOrPtr*)(_t40 - 4));
							}
							_t66 = _t40 - 1;
							if(_t66 >= 0) {
								do {
									ShowWindow( *( *((intOrPtr*)(_t71 + 0xf0)) + _t66 * 4), 5);
									_t66 = _t66 - 1;
								} while (_t66 != 0xffffffff);
							}
							goto L20;
						}
					}
				}
				return _t31;
			}

0x005c3a71
0x005c3a73
0x005c3a7f
0x005c3a87
0x005c3a94
0x005c3b1d
0x005c3b1d
0x00000000
0x005c3b1d
0x005c3aa7
0x005c3ab0
0x005c3aee
0x005c3aee
0x005c3af7
0x005c3afb
0x00000000
0x00000000
0x00000000
0x00000000
0x005c3afd
0x005c3afd
0x005c3b00
0x005c3b01
0x005c3b12
0x005c3b17
0x005c3b18
0x00000000
0x005c3afd
0x005c3ab2
0x005c3abe
0x00000000
0x00000000
0x005c3ac0
0x005c3ac8
0x005c3acd
0x005c3acd
0x005c3ad1
0x005c3ad5
0x005c3ad7
0x005c3ae3
0x005c3ae8
0x005c3ae9
0x005c3ad7
0x00000000
0x005c3ad5
0x005c3b2f
0x005c3b35
0x005c3b42
0x005c3b4c
0x005c3b8a
0x005c3b8a
0x005c3b93
0x005c3b97
0x005c3bb9
0x005c3bc1
0x005c3bca
0x00000000
0x00000000
0x00000000
0x00000000
0x005c3b99
0x005c3b99
0x005c3b9c
0x005c3b9d
0x005c3bae
0x005c3bb3
0x005c3bb4
0x00000000
0x005c3b99
0x005c3b4e
0x005c3b5a
0x00000000
0x00000000
0x005c3b5c
0x005c3b64
0x005c3b69
0x005c3b69
0x005c3b6d
0x005c3b71
0x005c3b73
0x005c3b7f
0x005c3b84
0x005c3b85
0x005c3b73
0x00000000
0x005c3b71
0x005c3b42
0x005c3b2f
0x005c3bd8

APIs

EnumWindows.USER32(005C396C,00000000), ref: 005C3AA7
ShowWindow.USER32(595AC033,00000000,005C396C,00000000,?,?,?,005C4688,?,?,005C5304), ref: 005C3AE3
ShowOwnedPopups.USER32(00000000,?,005C396C,00000000,?,?,?,005C4688,?,?,005C5304), ref: 005C3B12
ShowWindow.USER32(595AC033,00000005,?,?,?,005C4688,?,?,005C5304), ref: 005C3B7F
ShowOwnedPopups.USER32(00000000,?,?,?,?,005C4688,?,?,005C5304), ref: 005C3BAE

Strings

$N[, xrefs: 005C3BCA

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Show$OwnedPopupsWindow$EnumWindows
String ID: $N[
API String ID: 315437064-1380376025
Opcode ID: 4ede5103998ee7f2bf507fb0be063b4d1c0e757e46f4bf0bd9660c28f92c53ee
Instruction ID: 6e32b22bb02c5cefe823711efd0d3c192a330304940c90f0d2b121b7599d606b
Opcode Fuzzy Hash: 4ede5103998ee7f2bf507fb0be063b4d1c0e757e46f4bf0bd9660c28f92c53ee
Instruction Fuzzy Hash: DA415E30700B458FD720DB68C888FA677E6FB84329F05866DE455C72A2C778ED85DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00407B14, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407B14() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x63e004 != 0) {
					E004079F4();
					E00407A7C(_t46);
					 *0x63e004 = 0;
				}
				if( *0x64abd0 != 0 && GetCurrentThreadId() ==  *0x64abf8) {
					E0040774C(0x64abcc);
					E00407A50(0x64abcc);
				}
				if( *0x0064ABC4 != 0 ||  *0x648058 == 0) {
					L8:
					if( *((char*)(0x64abc4)) == 2 &&  *0x63e000 == 0) {
						 *0x0064ABA8 = 0;
					}
					if( *((char*)(0x64abc4)) != 0) {
						L14:
						E00407774(); // executed
						if( *((char*)(0x64abc4)) <= 1 ||  *0x63e000 != 0) {
							_t15 =  *0x0064ABAC;
							if( *0x0064ABAC != 0) {
								E0040BE54(_t15);
								_t31 =  *((intOrPtr*)(0x64abac));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E0040774C(0x64ab9c);
						if( *((char*)(0x64abc4)) == 1) {
							 *0x0064ABC0();
						}
						if( *((char*)(0x64abc4)) != 0) {
							E00407A50(0x64ab9c);
						}
						if( *0x64ab9c == 0) {
							if( *0x648038 != 0) {
								 *0x648038();
							}
							ExitProcess( *0x63e000); // executed
						}
						memcpy(0x64ab9c,  *0x64ab9c, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x63e000 = 0x63e000;
						0x64ab9c = 0x64ab9c;
						goto L8;
					} else {
						_t20 = E00405554();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00406080(_t44);
							_t23 = E00405554();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x648058; // 0x0
						 *0x648058 = 0;
						 *_t33();
					} while ( *0x648058 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00407b28
0x00407b2a
0x00407b2f
0x00407b36
0x00407b36
0x00407b42
0x00407b56
0x00407b60
0x00407b60
0x00407b69
0x00407b8d
0x00407b91
0x00407b9a
0x00407b9a
0x00407ba1
0x00407bc0
0x00407bc0
0x00407bc9
0x00407bd0
0x00407bd5
0x00407bd7
0x00407bdc
0x00407bdf
0x00407bdf
0x00407be2
0x00407be5
0x00407bec
0x00407bec
0x00407be5
0x00407bd5
0x00407bf3
0x00407bfc
0x00407bfe
0x00407bfe
0x00407c05
0x00407c09
0x00407c09
0x00407c11
0x00407c1a
0x00407c1c
0x00407c1c
0x00407c25
0x00407c25
0x00407c37
0x00407c37
0x00407c39
0x00407c3a
0x00000000
0x00407ba3
0x00407ba3
0x00407ba8
0x00407bac
0x00000000
0x00000000
0x00000000
0x00000000
0x00407bae
0x00407bae
0x00407bb0
0x00407bb5
0x00407bba
0x00407bbc
0x00000000
0x00407bae
0x00407b74
0x00407b74
0x00407b74
0x00407b7d
0x00407b82
0x00407b84
0x00000000
0x00407b8d
0x00000000
0x00407b8d

APIs

GetCurrentThreadId.KERNEL32 ref: 00407B44
FreeLibrary.KERNEL32(00400000,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF,?,?,?,?,004AA512,00000000), ref: 00407BEC
ExitProcess.KERNEL32(00000000,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF,?,?,?,?,004AA512,00000000), ref: 00407C25

Part of subcall function 00407A7C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF), ref: 00407AB5
Part of subcall function 00407A7C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?), ref: 00407ABB
Part of subcall function 00407A7C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?), ref: 00407AD6
Part of subcall function 00407A7C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?), ref: 00407ADC

Strings

MZP, xrefs: 00407BEB

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 5b3f371fc3d1073167f85cc1aaa8b01b78d5174e2e999e0bff4678ef27a1dc14
Instruction ID: bbdd28e75b63af066a6c8ab0242256e1fb24c087b4da10ad7f39a180f2722a1f
Opcode Fuzzy Hash: 5b3f371fc3d1073167f85cc1aaa8b01b78d5174e2e999e0bff4678ef27a1dc14
Instruction Fuzzy Hash: 3C317E74E082459ADB31AB79888471B76E69B05718F14483FE445A33D2D77CF8C8CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00407B0C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407B0C() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x63e004 != 0) {
					E004079F4();
					E00407A7C(_t50);
					 *0x63e004 = 0;
				}
				if( *0x64abd0 != 0 && GetCurrentThreadId() ==  *0x64abf8) {
					E0040774C(0x64abcc);
					E00407A50(0x64abcc);
				}
				if( *0x0064ABC4 != 0 ||  *0x648058 == 0) {
					L9:
					if( *((char*)(0x64abc4)) == 2 &&  *0x63e000 == 0) {
						 *0x0064ABA8 = 0;
					}
					if( *((char*)(0x64abc4)) != 0) {
						L15:
						E00407774(); // executed
						if( *((char*)(0x64abc4)) <= 1 ||  *0x63e000 != 0) {
							_t18 =  *0x0064ABAC;
							if( *0x0064ABAC != 0) {
								E0040BE54(_t18);
								_t34 =  *((intOrPtr*)(0x64abac));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E0040774C(0x64ab9c);
						if( *((char*)(0x64abc4)) == 1) {
							 *0x0064ABC0();
						}
						if( *((char*)(0x64abc4)) != 0) {
							E00407A50(0x64ab9c);
						}
						if( *0x64ab9c == 0) {
							if( *0x648038 != 0) {
								 *0x648038();
							}
							ExitProcess( *0x63e000); // executed
						}
						memcpy(0x64ab9c,  *0x64ab9c, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x63e000 = 0x63e000;
						0x64ab9c = 0x64ab9c;
						goto L9;
					} else {
						_t23 = E00405554();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00406080(_t48);
							_t26 = E00405554();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x648058; // 0x0
						 *0x648058 = 0;
						 *_t36();
					} while ( *0x648058 != 0);
					L9:
					while(1) {
					}
				}
			}

0x00407b0e
0x00407b28
0x00407b2a
0x00407b2f
0x00407b36
0x00407b36
0x00407b42
0x00407b56
0x00407b60
0x00407b60
0x00407b69
0x00407b8d
0x00407b91
0x00407b9a
0x00407b9a
0x00407ba1
0x00407bc0
0x00407bc0
0x00407bc9
0x00407bd0
0x00407bd5
0x00407bd7
0x00407bdc
0x00407bdf
0x00407bdf
0x00407be2
0x00407be5
0x00407bec
0x00407bec
0x00407be5
0x00407bd5
0x00407bf3
0x00407bfc
0x00407bfe
0x00407bfe
0x00407c05
0x00407c09
0x00407c09
0x00407c11
0x00407c1a
0x00407c1c
0x00407c1c
0x00407c25
0x00407c25
0x00407c37
0x00407c37
0x00407c39
0x00407c3a
0x00000000
0x00407ba3
0x00407ba3
0x00407ba8
0x00407bac
0x00000000
0x00000000
0x00000000
0x00000000
0x00407bae
0x00407bae
0x00407bb0
0x00407bb5
0x00407bba
0x00407bbc
0x00000000
0x00407bae
0x00407b74
0x00407b74
0x00407b74
0x00407b7d
0x00407b82
0x00407b84
0x00000000
0x00407b8d
0x00000000
0x00407b8d

APIs

GetCurrentThreadId.KERNEL32 ref: 00407B44
FreeLibrary.KERNEL32(00400000,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF,?,?,?,?,004AA512,00000000), ref: 00407BEC
ExitProcess.KERNEL32(00000000,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF,?,?,?,?,004AA512,00000000), ref: 00407C25

Part of subcall function 00407A7C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF), ref: 00407AB5
Part of subcall function 00407A7C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?), ref: 00407ABB
Part of subcall function 00407A7C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?), ref: 00407AD6
Part of subcall function 00407A7C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?), ref: 00407ADC

Strings

MZP, xrefs: 00407BEB

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: eacd79f28553a8f16c9529bdea58b274b4ec836a381d7ce754a41b0fb458fc3f
Instruction ID: fa51e720ab6865048e3cdb3bf69d083f517e7fb210bdc3695283f9d241551947
Opcode Fuzzy Hash: eacd79f28553a8f16c9529bdea58b274b4ec836a381d7ce754a41b0fb458fc3f
Instruction Fuzzy Hash: 24315E64E083819ED731AB79848571B3BE29B05718F14583BE045A32D2D77CF8C8CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00632424, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00632424(void* __eflags) {
				intOrPtr* _t2;
				void* _t3;
				void* _t4;
				void* _t5;

				_t2 = E0041158C(_t4, _t5, GetModuleHandleW(L"shell32.dll"), L"SetCurrentProcessExplicitAppUserModelID");
				if(_t2 != 0) {
					_t3 =  *_t2(L"JR.InnoSetup.IDE.6"); // executed
					return _t3;
				}
				return _t2;
			}

0x00632434
0x0063243b
0x00632442
0x00000000
0x00632442
0x00632444

APIs

GetModuleHandleW.KERNEL32(shell32.dll,SetCurrentProcessExplicitAppUserModelID,0063D14B,00000000,0063D1D6), ref: 0063242E

Part of subcall function 0041158C: GetProcAddress.KERNEL32(0063D1D6,00000000), ref: 004115B6

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 00632424
JR.InnoSetup.IDE.6, xrefs: 0063243D
shell32.dll, xrefs: 00632429

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: JR.InnoSetup.IDE.6$SetCurrentProcessExplicitAppUserModelID$shell32.dll
API String ID: 1646373207-887922113
Opcode ID: 6c0ea2f0e37e7e8223443da3883ceeedbf6dec5a47f90fbd501133583c4f33cf
Instruction ID: 7dd4dfa8a98537aa84c416e171211e024cadf4b412a5c866b7bfb3ddbfecd6bc
Opcode Fuzzy Hash: 6c0ea2f0e37e7e8223443da3883ceeedbf6dec5a47f90fbd501133583c4f33cf
Instruction Fuzzy Hash: 37B092746C030330081037B6AD23ACD04CB4AC0B4EF0688467502A11A7CD88814000BA

Uniqueness

Uniqueness Score: -1.00%

Function 005E5080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E005E5080(void* __eax, short* __ecx, void* __edx, int* _a4, void** _a8, struct _SECURITY_ATTRIBUTES* _a12, int _a16, int _a20, short* _a24, int _a28) {
				long _t15;
				short* _t16;
				void* _t17;
				int _t18;

				_t17 = __edx;
				_t16 = __ecx;
				_t18 = _a16;
				if(__eax == 2) {
					_t18 = _t18 | 0x00000100;
				}
				_t15 = RegCreateKeyExW(_t17, _t16, _a28, _a24, _a20, _t18, _a12, _a8, _a4); // executed
				return _t15;
			}

0x005e5080
0x005e5080
0x005e5084
0x005e5089
0x005e508b
0x005e508b
0x005e50ac
0x005e50b3

APIs

RegCreateKeyExW.ADVAPI32(00000000,Software\Classes\.iss,00000000,00000002,00000000,00000000,00000000,00000000,?,0063D1D6,?,005EEE0C,00000001,0063D1D6,00000000,00000002), ref: 005E50AC

Strings

Software\Classes\.iss, xrefs: 005E50AA

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Create
String ID: Software\Classes\.iss
API String ID: 2289755597-2940640209
Opcode ID: 37c140cc337f26746cc3a5bd3bee07b5202720bc0b99d1fe04d144d2b588387f
Instruction ID: 2da80eabe1745bf04beddd9761b2ec18a0ef985a34fd8dcf35d1d18e2c32bdf1
Opcode Fuzzy Hash: 37c140cc337f26746cc3a5bd3bee07b5202720bc0b99d1fe04d144d2b588387f
Instruction Fuzzy Hash: A2E07EB6600119AF9B40DE8DDC81EEB37ADAB1D350B004015FA58D7201C264ECA18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E50B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E005E50B8(void* __eax, short* __ecx, void* __edx, void** _a4, int _a8, int _a12) {
				long _t7;
				short* _t8;
				void* _t9;
				int _t10;

				_t9 = __edx;
				_t8 = __ecx;
				_t10 = _a8;
				if(__eax == 2) {
					_t10 = _t10 | 0x00000100;
				}
				_t7 = RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4); // executed
				return _t7;
			}

0x005e50b8
0x005e50b8
0x005e50bc
0x005e50c1
0x005e50c3
0x005e50c3
0x005e50d4
0x005e50db

APIs

RegOpenKeyExW.ADVAPI32(00000000,Software\Classes\InnoSetupScriptFile,0063D161,00000001,0063D1D6,Software\Classes\InnoSetupScriptFile,?,005EF75D,?,00000001,00000000,00000000,00000001,00000000,?,005EF84C), ref: 005E50D4

Strings

Software\Classes\InnoSetupScriptFile, xrefs: 005E50BB, 005E50D2

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Open
String ID: Software\Classes\InnoSetupScriptFile
API String ID: 71445658-4120920791
Opcode ID: c3d22d4a2d352086692e699d2b38b415db91e21adabf8fdfe026033afe8ff24f
Instruction ID: b70017280eb529ff01ba908fea2b635b3ec1ea028a02fc911f9f2ba6dd470bd0
Opcode Fuzzy Hash: c3d22d4a2d352086692e699d2b38b415db91e21adabf8fdfe026033afe8ff24f
Instruction Fuzzy Hash: 3DD0527280022C7BAB009A89CC01EFB779CAB0A320F00801AFE1487100C2A0AC9087E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFE8, Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040DFE8(intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _v32;
				intOrPtr _t28;
				void* _t46;
				void* _t47;
				intOrPtr _t70;
				void* _t71;

				_t70 = _a4;
				_v8 = 0;
				if(_t70 == 0) {
					_t28 = 0;
				} else {
					_t28 = E0040E208(_t70);
				}
				_v16 = _t28;
				_t47 =  *0x63ec3c; // 0x0
				while(_t47 != 0) {
					_t66 = E0040E1B8( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 4)));
					_v20 = E0040E208(_t31);
					_v12 =  *_t47;
					if(_t70 == 0) {
						L7:
						if(_t47 != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0x18)) != 0) {
							_v24 = E0040E1C8( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 8)));
							_v28 =  *_v24;
							_v32 = E0040E1E8( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0x18)));
							E0040E264(_t38, _v32, E0040E24C(E0040E1D8( *((intOrPtr*)( *((intOrPtr*)(_t47 + 4)) + 0xc)))) << 2);
							_t71 = _t71 + 0xc;
							FreeLibrary(_v28); // executed
							 *_v24 = 0;
							if(_t47 != 0) {
								E0040E28C(_t47);
								LocalFree(_t47);
							}
							_v8 = 1;
						}
						if(_t70 == 0) {
							goto L13;
						}
					} else {
						if(_v20 != _v16) {
							goto L13;
						} else {
							_t46 = E0040E21C(_t70, _t66, _v20);
							_t71 = _t71 + 0xc;
							if(_t46 != 0) {
								goto L13;
							} else {
								goto L7;
							}
						}
					}
					goto L14;
					L13:
					_t47 = _v12;
				}
				L14:
				return _v8;
			}

0x0040dff3
0x0040dff6
0x0040dffb
0x0040e006
0x0040dffd
0x0040dffe
0x0040e003
0x0040e008
0x0040e00b
0x0040e013
0x0040e026
0x0040e02f
0x0040e036
0x0040e039
0x0040e05d
0x0040e05f
0x0040e077
0x0040e07f
0x0040e08c
0x0040e0ab
0x0040e0b0
0x0040e0b7
0x0040e0c1
0x0040e0c5
0x0040e0c8
0x0040e0d1
0x0040e0d1
0x0040e0d6
0x0040e0d6
0x0040e0df
0x00000000
0x00000000
0x0040e03b
0x0040e041
0x00000000
0x0040e047
0x0040e04d
0x0040e052
0x0040e057
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e057
0x0040e041
0x00000000
0x0040e0e1
0x0040e0e1
0x0040e0e4
0x0040e0ec
0x0040e0f5

APIs

FreeLibrary.KERNEL32(00000000), ref: 0040E0B7
LocalFree.KERNEL32(00000000,00000000), ref: 0040E0D1

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Free$LibraryLocal
String ID:
API String ID: 3007483513-0
Opcode ID: 9ce6e1ba55fcc04021c3b16909f509596b8b061cd7e0c1a27123720e651d0292
Instruction ID: 3ab8131dfe3a8fc00e9b03c2c51be20773028294b73f80920da304d3d255b711
Opcode Fuzzy Hash: 9ce6e1ba55fcc04021c3b16909f509596b8b061cd7e0c1a27123720e651d0292
Instruction Fuzzy Hash: F831F2729001199BD714DFA7D88196FB3B8AF84314B14897EF804BB381DB79DD518BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB58, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040BB58(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407EC8(_v8);
				E00407EC8(_v12);
				_push(_t84);
				_push(0x40bc6f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407DE4(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040BC76);
					return E00407E44( &_v28, 6);
				}
				E0040820C( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040B87C(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L004037D0();
						E0040B22C(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040B9A8(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x64ac10;
							if( *0x64ac10 == 0) {
								L004037D8();
								E0040B22C(_t46, _t60,  &_v28, _t79, _t81);
								E0040B9A8(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040BA8C(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040B9A8(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E00409014(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040bb58
0x0040bb58
0x0040bb5b
0x0040bb5d
0x0040bb5f
0x0040bb61
0x0040bb63
0x0040bb65
0x0040bb67
0x0040bb68
0x0040bb69
0x0040bb6b
0x0040bb6e
0x0040bb74
0x0040bb7c
0x0040bb83
0x0040bb84
0x0040bb89
0x0040bb8c
0x0040bb91
0x0040bb9a
0x0040bc54
0x0040bc56
0x0040bc59
0x0040bc5c
0x0040bc6e
0x0040bc6e
0x0040bba6
0x0040bbab
0x0040bbb0
0x0040bbb5
0x0040bbb5
0x0040bbb7
0x0040bbbc
0x0040bbe3
0x0040bbe9
0x0040bbf2
0x0040bc03
0x0040bc0b
0x0040bc18
0x0040bc1d
0x0040bc20
0x0040bc22
0x0040bc29
0x0040bc2b
0x0040bc33
0x0040bc40
0x0040bc40
0x0040bc29
0x0040bc45
0x0040bc48
0x0040bc4f
0x0040bc4f
0x0040bbf4
0x0040bbfc
0x0040bbfc
0x00000000
0x0040bbf2
0x0040bbbe
0x0040bbde
0x0040bbdf
0x0040bbe1
0x00000000
0x00000000
0x00000000
0x0040bbe1
0x0040bbcd
0x0040bbd7
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040BC6F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040BCF6,00000000,?,00000105), ref: 0040BC03
GetSystemDefaultUILanguage.KERNEL32(00000000,0040BC6F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040BCF6,00000000,?,00000105), ref: 0040BC2B

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: b5c79d54b3f834efd63c54714f711075d79d8ba262462fec7e7704c2e629df46
Instruction ID: 3ff4fab7aa7f74c13d66629a00498e8c98888dc138069a2dd8ccbbccb9694a1a
Opcode Fuzzy Hash: b5c79d54b3f834efd63c54714f711075d79d8ba262462fec7e7704c2e629df46
Instruction Fuzzy Hash: F6313E70A042099BDB14EB95C881BAEB7B5EF44304F5044BFE400B32D5DB78AE81CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 005EEDDC, Relevance: 3.1, APIs: 2, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E005EEDDC(void* __eax, void* __ebx, short* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				short* _v8;
				void* _v12;
				char _v16;
				void* _t12;
				long _t21;
				intOrPtr _t28;
				intOrPtr _t37;
				intOrPtr _t41;
				void* _t44;

				_v8 = __ecx;
				_t39 = __edx;
				_t27 = __eax;
				_t41 = _a4;
				_t32 = __edx;
				_t12 = E005E5080(0, __edx, __eax,  &_v16,  &_v12, 0, 2, 0, 0, 0); // executed
				E005EED00(_t12, _t27, __edx, __edx, _t41);
				_push(_t44);
				_push(0x5eee65);
				_push( *[fs:eax]);
				 *[fs:eax] = _t44 + 0xfffffff4;
				_t28 = _t41;
				if(_t28 != 0) {
					_t28 =  *((intOrPtr*)(_t28 - 4));
				}
				_t21 = RegSetValueExW(_v12, _v8, 0, 1, E00408C3C(_t41), _t28 + 1 + _t28 + 1); // executed
				E005EED00(_t21, _t28 + 1, _t32, _t39, _t41);
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(E005EEE6C);
				return RegCloseKey(_v12);
			}

0x005eede5
0x005eede8
0x005eedea
0x005eedec
0x005eee01
0x005eee07
0x005eee0c
0x005eee13
0x005eee14
0x005eee19
0x005eee1c
0x005eee1f
0x005eee23
0x005eee28
0x005eee28
0x005eee44
0x005eee49
0x005eee50
0x005eee53
0x005eee56
0x005eee64

APIs

Part of subcall function 005E5080: RegCreateKeyExW.ADVAPI32(00000000,Software\Classes\.iss,00000000,00000002,00000000,00000000,00000000,00000000,?,0063D1D6,?,005EEE0C,00000001,0063D1D6,00000000,00000002), ref: 005E50AC

RegSetValueExW.ADVAPI32(0063D1D6,?,00000000,00000001,00000000,0063D1D6,00000000,005EEE65,?,00000001,0063D1D6,00000000,00000002,00000000,00000000,00000000), ref: 005EEE44
RegCloseKey.ADVAPI32(0063D1D6,005EEE6C,00000001,00000000,0063D1D6,00000000,005EEE65,?,00000001,0063D1D6,00000000,00000002,00000000,00000000,00000000,00000000), ref: 005EEE5F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: d18f00d8c535f12501f4dde861e7125b20fc4a93b180c56cb63997e1614f8ceb
Instruction ID: 198e7de508256a500114657b0db39f8a0292dabd89d08f3df6810bb7d2b24115
Opcode Fuzzy Hash: d18f00d8c535f12501f4dde861e7125b20fc4a93b180c56cb63997e1614f8ceb
Instruction Fuzzy Hash: D701B9717103487FEB15DAEA8D8BF9ABBEDEB4CB00F500475B604E72C1D974AD004664

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC7C, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040BC7C(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40bd36);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408CA0( &_v536, _t49);
				_push(_v536);
				E00408CF4( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040BB58(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E00408C3C(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040BD3D);
				E00407E44( &_v540, 2);
				return E00407DE4( &_v8);
			}

0x0040bc89
0x0040bc8f
0x0040bc95
0x0040bc98
0x0040bc9c
0x0040bc9d
0x0040bca2
0x0040bca5
0x0040bcb8
0x0040bcc5
0x0040bcd0
0x0040bce2
0x0040bcf0
0x0040bcf1
0x0040bcfa
0x0040bd09
0x0040bd0e
0x0040bd12
0x0040bd15
0x0040bd18
0x0040bd28
0x0040bd35

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040BD36,?,?,00000000), ref: 0040BCB8
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040BD36,?,?,00000000), ref: 0040BD09

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: 254cbbad23aa49a1afcb14ff67fb71df61482cccc8f67384a47d19efd52b661e
Instruction ID: 5badd18a2a77f2bfb88a9fc234be65ee68627bc9ba59ac967d47f42d6543f18e
Opcode Fuzzy Hash: 254cbbad23aa49a1afcb14ff67fb71df61482cccc8f67384a47d19efd52b661e
Instruction Fuzzy Hash: 70118670A4421CABDB14EB50CD86BDEB3B8DB44704F5144FAB404B32C1DB785F848A99

Uniqueness

Uniqueness Score: -1.00%

Function 005E5AA4, Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005E5AA4(void* __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				void* _t17;
				void* _t18;
				intOrPtr _t19;

				_t18 = __eax;
				InitializeSecurityDescriptor( &_v36, 1);
				SetSecurityDescriptorDacl( &_v36, 0xffffffff, 0, 0);
				_v16 = 0xc;
				_v12 = _t19;
				_v8 = 0;
				_t17 = E0041143C( &_v16, 0, E00408C3C(_t18)); // executed
				return _t17;
			}

0x005e5aa8
0x005e5ab1
0x005e5ac1
0x005e5ac6
0x005e5ad0
0x005e5ad6
0x005e5ae9
0x005e5af2

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005E5AB1
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005E5AC1

Part of subcall function 0041143C: CreateMutexW.KERNEL32(00000001,00000001,00000000,?,005E5AEE,00000000,00000000,00000000,00000000), ref: 00411452

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: a308ca667233726918b688189aceab087e91ab390d98b4b061cebef88b213f4a
Instruction ID: db913a11785f7dfc48a04cf452c58752e2254ffeeaf9c567b8f8e2a7106f3f50
Opcode Fuzzy Hash: a308ca667233726918b688189aceab087e91ab390d98b4b061cebef88b213f4a
Instruction Fuzzy Hash: 6BE065B16043046FE200EFB58C82F5F77DC9B44714F104A2EB664D61D2E678D549879A

Uniqueness

Uniqueness Score: -1.00%

Function 00405374, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405374() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x00648AE0;
				while(_t28 != 0x648adc) {
					_t2 = _t28 + 4; // 0x648adc
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x63e080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x648adc = 0x648adc;
				 *0x00648AE0 = 0x648adc;
				_t26 = 0x400;
				_t23 = 0x648b7c;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x648b7c
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x648af8 = 0;
				E00405B40(0x648afc, 0x80);
				_t18 = 0;
				 *0x648af4 = 0;
				_t31 =  *0x0064AB84;
				while(_t31 != 0x64ab80) {
					_t10 = _t31 + 4; // 0x64ab80
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x64ab80 = 0x64ab80;
				 *0x0064AB84 = 0x64ab80;
				return _t18;
			}

0x00405382
0x00405399
0x00405387
0x00405392
0x00405397
0x00405397
0x0040539d
0x004053a2
0x004053a7
0x004053a9
0x004053ae
0x004053b1
0x004053ba
0x004053bd
0x004053c0
0x004053c0
0x004053c3
0x004053c5
0x004053c8
0x004053cd
0x004053d2
0x004053d2
0x004053d4
0x004053d6
0x004053d6
0x004053d9
0x004053dc
0x004053dc
0x004053e1
0x004053f2
0x004053f7
0x004053f9
0x004053fe
0x00405415
0x00405403
0x0040540e
0x00405413
0x00405413
0x00405419
0x0040541b
0x00405422

APIs

VirtualFree.KERNEL32(00648ADC,00000000,00008000), ref: 00405392
VirtualFree.KERNEL32(0064AB80,00000000,00008000), ref: 0040540E

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 91b2f2efd574017ae2aaee52cd336ab4a2456eb56cd2785189f32983b3bdfa53
Instruction ID: 4effc6e47ef948a625403561f40e2ac42fa320866a60541957ee05f5a343eb98
Opcode Fuzzy Hash: 91b2f2efd574017ae2aaee52cd336ab4a2456eb56cd2785189f32983b3bdfa53
Instruction Fuzzy Hash: BE1182B16016108FD7649F199840B1BBBE6E784714F25807FE609EF781DAB8EC41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00407774, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,004077C2,?,0063E000,0064AB9C,?,?,00407BC5,?,?,?,00407C4E,0040559F,004055E6,?,?), ref: 004077B2

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 087723f83108b48811970ad16049cdef314ca921aa8a0df961ea164287ac39f6
Instruction ID: 985a5b74765ff178271da8157ec45e415f5424b435432588603ee1b1f670200f
Opcode Fuzzy Hash: 087723f83108b48811970ad16049cdef314ca921aa8a0df961ea164287ac39f6
Instruction Fuzzy Hash: 9AF0BB35709705AFD3214F49A980A13BB9DFB497E0765407BD80493B91D274BC00C567

Uniqueness

Uniqueness Score: -1.00%

Function 005EF740, Relevance: 1.5, APIs: 1, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005EF740(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				signed int _t8;
				signed int _t14;

				_t8 = E005E50B8(0, __edx, __eax,  &_v8, 1, 0); // executed
				_t14 = _t8 & 0xffffff00 | _t8 == 0x00000000;
				if(_t14 != 0) {
					RegCloseKey(_v8);
				}
				return _t14;
			}

0x005ef758
0x005ef762
0x005ef766
0x005ef76c
0x005ef76c
0x005ef777

APIs

Part of subcall function 005E50B8: RegOpenKeyExW.ADVAPI32(00000000,Software\Classes\InnoSetupScriptFile,0063D161,00000001,0063D1D6,Software\Classes\InnoSetupScriptFile,?,005EF75D,?,00000001,00000000,00000000,00000001,00000000,?,005EF84C), ref: 005E50D4

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00000001,00000000,?,005EF84C,00000000,005EFA2A,?,?,?,00000000,00000000), ref: 005EF76C

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: d85c6550f44c653d6e9c98b32a78afe51d25b216044755f091d54b33b68238e6
Instruction ID: be6b0b792ea7288e93148facad0b2ccff7e9d8ec5b2e40e1d98f3ee6e4dcc6ee
Opcode Fuzzy Hash: d85c6550f44c653d6e9c98b32a78afe51d25b216044755f091d54b33b68238e6
Instruction Fuzzy Hash: F0E086337553082FFB04D5F95C85BEAA3CCDB49354F100136BA04C7291F9A1ED044394

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9F0, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A9F0(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040BC7C(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x0040a9f8
0x0040a9fa
0x0040a9fe
0x0040aa0e
0x0040aa17
0x0040aa1c
0x0040aa1e
0x0040aa23
0x0040aa28
0x0040aa28
0x0040aa23
0x0040aa36

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040AA0E

Part of subcall function 0040BC7C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040BD36,?,?,00000000), ref: 0040BCB8
Part of subcall function 0040BC7C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040BD36,?,?,00000000), ref: 0040BD09

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 475bed0e5c8705ba368a3b943c0c1d23c49c0bed002e365282e370df3d0f8fdc
Instruction ID: 2551fedb0387eedcdf71fd11b3cb1abe289386f37cbb38024a447c7c82dce0d8
Opcode Fuzzy Hash: 475bed0e5c8705ba368a3b943c0c1d23c49c0bed002e365282e370df3d0f8fdc
Instruction Fuzzy Hash: 1FE0EDB1A003109BDB10DF5CC9C5A4737D8AB08758F044966ED14DF386D375DD208BE6

Uniqueness

Uniqueness Score: -1.00%

Function 0041143C, Relevance: 1.5, APIs: 1, Instructions: 14
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041143C(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, WCHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexW(_a4,  &(_a12[0]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x0041143f
0x00411447
0x00411452
0x00411458

APIs

CreateMutexW.KERNEL32(00000001,00000001,00000000,?,005E5AEE,00000000,00000000,00000000,00000000), ref: 00411452

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 6d863d41b1acf913bea11200047300a0a931d855ee2e723ebb07936da467321f
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: EEC01273160248AB8700EFA9CC05DDB33DC5718609B04C415B518C7101C139E5908B60

Uniqueness

Uniqueness Score: -1.00%

Function 0040D594, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D594() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040d598
0x0040d5a4

APIs

GetSystemInfo.KERNEL32 ref: 0040D598

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5cd0e627b54b7349c7e1f990f531f96378efd062df8704201900719145604229
Instruction ID: 47ab257af6e364695ea890f9b43c82e37ccfc4e8ddd737aab863078b62403aa0
Opcode Fuzzy Hash: 5cd0e627b54b7349c7e1f990f531f96378efd062df8704201900719145604229
Instruction Fuzzy Hash: 0DA012108084001AC404BB194C4340F39C45941514FC40264745CB56C2E61A866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403C6C, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C6C(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403C00(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x648af4 = 0;
					return 0;
				} else {
					_t10 =  *0x648ae0; // 0x648adc
					_t14 = _t4;
					 *_t14 = 0x648adc;
					 *0x648ae0 = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x648af4 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x648af0 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00403c6e
0x00403c70
0x00403c83
0x00403c8a
0x00403cdc
0x00403ce5
0x00403c8c
0x00403c8c
0x00403c92
0x00403c94
0x00403c9a
0x00403c9f
0x00403ca2
0x00403ca6
0x00403cb1
0x00403cbe
0x00403cc6
0x00403cc8
0x00403cd5
0x00403cd9
0x00403cd9

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00404283,000000FF,00404828,00000000,0040C62F,00000000,0040CB3D,00000000,0040CDFF,00000000), ref: 00403C83

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca0704dfa7b2d44451012a61e24e8d0ac178f177fb75008b0132dee643bcc015
Instruction ID: 2273cbf534e5e06d159a89a440d60ac6a2ba44a8ca1663e8fc46fe7cf8a5406f
Opcode Fuzzy Hash: ca0704dfa7b2d44451012a61e24e8d0ac178f177fb75008b0132dee643bcc015
Instruction Fuzzy Hash: DAF08CF2B012114FE7149F789D407067BE6B705355B11417FEA09EBB94DBB098418788

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040B370, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040B370(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040B34C(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040B34C(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040AD94( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040B34C(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040AD94(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040AD94( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040AD94(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040AD94(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040b37c
0x0040b37f
0x0040b385
0x0040b392
0x0040b396
0x0040b3d5
0x0040b3dc
0x0040b41c
0x00000000
0x0040b3de
0x0040b3e6
0x0040b3f7
0x0040b3fd
0x0040b403
0x0040b40b
0x0040b411
0x0040b41f
0x0040b421
0x0040b424
0x0040b426
0x0040b428
0x0040b428
0x0040b42b
0x0040b433
0x0040b444
0x0040b50b
0x0040b456
0x0040b45a
0x0040b45c
0x0040b45e
0x0040b460
0x0040b460
0x0040b46b
0x0040b47b
0x0040b47f
0x0040b481
0x0040b483
0x0040b485
0x0040b485
0x0040b48b
0x0040b4a3
0x0040b4aa
0x0040b4b0
0x0040b4cc
0x0040b4ce
0x0040b4f5
0x0040b507
0x0040b509
0x00000000
0x0040b509
0x0040b4cc
0x0040b4aa
0x00000000
0x0040b46b
0x0040b521
0x0040b521
0x0040b433
0x0040b411
0x0040b3fd
0x0040b3e6
0x0040b398
0x0040b3a3
0x0040b3a7
0x00000000
0x0040b3a9
0x0040b3a9
0x0040b3b4
0x0040b3b8
0x0040b3bd
0x00000000
0x0040b3bf
0x0040b3cb
0x0040b3cb
0x0040b3bd
0x0040b3a7
0x0040b526
0x0040b52f

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041A548,?,?), ref: 0040B38D
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040B39E
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041A548,?,?), ref: 0040B49E
FindClose.KERNEL32(?,?,?,kernel32.dll,0041A548,?,?), ref: 0040B4B0
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041A548,?,?), ref: 0040B4BC
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041A548,?,?), ref: 0040B501

Strings

GetLongPathNameW, xrefs: 0040B398
\, xrefs: 0040B4CE
kernel32.dll, xrefs: 0040B388

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1795dd52ab7b746f8302318d01f89f34717b2ab0bd176f474cb1e61098d50557
Instruction ID: 6410ca119918e5a5510f2fee2069c3870dc9a90b0c75b748b9fe2600a7d8f5d9
Opcode Fuzzy Hash: 1795dd52ab7b746f8302318d01f89f34717b2ab0bd176f474cb1e61098d50557
Instruction Fuzzy Hash: 56417F71A00618ABCB10EB94CC85AEEB3B5EF45314F1445BA9504F32C1E778AF458A8D

Uniqueness

Uniqueness Score: -1.00%

Function 005B8370, Relevance: 12.1, APIs: 8, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E005B8370(struct HWND__* __eax, signed char __ecx, void* __edx) {
				signed int _v14;
				signed int _v15;
				int _t11;
				int _t13;
				int _t15;
				void* _t23;
				signed int _t27;
				struct HWND__* _t30;
				signed char* _t31;

				_push(__ecx);
				 *_t31 = __ecx;
				_t23 = __edx;
				_t30 = __eax;
				_t11 = GetWindowLongW(__eax, 0xffffffec);
				_t27 = _t11;
				if(_t23 == 0 || (_t27 & 0x00040000) != 0) {
					if(_t23 != 0) {
						goto L14;
					}
					_t11 = 0x00040000 & _t27;
					if(0x40000 != 0x40000) {
						goto L14;
					}
					goto L4;
				} else {
					L4:
					_t13 = IsIconic(_t30);
					asm("sbb eax, eax");
					_v14 = _t13 + 1;
					_t15 = IsWindowVisible(_t30);
					asm("sbb eax, eax");
					_v15 = _t15 + 1;
					if((_v15 & 0x000000ff | _v14) != 0) {
						ShowWindow(_t30, 0);
					}
					if(_t23 == 0) {
						SetWindowLongW(_t30, 0xffffffec, _t27 & 0xfffbffff);
					} else {
						SetWindowLongW(_t30, 0xffffffec, _t27 | 0x00040000);
					}
					_t11 =  *_t31 & 0x000000ff & _v15;
					if(_t11 != 0 || _v14 != 0) {
						if(_v14 == 0) {
							_t11 = ShowWindow(_t30, 5);
						} else {
							_t11 = ShowWindow(_t30, 6);
						}
					}
					L14:
					return _t11;
				}
			}

0x005b8373
0x005b8374
0x005b8377
0x005b8379
0x005b837e
0x005b8383
0x005b8387
0x005b8393
0x00000000
0x00000000
0x005b839e
0x005b83a5
0x00000000
0x00000000
0x00000000
0x005b83ab
0x005b83ab
0x005b83ac
0x005b83b4
0x005b83b7
0x005b83bc
0x005b83c4
0x005b83c7
0x005b83d4
0x005b83d9
0x005b83d9
0x005b83e0
0x005b83fd
0x005b83e2
0x005b83ec
0x005b83ec
0x005b8406
0x005b840a
0x005b8418
0x005b8427
0x005b841a
0x005b841d
0x005b841d
0x005b8418
0x005b842c
0x005b8430
0x005b8430

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005B837E
IsIconic.USER32(?), ref: 005B83AC
IsWindowVisible.USER32(?), ref: 005B83BC
ShowWindow.USER32(?,00000000,?,?,000000EC,00000000,?,?,00000000,005C522B), ref: 005B83D9
SetWindowLongW.USER32 ref: 005B83EC
SetWindowLongW.USER32 ref: 005B83FD
ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,000000EC,00000000,?,?,00000000,005C522B), ref: 005B841D
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,000000EC,00000000,?,?,00000000,005C522B), ref: 005B8427

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Window$LongShow$IconicVisible
String ID:
API String ID: 3484284227-0
Opcode ID: d5ec133a4d9d8e1e1d31d702c67909ef885707b56f31ce23b29cc797cba313cb
Instruction ID: 9b9c17cc5c352ebfbbb5b4136618c674ee8567f73caea2f51a61210eef6f06c3
Opcode Fuzzy Hash: d5ec133a4d9d8e1e1d31d702c67909ef885707b56f31ce23b29cc797cba313cb
Instruction Fuzzy Hash: 1511B21251D69134D62232361D02FFF1EDC9FD3328F18996AF5D5D2083C96C9546C26A

Uniqueness

Uniqueness Score: -1.00%

Function 005ED4AC, Relevance: 9.1, APIs: 6, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E005ED4AC(WCHAR* __eax, void* __ebx, signed int __ecx, WCHAR* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr* _t28;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr* _t37;
				signed int _t41;
				intOrPtr* _t43;
				WCHAR* _t62;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t76;
				WCHAR* _t78;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t76 = __edi;
				_t80 = _t81;
				_t82 = _t81 + 0xfffffff0;
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t78 = __edx;
				_t62 = __eax;
				if( *0x64e920 != 0) {
					_v8 = _v8 | 0x00180000;
				}
				E005ED458();
				_push(_t80);
				_push(0x5ed5d2);
				_push( *[fs:edx]);
				 *[fs:edx] = _t82;
				_t28 =  *0x64736c; // 0x64e7dc
				if(IsIconic( *( *_t28 + 0x188)) == 0) {
					_t32 =  *0x64736c; // 0x64e7dc
					_t36 = GetWindowLongW( *( *_t32 + 0x188), 0xfffffff0) & 0xffffff00 | (_t35 & 0x10000000) == 0x00000000;
				} else {
					_t36 = 1;
				}
				if(_t36 == 0) {
					_t37 =  *0x64736c; // 0x64e7dc
					_t41 = GetWindowLongW( *( *_t37 + 0x188), 0xffffffec) & 0xffffff00 | (_t40 & 0x00000080) != 0x00000000;
				} else {
					_t41 = 1;
				}
				if(_t41 == 0) {
					_t43 =  *0x64736c; // 0x64e7dc
					_v12 = E005C54A8( *_t43, _t62, _t78, _t62, _t76, _t78, _v8);
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E005ED5D9);
					return E005ED458();
				} else {
					_v16 = GetActiveWindow();
					_v20 = E005B84C0(0, _t62, _t76, _t78);
					_push(_t80);
					_push(0x5ed595);
					_push( *[fs:eax]);
					 *[fs:eax] = _t82;
					_v12 = MessageBoxW(0, _t62, _t78, _v8 | 0x00002000);
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E005ED59C);
					E005B8580(_v20);
					return SetActiveWindow(_v16);
				}
			}

0x005ed4ac
0x005ed4ad
0x005ed4af
0x005ed4b2
0x005ed4b3
0x005ed4b4
0x005ed4b7
0x005ed4b9
0x005ed4c2
0x005ed4c4
0x005ed4c4
0x005ed4d0
0x005ed4d7
0x005ed4d8
0x005ed4dd
0x005ed4e0
0x005ed4e3
0x005ed4f8
0x005ed4fe
0x005ed518
0x005ed4fa
0x005ed4fa
0x005ed4fa
0x005ed51d
0x005ed523
0x005ed53a
0x005ed51f
0x005ed51f
0x005ed51f
0x005ed53f
0x005ed5a7
0x005ed5b7
0x005ed5bc
0x005ed5bf
0x005ed5c2
0x005ed5d1
0x005ed541
0x005ed546
0x005ed550
0x005ed555
0x005ed556
0x005ed55b
0x005ed55e
0x005ed573
0x005ed578
0x005ed57b
0x005ed57e
0x005ed586
0x005ed594
0x005ed594

APIs

IsIconic.USER32(?), ref: 005ED4F1
GetWindowLongW.USER32(?,000000F0), ref: 005ED50E
GetWindowLongW.USER32(?,000000EC), ref: 005ED533
GetActiveWindow.USER32 ref: 005ED541
MessageBoxW.USER32(00000000,00000000,00000000,?), ref: 005ED56E
SetActiveWindow.USER32(00000001,005ED59C,?,00000000,005ED595,?,?,000000EC,00000000,005ED5D2,?,00000000,00000001), ref: 005ED58F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: bfd759ca204322060ed967093a7afbdc5154ec5d4f4bcf7da7fbd156b720c121
Instruction ID: 7c8a6180df9520b39384b3b9f74c82e1742beeb48ea12e0101cb341a4bdac579
Opcode Fuzzy Hash: bfd759ca204322060ed967093a7afbdc5154ec5d4f4bcf7da7fbd156b720c121
Instruction Fuzzy Hash: 4C31C174A04344AFDB09DFAADD45A9A7BF9FB4A304B1044A6F850D73A1CB74EE00DB24

Uniqueness

Uniqueness Score: -1.00%

Function 005C54A8, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
windowCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E005C54A8(intOrPtr __eax, void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi, int _a4) {
				intOrPtr _v8;
				WCHAR* _v12;
				int _v16;
				struct HWND__* _v20;
				struct HMONITOR__* _v24;
				struct HWND__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				struct tagMONITORINFO _v76;
				struct tagRECT _v92;
				struct HMONITOR__* _t49;
				struct HWND__* _t51;
				long _t68;
				intOrPtr _t79;
				struct HWND__* _t85;
				signed int _t91;
				signed int _t92;
				signed int _t95;
				signed int _t96;
				intOrPtr _t99;
				intOrPtr _t100;
				signed int _t102;
				signed int _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int _t108;
				WCHAR* _t111;
				int _t113;
				void* _t115;
				void* _t116;
				intOrPtr _t117;

				_t115 = _t116;
				_t117 = _t116 + 0xffffffa8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = __ecx;
				_t111 = __edx;
				_v8 = __eax;
				_t113 = _a4;
				_v20 = E005C6A28(_v8, __ecx);
				if(_v20 != 0) {
					_t85 = _v20;
				} else {
					_t85 =  *(_v8 + 0x188);
				}
				_push(2);
				_t49 = _v20;
				_push(_t49);
				L004EC384();
				_v24 = _t49;
				_push(2);
				_t51 =  *(_v8 + 0x188);
				_push(_t51);
				L004EC384();
				_v28 = _t51;
				if(_v24 != _v28) {
					_v76.cbSize = 0x28;
					GetMonitorInfoW(_v24,  &_v76);
					GetWindowRect( *(_v8 + 0x188),  &_v92);
					_push(0x1d);
					_push(0);
					_push(0);
					_t105 = _v68;
					_t95 = _v60 - _t105;
					_t96 = _t95 >> 1;
					if(_t95 < 0) {
						asm("adc ecx, 0x0");
					}
					_push(_t96 + _t105);
					_t79 = _v76.rcMonitor;
					_t107 = _v64 - _t79;
					_t108 = _t107 >> 1;
					if(_t107 < 0) {
						asm("adc edx, 0x0");
					}
					SetWindowPos( *(_v8 + 0x188), 0, _t108 + _t79, ??, ??, ??, ??);
				}
				_v36 = E005B84C0(_v20, _t85, _t111, _t113);
				_v32 = E005B8314();
				if(E005C3BDC(_v8) != 0) {
					_t113 = _t113 | 0x00100000;
				}
				_push(_t115);
				_push(0x5c5613);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t117;
				_v16 = MessageBoxW(_t85, _t111, _v12, _t113);
				_pop(_t99);
				 *[fs:eax] = _t99;
				_push(E005C561A);
				if(_v24 != _v28) {
					_push(0x1d);
					_push(0);
					_push(0);
					_t100 = _v92.top;
					_t91 = _v92.bottom - _t100;
					_t92 = _t91 >> 1;
					if(_t91 < 0) {
						asm("adc ecx, 0x0");
					}
					_push(_t92 + _t100);
					_t68 = _v92.left;
					_t102 = _v92.right - _t68;
					_t103 = _t102 >> 1;
					if(_t102 < 0) {
						asm("adc edx, 0x0");
					}
					SetWindowPos( *(_v8 + 0x188), 0, _t103 + _t68, ??, ??, ??, ??);
				}
				E005B8580(_v36);
				SetActiveWindow(_v20);
				return E005B831C(_v32);
			}

0x005c54a9
0x005c54ab
0x005c54ae
0x005c54af
0x005c54b0
0x005c54b1
0x005c54b4
0x005c54b6
0x005c54b9
0x005c54c4
0x005c54cb
0x005c54d8
0x005c54cd
0x005c54d0
0x005c54d0
0x005c54db
0x005c54dd
0x005c54e0
0x005c54e1
0x005c54e6
0x005c54e9
0x005c54ee
0x005c54f4
0x005c54f5
0x005c54fa
0x005c5503
0x005c5505
0x005c5514
0x005c5527
0x005c552c
0x005c552e
0x005c5530
0x005c5535
0x005c5538
0x005c553a
0x005c553c
0x005c553e
0x005c553e
0x005c5543
0x005c5547
0x005c554a
0x005c554c
0x005c554e
0x005c5550
0x005c5550
0x005c5562
0x005c5562
0x005c556f
0x005c5577
0x005c5584
0x005c5586
0x005c5586
0x005c558e
0x005c558f
0x005c5594
0x005c5597
0x005c55a6
0x005c55ab
0x005c55ae
0x005c55b1
0x005c55bc
0x005c55be
0x005c55c0
0x005c55c2
0x005c55c7
0x005c55ca
0x005c55cc
0x005c55ce
0x005c55d0
0x005c55d0
0x005c55d5
0x005c55d9
0x005c55dc
0x005c55de
0x005c55e0
0x005c55e2
0x005c55e2
0x005c55f4
0x005c55f4
0x005c55fc
0x005c5605
0x005c5612

APIs

Part of subcall function 005C6A28: GetActiveWindow.USER32 ref: 005C6A4F
Part of subcall function 005C6A28: GetLastActivePopup.USER32(00000001), ref: 005C6A64

MonitorFromWindow.USER32(00000000,00000002), ref: 005C54E1
MonitorFromWindow.USER32(?,00000002), ref: 005C54F5
GetMonitorInfoW.USER32 ref: 005C5514
GetWindowRect.USER32 ref: 005C5527
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?,00000000,00000028,?,00000002,00000000,00000000,00000000), ref: 005C5562
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 005C55A1
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,005C561A,00000000,00000000,005C5613,?,?,00000002,00000000,00000000), ref: 005C55F4

Part of subcall function 005B8580: IsWindow.USER32(?), ref: 005B858E
Part of subcall function 005B8580: EnableWindow.USER32(?,000000FF), ref: 005B859D

SetActiveWindow.USER32(00000000,005C561A,00000000,00000000,005C5613,?,?,00000002,00000000,00000000,00000000), ref: 005C5605

Strings

(, xrefs: 005C5505

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Window$ActiveMonitor$From$EnableInfoLastMessagePopupRect
String ID: (
API String ID: 2800294577-3887548279
Opcode ID: 75997713e73326e48ce38d3a06fe1a933b88ce6f5de706053cec51da2395f7b9
Instruction ID: a1fa2758024460447ea3ae500c6b86efe2ce0e5f4502c732288f787eac2bf249
Opcode Fuzzy Hash: 75997713e73326e48ce38d3a06fe1a933b88ce6f5de706053cec51da2395f7b9
Instruction Fuzzy Hash: 90410875E00609AFDF04DBE8C986FFEBBB9FB48704F548469F500AB285DA74AD408B50

Uniqueness

Uniqueness Score: -1.00%

Function 0040B22C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040B22C(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40b330);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x64ac14);
				if(_t28 !=  *0x64ac2c) {
					LeaveCriticalSection(0x64ac14);
					E00407DE4(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x64ac10 == 0) {
							_t18 = E0040AF14(_t28, _t28, _t44, __edi, _t44);
							L004037D8();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E00408E4C(_t44, E0040B348);
								}
								L004037D8();
								E0040AF14(_t18, _t28,  &_v8, _t42, _t44);
								E00408E4C(_t44, _v8);
							}
						} else {
							E0040B110(_t28, _t44);
						}
					}
					EnterCriticalSection(0x64ac14);
					 *0x64ac2c = _t28;
					E0040AD94(0x64ac2e, E00408C3C( *_t44), 0xaa);
					LeaveCriticalSection(0x64ac14);
				} else {
					E00408CF4(_t44, 0x55, 0x64ac2e);
					LeaveCriticalSection(0x64ac14);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040B337);
				return E00407DE4( &_v8);
			}

0x0040b22c
0x0040b22f
0x0040b231
0x0040b232
0x0040b233
0x0040b235
0x0040b239
0x0040b23a
0x0040b23f
0x0040b242
0x0040b24a
0x0040b256
0x0040b27d
0x0040b284
0x0040b296
0x0040b29f
0x0040b2b0
0x0040b2b5
0x0040b2bd
0x0040b2c2
0x0040b2cb
0x0040b2cb
0x0040b2d0
0x0040b2d8
0x0040b2e2
0x0040b2e2
0x0040b2a1
0x0040b2a5
0x0040b2a5
0x0040b29f
0x0040b2ec
0x0040b2f1
0x0040b30b
0x0040b315
0x0040b258
0x0040b264
0x0040b26e
0x0040b26e
0x0040b31c
0x0040b31f
0x0040b322
0x0040b32f

APIs

EnterCriticalSection.KERNEL32(0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F,?,?,00000000,00000000,00000000), ref: 0040B24A
LeaveCriticalSection.KERNEL32(0064AC14,0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F,?,?,00000000,00000000), ref: 0040B26E
LeaveCriticalSection.KERNEL32(0064AC14,0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F,?,?,00000000,00000000), ref: 0040B27D
IsValidLocale.KERNEL32(00000000,00000002,0064AC14,0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F), ref: 0040B28F
EnterCriticalSection.KERNEL32(0064AC14,00000000,00000002,0064AC14,0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F), ref: 0040B2EC
LeaveCriticalSection.KERNEL32(0064AC14,0064AC14,00000000,00000002,0064AC14,0064AC14,00000000,0040B330,?,?,?,00000000,?,0040BC10,00000000,0040BC6F), ref: 0040B315

Strings

en-US,en,, xrefs: 0040B25A, 0040B301

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 1122c7493f9510b89e420d32b61d1aafe4b7e82e8ca23a83f7d486f757b9b324
Instruction ID: 40a78dbe359b709b0cffab3f0adf61096e98e099bc9ec84b72900ea500a8d7e8
Opcode Fuzzy Hash: 1122c7493f9510b89e420d32b61d1aafe4b7e82e8ca23a83f7d486f757b9b324
Instruction Fuzzy Hash: A0219FB47402017BD711BFAA8D4666E2A99DB85709F60447FB400B72D2CB7C8D4186EF

Uniqueness

Uniqueness Score: -1.00%

Function 0040430C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040430C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x64805d; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403CE8();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								if(VirtualFree(_t103, 0, 0x8000) == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x64ab7c = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x64898d;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x64805d; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x648aec], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x64898d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x648aec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403B60(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403B60(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x648af4 - 0x13ffe0;
							if( *0x648af4 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403C00(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x648af4 = 0x13ffe0;
								 *0x648af0 = _t82;
								 *0x648aec = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x648aec = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403BA0(_t106, _t88, _t81);
							 *0x648aec = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x0040430c
0x0040430c
0x00404315
0x0040431b
0x00404404
0x00404407
0x004044f4
0x004044f5
0x004044f8
0x00403d98
0x00403d9a
0x00403d9c
0x00403da1
0x00403da4
0x00403da9
0x00403dad
0x00403db3
0x00403db7
0x00403dbd
0x00403dd9
0x00403ddd
0x00403de0
0x00403de0
0x00403de2
0x00403dea
0x00403df7
0x00403dfc
0x00403dfe
0x00403e00
0x00403e03
0x00403e03
0x00403e05
0x00403e09
0x00403e0b
0x00403e0d
0x00403e0f
0x00000000
0x00403e0f
0x00000000
0x00403e0b
0x00403dbf
0x00403dce
0x00403dd4
0x00403dd0
0x00403dd0
0x00403dd0
0x00403dce
0x00403e13
0x00403e15
0x00403e1e
0x00403e27
0x00403e27
0x00403e2a
0x00403e3a
0x004044fe
0x00404503
0x00404503
0x00000000
0x00000000
0x00000000
0x00404321
0x00404321
0x00404323
0x00404325
0x00404388
0x00404388
0x0040438d
0x00404391
0x00000000
0x00000000
0x00404393
0x00404395
0x0040439c
0x00000000
0x0040439e
0x004043a2
0x004043a7
0x004043a8
0x004043a9
0x004043ae
0x004043b2
0x004043bc
0x004043c1
0x004043c2
0x00000000
0x004043c2
0x004043b2
0x00000000
0x0040439c
0x00404388
0x00404327
0x00404327
0x00404327
0x00404327
0x0040432b
0x0040432e
0x0040435c
0x0040435e
0x00404373
0x00404373
0x00404360
0x00404360
0x00404363
0x00404366
0x00404369
0x0040436c
0x0040436e
0x00404371
0x00000000
0x00000000
0x00404371
0x00404376
0x00404378
0x0040437a
0x0040437d
0x0040440d
0x00404410
0x00404412
0x00404414
0x00404415
0x00404417
0x004043c8
0x004043c8
0x004043cd
0x004043d5
0x00000000
0x00000000
0x004043d7
0x004043d9
0x004043e0
0x00000000
0x004043e2
0x004043e4
0x004043e9
0x004043ee
0x004043f6
0x004043fa
0x00000000
0x004043fa
0x004043f6
0x00000000
0x004043e0
0x004043c8
0x00404419
0x00404419
0x00404421
0x00404425
0x0040445c
0x0040445f
0x00404462
0x00404464
0x0040446a
0x0040446c
0x0040446c
0x00404427
0x00404427
0x00404427
0x0040442a
0x0040442a
0x0040442e
0x00404432
0x00404474
0x00404477
0x00404479
0x0040447b
0x00404481
0x00404485
0x00404485
0x00404481
0x00404434
0x0040443a
0x0040448c
0x00404496
0x004044c4
0x004044ca
0x004044cf
0x004044d6
0x004044e0
0x004044e6
0x004044ed
0x004044f1
0x00404498
0x00404498
0x0040449b
0x0040449d
0x004044a0
0x004044a3
0x004044a5
0x004044b4
0x004044b9
0x004044bc
0x004044c0
0x004044c0
0x0040443c
0x0040443f
0x00404442
0x0040444a
0x0040444f
0x00404456
0x0040445a
0x0040445a
0x00404330
0x00404330
0x00404332
0x00404338
0x0040433b
0x00404344
0x00404347
0x0040434a
0x0040434d
0x00404350
0x00404353
0x00404356
0x00404356
0x00404358
0x00404359
0x0040433d
0x0040433d
0x0040433d
0x0040433f
0x00404341
0x00404342
0x00404342
0x0040433b
0x0040432e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040C588,0040C5EE,?,00000000,?,?,0040C911,00000000,?,00000000,0040CE12,00000000), ref: 004043A2
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040C588,0040C5EE,?,00000000,?,?,0040C911,00000000,?,00000000,0040CE12), ref: 004043BC

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1b1c682066e16186c5fa042c49117e669e18974fa29d17ce9c669473d820b7a7
Instruction ID: 8ae07936e0f5873f83ca6ebed6067a33fc8e4cf05f9afa7c784dd515947afd2d
Opcode Fuzzy Hash: 1b1c682066e16186c5fa042c49117e669e18974fa29d17ce9c669473d820b7a7
Instruction Fuzzy Hash: AC7103716043004FD715DF29C984B2ABBD8AF86315F1882BFE944AB3D2D7B89D41CB89

Uniqueness

Uniqueness Score: -1.00%

Function 005C4C6C, Relevance: 12.1, APIs: 8, Instructions: 99
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C4C6C(void* __eax, struct HWND__** __edx) {
				long _v20;
				intOrPtr _t17;
				intOrPtr _t30;
				void* _t46;
				void* _t50;
				struct HWND__** _t51;
				struct HWND__* _t52;
				struct HWND__* _t53;
				void* _t54;
				DWORD* _t55;

				_t55 = _t54 + 0xfffffff8;
				_t51 = __edx;
				_t50 = __eax;
				_t46 = 0;
				_t17 =  *((intOrPtr*)(__edx + 4));
				if(_t17 < 0x100 || _t17 > 0x109) {
					L19:
					return _t46;
				} else {
					_t52 = GetCapture();
					if(_t52 != 0) {
						GetWindowThreadProcessId(_t52, _t55);
						GetWindowThreadProcessId( *(_t50 + 0x188),  &_v20);
						if( *_t55 == _v20 && SendMessageW(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
							_t46 = 1;
						}
						goto L19;
					}
					_t53 =  *_t51;
					_t30 =  *((intOrPtr*)(_t50 + 0x58));
					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x3c4))) {
						L7:
						if(E00502AF0(_t53) == 0 && _t53 != 0) {
							_t53 = GetParent(_t53);
							goto L7;
						}
						if(_t53 == 0) {
							_t53 =  *_t51;
						}
						goto L11;
					} else {
						_t53 = E0050F50C(_t30);
						L11:
						if(IsWindowUnicode(_t53) == 0) {
							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						} else {
							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
								_t46 = 1;
							}
						}
						goto L19;
					}
				}
			}

0x005c4c70
0x005c4c73
0x005c4c75
0x005c4c77
0x005c4c79
0x005c4c81
0x005c4d5a
0x005c4d62
0x005c4c92
0x005c4c97
0x005c4c9b
0x005c4d1e
0x005c4d2f
0x005c4d3b
0x005c4d58
0x005c4d58
0x00000000
0x005c4d3b
0x005c4c9d
0x005c4c9f
0x005c4ca4
0x005c4cbf
0x005c4cc8
0x005c4cbd
0x00000000
0x005c4cbd
0x005c4cd0
0x005c4cd2
0x005c4cd2
0x00000000
0x005c4cae
0x005c4cb3
0x005c4cd4
0x005c4cdc
0x005c4d16
0x005c4d18
0x005c4d18
0x005c4cde
0x005c4cf7
0x005c4cf9
0x005c4cf9
0x005c4cf7
0x00000000
0x005c4cdc
0x005c4ca4

APIs

GetCapture.USER32 ref: 005C4C92
IsWindowUnicode.USER32(00000000), ref: 005C4CD5
SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 005C4CF0
SendMessageA.USER32(00000000,-0000BBEE,?,?), ref: 005C4D0F
GetWindowThreadProcessId.USER32(00000000), ref: 005C4D1E
GetWindowThreadProcessId.USER32(?,?), ref: 005C4D2F
SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 005C4D4F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: e0413644bc4df7674be7166c94cbdb9fb6b2e54a99e4c6a1ab8404d50a878f97
Instruction ID: 6a031507f6a1f5bebc2b7d4ec96a29757554a37f93fe2bea8146bd87fa7d1636
Opcode Fuzzy Hash: e0413644bc4df7674be7166c94cbdb9fb6b2e54a99e4c6a1ab8404d50a878f97
Instruction Fuzzy Hash: FC21ADB12042496FD660FAD9C951FA7B7DCEF15310B10442DFE6AC3362DA58FC408B28

Uniqueness

Uniqueness Score: -1.00%

Function 00404504, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404504(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403F88(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403B44(_t202, _t218, _t150);
										E0040430C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403F88(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403B14(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040430C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403F88(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403B14(_t217, _t207, _t109);
									E0040430C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x64805d;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403B60(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403BA0(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x648aec = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x648aec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x64898d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x648aec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x648aec = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x64805d;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x648aec], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x64898d;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x648aec], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403B60(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403BA0(_t217 + _t238, _t174, _t161);
									}
									 *0x648aec = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403F88(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403B44(_t217, _t213, _t140);
											E0040430C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403F88((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040430C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403F88(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040430C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00404504
0x00404504
0x00404504
0x0040450c
0x0040450e
0x0040459c
0x0040459f
0x0040480c
0x0040480d
0x0040480e
0x00404811
0x00403e3c
0x00403e3d
0x00403e3e
0x00403e3f
0x00403e40
0x00403e43
0x00403e45
0x00403e4c
0x00403e55
0x00403e5a
0x00403f41
0x00403f43
0x00403f56
0x00403f58
0x00403f5a
0x00403f5c
0x00403f62
0x00403f66
0x00403f66
0x00403f69
0x00403f69
0x00403f72
0x00403f79
0x00403f79
0x00403f45
0x00403f45
0x00403f4a
0x00403f4a
0x00403e60
0x00403e69
0x00403e6f
0x00403e6b
0x00403e6b
0x00403e6b
0x00403e7b
0x00403e8a
0x00403e97
0x00403f07
0x00403f0e
0x00403f10
0x00403f12
0x00403f14
0x00403f1a
0x00403f1e
0x00403f1e
0x00403f21
0x00403f21
0x00403f31
0x00403f38
0x00403f38
0x00403e99
0x00403e99
0x00403ea5
0x00403eab
0x00000000
0x00403ead
0x00403ebe
0x00403ec2
0x00403ec4
0x00403ec4
0x00403eda
0x00000000
0x00403ef2
0x00403ef4
0x00403ef7
0x00403f00
0x00403f03
0x00403f03
0x00403eda
0x00403eab
0x00403e97
0x00403f87
0x00404817
0x00404817
0x00404819
0x00404819
0x004045a5
0x004045a7
0x004045aa
0x004045ab
0x004045ae
0x004045b1
0x004045b4
0x004045b6
0x004045b7
0x004046cc
0x004046cf
0x004046d1
0x004047c4
0x004047cf
0x004047d6
0x004047d8
0x004047db
0x004047e0
0x004047e1
0x004047e3
0x00000000
0x004047e5
0x004047e5
0x004047eb
0x004047ed
0x004047ed
0x004047f0
0x004047f8
0x004047ff
0x0040480a
0x0040480a
0x004046d7
0x004046d7
0x004046da
0x004046dd
0x004046df
0x00000000
0x004046e5
0x004046e5
0x004046ec
0x00404749
0x00404749
0x0040474e
0x00404754
0x00404759
0x0040475a
0x0040475a
0x00404766
0x00404777
0x0040477d
0x0040477d
0x0040477f
0x0040478c
0x00404793
0x00404797
0x00404799
0x0040479f
0x004047a1
0x004047a3
0x004047a3
0x00404781
0x00404781
0x00404785
0x00404785
0x004047a8
0x004047a8
0x004047aa
0x004047ad
0x004047b4
0x004047b6
0x004047ba
0x004046ee
0x004046ee
0x004046f3
0x004046fb
0x00000000
0x00000000
0x004046fd
0x004046ff
0x00404706
0x00000000
0x00404708
0x0040470c
0x00404711
0x00404712
0x00404718
0x00404720
0x00404726
0x0040472b
0x0040472c
0x00000000
0x0040472c
0x00404720
0x00000000
0x00404706
0x00404735
0x00404738
0x0040473b
0x0040473d
0x004047bd
0x004047bd
0x00000000
0x0040473f
0x0040473f
0x00404742
0x00404745
0x00404747
0x00000000
0x00000000
0x00000000
0x00000000
0x00404747
0x0040473d
0x004046ec
0x004046df
0x004045bd
0x004045c0
0x004045c2
0x004045cc
0x004045d2
0x004045e9
0x004045e9
0x004045f5
0x004045fb
0x004045fd
0x00404604
0x00404606
0x0040460b
0x00404613
0x00000000
0x00000000
0x00404615
0x00404617
0x0040461e
0x00000000
0x00404620
0x00404623
0x00404628
0x0040462e
0x00404636
0x0040463b
0x00404640
0x00000000
0x00404640
0x00404636
0x00000000
0x0040461e
0x00404649
0x00404649
0x00404649
0x0040464e
0x00404651
0x00404653
0x00404656
0x00404659
0x00404664
0x00404666
0x00404669
0x0040466b
0x0040466d
0x00404673
0x00404675
0x00404675
0x0040465b
0x0040465e
0x0040465e
0x0040467a
0x00404680
0x00404684
0x0040468a
0x00404691
0x00404691
0x00404696
0x004046a3
0x004045d4
0x004045d4
0x004045da
0x004046a4
0x004046a8
0x004046ad
0x004046af
0x004046b1
0x004046b9
0x004046c0
0x004046c5
0x004046c5
0x004046cb
0x004045e0
0x004045e0
0x004045e5
0x004045e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004045e7
0x004045da
0x004045c4
0x004045c4
0x004045c8
0x004045c8
0x004045c2
0x004045b7
0x00404514
0x00404514
0x00404516
0x0040451a
0x0040451d
0x0040451f
0x00404558
0x0040455c
0x0040455d
0x0040455f
0x00404561
0x00404563
0x00404566
0x00404568
0x0040456a
0x0040456f
0x00404571
0x00404573
0x00404579
0x0040457b
0x0040457b
0x00404582
0x00404582
0x00404585
0x00404587
0x00404590
0x00404595
0x00404595
0x00404597
0x00404598
0x00404599
0x0040459a
0x00404521
0x00404521
0x00404528
0x0040452a
0x00404530
0x00404532
0x00404534
0x00404539
0x0040453b
0x0040453d
0x0040453f
0x00404541
0x0040454c
0x00404551
0x00404551
0x00404553
0x00404554
0x00404555
0x0040452c
0x0040452c
0x0040452d
0x0040452e
0x0040452e
0x0040452a
0x0040451f

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f929ef2967dea1e72f2012510eb417fd312d1ad0abe433d1e86b416f8e4c382e
Instruction ID: 91d622b352376166aae89e96f59634e37c9cc89596484bd50d81792410eebb56
Opcode Fuzzy Hash: f929ef2967dea1e72f2012510eb417fd312d1ad0abe433d1e86b416f8e4c382e
Instruction Fuzzy Hash: 8BC125A2B102010BD714AE7DDC8476EB69A8BC5316F18867FF204EB3D6DA7CCD458348

Uniqueness

Uniqueness Score: -1.00%

Function 00406A34, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406A34(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406EF4(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E00406C38(_t71);
								_t57 =  *0x6488fc; // 0x6402d4
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406714( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x00406a3b
0x00406a3d
0x00406a3f
0x00406a42
0x00406a42
0x00406a49
0x00406a50
0x00000000
0x00000000
0x00406a5e
0x00406a65
0x00406afd
0x00406afd
0x00406afd
0x00406b01
0x00000000
0x00000000
0x00406b0c
0x00406b12
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b14
0x00406b14
0x00406b19
0x00406b1f
0x00406b26
0x00406b30
0x00406b35
0x00406b3c
0x00406b43
0x00406b51
0x00406b5f
0x00406b53
0x00406b5b
0x00406b5b
0x00406b51
0x00406b65
0x00406b87
0x00406b90
0x00406b94
0x00406b98
0x00000000
0x00406b67
0x00406b67
0x00406b6c
0x00000000
0x00000000
0x00406b78
0x00406b7e
0x00000000
0x00000000
0x00406b80
0x00000000
0x00406b80
0x00406b67
0x00406b9d
0x00406b9d
0x00406bac
0x00406bb3
0x00406bb6
0x00406bb6
0x00000000
0x00406bac
0x00000000
0x00406afd
0x00406a70
0x00406a76
0x00406a7c
0x00406ad8
0x00406adb
0x00000000
0x00000000
0x00406ae2
0x00406aea
0x00406af0
0x00406afb
0x00000000
0x00406afb
0x00406af2
0x00000000
0x00406af2
0x00000000
0x00406a7e
0x00406a81
0x00000000
0x00406a90
0x00406a90
0x00406a90
0x00000000
0x00406a99
0x00406a9c
0x00000000
0x00000000
0x00406aa1
0x00406aca
0x00406ace
0x00406ad3
0x00406ad6
0x00000000
0x00000000
0x00000000
0x00406ad6
0x00406aaa
0x00406ab0
0x00000000
0x00000000
0x00406ab7
0x00406aba
0x00406ac1
0x00000000
0x00406ac1
0x00406bbd
0x00406bc8

APIs

Part of subcall function 00406EF4: GetCurrentThreadId.KERNEL32 ref: 00406EF7

GetTickCount.KERNEL32 ref: 00406A6B
GetTickCount.KERNEL32 ref: 00406A83
GetCurrentThreadId.KERNEL32 ref: 00406AB2
GetTickCount.KERNEL32 ref: 00406ADD
GetTickCount.KERNEL32 ref: 00406B14
GetTickCount.KERNEL32 ref: 00406B3E
GetCurrentThreadId.KERNEL32 ref: 00406BAE

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 6ffacb8e5c870000d65fe95bc6910342ef2e148bfa6da8696178a65c99809681
Instruction ID: c4c107cf3ebabff5cd2fe57fa16c82cb326836da7de36b25942993d82ef8e0ca
Opcode Fuzzy Hash: 6ffacb8e5c870000d65fe95bc6910342ef2e148bfa6da8696178a65c99809681
Instruction Fuzzy Hash: 6A4182B16083514ED321BE7CC44031BBAE5AF91314F16C97EE4DAA72C1E77C98918B56

Uniqueness

Uniqueness Score: -1.00%

Function 005C4ECC, Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E005C4ECC(void* __eax, void* __ecx, struct tagMSG* __edx) {
				char _v19;
				char _t12;
				int _t13;
				void* _t14;
				int _t30;
				int _t32;
				MSG* _t43;
				void* _t44;
				char* _t46;

				_t43 = __edx;
				_t44 = __eax;
				_t32 = 0;
				if(PeekMessageW(__edx, 0, 0, 0, 0) != 0) {
					_v19 = _t12;
					if(_v19 == 0) {
						_t13 = PeekMessageA(_t43, 0, 0, 0, 1);
						asm("sbb eax, eax");
						_t14 = _t13 + 1;
					} else {
						_t30 = PeekMessageW(_t43, 0, 0, 0, 1);
						asm("sbb eax, eax");
						_t14 = _t30 + 1;
					}
					if(_t14 != 0) {
						_t32 = 1;
						if(_t43->message == 0x12) {
							 *((char*)(_t44 + 0xbc)) = 1;
						} else {
							 *_t46 = 0;
							if( *((short*)(_t44 + 0x122)) != 0) {
								 *((intOrPtr*)(_t44 + 0x120))();
							}
							if(E005C6C44(_t44, _t43) == 0 && E005C4D64(_t44, _t43) == 0 &&  *_t46 == 0 && E005C4C1C(_t44, _t43) == 0 && E005C4C6C(_t44, _t43) == 0 && E005C4BD4(_t44, _t43) == 0) {
								TranslateMessage(_t43);
								if(_v19 == 0) {
									DispatchMessageA(_t43);
								} else {
									DispatchMessageW(_t43);
								}
							}
						}
					}
				}
				return _t32;
			}

0x005c4ed1
0x005c4ed3
0x005c4ed5
0x005c4ee7
0x005c4f03
0x005c4f0c
0x005c4f2d
0x005c4f35
0x005c4f37
0x005c4f0e
0x005c4f17
0x005c4f1f
0x005c4f21
0x005c4f21
0x005c4f3a
0x005c4f40
0x005c4f46
0x005c4fce
0x005c4f4c
0x005c4f4c
0x005c4f58
0x005c4f64
0x005c4f64
0x005c4f75
0x005c4fb2
0x005c4fbc
0x005c4fc7
0x005c4fbe
0x005c4fbf
0x005c4fbf
0x005c4fbc
0x005c4f75
0x005c4f46
0x005c4f3a
0x005c4fdc

APIs

PeekMessageW.USER32 ref: 005C4EE0
IsWindowUnicode.USER32 ref: 005C4EF4
PeekMessageW.USER32 ref: 005C4F17
PeekMessageA.USER32 ref: 005C4F2D
TranslateMessage.USER32 ref: 005C4FB2
DispatchMessageW.USER32 ref: 005C4FBF
DispatchMessageA.USER32 ref: 005C4FC7

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 245a5167d66c1dc37a542585379b4706f00d6adde5fd081bd227ba7552889842
Instruction ID: b12a60100edca371373eeac0c2b7702173b74ef74f953fc55324c652497aeb53
Opcode Fuzzy Hash: 245a5167d66c1dc37a542585379b4706f00d6adde5fd081bd227ba7552889842
Instruction Fuzzy Hash: 3A21FC303483002DEA327EA90D55FFE9ED56FD2718F14441DF581D7382CADE9C568A1A

Uniqueness

Uniqueness Score: -1.00%

Function 004067D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E004067D0(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L004038A8();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E00405490(_v16);
						_push(_t41);
						_push(E0040687E);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L004038A8();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E00406885);
							return E004054AC(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E004075D4();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x004067d1
0x004067d3
0x004067d8
0x004067f2
0x00406885
0x00406885
0x00000000
0x004067f8
0x004067f8
0x004067fb
0x004067fc
0x004067fe
0x00406805
0x00000000
0x00406811
0x00406819
0x0040681e
0x0040681f
0x00406824
0x00406827
0x0040682d
0x00406831
0x00406832
0x00406837
0x0040683e
0x00406868
0x0040686a
0x0040686d
0x00406870
0x0040687d
0x00406840
0x00406840
0x0040685b
0x0040685e
0x00406866
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406866
0x00406851
0x00406854
0x0040688c
0x00406892
0x00406892
0x0040683e
0x00406805
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004067E5
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004067EB
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00406807

Strings

@, xrefs: 00406885
GetLogicalProcessorInformation, xrefs: 004067DB
kernel32.dll, xrefs: 004067E0

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 4832d12d49fce1dd6007bee6086912f9ef3bd145bdc2496fb04f6db59fc8a7c1
Instruction ID: ff31a30ae12bef6655a73471c73954337378ab5c0821fabbc4587c12a4cbe5c5
Opcode Fuzzy Hash: 4832d12d49fce1dd6007bee6086912f9ef3bd145bdc2496fb04f6db59fc8a7c1
Instruction Fuzzy Hash: EF116372D01208AEDB10FFA5C94579EB7F8DB40305F11C0BBE819B32C1D67C9A508B59

Uniqueness

Uniqueness Score: -1.00%

Function 00407A7C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00407A7C(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x64805c == 0) {
					if( *0x63e032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403820();
					}
					return _t3;
				} else {
					if( *0x648348 == 0xd7b2 &&  *0x648350 > 0) {
						 *0x648360();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408820(0x407b10);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x00407a84
0x00407aea
0x00407aec
0x00407aee
0x00407af3
0x00407af8
0x00407afa
0x00407afa
0x00407b00
0x00407a86
0x00407a8f
0x00407a9f
0x00407a9f
0x00407abb
0x00407ace
0x00407ae2
0x00407ae2

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?,004055FF), ref: 00407AB5
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?,00407C4E,0040559F,004055E6,?,?), ref: 00407ABB
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?,?), ref: 00407AD6
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407B34,?,?), ref: 00407ADC

Strings

Runtime error at 00000000, xrefs: 00407AAE, 00407AF3
Error, xrefs: 00407AEE

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 3953e0fa170ed006140440cc0a1168bd199246a0b9f3c1cee7e7221462c8ad68
Instruction ID: 2a8c473052e7f7108311ec27582aeef920fa3d69b48ad6a3e637fe6b3f5c3c81
Opcode Fuzzy Hash: 3953e0fa170ed006140440cc0a1168bd199246a0b9f3c1cee7e7221462c8ad68
Instruction Fuzzy Hash: 51F0AFA1B883007DEB20BBA14C07F1E365D9740F15F10493BB110761C1CABA6984476E

Uniqueness

Uniqueness Score: -1.00%

Function 0042C6A8, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042C6A8(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E0042BE54(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00429FF0();
					return E0042BE54(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L0042A5C4();
						_t123 = _t64;
						if(_t123 == 0) {
							E0042BBAC(_t110);
						}
						E0042C0F0(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E0042C620(_v788 - 1, _t125) != 0) {
								L0042A5DC();
								E0042BE54(_v792);
								L0042A5DC();
								E0042BE54( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E0042C650(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L0042A5CC();
							E0042BE54(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L0042A5D4();
							E0042BE54(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0042c6a8
0x0042c6b4
0x0042c6ba
0x0042c6c0
0x0042c6d0
0x0042c6d7
0x0042c6d7
0x0042c6e2
0x0042c6f0
0x0042c87b
0x0042c882
0x0042c883
0x00000000
0x0042c6f6
0x0042c6f9
0x0042c717
0x0042c6fb
0x0042c706
0x0042c706
0x0042c726
0x0042c732
0x0042c735
0x0042c7a2
0x0042c7a8
0x0042c7a9
0x0042c7af
0x0042c7b0
0x0042c7b2
0x0042c7b7
0x0042c7bb
0x0042c7bd
0x0042c7bd
0x0042c7c8
0x0042c7d3
0x0042c7de
0x0042c7e7
0x0042c7ea
0x0042c806
0x0042c80d
0x0042c818
0x0042c82f
0x0042c834
0x0042c848
0x0042c84d
0x0042c860
0x0042c860
0x0042c869
0x0042c7ec
0x0042c7ec
0x0042c7ed
0x0042c7f3
0x0042c7f9
0x0042c7fb
0x0042c7fd
0x0042c800
0x0042c803
0x0042c803
0x0042c806
0x00000000
0x00000000
0x00000000
0x0042c806
0x0042c737
0x0042c737
0x0042c738
0x0042c73a
0x0042c740
0x0042c742
0x0042c751
0x0042c752
0x0042c75c
0x0042c75d
0x0042c762
0x0042c76d
0x0042c76e
0x0042c778
0x0042c779
0x0042c77e
0x0042c799
0x0042c79b
0x0042c79c
0x0042c79f
0x0042c79f
0x00000000
0x0042c740
0x0042c735

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0042C75D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0042C779
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0042C7B2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0042C82F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0042C848
VariantCopy.OLEAUT32(?,?), ref: 0042C883

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: cb6c270718a200b0536d4faf57a58733645aead7f42911b4ebb5466f5507d33a
Instruction ID: 4f07e8c851d81705d132424b4cb44ac31a7860728e4d773487c566fbd725521f
Opcode Fuzzy Hash: cb6c270718a200b0536d4faf57a58733645aead7f42911b4ebb5466f5507d33a
Instruction Fuzzy Hash: C251DB75A006299FCB22DB59D881BD9B3FCAF4C304F8441DAE508E7215D734AF848F69

Uniqueness

Uniqueness Score: -1.00%

Function 00404850, Relevance: 9.1, APIs: 6, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00404850(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x64805c == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403820();
				} else {
					_t7 = E004082E8(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x63e078; // 0x4039c0
					_t12 = E004082E8(_t11);
					_t13 =  *0x63e078; // 0x4039c0
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E004082E8(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x00404850
0x00404853
0x00404855
0x0040485e
0x004048c1
0x004048c6
0x004048c7
0x004048c8
0x004048ca
0x00404860
0x00404869
0x00404878
0x00404884
0x00404889
0x0040488f
0x0040489d
0x004048ab
0x004048ba
0x004048ba
0x004048d2

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00404872
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00404878
GetStdHandle.KERNEL32(000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00404897
WriteFile.KERNEL32(00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040489D
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 004048B4
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 004048BA

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: FileHandleWrite
String ID:
API String ID: 3320372497-0
Opcode ID: a677816d8b52b72ecad6766277940895e40e196d7a5a523a62959fd1cd51f68c
Instruction ID: 57d3c0f15415704fe40749e77cd5106a0c4e32265403aa7cec733e5f316f3291
Opcode Fuzzy Hash: a677816d8b52b72ecad6766277940895e40e196d7a5a523a62959fd1cd51f68c
Instruction Fuzzy Hash: 6601A9A22442103EE210F76A9C86F9B2BCC8B4476AF104A7F7258F31D2C9795D44937D

Uniqueness

Uniqueness Score: -1.00%

Function 00403F88, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403F88(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				intOrPtr* _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				intOrPtr* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				intOrPtr* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x64805d; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403CE8();
								_t99 =  *0x64ab84; // 0x64ab80
								 *_t147 = 0x64ab80;
								 *0x64ab84 = _t121;
								 *((intOrPtr*)(_t147 + 4)) = _t99;
								 *_t99 = _t121;
								 *0x64ab7c = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x648aec], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x64898d;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x648aec], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x648afc + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x648af8;
							if((0xfffffffe << _t132 &  *0x648af8) == 0) {
								_t133 =  *0x648af4; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403C6C(_t125);
								} else {
									_t110 =  *0x648af0; // 0x2cd0ba0
									_t109 = _t110 - _t125;
									 *0x648af0 = _t109;
									 *0x648af4 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x648aec = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x648b7c + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x648afc + _t142 * 4;
								 *_t80 =  *(0x648afc + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x648af8], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403BA0(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x648aec = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x648994; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x63e080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x64898d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x64805d;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x648aec], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x64898d;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x648aec], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x648af8;
							__eflags =  *(__ebx + 1) &  *0x648af8;
							if(( *(__ebx + 1) &  *0x648af8) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x648af4; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403C6C(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x648aec = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x648af0; // 0x2cd0ba0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x648af4 =  *0x648af4 - __edi;
									 *0x648af0 = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x648afc + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x648afc + __eax * 4) + __eax * 8 * 4;
								__edi = 0x648b7c + ( *(0x648afc + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x648afc + __eax * 4;
									 *_t38 =  *(0x648afc + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x648af8], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403BA0(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x648aec = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x2cd0bc0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00403f88
0x00403f94
0x00403f9a
0x004041e8
0x004041ed
0x00404300
0x00404301
0x00404303
0x00403d34
0x00403d38
0x00403d3a
0x00403d44
0x00403d59
0x00403d5d
0x00403d5f
0x00403d61
0x00403d67
0x00403d6a
0x00403d6f
0x00403d74
0x00403d7a
0x00403d80
0x00403d83
0x00403d85
0x00403d8c
0x00403d8c
0x00403d95
0x00404309
0x00404309
0x0040430b
0x0040430b
0x004041f3
0x004041f3
0x004041ff
0x00404202
0x00404204
0x004041ac
0x004041b1
0x004041b9
0x00000000
0x00000000
0x004041bb
0x004041bd
0x004041c4
0x00000000
0x004041c6
0x004041c8
0x004041d2
0x004041da
0x004041de
0x00000000
0x004041de
0x004041da
0x00000000
0x004041c4
0x004041ac
0x00404206
0x00404206
0x00404206
0x0040420e
0x00404211
0x0040421b
0x0040421b
0x00404222
0x00404235
0x00404239
0x0040423f
0x00404258
0x0040425e
0x0040425e
0x00404260
0x0040427e
0x00404262
0x00404262
0x00404267
0x00404269
0x0040426e
0x00404277
0x00404277
0x00404283
0x0040428b
0x00404241
0x00404241
0x0040424b
0x00404253
0x00000000
0x00404253
0x00404224
0x00404227
0x0040422a
0x0040428c
0x0040428c
0x0040428d
0x0040428e
0x00404295
0x00404298
0x0040429b
0x0040429e
0x004042a0
0x004042a2
0x004042a9
0x004042ab
0x004042ab
0x004042ab
0x004042b2
0x004042b4
0x004042b4
0x004042b2
0x004042c0
0x004042c5
0x004042c5
0x004042c7
0x004042e8
0x004042e8
0x004042e8
0x004042c9
0x004042c9
0x004042cf
0x004042d2
0x004042d6
0x004042dc
0x004042de
0x004042de
0x004042dc
0x004042ed
0x004042f0
0x004042f3
0x004042ff
0x004042ff
0x00404222
0x00403fa0
0x00403fa0
0x00403fa2
0x00403fa2
0x00403fa9
0x00403fb0
0x00404008
0x00404008
0x0040400d
0x00404011
0x00000000
0x00000000
0x00404013
0x00404013
0x00404016
0x0040401b
0x0040401f
0x00404021
0x00404021
0x00404024
0x00404029
0x0040402d
0x0040402f
0x00404032
0x00404034
0x0040403b
0x00000000
0x0040403d
0x0040403f
0x00404044
0x00404049
0x0040404d
0x00404055
0x00000000
0x00404055
0x0040404d
0x0040403b
0x0040402d
0x00000000
0x0040401f
0x00404008
0x00403fb2
0x00403fb2
0x00403fb5
0x00403fb8
0x00403fbd
0x00403fbf
0x00403fd8
0x00403fdb
0x00403fdf
0x00403fe1
0x00403fe4
0x0040405c
0x0040405d
0x0040405e
0x00404065
0x00404067
0x00404067
0x0040406c
0x00404074
0x00000000
0x00000000
0x00404076
0x00404078
0x0040407f
0x00000000
0x00404081
0x00404083
0x00404088
0x0040408d
0x00404095
0x00404099
0x00000000
0x00404099
0x00404095
0x00000000
0x0040407f
0x00404067
0x004040a0
0x004040a4
0x004040a4
0x004040aa
0x0040411c
0x00404120
0x00404126
0x00404128
0x00404150
0x00404154
0x00404156
0x0040415b
0x0040415d
0x0040415f
0x00000000
0x00404161
0x00404161
0x00404166
0x00404168
0x00404169
0x0040416a
0x0040416b
0x0040416b
0x0040412a
0x0040412a
0x00404130
0x00404134
0x0040413a
0x0040413c
0x0040413e
0x0040413e
0x00404140
0x00404142
0x00404148
0x00000000
0x00404148
0x004040ac
0x004040ac
0x004040af
0x004040b6
0x004040bd
0x004040c0
0x004040c3
0x004040ca
0x004040cd
0x004040d0
0x004040d3
0x004040d5
0x004040d7
0x004040d9
0x004040de
0x004040e0
0x004040e0
0x004040e0
0x004040e7
0x004040e9
0x004040e9
0x004040e7
0x004040f0
0x004040f5
0x004040f8
0x004040fe
0x0040416c
0x0040416c
0x0040416c
0x00404100
0x00404100
0x00404102
0x00404106
0x00404108
0x0040410b
0x0040410e
0x00404111
0x00404115
0x00404115
0x00404171
0x00404171
0x00404171
0x00404174
0x00404177
0x00404179
0x0040417e
0x00404180
0x00404183
0x0040418a
0x0040418d
0x0040418d
0x00404190
0x00404194
0x00404197
0x0040419a
0x0040419c
0x0040419c
0x0040419e
0x004041a1
0x004041a4
0x004041a7
0x004041a8
0x004041a9
0x004041aa
0x004041aa
0x00403fe6
0x00403fe6
0x00403fe6
0x00403fe6
0x00403fea
0x00403fed
0x00403ff0
0x00403ff3
0x00403ff4
0x00403ff4
0x00403fc1
0x00403fc1
0x00403fc5
0x00403fc5
0x00403fc8
0x00403fcb
0x00403fce
0x00403ff8
0x00403ffb
0x00403ffe
0x00404001
0x00404004
0x00404005
0x00403fd0
0x00403fd0
0x00403fd3
0x00403fd4
0x00403fd4
0x00403fce
0x00403fbf

APIs

Sleep.KERNEL32(00000000,000000FF,00404828,00000000,0040C62F,00000000,0040CB3D,00000000,0040CDFF,00000000,0040CE35), ref: 0040403F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404828,00000000,0040C62F,00000000,0040CB3D,00000000,0040CDFF,00000000,0040CE35), ref: 00404055
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404828,00000000,0040C62F,00000000,0040CB3D,00000000,0040CDFF,00000000,0040CE35), ref: 00404083
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404828,00000000,0040C62F,00000000,0040CB3D,00000000,0040CDFF,00000000,0040CE35), ref: 00404099

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b715f7c927db04bd9bcfbe65b112b6c954bd40c058e19bdd56b5d7a2ad519805
Instruction ID: f04f425ce8251244aaa4bf560e156fe341bd697dd7e0dd954fe574f89a24d872
Opcode Fuzzy Hash: b715f7c927db04bd9bcfbe65b112b6c954bd40c058e19bdd56b5d7a2ad519805
Instruction Fuzzy Hash: E6C15CB66013114FC715CF69D88431ABFE6ABD6311F0881BFE614AB3D1C7B89981C799

Uniqueness

Uniqueness Score: -1.00%

Function 005C396C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E005C396C(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t29;
				signed int _t30;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				struct HWND__* _t41;
				intOrPtr _t42;
				intOrPtr _t47;
				signed int _t51;
				signed int _t52;
				struct HWND__* _t53;

				_t53 = _a4;
				_t52 = _t51 | 0xffffffff;
				_t41 = GetWindow(_t53, 4);
				if(_t41 == 0) {
					L3:
					_v8 = 0;
					L4:
					if(GetCurrentProcessId() == _v8) {
						_t32 =  *0x64e7dc; // 0x0
						if(E0045CF10( *((intOrPtr*)(_t32 + 0xb0)), _t41) < 0) {
							_t35 =  *0x64e7dc; // 0x0
							E0045CD00( *((intOrPtr*)(_t35 + 0xb0)), _t41);
						}
					}
					if(_t41 != 0) {
						_t21 =  *0x64e7dc; // 0x0
						if(_t53 !=  *((intOrPtr*)(_t21 + 0x188))) {
							_t22 =  *0x64e7dc; // 0x0
							if(_t41 ==  *((intOrPtr*)(_t22 + 0x188)) && _t53 != _a8 && IsWindowVisible(_t53) != 0) {
								_t24 =  *0x64e7dc; // 0x0
								_t42 =  *((intOrPtr*)(_t24 + 0xf0));
								if(_t42 != 0) {
									_t42 =  *((intOrPtr*)(_t42 - 4));
								}
								_push(_t42 + 1);
								E0040A618();
								_t29 =  *0x64e7dc; // 0x0
								_t30 =  *(_t29 + 0xf0);
								if(_t30 != 0) {
									_t30 =  *(_t30 - 4);
								}
								_t47 =  *0x64e7dc; // 0x0
								 *( *((intOrPtr*)(_t47 + 0xf0)) + _t30 * 4 - 4) = _t53;
							}
						}
					}
					return _t52;
				}
				_t38 =  *0x64e7dc; // 0x0
				if(_t41 ==  *((intOrPtr*)(_t38 + 0x188))) {
					goto L3;
				} else {
					GetWindowThreadProcessId(_t41,  &_v8);
					goto L4;
				}
			}

0x005c3973
0x005c3976
0x005c3981
0x005c3985
0x005c39a0
0x005c39a2
0x005c39a5
0x005c39ad
0x005c39af
0x005c39c3
0x005c39c5
0x005c39d2
0x005c39d2
0x005c39c3
0x005c39d9
0x005c39df
0x005c39ea
0x005c39ec
0x005c39f7
0x005c3a08
0x005c3a13
0x005c3a17
0x005c3a1c
0x005c3a1c
0x005c3a1f
0x005c3a35
0x005c3a3d
0x005c3a42
0x005c3a4a
0x005c3a4f
0x005c3a4f
0x005c3a51
0x005c3a5d
0x005c3a5d
0x005c39f7
0x005c39ea
0x005c3a68
0x005c3a68
0x005c3987
0x005c3992
0x00000000
0x005c3994
0x005c3999
0x00000000
0x005c3999

APIs

GetWindow.USER32(?,00000004), ref: 005C397C
GetWindowThreadProcessId.USER32(?,?), ref: 005C3999
GetCurrentProcessId.KERNEL32(?,00000004), ref: 005C39A5
IsWindowVisible.USER32(?), ref: 005C39FF

Strings

$N[, xrefs: 005C3A2F

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Window$Process$CurrentThreadVisible
String ID: $N[
API String ID: 3926708836-1380376025
Opcode ID: 1617ef506d2dad6df458cb737aee7d5ee53bde0206cf3729b940c5cfec1e3058
Instruction ID: bea7028dd3d2a1f4acf8b61751eaac66e663a3cd9899bbfe596f5d4f37ae9ea1
Opcode Fuzzy Hash: 1617ef506d2dad6df458cb737aee7d5ee53bde0206cf3729b940c5cfec1e3058
Instruction Fuzzy Hash: 47216B3A2003459FDB10DF99D8C5FA67BA9FB45314F5481BAE90087662DB75FE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006324D8, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E006324D8(void* __ebx, void* __esi, void* __eflags) {
				unsigned int _v8;
				char* _t18;
				char* _t23;
				unsigned int _t24;
				intOrPtr* _t38;
				intOrPtr _t42;
				intOrPtr* _t43;
				intOrPtr _t52;

				_push(0);
				_push(__ebx);
				_push(_t52);
				_push(0x6325b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52;
				_t38 = E0041158C(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"RegisterApplicationRestart");
				if(_t38 != 0) {
					_t18 =  *0x647034; // 0x64f1bd
					if( *_t18 == 0) {
						_t43 =  *0x647234; // 0x64f1b4
						E00408D44( &_v8,  *_t43);
						__eflags = 0;
						E00408B90(_v8, 0);
						if(__eflags != 0) {
							_push(0x63262c);
							_push(_v8);
							_push(0x63262c);
							E00408AC4();
						}
						_t23 =  *0x6470c8; // 0x64f1bc
						__eflags =  *_t23;
						if( *_t23 != 0) {
							E00408A48( &_v8, _v8, L"/CC ");
						}
					} else {
						E00408260( &_v8, L"/WIZARD");
					}
					_t24 = _v8;
					if(_t24 != 0) {
						_t24 =  *(_t24 - 4) >> 1;
					}
					if(_t24 > 0x400) {
						E00407E2C( &_v8);
					}
					 *_t38(E00408A34(_v8), 0xb);
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(E006325BB);
				return E00407E2C( &_v8);
			}

0x006324db
0x006324dd
0x006324e0
0x006324e1
0x006324e6
0x006324e9
0x00632501
0x00632505
0x0063250b
0x00632513
0x00632527
0x0063252f
0x00632537
0x00632539
0x0063253e
0x00632540
0x00632545
0x00632548
0x00632555
0x00632555
0x0063255a
0x0063255f
0x00632562
0x0063256f
0x0063256f
0x00632515
0x0063251d
0x0063251d
0x00632574
0x00632579
0x00632580
0x00632580
0x00632587
0x0063258c
0x0063258c
0x0063259c
0x0063259c
0x006325a0
0x006325a3
0x006325a6
0x006325b3

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,RegisterApplicationRestart,00000000,006325B4,?,?,00000000,?,0063D166,00000000,0063D1D6), ref: 006324F6

Part of subcall function 0041158C: GetProcAddress.KERNEL32(0063D1D6,00000000), ref: 004115B6

Strings

RegisterApplicationRestart, xrefs: 006324EC
kernel32.dll, xrefs: 006324F1
/WIZARD, xrefs: 00632518
/CC , xrefs: 0063256A

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: /CC $/WIZARD$RegisterApplicationRestart$kernel32.dll
API String ID: 1646373207-864635146
Opcode ID: 226b4bf978dacd72e0a7310d86b34321333d370e305633443f048c57bef3fc98
Instruction ID: 4d2a14f8fdde13e697e0b9e925bf220a2ddd0224a25b22dfe95192ada42ec2f3
Opcode Fuzzy Hash: 226b4bf978dacd72e0a7310d86b34321333d370e305633443f048c57bef3fc98
Instruction Fuzzy Hash: D821F670604206AFD701EBA5C9B2A9D77B7EF45714F6100B5F500A76D1CB74EF00DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00405634, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405634(signed int __eax, void* __edx) {
				short _v530;
				short _v1052;
				short _v1056;
				short _v1058;
				signed int _t20;
				void* _t24;
				WCHAR* _t25;

				_t25 =  &_v1052;
				_t24 = __edx;
				_t20 = __eax;
				if(__eax != 0) {
					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
					_v1058 = 0x3a;
					_v1056 = 0;
					GetCurrentDirectoryW(0x105,  &_v530);
					SetCurrentDirectoryW(_t25);
				}
				GetCurrentDirectoryW(0x105,  &_v1052);
				if(_t20 != 0) {
					SetCurrentDirectoryW( &_v530);
				}
				return E00408CF4(_t24, 0x105,  &_v1052);
			}

0x00405636
0x0040563c
0x0040563e
0x00405642
0x0040564c
0x00405650
0x00405657
0x0040566b
0x00405671
0x00405671
0x00405680
0x00405687
0x00405691
0x00405691
0x004056ae

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,00420AF1,0063D108,00000000,0063D1D6), ref: 0040566B
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,00420AF1,0063D108,00000000,0063D1D6), ref: 00405671
GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,00420AF1,0063D108,00000000,0063D1D6), ref: 00405680
SetCurrentDirectoryW.KERNEL32(?,00000105,?,?,?,00420AF1,0063D108,00000000,0063D1D6), ref: 00405691

Strings

:, xrefs: 00405650

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 7a0a98f0548d7c524f36e86e7aede2fffb5a7daf99649ec0d7b1f5843bdb2ea3
Instruction ID: 49ddebb4d1513d1b7596bb638de556b820ee3bdf7eaee84c50bc73a126e56a55
Opcode Fuzzy Hash: 7a0a98f0548d7c524f36e86e7aede2fffb5a7daf99649ec0d7b1f5843bdb2ea3
Instruction Fuzzy Hash: F2F0F061145B447AE320EB54C852AEB72DCDF44305F40883F7AC8D73D2E67E8948976A

Uniqueness

Uniqueness Score: -1.00%

Function 005E50E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E005E50E0(void* __eax, short* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;

				_t10 = __ecx;
				_t7 = __edx;
				if(__eax == 2) {
					if( *0x64e904 == 0) {
						 *0x64e904 = E0041158C(_t7, _t10, GetModuleHandleW(L"advapi32.dll"), L"RegDeleteKeyExW");
					}
					if( *0x64e904 == 0) {
						return 0x7f;
					} else {
						return  *0x64e904(_t7, _t10, 0x100, 0);
					}
				}
				return RegDeleteKeyW(__edx, __ecx);
			}

0x005e50e2
0x005e50e4
0x005e50e8
0x005e50fb
0x005e5112
0x005e5112
0x005e511e
0x00000000
0x005e5120
0x00000000
0x005e5129
0x005e511e
0x005e50f3

APIs

RegDeleteKeyW.ADVAPI32(00000000,Software\Classes\InnoSetupScriptFile\shell), ref: 005E50EC
GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,00000000,00000000,005E5371,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005E5107

Strings

advapi32.dll, xrefs: 005E5102
RegDeleteKeyExW, xrefs: 005E50FD
Software\Classes\InnoSetupScriptFile\shell, xrefs: 005E50EA, 005E5127

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: DeleteHandleModule
String ID: RegDeleteKeyExW$Software\Classes\InnoSetupScriptFile\shell$advapi32.dll
API String ID: 3550747403-3940782867
Opcode ID: 88c73f1bb8ed28f88442db6b8138a29ea913710978ab3c5e6462c0d2d86afabd
Instruction ID: 94c496ed60d286027d21d029de914078e65da01fe7177b2c0ad86a0441e509ed
Opcode Fuzzy Hash: 88c73f1bb8ed28f88442db6b8138a29ea913710978ab3c5e6462c0d2d86afabd
Instruction Fuzzy Hash: EDE02B74A4231476D32C27666C4EBE62E19B78331DF401426F3C1560E3D5B81880C654

Uniqueness

Uniqueness Score: -1.00%

Function 005C2BF8, Relevance: 7.5, APIs: 5, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E005C2BF8() {
				intOrPtr _v4;
				void* _v8;
				int _t5;
				void* _t6;
				intOrPtr _t12;
				struct HHOOK__* _t14;
				void* _t19;
				void* _t20;

				if( *0x64e800 != 0) {
					_t14 =  *0x64e800; // 0x0
					UnhookWindowsHookEx(_t14);
				}
				 *0x64e800 = 0;
				_v4 = 0x64e804;
				_t5 = 0;
				asm("lock xchg [edx], eax");
				_v8 = 0;
				if(_v8 != 0) {
					_t6 =  *0x64e7fc; // 0x0
					SetEvent(_t6);
					if(GetCurrentThreadId() !=  *0x64e7f8) {
						while(MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff) != 0) {
							_t12 =  *0x64e7dc; // 0x0
							E005C4FF8(_t12, _t19, _t20);
						}
					}
					_t5 = CloseHandle(_v8);
				}
				return _t5;
			}

0x005c2c02
0x005c2c04
0x005c2c0a
0x005c2c0a
0x005c2c11
0x005c2c16
0x005c2c22
0x005c2c24
0x005c2c27
0x005c2c2e
0x005c2c30
0x005c2c36
0x005c2c46
0x005c2c54
0x005c2c4a
0x005c2c4f
0x005c2c4f
0x005c2c54
0x005c2c71
0x005c2c71
0x005c2c78

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005C2C0A
SetEvent.KERNEL32(00000000), ref: 005C2C36
GetCurrentThreadId.KERNEL32 ref: 005C2C3B
MsgWaitForMultipleObjects.USER32 ref: 005C2C64
CloseHandle.KERNEL32(00000000,00000000), ref: 005C2C71

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: 1877afac86325a0f72414755ee70438f7eb68ac6baa14edb1159bb2fe8e58937
Instruction ID: b5a07fbacbe843503229a687a160f1a602134a433babb0d173e06d3066d435d5
Opcode Fuzzy Hash: 1877afac86325a0f72414755ee70438f7eb68ac6baa14edb1159bb2fe8e58937
Instruction Fuzzy Hash: FE016D74104301AFEB00EBA4DC49F5A37E5FB06324F118A2EF164CB1E1DB799880CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0046D15C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046D15C(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E0040665C(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x46d255);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00406050(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x46b4f8
						 *((intOrPtr*)(_t66 + 8)) = E00407CA4(0, 0x46d068, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x46b4f8
						 *((intOrPtr*)(_t66 + 8)) = E00407CA4(0, 0x46d068, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E004247B0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x647524; // 0x412b60
						E00425B5C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E004074E0();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(E0046D25C);
				return E00407DE4( &_v20);
			}

0x0046d15c
0x0046d15c
0x0046d15c
0x0046d15d
0x0046d15f
0x0046d166
0x0046d16b
0x0046d16d
0x0046d170
0x0046d170
0x0046d175
0x0046d177
0x0046d17a
0x0046d17e
0x0046d17f
0x0046d184
0x0046d187
0x0046d18e
0x0046d193
0x0046d199
0x0046d19e
0x0046d1a6
0x0046d1aa
0x0046d1aa
0x0046d1aa
0x0046d1ac
0x0046d1b3
0x0046d234
0x0046d23c
0x0046d1b5
0x0046d1b9
0x0046d1dc
0x0046d1ee
0x0046d1bb
0x0046d1c1
0x0046d1d4
0x0046d1d4
0x0046d1f5
0x0046d201
0x0046d209
0x0046d20c
0x0046d216
0x0046d223
0x0046d228
0x0046d228
0x0046d1f5
0x0046d241
0x0046d244
0x0046d247
0x0046d254

APIs

GetLastError.KERNEL32(0046B4F8,00000004,0046B4F4,00000000,0046D255,?,0046B4F4,00000000), ref: 0046D1F7

Part of subcall function 00407CA4: CreateThread.KERNEL32 ref: 00407CFE

GetCurrentThread.KERNEL32 ref: 0046D22F
GetCurrentThreadId.KERNEL32 ref: 0046D237

Strings

`+A, xrefs: 0046D216

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: `+A
API String ID: 3539746228-3225263709
Opcode ID: bee216c4bf9136a9f6f7354c78737f76f6e94a8590e69b14cdf9a1e4731cafb8
Instruction ID: e05fb70a7a2828696a579270aadcb484cc9277d4fcd7efddde7e6635db628dd2
Opcode Fuzzy Hash: bee216c4bf9136a9f6f7354c78737f76f6e94a8590e69b14cdf9a1e4731cafb8
Instruction Fuzzy Hash: 4A313870F04744AED710EB76C8517AB7BE59F4A304F00C87FE06697280E67CA444CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B110(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x64ac0c()) {
					_v16 = E0040B0CC( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x64ac08(4,  &_v32,  &_v20);
				}
				_t39 = E0040B0CC( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408CA0(_t81, _t67);
					_t39 = E004054AC(_t67);
				}
				if(_v16 != 0) {
					 *0x64ac08(0, 0,  &_v20);
					_t68 = E0040B0CC( &_v12);
					if(_v8 != _v12 || E0040B0A8(_v16, _v12, _t68) != 0) {
						 *0x64ac08(8, _v16,  &_v20);
					}
					E004054AC(_t68);
					return E004054AC(_v16);
				}
				return _t39;
			}

0x0040b118
0x0040b11a
0x0040b11e
0x0040b12a
0x0040b134
0x0040b137
0x0040b139
0x0040b140
0x0040b143
0x0040b154
0x0040b15a
0x0040b15d
0x0040b160
0x0040b163
0x0040b169
0x0040b16f
0x0040b17f
0x0040b17f
0x0040b188
0x0040b18d
0x0040b191
0x0040b196
0x0040b19b
0x0040b19d
0x0040b19e
0x0040b1a5
0x0040b1ad
0x0040b1b2
0x0040b1b2
0x0040b1b8
0x0040b1bb
0x0040b1bb
0x0040b1a5
0x0040b1c2
0x0040b1c9
0x0040b1c9
0x0040b1d2
0x0040b1dc
0x0040b1ea
0x0040b1f2
0x0040b20f
0x0040b20f
0x0040b217
0x00000000
0x0040b21f
0x0040b229

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040B121
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040B17F
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040B1DC
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040B20F

Part of subcall function 0040B0CC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040B18D), ref: 0040B0E3
Part of subcall function 0040B0CC: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040B18D), ref: 0040B100

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: a0994c4483628304f403f8d1e6dff6b0d38800928a68715b8c40e0b365ba35f2
Instruction ID: 0c9ad0f1ba4e595d995ae032e03a005b0e6e9ebf58fb761d69e918555078b09f
Opcode Fuzzy Hash: a0994c4483628304f403f8d1e6dff6b0d38800928a68715b8c40e0b365ba35f2
Instruction Fuzzy Hash: CE319070A0011A9BDB10DFE9C885BEFB3B5FF04314F00457AE524F7291DB789A048B98

Uniqueness

Uniqueness Score: -1.00%

Function 005C4648, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C4648(void* __eax) {
				long _t28;
				int _t43;
				int _t45;
				void* _t59;

				_t59 = __eax;
				_t28 = E005B82F0( *((intOrPtr*)(__eax + 0x188)));
				if(_t28 != 0) {
					L15:
					return _t28;
				}
				E005C3824();
				if( *((char*)(_t59 + 0xeb)) == 0) {
					SetActiveWindow( *(_t59 + 0x188));
				}
				 *((char*)(_t59 + 0x40)) = 1;
				_t28 = E005C3A6C(_t59, 0);
				if( *((char*)(_t59 + 0xeb)) == 0) {
					E005C601C(_t59,  *(_t59 + 0x188));
					__eflags =  *((intOrPtr*)(_t59 + 0x58));
					if(__eflags == 0) {
						L12:
						_t28 = E005C2CD8( *(_t59 + 0x188), 6, __eflags);
						goto L13;
					}
					__eflags =  *((char*)(_t59 + 0x6f));
					if( *((char*)(_t59 + 0x6f)) != 0) {
						L10:
						__eflags = IsWindowEnabled(E0050F50C( *((intOrPtr*)(_t59 + 0x58))));
						if(__eflags == 0) {
							goto L12;
						}
						_t43 = E005BAEF8( *((intOrPtr*)(_t59 + 0x58)));
						_t45 = E005BAED8( *((intOrPtr*)(_t59 + 0x58)));
						SetWindowPos( *(_t59 + 0x188), E0050F50C( *((intOrPtr*)(_t59 + 0x58))), _t45, _t43,  *( *((intOrPtr*)(_t59 + 0x58)) + 0x58), 0, 0x40);
						_t28 = DefWindowProcW( *(_t59 + 0x188), 0x112, 0xf020, 0);
						goto L13;
					}
					__eflags =  *((char*)( *((intOrPtr*)(_t59 + 0x58)) + 0x69));
					if(__eflags == 0) {
						goto L12;
					}
					goto L10;
				} else {
					_t66 =  *((intOrPtr*)(_t59 + 0x58));
					if( *((intOrPtr*)(_t59 + 0x58)) == 0) {
						 *((char*)(_t59 + 0xf4)) = 1;
					} else {
						E005C601C(_t59, E0050F50C(_t66));
						_t28 = E005BCEFC( *((intOrPtr*)(_t59 + 0x58)), 1);
					}
					L13:
					if( *((short*)(_t59 + 0x162)) == 0) {
						goto L15;
					}
					return  *((intOrPtr*)(_t59 + 0x160))();
				}
			}

0x005c464a
0x005c4652
0x005c4659
0x005c476d
0x005c476d
0x005c476d
0x005c4661
0x005c466d
0x005c4676
0x005c4676
0x005c467b
0x005c4683
0x005c468f
0x005c46cb
0x005c46d0
0x005c46d4
0x005c4743
0x005c474e
0x00000000
0x005c474e
0x005c46d6
0x005c46da
0x005c46e5
0x005c46f3
0x005c46f5
0x00000000
0x00000000
0x005c4705
0x005c470e
0x005c4724
0x005c473c
0x00000000
0x005c473c
0x005c46df
0x005c46e3
0x00000000
0x00000000
0x00000000
0x005c4691
0x005c4691
0x005c4696
0x005c46b7
0x005c4698
0x005c46a3
0x005c46ad
0x005c46ad
0x005c4753
0x005c475b
0x00000000
0x00000000
0x00000000
0x005c4765

APIs

SetActiveWindow.USER32(?,?,?,005C5304), ref: 005C4676

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: 6f38181d5b08d25856fb5b34efc0a9c56e966daf036ede0fcab873b47c99d301
Instruction ID: a26bc370d08b94beb8a4bc2114b23774ef9ea16540b1e6db72ac9d6f47595e82
Opcode Fuzzy Hash: 6f38181d5b08d25856fb5b34efc0a9c56e966daf036ede0fcab873b47c99d301
Instruction Fuzzy Hash: 3B312930600281AFDB14EEA8C8C9F9A3B95BB45304F0844B8BD04DF65BCB65DD81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005C3724, Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C3724(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t16;
				void* _t25;
				struct HWND__* _t31;
				void* _t33;
				void* _t34;
				long _t35;

				_t35 = _t34 + 0xfffffff8;
				_t25 = __eax;
				_t16 =  *(__eax + 0x188);
				if(_t16 != 0) {
					if( *((intOrPtr*)(__eax + 0xac)) == 0) {
						 *_t35 = _t16;
						_v12 = __edx;
						EnumWindows(E005C3664, _t35);
						_t16 =  *(_t25 + 0xa8);
						if( *((intOrPtr*)(_t16 + 8)) != 0) {
							_t31 = GetWindow(_v20, 3);
							_v20 = _t31;
							if((GetWindowLongW(_t31, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t16 =  *(_t25 + 0xa8);
							_t33 =  *((intOrPtr*)(_t16 + 8)) - 1;
							if(_t33 >= 0) {
								do {
									_t16 = SetWindowPos(E0045CE84( *(_t25 + 0xa8), _t33), _v20, 0, 0, 0, 0, 0x213);
									_t33 = _t33 - 1;
								} while (_t33 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t25 + 0xac)) =  *((intOrPtr*)(_t25 + 0xac)) + 1;
				}
				return _t16;
			}

0x005c3726
0x005c3729
0x005c372b
0x005c3733
0x005c3740
0x005c3742
0x005c3745
0x005c3751
0x005c3756
0x005c3760
0x005c376e
0x005c3770
0x005c377d
0x005c377f
0x005c377f
0x005c3786
0x005c378f
0x005c3793
0x005c3795
0x005c37b5
0x005c37ba
0x005c37bb
0x005c3795
0x005c3793
0x005c3760
0x005c37c0
0x005c37c0
0x005c37ca

APIs

EnumWindows.USER32(005C3664), ref: 005C3751
GetWindow.USER32(00000003,00000003), ref: 005C3769
GetWindowLongW.USER32(00000000,000000EC), ref: 005C3776
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 005C37B5

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: ca5b2cdf096dfb59965fed973c7a6be055f48a93be13b693e7bfc9f3c1d45df6
Instruction ID: 36c372a79d29b1f076461793a16a103c825ec17597df69f48128895ca3551d1f
Opcode Fuzzy Hash: ca5b2cdf096dfb59965fed973c7a6be055f48a93be13b693e7bfc9f3c1d45df6
Instruction Fuzzy Hash: 691170B0604710AFDB10AA689885F9A77D4EB05724F14826CF998DF2E2C7749E80C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00502A94, Relevance: 6.0, APIs: 4, Instructions: 35
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00502A94(struct HWND__* __eax, void* __ecx) {
				intOrPtr _t5;
				struct HWND__* _t12;
				void* _t15;
				DWORD* _t16;

				_t13 = __ecx;
				_push(__ecx);
				_t12 = __eax;
				_t15 = 0;
				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
					_t5 =  *0x64e640; // 0x0
					if(GlobalFindAtomW(E00408C3C(_t5)) !=  *0x64e63a) {
						_t15 = E00502A60(_t12, _t13);
					} else {
						_t15 = GetPropW(_t12,  *0x64e63a & 0x0000ffff);
					}
				}
				return _t15;
			}

0x00502a94
0x00502a96
0x00502a97
0x00502a99
0x00502a9d
0x00502ab4
0x00502acb
0x00502ae6
0x00502acd
0x00502adb
0x00502adb
0x00502acb
0x00502aed

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00502AA1
GetCurrentProcessId.KERNEL32(?,?,00000000,005C6C76,?,?,?,00000001,005C4F73,?,00000000,00000000,00000000,00000001,?,00000000), ref: 00502AAA
GlobalFindAtomW.KERNEL32(00000000), ref: 00502ABF
GetPropW.USER32 ref: 00502AD6

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 5ae7c1ea4b6b527268a84245b5bb1dd7aa83a71b971578bb74b34587f524c598
Instruction ID: 34f3d27970c84af359b0c379ded87b05339e758eeebc0ba28c04d57c21cee545
Opcode Fuzzy Hash: 5ae7c1ea4b6b527268a84245b5bb1dd7aa83a71b971578bb74b34587f524c598
Instruction Fuzzy Hash: BFF0E5B63001212BCB30BBB65D89CAF298CBB117A4B01043AFA41D7163CE6CCC82837C

Uniqueness

Uniqueness Score: -1.00%

Function 005E4F2C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E005E4F2C(void* __eax, void* __ebx, intOrPtr __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				short* _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				signed int _t58;
				char _t66;
				intOrPtr _t82;
				void* _t87;
				signed int _t93;
				void* _t96;

				_v8 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_t87 = __eax;
				_push(_t96);
				_push(0x5e5062);
				_push( *[fs:eax]);
				 *[fs:eax] = _t96 + 0xffffffec;
				while(1) {
					_v24 = 0;
					if(RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24) != 0 || _v20 != _a8 && _v20 != _a4) {
						break;
					}
					if(_v24 != 0) {
						__eflags = _v24 - 0x70000000;
						if(__eflags >= 0) {
							E00425A58();
						}
						_t80 = _v24 + 1 >> 1;
						E00407F6C( &_v8, _v24 + 1 >> 1, 0, __eflags);
						_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E00408398( &_v8),  &_v24);
						__eflags = _t58 - 0xea;
						if(_t58 == 0xea) {
							continue;
						} else {
							__eflags = _t58;
							if(_t58 != 0) {
								break;
							}
							__eflags = _v20 - _a8;
							if(_v20 == _a8) {
								L12:
								_t93 = _v24 >> 1;
								while(1) {
									__eflags = _t93;
									if(_t93 == 0) {
										break;
									}
									_t66 = _v8;
									__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
									if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
										_t93 = _t93 - 1;
										__eflags = _t93;
										continue;
									}
									break;
								}
								__eflags = _v20 - 7;
								if(_v20 == 7) {
									__eflags = _t93;
									if(_t93 != 0) {
										_t93 = _t93 + 1;
										__eflags = _t93;
									}
								}
								E00408DCC( &_v8, _t80, _t93);
								__eflags = _v20 - 7;
								if(_v20 == 7) {
									__eflags = _t93;
									if(_t93 != 0) {
										(E00408398( &_v8))[_t93 * 2 - 2] = 0;
									}
								}
								E004081C4(_v16, _v8);
								break;
							}
							__eflags = _v20 - _a4;
							if(_v20 != _a4) {
								break;
							}
							goto L12;
						}
					} else {
						E00407DE4(_v16);
						break;
					}
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E005E5069);
				return E00407DE4( &_v8);
			}

0x005e4f37
0x005e4f3a
0x005e4f3d
0x005e4f40
0x005e4f44
0x005e4f45
0x005e4f4a
0x005e4f4d
0x005e4f52
0x005e4f54
0x005e4f6f
0x00000000
0x00000000
0x005e4f8d
0x005e4f9e
0x005e4fa5
0x005e4fa7
0x005e4fa7
0x005e4fb5
0x005e4fb9
0x005e4fd6
0x005e4fdb
0x005e4fe0
0x00000000
0x005e4fe6
0x005e4fe6
0x005e4fe8
0x00000000
0x00000000
0x005e4fed
0x005e4ff0
0x005e4ffa
0x005e4ffd
0x005e5002
0x005e5002
0x005e5004
0x00000000
0x00000000
0x005e5006
0x005e5009
0x005e500f
0x005e5001
0x005e5001
0x00000000
0x005e5001
0x00000000
0x005e500f
0x005e5011
0x005e5015
0x005e5017
0x005e5019
0x005e501b
0x005e501b
0x005e501b
0x005e5019
0x005e5021
0x005e5026
0x005e502a
0x005e502c
0x005e502e
0x005e5038
0x005e5038
0x005e502e
0x005e5045
0x00000000
0x005e504a
0x005e4ff5
0x005e4ff8
0x00000000
0x00000000
0x00000000
0x005e4ff8
0x005e4f8f
0x005e4f92
0x00000000
0x005e4f97
0x005e4f8d
0x005e504e
0x005e5051
0x005e5054
0x005e5061

APIs

RegQueryValueExW.ADVAPI32(00000001,00000000,00000000,?,00000000,005EF72D,00000000,005E5062,?,Software\Classes\InnoSetupScriptFile\DefaultIcon,00000000,00000000), ref: 005E4F68
RegQueryValueExW.ADVAPI32(00000001,00000000,00000000,?,00000000,70000000,00000001,00000000,00000000,?,00000000,005EF72D,00000000,005E5062,?,Software\Classes\InnoSetupScriptFile\DefaultIcon), ref: 005E4FD6

Strings

Software\Classes\InnoSetupScriptFile\DefaultIcon, xrefs: 005E4F34

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: QueryValue
String ID: Software\Classes\InnoSetupScriptFile\DefaultIcon
API String ID: 3660427363-3660379042
Opcode ID: 8d1a2c9782b61ec7c2039a883458cbae55e4a00fd6db63e58bc348ae0b36259c
Instruction ID: 5fc3a364f375244236496069d954a934c390c7e7401baa39e2263567602e4d53
Opcode Fuzzy Hash: 8d1a2c9782b61ec7c2039a883458cbae55e4a00fd6db63e58bc348ae0b36259c
Instruction Fuzzy Hash: D8416931900659EFDB15DF92C985AAEBBB8FF04704F50446AF950F7280E734AE448B95

Uniqueness

Uniqueness Score: -1.00%

Function 005C6A28, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005C6A28(void* __eax, void* __ecx) {
				void* _t13;
				intOrPtr* _t17;

				_t13 = __eax;
				 *_t17 = 0;
				if( *((short*)(__eax + 0x112)) != 0) {
					 *((intOrPtr*)(__eax + 0x110))();
				}
				if( *_t17 == 0) {
					 *_t17 = GetActiveWindow();
				}
				if( *_t17 == 0) {
					 *_t17 = GetLastActivePopup( *(_t13 + 0x188));
				}
				return  *_t17;
			}

0x005c6a2a
0x005c6a2e
0x005c6a39
0x005c6a43
0x005c6a43
0x005c6a4d
0x005c6a54
0x005c6a54
0x005c6a5b
0x005c6a69
0x005c6a69
0x005c6a71

APIs

GetActiveWindow.USER32 ref: 005C6A4F
GetLastActivePopup.USER32(00000001), ref: 005C6A64

Strings

K+c, xrefs: 005C6A3D

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Active$LastPopupWindow
String ID: K+c
API String ID: 4190390916-558200504
Opcode ID: 14398c010762180a6b0dd02d55b7fbd10bcd1c03810338c707714269ce900f26
Instruction ID: 17e3b2aff2db4908ce71a2613d3fde2388ee1161981432c3715a74f10589dc2d
Opcode Fuzzy Hash: 14398c010762180a6b0dd02d55b7fbd10bcd1c03810338c707714269ce900f26
Instruction Fuzzy Hash: C4E0C971608604CFDB04EFA5D885BE977F4AB48301F05487DE9858B246D77499C0CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 006326E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006326E8() {

				MessageBoxW(0, L"Command line usage:\r\n\r\ncompil32 /cc <script file>\r\ncompil32 /wizard <wizard name> <script file>\r\n\r\nExamples:\r\ncompil32 /cc c:\\isetup\\sample32\\sample1.iss\r\ncompil32 /cc \"C:\\Inno Setup\\Sample32\\My script.iss\"\r\ncompil32 /wizard \"My Script Wizard\" c:\\temp.iss", L"Inno Setup Compiler", 0x30);
				return E00407C44(1);
			}

0x006326f6
0x00632705

APIs

MessageBoxW.USER32(00000000,Command line usage:compil32 /cc <script file>compil32 /wizard <wizard name> <script file>Examples:compil32 /cc c:\iset,Inno Setup Compiler,00000030), ref: 006326F6

Strings

Command line usage:compil32 /cc <script file>compil32 /wizard <wizard name> <script file>Examples:compil32 /cc c:\iset, xrefs: 006326EF
Inno Setup Compiler, xrefs: 006326EA

Memory Dump Source

Source File: 00000015.00000002.342029746.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.342023641.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342233709.000000000063E000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342238099.000000000063F000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342242717.0000000000640000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342247164.0000000000642000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342252023.0000000000645000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342256297.0000000000647000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342260619.0000000000648000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342265067.000000000064D000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342269926.0000000000650000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342273858.0000000000652000.00000008.00020000.sdmp Download File
Associated: 00000015.00000002.342278065.0000000000654000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.342282094.0000000000655000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.342286543.0000000000657000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_Compil32.jbxd

Similarity

API ID: Message
String ID: Command line usage:compil32 /cc <script file>compil32 /wizard <wizard name> <script file>Examples:compil32 /cc c:\iset$Inno Setup Compiler
API String ID: 2030045667-646189637
Opcode ID: 023275a6c546a95d3cade01e3a272990e14f056e3fb19ecdbe3f53d3b3a986b8
Instruction ID: dd34eeb1fe97bf37fee0e897079ec0d00920598bb8a359cfeced49e9566164cc
Opcode Fuzzy Hash: 023275a6c546a95d3cade01e3a272990e14f056e3fb19ecdbe3f53d3b3a986b8
Instruction Fuzzy Hash: 35B012307D835221F50C31D10C63F4400117720F09F8210597344BC0C284CE314080DE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://jrsoftware.org/download.php/is.exe?site=1

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 6036 Parent PID: 4824

General

Chronological Activities

Analysis Process: conhost.exe PID: 4464 Parent PID: 6036

General

Chronological Activities

Analysis Process: wget.exe PID: 5436 Parent PID: 6036

Function 004B5114, Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Function 004AF91C, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Function 0040B044, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 0040AEF4, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Function 0040AB18, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Function 0040426C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Function 004B63A1, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Function 004AF728, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 004B5A90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Function 00403EE8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Function 004B60E8, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
windowCOMMON

Function 00407750, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Function 00407748, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Function 004B5000, Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Function 004AEFE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Function 0040E450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Function 004AF1B4, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Function 0041FF94, Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Function 0040B110, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Function 0040B234, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Function 00427154, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Function 00421230, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Function 004052D4, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Function 004232EC, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Function 00422A18, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00423DA8, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Function 00409FA8, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00423ED8, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Function 0040CAA4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00403BCC, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre